TP: ACL
ACL 1 Requirements
Create ACL 101.
Explicitly block FTP access to the Enterprise Web Server from the internet.
No ICMP traffic from the internet should be allowed to any hosts on HQ LAN 1.
Allow all other traffic.
HQ(config)#access-list 101 deny tcp any host 192.168.1.70 eq ftp
HQ(config)#access-list 101 deny icmp any 192.168.1.0 0.0.0.63
HQ(config)#access-list 101 permit ip any any
HQ(config)#interface Serial0/1/0
HQ(config-if)#ip access-group 101 in
ACL 2 Requirements
Use ACL number 111
No hosts on HQ LAN 1 should be able to access the Branch Server.
All other traffic should be permitted.
HQ(config)#access-list 111 deny ip any host 192.168.2.45
HQ(config)#access-list 111 permit ip any any
HQ(config)#interface GigabitEthernet0/0/0
HQ(config-if)#ip access-group 111 in
ACL 3 Requirements
Create a named standard ACL. Use the name vty_block. The name of your ACL must match this name exactly.
Only addresses from the HQ LAN 2 network should be able to access the VTY lines of the HQ router.
HQ(config)#ip access-list standard vty_block
HQ(config-std-nacl)#permit 192.168.1.64 0.0.0.7
HQ(config-std-nacl)#line vty 0 4
HQ(config-line)#access-class vty_block in
ACL 4 Requirements
Create a named extended ACL called branch_to_hq. The name of your ACL must match this name exactly.
No hosts on either of the Branch LANs should be allowed to access HQ LAN 1. Use one access list statement for each of the Branch LANs.
All other traffic should be allowed.
Branch(config)#ip access-list extended branch_to_hq
Branch(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.31 192.168.1.0 0.0.0.63
Branch(config-ext-nacl)#deny ip 192.168.2.32 0.0.0.15 192.168.1.0 0.0.0.63
Branch(config-ext-nacl)#permit ip any any
Branch(config-ext-nacl)#interface Serial0/1/1
Branch(config-if)#ip access-group branch_to_hq out
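The four ACLs above all rely on the same IOS matching rules: each access control entry (ACE) is checked in order, the first match decides, and a packet matching nothing hits the implicit deny at the end; addresses are compared through a wildcard mask where a 1 bit means "don't care". The script below is an added example, not part of the lab and not Cisco code: it models those rules in Python, transcribes ACL 101, 111, vty_block and branch_to_hq ACE by ACE, and checks each requirement against constructed sample packets (203.0.113.5 is a made-up internet address; the HQ LAN 1 and Branch hosts are chosen inside the ranges the wildcards cover). It models only which ACE a packet would match, not the interface or direction the ACL is applied in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Address spec: "any", or (base, wildcard) exactly as written in an IOS ACE.
AddrSpec = Union[str, Tuple[str, str]]


def host(addr: str) -> Tuple[str, str]:
    """IOS 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec == "any":
        return True
    base, wildcard = spec
    return wildcard_match(addr, base, wildcard)


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; else "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec = "any"        # standard ACLs only look at the source
    dport: Optional[int] = None  # the 'eq <port>' qualifier on the destination


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first ACE that matches; no match is an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (addr_match(ace.src, src) and addr_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


# The four ACLs from the lab, transcribed ACE by ACE.
ACL_101 = [
    Ace("deny", "tcp", "any", host("192.168.1.70"), dport=21),  # eq ftp
    Ace("deny", "icmp", "any", ("192.168.1.0", "0.0.0.63")),
    Ace("permit", "ip", "any", "any"),
]
ACL_111 = [
    Ace("deny", "ip", "any", host("192.168.2.45")),
    Ace("permit", "ip", "any", "any"),
]
VTY_BLOCK = [  # standard ACL: source only, then the implicit deny
    Ace("permit", "ip", ("192.168.1.64", "0.0.0.7")),
]
BRANCH_TO_HQ = [
    Ace("deny", "ip", ("192.168.2.0", "0.0.0.31"), ("192.168.1.0", "0.0.0.63")),
    Ace("deny", "ip", ("192.168.2.32", "0.0.0.15"), ("192.168.1.0", "0.0.0.63")),
    Ace("permit", "ip", "any", "any"),
]


def check_requirements() -> dict:
    """Constructed sample packets; 203.0.113.5 stands in for an internet host."""
    return {
        # ACL 101, inbound from the internet
        "ftp_to_web_server": evaluate(ACL_101, "tcp", "203.0.113.5", "192.168.1.70", 21),
        "http_to_web_server": evaluate(ACL_101, "tcp", "203.0.113.5", "192.168.1.70", 80),
        "ping_to_hq_lan1": evaluate(ACL_101, "icmp", "203.0.113.5", "192.168.1.10"),
        # 192.168.1.70 lies outside 192.168.1.0 0.0.0.63 (.0 to .63), so ICMP to it passes
        "ping_to_web_server": evaluate(ACL_101, "icmp", "203.0.113.5", "192.168.1.70"),
        # ACL 111
        "lan1_to_branch_srv": evaluate(ACL_111, "ip", "192.168.1.10", "192.168.2.45"),
        "lan1_to_branch_other": evaluate(ACL_111, "ip", "192.168.1.10", "192.168.2.46"),
        # vty_block: 192.168.1.64 0.0.0.7 covers .64 to .71 only
        "vty_from_lan2": evaluate(VTY_BLOCK, "tcp", "192.168.1.66", "192.168.1.1", 22),
        "vty_from_lan1": evaluate(VTY_BLOCK, "tcp", "192.168.1.10", "192.168.1.1", 22),
        # branch_to_hq, one ACE per Branch LAN
        "branch_lan_a_to_lan1": evaluate(BRANCH_TO_HQ, "ip", "192.168.2.20", "192.168.1.5"),
        "branch_lan_b_to_lan1": evaluate(BRANCH_TO_HQ, "ip", "192.168.2.40", "192.168.1.60"),
        "branch_lan_b_to_web": evaluate(BRANCH_TO_HQ, "ip", "192.168.2.40", "192.168.1.70"),
    }


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:24s} {verdict}")
```

Two results are worth noticing when reading the output: the ICMP deny in ACL 101 does not cover 192.168.1.70, because that address is outside the 192.168.1.0 0.0.0.63 range, and vty_block rejects every source outside 192.168.1.64 to .71 purely through the implicit deny, which is why the standard ACL needs no explicit deny line.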