help with ACLs

hi,

How would I implement an access control list on a Cisco router?

Let's say I have a mini network setup with 8 computers and 4 routers, and each set of 2 computers is attached to a switch (so it will look like a star network).

How would I stop a telnet from a workstation to a router, and stop a ping from a workstation to a workstation?

thanx

Jon


So would this work:

Router(config)#access-list 112 deny icmp 128.34.4.2 128.34.5.2 echo
Router(config)#access-list 112 permit tcp any any

to stop a ping from a workstation to a workstation?

thanx

jon

"access-class"


Brief samples only

For telnet filtering you can place an ACL on the line itself. Note the ACL is created normally but the placement command is "access-class".

Creating the ACL (the permitted source address was lost from the post, so a placeholder stands in for it):

Router(config)#access-list 2 permit <permitted source address>
Router(config)#access-list 2 deny any

Placing the ACL:

Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password $#@!~
Router(config-line)#access-class 2 in

You need to use an extended or named ACL to filter ICMP/ping. Note: you do not use an operator ("eq") with ICMP, and the service is "echo", not "ping".

Creating the ACL (source and destination placeholders, as the addresses did not survive in the post):

Router(config)#access-list 112 deny icmp <source> <destination> echo
Router(config)#access-list 112 permit tcp any any

Placing the ACL. Note "access-group" is used for interfaces; the interface form of the command is "ip access-group", entered at the interface prompt:

Router(config)#interface fa0/0
Router(config-if)#ip access-group 112 in

Aubrey


Firstly, as Aubrey said, you need to specify "host" or wildcard mask 0.0.0.0 for the first command. Secondly, you need to permit all other IP traffic instead of TCP traffic. Otherwise, non-TCP packets such as UDP packets will also be blocked.

Router(config)#access-list 112 deny icmp host 128.34.4.2 host 128.34.5.2 echo
Router(config)#access-list 112 permit ip any any

KPLAB


Well, almost, perhaps, maybe.

First, for each IP address you need to specify "host" or wildcard mask 0.0.0.0, or some other mask to cover a group of addresses.

Secondly, yes, effectively, if .4.2 and .5.2 are on different subnets and/or VLANs and are connected to different gateways/routers, and provided you also set up an ACL to filter traffic in the other direction.

I know it's technical, but it is a technical topic. Did you check out the link in my other post? ACLs are at the top edge of "Basic Routing" (and used to be in "Intermediate Routing") as a level of difficulty; an understanding of IP routing will help make sense of it all.

However, preventing ping between 2 workstations on the same subnet/VLAN would require some host Operating System TCP/IP fiddling.

Aubrey

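The matching rules that kplab's and Aubrey's replies above rely on (a "host" keyword or wildcard mask per address, first match wins, the implicit deny at the end that swallows UDP when the last line is "permit tcp any any", and a rule that only covers one direction of the ping) can be checked without a lab. Below is an added example, not code from the thread or from Cisco: a small Python evaluator that parses access-list lines like the ones posted and applies those rules. The workstation addresses are the thread's; the admin workstation 128.34.4.1 used in the vty ACL is an assumption, and the subnet variant with a 0.0.0.255 wildcard mask generalises kplab's two-host rule to the whole .4.0/24 and .5.0/24 ranges.

```python
# Toy evaluator for Cisco IOS numbered ACLs (standard 1-99, extended 100-199).
# Added example, not code from the thread: first match wins, implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo" (ping request) or "echo-reply"
    dport: Optional[int] = None      # TCP/UDP destination port


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; standard ACLs are stored as "ip"
    src: tuple             # (address, care-bits)
    dst: Optional[tuple]   # None for standard ACLs, which match on source only
    qual: tuple            # ("echo",), ("eq", "23") or ()


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' and return (addr, care, rest).
    A wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits are
    ignored, so 0.0.0.0 pins one host and 0.0.0.255 covers a /24."""
    if tok[0] == "any":
        return 0, 0, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0xFFFFFFFF, tok[2:]
    return _ip(tok[0]), ~_ip(tok[1]) & 0xFFFFFFFF, tok[2:]


def _addr_matches(ip, spec):
    addr, care = spec
    return (_ip(ip) & care) == (addr & care)


def parse_acl(config, number):
    """Collect the entries of one numbered ACL from IOS config text, in order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        if number < 100:                  # standard: access-list N action source
            src_addr, src_care, rest = _parse_addr(tok[3:])
            entries.append(Entry(tok[2], "ip", (src_addr, src_care), None, tuple(rest)))
        else:                             # extended: access-list N action proto src dst [qual]
            src_addr, src_care, rest = _parse_addr(tok[4:])
            dst_addr, dst_care, rest = _parse_addr(rest)
            entries.append(Entry(tok[2], tok[3], (src_addr, src_care),
                                 (dst_addr, dst_care), tuple(rest)))
    return entries


def _qualifier_matches(e, pkt):
    if not e.qual:
        return True
    if e.proto == "icmp":                 # ICMP takes a type name such as "echo", never "eq"
        return pkt.icmp_type == e.qual[0]
    if e.qual[0] == "eq":                 # TCP/UDP: "eq <port>"
        return pkt.dport == int(e.qual[1])
    return False


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt; the first matching entry decides."""
    for e in entries:
        if e.proto in ("ip", pkt.proto) and _addr_matches(pkt.src, e.src) \
                and (e.dst is None or _addr_matches(pkt.dst, e.dst)) \
                and _qualifier_matches(e, pkt):
            return e.action
    return "deny"                         # implicit deny at the end of every ACL


# Constructed config text mirroring the thread (128.34.4.1 as the admin host is assumed).
JON_ACL = """access-list 112 deny icmp host 128.34.4.2 host 128.34.5.2 echo
access-list 112 permit tcp any any"""
KPLAB_ACL = """access-list 112 deny icmp host 128.34.4.2 host 128.34.5.2 echo
access-list 112 permit ip any any"""
SUBNET_ACL = """access-list 112 deny icmp 128.34.4.0 0.0.0.255 128.34.5.0 0.0.0.255 echo
access-list 112 permit ip any any"""
VTY_ACL = """access-list 2 permit host 128.34.4.1
access-list 2 deny any"""

if __name__ == "__main__":
    dns = Packet("udp", "128.34.4.2", "128.34.5.53", dport=53)
    print("DNS, Jon's ACL:  ", evaluate(parse_acl(JON_ACL, 112), dns))    # deny (implicit)
    print("DNS, kplab's ACL:", evaluate(parse_acl(KPLAB_ACL, 112), dns))  # permit
```

Running it shows the three points from the replies: a UDP packet from .4.2 falls through Jon's "permit tcp any any" to the implicit deny, while kplab's "permit ip any any" lets it through; an echo from .5.2 towards .4.2 is permitted by the thread's ACL because only the .4.2 to .5.2 direction is denied, which is Aubrey's point about needing a rule for the other direction; and the host-specific deny does nothing for a third workstation such as 128.34.4.9 unless the entry uses a wildcard mask that covers the subnet. The model only decides per entry and ignores where the ACL is applied (which interface, "in" or "out"), so on a real router the direction and placement of the "ip access-group" still have to match the traffic you want to catch.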

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.