Net330‐AccessListAssignment - ConnorEast/Tech-Journal GitHub Wiki

Set up STND-1 Access List

The following sets up an access list which is used to block 192.168.11.x addresses from accessing 192.168.30.10.

| CLI Section | CLI Command | Command Explanation |
| --- | --- | --- |
| R3(config) | `ip access-list standard STND-1` | Creates a standard access list named "STND-1". |
| R3(config-std-nacl) | `deny 192.168.11.0 0.0.0.255` | Inside the STND-1 configuration, denies traffic whose source address is in 192.168.11.0 through 192.168.11.255 (the wildcard mask 0.0.0.255 ignores the last octet). |
| R3(config-std-nacl) | `permit any` | Allows all traffic not matched by an earlier entry through the choke point. |
| R3(config) | `interface se0/0/0` | Enters configuration mode for the serial interface. |
| R3(config-if) | `ip access-group STND-1 in` | Applies the STND-1 access list to all incoming traffic on this interface. |
| R3# | `copy run start` | Saves the running configuration to the startup configuration so the changes survive a reload. |

Set up Extend-1 Access List

The following sets up an extended access list which denies a range of source IPs access to specific hosts.

| CLI Section | CLI Command | Explanation |
| --- | --- | --- |
| R1(config) | `ip access-list extended EXTEND-1` | Creates an extended access list named EXTEND-1. Extended lists can match on destination and protocol as well as source, allowing more specific deny rules. |
| R1(config-ext-nacl) | `deny ip 192.168.10.0 0.0.0.255 host 200.200.200.1` | Any and all traffic from any 192.168.10.X address should not be able to access host 200.200.200.1. |
| R1(config-ext-nacl) | `deny ip 192.168.10.0 0.0.0.255 host 200.200.200.2` | Any and all traffic from any 192.168.10.X address should not be able to access host 200.200.200.2. |
| R1(config-ext-nacl) | `permit ip any any` | Allows all IP traffic that is not matched by the deny entries above. |
| R1(config) | `interface se0/0/0` | Enters configuration mode for the serial interface. |
| R1(config-if) | `ip access-group EXTEND-1 out` | Applies the EXTEND-1 rule set to traffic leaving this interface. |

Disabling ISP to Server

The following sets up a blockade so external traffic being routed through the ISP cannot access specific internal servers.

| CLI Section | CLI Command | Explanation |
| --- | --- | --- |
| R1(config) | `ip access-list extended EXTEND-2` | |
| R1(config-ext-nacl) | `deny ip 200.200.200.0 0.0.0.255 host 192.168.20.210` | |
| R1(config-ext-nacl) | `permit ip any any` | |
| R1(config-ext-nacl) | `exit` | |
| R1(config) | `interface se0/2/0` | |
| R1(config-if) | `ip access-group EXTEND-2 in` | |

Disabling Non-HTTP traffic

The following only allows HTTP traffic to an internal web server.

| CLI Section | CLI Command | Explanation |
| --- | --- | --- |
| R1(config) | `ip access-list extended ALLOW-HTTP` | |
| R1(config-ext-nacl) | `permit tcp any host 192.168.20.201 eq 80` | |
| R1(config-ext-nacl) | `deny ip any any` | |
| R1(config-ext-nacl) | `exit` | |
| R1(config) | `int fa0/0` | |
| R1(config-if) | `ip access-group ALLOW-HTTP out` | |
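
To check what the EXTEND-1 and ALLOW-HTTP entries above will do before applying them, the following added example (not part of the original wiki page) models how a router evaluates an extended access list: wildcard-mask matching, first match wins, and an implicit deny when nothing matches. The function names are hypothetical, the parser handles only the entry forms that appear on this page, and the test packet is constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    kind = t.pop(0)
    if kind == "any":
        return ("0.0.0.0", "255.255.255.255")
    if kind == "host":
        return (t.pop(0), "0.0.0.0")
    return (kind, t.pop(0))

def parse_ace(line):
    """Parse the extended-ACL entry forms used on this page."""
    t = line.split()
    ace = {"action": t.pop(0), "proto": t.pop(0),
           "src": parse_addr(t), "dst": parse_addr(t)}
    ace["port"] = int(t[1]) if t[:1] == ["eq"] else None
    return ace

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

# Entries copied from the EXTEND-1 and ALLOW-HTTP tables on this page.
EXTEND_1 = [
    "deny ip 192.168.10.0 0.0.0.255 host 200.200.200.1",
    "deny ip 192.168.10.0 0.0.0.255 host 200.200.200.2",
    "permit ip any any",
]
ALLOW_HTTP = [
    "permit tcp any host 192.168.20.201 eq 80",
    "deny ip any any",
]

if __name__ == "__main__":
    print(evaluate(EXTEND_1, "tcp", "192.168.10.7", "200.200.200.1", 443))  # constructed packet -> deny
```

Removing the final `deny ip any any` from ALLOW_HTTP does not change any result, because the implicit deny already drops everything the permit entry does not match.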