MOUNTAIN SKY ACCESS CONTROL LISTS CONFIGURATION
- Access Control Lists (ACLs) let administrators add a layer of security to
their networks. An access list filters traffic based on source and destination
IP address (a single host, or a range expressed with a wildcard mask, where a 1
bit means "don't care", so 10.64.0.0 0.0.255.255 covers 10.64.0.0/16) and on
TCP and UDP port numbers. Entries are evaluated in order, the first match
decides, and a packet that matches no entry is dropped by the implicit deny at
the end of every list.
- For the Mountain Sky IP addressing scheme the Access Control Lists
would look like the following:
Access list on the router's interface Ethernet0 for VLAN1 (enterprise and
administrative servers)
#permit access from VLAN2 (teachers, administration and staff network) to VLAN1
MtnSky(config)#access-list 101 permit ip 10.64.0.0 0.0.255.255 any
#permit access from VLAN3 (curriculum computers network) to VLAN1 -
#E-mail/DNS server on TCP port 25 (SMTP)
MtnSky(config)#access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 25
#permit access from VLAN3 to VLAN1 - E-mail/DNS server on TCP port 53 (DNS)
MtnSky(config)#access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 53
#permit access from VLAN3 to VLAN1 - E-mail/DNS server on UDP port 53 (DNS)
MtnSky(config)#access-list 101 permit udp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 53
#permit access from VLAN3 to VLAN1 - E-mail/DNS server on TCP port 110 (POP3)
MtnSky(config)#access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 110
#permit access from VLAN3 to VLAN1 - Application server on any port
MtnSky(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 host 10.32.0.2
#deny any other traffic (this entry is implicit at the end of every ACL, but
#writing it out makes the policy explicit and lets "show access-lists" count
#the denied packets)
MtnSky(config)#access-list 101 deny ip any any
To apply this ACL to interface Ethernet0 (on VLAN1). It is applied outbound,
because the traffic being filtered (from VLAN2 and VLAN3 towards the VLAN1
servers) leaves the router through Ethernet0. Applied inbound, the list would
only ever see packets sourced from VLAN1 itself, none of which match a permit
entry, and all traffic from VLAN1 would be dropped:
MtnSky(config)#interface Ethernet0
MtnSky(config-if)#ip access-group 101 out
Access list on the router's interface Ethernet1 for VLAN2 (teachers,
administration and staff computers network)
#permit access from VLAN1 to VLAN2
MtnSky(config)#access-list 102 permit ip 10.32.0.0 0.0.255.255 any
#deny any other traffic (implicit, but written out for clarity); in particular
#this is what drops everything from VLAN3 towards VLAN2
MtnSky(config)#access-list 102 deny ip any any
To apply this ACL to interface Ethernet1 (on VLAN2), again outbound, since
traffic from VLAN1 to VLAN2 leaves the router through Ethernet1:
MtnSky(config)#interface Ethernet1
MtnSky(config-if)#ip access-group 102 out
Access list on the router's interface Ethernet2 for VLAN3 - VLAN48 (curriculum
network computers, all within 192.168.0.0 0.0.255.255)
#deny access from VLAN3 to VLAN2
MtnSky(config)#access-list 103 deny ip 192.168.0.0 0.0.255.255 10.64.0.0 0.0.255.255
#permit access from VLAN1 to VLAN3
MtnSky(config)#access-list 103 permit ip 10.32.0.0 0.0.255.255 any
#permit access from VLAN2 to VLAN3
MtnSky(config)#access-list 103 permit ip 10.64.0.0 0.0.255.255 any
#deny any other traffic (implicit, but written out for clarity)
MtnSky(config)#access-list 103 deny ip any any
To apply this ACL to interface Ethernet2 (on VLAN3):
MtnSky(config)#interface Ethernet2
MtnSky(config-if)#ip access-group 103 out
Note that the first entry of ACL 103 cannot match anything in the outbound
direction on Ethernet2: packets from VLAN3 to VLAN2 never leave through
Ethernet2, they leave through Ethernet1, where the "deny ip any any" of ACL 102
already drops them. The entry is harmless, but the real enforcement point for
the VLAN3-to-VLAN2 block is ACL 102.
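To check what a list like the ones above actually does before typing it into a router, the following small ACL evaluator is added here as an example; it is not Cisco code and not part of the original Mountain Sky configuration. It parses lines in the same `access-list N permit|deny proto src dst [eq port]` form used above, applies Cisco wildcard-mask matching and first-match / implicit-deny semantics, and runs ACL 101 against a few constructed packets. The `Packet` and `Entry` types, the `evaluate`, `parse_entry` and `demo` helpers, and every packet address and port in `demo()` are assumptions made for this example.

```python
"""Evaluate Cisco-style extended ACLs (first match wins, implicit deny).

Added example for this page, not Cisco code. The ACL text is ACL 101 from
the page; the packets and helper names are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, otherwise exact match
    src: str              # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str
    dport: Optional[int]  # port after "eq", if present


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care',
    so 10.64.0.0 0.0.255.255 is the same range as 10.64.0.0/16."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec.split()[1]))
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must agree
    return (int(ipaddress.IPv4Address(net)) & care) == (a & care)


def _take_addr(tokens: List[str]):
    """Consume one address specifier ("any", "host X" or "net wildcard")."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny proto src dst [eq port]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return Entry(action, proto, src, dst, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or 'deny' (implicit)."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not addr_matches(e.src, pkt.src) or not addr_matches(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# ACL 101 as written on this page (wildcard masks and "eq" keywords included).
ACL_101 = [parse_entry(line) for line in """
access-list 101 permit ip 10.64.0.0 0.0.255.255 any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 25
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 53
access-list 101 permit udp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 53
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 10.32.0.1 eq 110
access-list 101 permit ip 192.168.0.0 0.0.255.255 host 10.32.0.2
access-list 101 deny ip any any
""".strip().splitlines()]


def demo() -> dict:
    """Constructed packets (addresses/ports are assumptions for the example)."""
    cases = {
        "vlan3_smtp_to_mail":     Packet("tcp", "192.168.4.10", "10.32.0.1", 25),
        "vlan3_ssh_to_mail":      Packet("tcp", "192.168.4.10", "10.32.0.1", 22),
        "vlan3_any_to_appserver": Packet("udp", "192.168.4.10", "10.32.0.2", 5000),
        "vlan2_https_to_vlan1":   Packet("tcp", "10.64.1.1", "10.32.0.9", 443),
        "vlan3_ping_to_mail":     Packet("icmp", "192.168.4.10", "10.32.0.1"),
        # What Ethernet0 would see if the list were applied *inbound*:
        # a VLAN1-sourced DNS reply, which matches nothing but the final deny.
        "vlan1_dns_reply":        Packet("udp", "10.32.0.1", "192.168.4.10", 40000),
    }
    return {name: evaluate(ACL_101, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last case is the one worth looking at: every packet sourced from VLAN1 ends up at "deny ip any any", which is exactly why ACL 101 has to be applied outbound on Ethernet0 rather than inbound. Paste the other two lists into the same evaluator to check them before they go onto the router.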
- All of the above access control lists should be implemented only after the
MountainSky router has been configured (as explained in the other section).
- These ACLs are stateless: the router does not track connections, so the reply
half of every permitted conversation must also be permitted by the ACL on the
interface it leaves through. Replies from the VLAN1 servers to VLAN2 and VLAN3
are covered by the "permit ip 10.32.0.0 0.0.255.255 any" entries in ACLs 102
and 103. Replies from VLAN3 to VLAN2, however, are dropped by ACL 102, so the
"permit access from VLAN2 to VLAN3" entry in ACL 103 only carries one-way
traffic unless ACL 102 is extended to allow the return traffic (for TCP, an
entry with the "established" keyword is the usual way to do this).