Access Control List Part – 3

By this point we have created an ACL, and we know that each new access control entry (ACE) is appended below the existing entries. Here we are going to modify and manage ACLs.

[Figure: image002]

Let's say we have configured ACL 103 with some entries and a new requirement comes in to add one more entry. Since each entry is appended below the previously defined entries, the new rule can end up in the wrong place in the order.

[Figure: image004]

Now a new requirement arrives and we add another ACE, so the list becomes as shown below.

[Figure: image006]

Now this list is useless, because the latest ACE will never take effect (an earlier, broader entry matches first), so we have to put the list in the proper order to make it useful.

Approach – 1

The first approach Cisco suggests is to:

·       copy the entire ACL

·       paste it into Notepad

·       rearrange the rules

·       remove the ACL from the router

·       paste the rearranged ACL from Notepad into the router console

Question: What could happen when the running ACL that is attached to the interface is removed?

Answer: Nothing happens; the router simply ignores the reference, and the ACL stays attached to the interface. Keep in mind that until the ACL is recreated the interface is effectively unfiltered, so nothing is being denied during that window.

When we paste the rearranged ACL into the router console, it appears as follows.

[Figure: image008]

Caution: This approach could drop your SSH or Telnet session to the router, because the pasted entries (and the implicit deny at the end) take effect as soon as they are entered, so keep this in mind before doing it.

Approach – 2

Named ACL

Cisco also offers named ACLs, which remove the hurdles of numbered ACLs. There are two main benefits of a named ACL:

·       It makes the purpose of the ACL easier to understand by giving it a descriptive name

·       It assigns a sequence number to each ACE, which makes it simple to rearrange the ACEs and manage the entire ACL

The syntax difference between a numbered and a named ACL is:

·       access-list for a numbered ACL

·       ip access-list for a named ACL

[Figure: image010]

Configuring Named ACL

Now we are going to create the same ACL as before, but this time as a named ACL. It is important to know that ACL names are case-sensitive.

[Figure: image012]

Above we created the named ACL and displayed it. Notice that there is a gap of 10 between each ACE; these are the sequence numbers assigned to each ACE for managing the entries, and the gaps leave room to add more ACEs in between.

Now, if we want to create another entry and place it above number 50, we can easily do so by using any number between 41 and 49.

[Figure: image014]

See how we just assigned number 45 to the new ACE and it landed right in its place.

Now, for some reason, we decide to remove ACE number 20; we can easily do this as follows.

[Figure: image016]

Notice that the sequence now has a gap where ACE 20 was removed: it reads 10, 30, 40, 45, and 50. We can renumber it into a regular sequence by executing the resequence command.

We can apply this ACL to an interface just as we did with the previous ACLs.

[Figure: image018]

ACL for IPv6

The concept is the same for IPv4 and IPv6, but there is a syntax difference in configuring these two types of ACL.

In an IPv6 ACL there is no number assigned to the list at creation time, and there is no standard or extended keyword either. If you use the word host it is treated as a standard ACL, and if you specify a protocol it is treated as an extended ACL.

IPv6 ACL Configuration

[Figure: image020]

The above configuration denies Telnet connections for the specified host. It is important to remember that numbering is different in IPv6 and is done as follows.

[Figure: image022]

Notice that we used the sequence keyword instead of typing the number directly; in an IPv6 ACL the sequence number goes at the end of the ACE.

[Figure: image024]

The last step in ACL configuration is to apply the ACL to an interface, which is done as follows.

[Figure: image026]

Note: A maximum of four ACLs can be applied to an interface: two IPv4 (one inbound, one outbound) and two IPv6 (one inbound, one outbound).
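The named IPv4 ACL workflow from the previous section (sequence numbers, inserting at 45, removing 20, resequencing, applying) together with the IPv6 variant, as an added example that is not from the original post's figures; the ACL names, interface and addresses are assumed for illustration:

```cisco
! Added example (not the page's own figures): a named IPv4 ACL managed
! with sequence numbers, then an IPv6 ACL using the sequence keyword.
! Addresses come from the documentation ranges (192.0.2.0/24,
! 198.51.100.10, 2001:db8::/32); ACL and interface names are assumed.
Router(config)# ip access-list extended LAB-ACL
Router(config-ext-nacl)# deny tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 23
Router(config-ext-nacl)# permit tcp 192.0.2.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.0.2.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# permit icmp any any echo-reply
Router(config-ext-nacl)# permit ip any any
! IOS numbers these entries 10, 20, 30, 40, 50 automatically.
! A new deny must sit above "permit ip any any" (50) or it is shadowed,
! so give it an explicit sequence number between 41 and 49:
Router(config-ext-nacl)# 45 deny udp any any eq 69
! Remove the entry that was assigned sequence number 20:
Router(config-ext-nacl)# no 20
Router(config-ext-nacl)# exit
! Close the gap left by "no 20": renumber from 10 in steps of 10.
Router(config)# ip access-list resequence LAB-ACL 10 10
Router(config)# do show ip access-lists LAB-ACL
! Apply the ACL inbound on the LAN-facing interface.
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group LAB-ACL in
Router(config-if)# exit
! IPv6: no list number and no standard/extended keyword; the sequence
! number is written at the end of the ACE. This denies Telnet from one host.
Router(config)# ipv6 access-list LAB-ACL6
Router(config-ipv6-acl)# deny tcp host 2001:db8:1::10 any eq 23 sequence 10
Router(config-ipv6-acl)# permit ipv6 any any sequence 20
Router(config-ipv6-acl)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ipv6 traffic-filter LAB-ACL6 in
```

With both lists applied, the interface carries the four-ACL maximum mentioned in the note only if outbound IPv4 and IPv6 lists are added as well; here it has one inbound ACL per address family.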
