(8) ACL Implementation



Acacia Router - ACL Configuration

Router(config)# access-list 101 permit tcp host 10.42.110.1 any eq smtp
................. (when applied to pri0 incoming) denies the outside world all access except sending e-mail to the e-mail server

Router(config)# access-list 102 permit tcp any any eq domain
Router(config)# access-list 102 permit tcp any any eq smtp
Router(config)# access-list 102 permit tcp any any eq www
................. (when applied to pri0 outgoing) allows everyone in the school to use e-mail, DNS & http outside the school - all other services are denied

Router(config)# int pri0
Router(config-if)# ip access-group 101 in
Router(config-if)# ip access-group 102 out
................. APPLIES above access lists to pri0 (which connects to the outside world)

Router(config)# access-list 103 permit ip 10.42.111.0 0.0.0.255 10.42.112.0 0.0.0.255
Router(config)# access-list 103 permit ip 10.42.111.0 0.0.0.255 10.42.113.0 0.0.0.255
................. (when applied to e0 incoming) permits admin access to curriculum

Router(config)# int E0
Router(config-if)# ip access-group 103 in
................. APPLIES above access list to e0 (which connects to the admin section)

Router(config)# access-list 104 permit tcp 10.42.112.0 0.0.0.255 host 10.42.111.2 eq domain
Router(config)# access-list 104 permit tcp 10.42.112.0 0.0.0.255 host 10.42.111.2 eq smtp
Router(config)# access-list 104 permit tcp 10.42.112.0 0.0.0.255 host 10.42.111.2 eq www
Router(config)# access-list 104 permit tcp 10.42.112.0 0.0.0.255 host 10.42.111.2 eq ftp-data
Router(config)# access-list 104 deny ip 10.42.112.0 0.0.0.255 10.42.111.0 0.0.0.255
................. (when applied to e1 incoming) denies curriculum access to admin, BUT allows curriculum to access the services of the enterprise server (e-mail, DNS, application & library)
......................... NOTE: http was allowed because we have assumed the library information service is delivered over http.
......................... NOTE: ftp-data was allowed because we're not sure how else to allow applications to be downloaded - we have assumed that passwords can be used to prevent students from causing any damage.

Router(config)# int E1
Router(config-if)# ip access-group 104 in
................. APPLIES above access list to e1 (which connects to the curriculum section)

Router(config)# access-list 105 permit tcp 10.42.113.0 0.0.0.255 host 10.42.111.2 eq domain
Router(config)# access-list 105 permit tcp 10.42.113.0 0.0.0.255 host 10.42.111.2 eq smtp
Router(config)# access-list 105 permit tcp 10.42.113.0 0.0.0.255 host 10.42.111.2 eq www
Router(config)# access-list 105 permit tcp 10.42.113.0 0.0.0.255 host 10.42.111.2 eq ftp-data
Router(config)# access-list 105 deny ip 10.42.113.0 0.0.0.255 10.42.111.0 0.0.0.255
................. (when applied to e2 incoming) denies curriculum access to admin, BUT allows curriculum to access the services of the enterprise server (e-mail, DNS, application & library)

Router(config)# int E2
Router(config-if)# ip access-group 105 in
................. APPLIES above access list to e2 (which connects to the curriculum section)

*****Followed by all IPX ACLs, which are exactly the same as above but use access-list numbers 900-999
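To check what the lists above actually do before they are applied, here is a small first-match evaluator written for this page (it is not part of the original configuration). It models access-list 104 as entered above with constructed test packets from a curriculum host 10.42.112.5 and the public address 192.0.2.10, and shows the implicit deny that ends every Cisco ACL.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care" for that bit.
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)

# Constructed model of access-list 104 from the page:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ACL_104 = [
    ("permit", "tcp", "10.42.112.0", "0.0.0.255", "10.42.111.2", "0.0.0.0", 53),   # eq domain
    ("permit", "tcp", "10.42.112.0", "0.0.0.255", "10.42.111.2", "0.0.0.0", 25),   # eq smtp
    ("permit", "tcp", "10.42.112.0", "0.0.0.255", "10.42.111.2", "0.0.0.0", 80),   # eq www
    ("permit", "tcp", "10.42.112.0", "0.0.0.255", "10.42.111.2", "0.0.0.0", 20),   # eq ftp-data
    ("deny",   "ip",  "10.42.112.0", "0.0.0.255", "10.42.111.0", "0.0.0.255", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet, Cisco style: entries are
    tested top-down, the first match wins, and a packet that matches
    nothing hits the implicit 'deny any' at the end of the list."""
    for action, p, sb, sw, db, dw, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny

if __name__ == "__main__":
    # Constructed packets from a curriculum host 10.42.112.5
    checks = [
        ("tcp", "10.42.112.5", "10.42.111.2", 25),   # mail to the enterprise server
        ("tcp", "10.42.112.5", "10.42.111.9", 25),   # mail to another admin host
        ("udp", "10.42.112.5", "10.42.111.2", 53),   # DNS over UDP, not covered by a tcp entry
        ("tcp", "10.42.112.5", "192.0.2.10", 80),    # web outside the school
    ]
    for pkt in checks:
        print(pkt, "->", evaluate(ACL_104, *pkt))
```

Two things the run makes visible: ordinary DNS lookups use UDP port 53, so a tcp-only entry does not cover them, and because list 104 has no permit for destinations outside 10.42.111.2, the implicit deny on e1 inbound also drops curriculum traffic bound for the outside world before the outgoing list 102 on pri0 ever sees it.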
Security Policies/Purpose of ACLs:

The ACLs will be used to:


List of Routers with ACLs


Reasons for using ACLs

The ACLs have been placed as close to the source networks as possible, which is standard practice for extended access control lists. Furthermore, this is the only router in the school, and ACLs are essential for denying curriculum access to admin while permitting admin access to curriculum.