-------Standard numbered ACL---------------------
Deny all traffic from Server LAN to Mike

Server:
  #ping 10.2.2.1 -> it works
Bob:
  (config)#access-list 1 deny 192.168.1.0 0.0.0.255
  (config)#access-list 1 permit any
  #show access-lists -> observe index numbers
  (config)#int s0/2
  (config-if)#ip access-group 1 out
Server:
  #ping 10.2.2.1 -> Packet filtered by 10.1.1.2
Bob:
  #show access-lists -> observe matches
  (config)#int s0/2
  (config-if)#no ip access-group 1 out
Server:
  #ping 10.2.2.1 -> it works
-------------------------------------------------

-------Extended numbered ACL---------------------
Deny telnet traffic from Alice (10.1.1.1) to Mike (10.2.2.1)

Alice:
  #telnet 10.2.2.1 -> pass cisco -> it works
Bob:
  (config)#access-list 101 deny tcp host 10.1.1.1 host 10.2.2.1 eq telnet
  (config)#access-list 101 permit ip any any
  (config)#int s0/1
  (config-if)#ip access-group 101 in
  #show access-lists -> observe index numbers
Alice:
  #telnet 10.2.2.1 -> Destination unreachable
Bob:
  #show access-lists -> observe matches
  (config)#int s0/1
  (config-if)#no ip access-group 101 in
Alice:
  #telnet 10.2.2.1 -> pass cisco -> it works
---------------------------------------------

---------Numbered ACL on VTY-----------------
Permit telnet only from Server to Bob

Server:
  #telnet 10.1.1.2 -> it works
Alice:
  #telnet 10.1.1.2 -> it works
Bob:
  (config)#access-list 2 permit host 192.168.1.3
  (config)#line vty 0 4
  (config-line)#access-class 2 in
Server:
  #telnet 10.1.1.2 -> it works
Alice:
  #telnet 10.1.1.2 -> Connection refused by host
Bob:
  #show access-lists -> observe matches
  (config)#line vty 0 4
  (config-line)#no access-class 2 in
Alice:
  #telnet 10.1.1.2 -> it works
----------------------------------------------

-------------Named Standard ACL---------------
Deny traffic from Alice (192.168.1.1) to Bob (10.1.1.2)

Alice:
  #ping 10.1.1.2 source 192.168.1.1 -> it works
Bob:
  (config)#ip access-list standard std_acl
  (config-std-nacl)#deny host 192.168.1.1
  (config-std-nacl)#permit any
  (config)#int s0/1
  (config-if)#ip access-group std_acl in
Alice:
  #ping 10.1.1.2 source 192.168.1.1 -> unreachable
Bob:
  #show access-lists -> observe matches
  (config)#int s0/1
  (config-if)#no ip access-group std_acl in
Alice:
  #ping 10.1.1.2 source 192.168.1.1 -> it works
------------------------------------------------

---------------Named Extended ACL---------------
Block telnet traffic from Server to Mike (10.2.2.1)

Server:
  #telnet 10.2.2.1 -> it works
Bob:
  (config)#ip access-list extended ext_acl
  (config-ext-nacl)#deny tcp host 192.168.1.3 host 10.2.2.1 eq telnet
  (config-ext-nacl)#permit ip any any
  (config)#int s0/1
  (config-if)#ip access-group ext_acl in
Server:
  #telnet 10.2.2.1 -> Unable to connect
Bob:
  #show access-lists -> observe matches
------------------------------------------

--------------Edit Named ACL--------------
Add a rule to permit telnet from 192.168.1.0/24 to Mike (inserted with sequence number 5, so it is evaluated before the existing deny at 10)

Bob:
  (config)#ip access-list extended ext_acl
  (config-ext-nacl)#5 permit tcp 192.168.1.0 0.0.0.255 host 10.2.2.1 eq telnet
Server:
  #telnet 10.2.2.1 -> it works
Bob:
  #show access-lists
  (config)#int s0/1
  (config-if)#no ip access-group ext_acl in
-----------------------------------------------

Reload Bob

-----------AAA local database------------------
Alice:
  (config)#username student secret cisco2
  (config)#aaa new-model
  (config)#aaa authentication login default local-case
  (config)#line vty 0 4
  (config-line)#login authentication default
Mike:
  #telnet 10.1.1.1 -> requests username and password
------------------------------------------------

-------------Authentication Radius--------------
Alice:
  (config)#aaa new-model
  (config)#radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
  (config)#radius-server key cisco
  (config)#aaa authentication login radius-login group radius local-case
  (config)#line vty 0 4
  (config-line)#login authentication radius-login
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege -> 1
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege -> 1
----------------------------------------------------

------------Authorization Radius-------------------
Alice:
  (config)#aaa authorization exec default group radius if-authenticated
  (config)#aaa authorization commands 15 default group radius if-authenticated
  [the default list is automatically applied on all interfaces/lines]
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege -> 1
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege -> 15
----------------------------------------------------

---------------Accounting Radius-------------------
Alice:
  (config)#aaa accounting exec default start-stop group radius
  [the default list is automatically applied on all interfaces/lines]
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege -> 1
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege -> 15
  #conf t
Server:
  #less /var/log/freeradius/radacct/192.168.1.1/..
---------------------------------------------------

Reload Alice

------------Authentication Tacacs-------------------
Alice:
  (config)#aaa new-model
  (config)#tacacs-server host 192.168.1.3 single-connection
  (config)#tacacs-server key cisco
  (config)#aaa authentication login tacacs-login group tacacs+ local-case
  (config)#line vty 0 4
  (config-line)#login authentication tacacs-login
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege -> 1
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege -> 1
---------------------------------------------------

---------------Authorization Tacacs----------------
Alice:
  (config)#aaa authorization exec default group tacacs+
  (config)#aaa authorization commands 15 default group tacacs+
  [the default list is automatically applied on all interfaces/lines]
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege -> 1
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege -> 15
--------------------------------------------------

--------------Accounting Tacacs-------------------
Alice:
  (config)#aaa accounting exec default start-stop group tacacs+
  (config)#aaa accounting commands 1 default start-stop group tacacs+
  (config)#aaa accounting commands 15 default start-stop group tacacs+
  [the default list is automatically applied on all interfaces/lines]
Mike:
  #telnet 10.1.1.1 -> user student pass cisco
  #show privilege
  #telnet 10.1.1.1 -> user admin pass ciscocisco
  #show privilege
  #conf t
Server:
  #less /var/log/tac_plus.acct -> login and commands
--------------------------------------------------
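The ACL sections above rely on three rules that the router never spells out: entries are walked in sequence-number order, the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end. The following Python model is an added example written for this lab (it is not router code and not part of the original worksheet); it parses entries in the same syntax as the lab (`host`, wildcard masks, `any`, `eq telnet`) and replays the "Named Extended ACL" and "Edit Named ACL" steps to show why inserting `5 permit ...` ahead of the existing `10 deny ...` lets the Server's telnet through. The `Acl`, `parse_addr`, `addr_matches` and `edit_named_acl_demo` names are this example's own.

```python
"""Toy IOS-style ACL evaluator: sequence numbers, first match wins, implicit deny at the end.
Added example for this lab; it models the semantics and is not router code."""
import ipaddress

ANY = (0, 0xFFFFFFFF)                      # 0.0.0.0 with wildcard 255.255.255.255
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def addr_matches(spec, ip):
    """Wildcard bits set to 1 are 'don't care', so only the 0 bits are compared."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


class Acl:
    def __init__(self, kind, entries=()):
        self.kind = kind          # "standard" (source only) or "extended" (proto/src/dst/port)
        self.rules = {}           # sequence number -> rule
        for e in entries:
            self.add(e)

    def add(self, line):
        """Add one entry as typed in ip access-list mode; a leading number sets its sequence,
        otherwise IOS-style numbering (last + 10) is used."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else max(self.rules, default=0) + 10
        rule = {"text": " ".join(tokens), "proto": "ip", "dst": ANY, "dport": None, "matches": 0}
        rule["action"] = tokens.pop(0)                    # permit / deny
        if self.kind == "extended":
            rule["proto"] = tokens.pop(0)                 # ip / tcp / udp / icmp
        rule["src"] = parse_addr(tokens)
        if self.kind == "extended":
            rule["dst"] = parse_addr(tokens)
            if tokens and tokens[0] == "eq":
                tokens.pop(0)
                port = tokens.pop(0)
                rule["dport"] = PORT_NAMES.get(port) or int(port)
        self.rules[seq] = rule

    def evaluate(self, src, dst, proto="ip", dport=None):
        """Walk entries in sequence order; the first match decides; no match -> implicit deny."""
        for seq in sorted(self.rules):
            r = self.rules[seq]
            if r["proto"] not in ("ip", proto):
                continue
            if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
                continue
            if r["dport"] is not None and r["dport"] != dport:
                continue
            r["matches"] += 1                             # what 'show access-lists' counts
            return r["action"], seq
        return "deny", None

    def show(self):
        """Rough equivalent of 'show access-lists': entries with their hit counters."""
        out = []
        for seq in sorted(self.rules):
            r = self.rules[seq]
            hits = f" ({r['matches']} matches)" if r["matches"] else ""
            out.append(f"    {seq} {r['text']}{hits}")
        return "\n".join(out)


def edit_named_acl_demo():
    """Replays the 'Named Extended ACL' and 'Edit Named ACL' steps of the lab."""
    ext_acl = Acl("extended", ["deny tcp host 192.168.1.3 host 10.2.2.1 eq telnet",
                               "permit ip any any"])               # become seq 10 and 20
    before = ext_acl.evaluate("192.168.1.3", "10.2.2.1", "tcp", 23)  # Server telnet: deny by 10
    ext_acl.add("5 permit tcp 192.168.1.0 0.0.0.255 host 10.2.2.1 eq telnet")
    after = ext_acl.evaluate("192.168.1.3", "10.2.2.1", "tcp", 23)   # now permitted by 5
    return before, after, ext_acl


if __name__ == "__main__":
    before, after, acl = edit_named_acl_demo()
    print("before edit:", before, "after edit:", after)
    print(acl.show())
```

Running the demo returns `("deny", 10)` before the edit and `("permit", 5)` after it; a standard ACL built with only `deny 192.168.1.0 0.0.0.255` shows the implicit deny, since a packet from 10.1.1.1 returns `("deny", None)` until `permit any` is added.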
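The AAA sections (local database, RADIUS and TACACS+ authentication, authorization and accounting) all hinge on how IOS walks a method list: the next method is consulted only when the previous one could not answer (server unreachable), never when it answered with a reject. That is why `group radius local-case` does not let a user fall back to the local password when RADIUS says no, and why `if-authenticated` after `group radius` keeps exec authorization working when the server is down. The Python model below is an added example written for this lab, not router or server code; the credential tables are constructed stand-ins for the lab's `username student secret cisco2` entry and the RADIUS/TACACS+ user list (assumed to hold student at privilege 1 and admin at privilege 15, as the lab's `show privilege` results suggest), and the `login`, `run_method_list` and method function names are this example's own.

```python
"""Toy model of IOS AAA method-list evaluation. Added example for this lab, not router code."""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # method answered: accept
    FAIL = "fail"      # method answered: reject (final, no fallback to the next method)
    ERROR = "error"    # method could not answer (server unreachable): try the next method


# Constructed stand-ins for the lab's credential stores (not real server data).
LOCAL_USERS = {"student": "cisco2"}                                  # router's own database
RADIUS_USERS = {"student": ("cisco", 1), "admin": ("ciscocisco", 15)}  # (password, priv level)


def local_case(user, pw, ctx):
    """'local-case': case-sensitive lookup in the router's local user database."""
    return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL


def group_radius(user, pw, ctx):
    """'group radius' in a login list: ERROR only if the server does not respond."""
    if not ctx["radius_up"]:
        return Result.ERROR
    entry = RADIUS_USERS.get(user)
    if entry and entry[0] == pw:
        ctx["priv"] = entry[1]          # privilege level returned with the accept
        return Result.PASS
    return Result.FAIL


def group_radius_authz(user, pw, ctx):
    """'group radius' in an exec authorization list: needs the server to answer."""
    if not ctx["radius_up"]:
        return Result.ERROR
    return Result.PASS if user in RADIUS_USERS else Result.FAIL


def if_authenticated(user, pw, ctx):
    """'if-authenticated': authorization succeeds for any user who already logged in."""
    return Result.PASS if ctx.get("authenticated") else Result.FAIL


def run_method_list(methods, user, pw, ctx):
    """IOS semantics: move to the next method only on ERROR; PASS or FAIL is final."""
    for m in methods:
        r = m(user, pw, ctx)
        if r is not Result.ERROR:
            return r, m.__name__
    return Result.FAIL, "all-methods-errored"   # nothing answered: access denied


def login(user, pw, radius_up, auth_list=(group_radius, local_case),
          exec_list=(group_radius_authz, if_authenticated)):
    """Simulate a VTY login: authentication list first, then the exec authorization list.
    exec_list=() models a router with no 'aaa authorization exec' configured."""
    ctx = {"radius_up": radius_up, "priv": 1}
    denied = {"login": False, "auth_via": None, "authz_via": None, "priv": None}
    auth, via = run_method_list(auth_list, user, pw, ctx)
    if auth is not Result.PASS:
        return dict(denied, auth_via=via)
    ctx["authenticated"] = True
    if not exec_list:
        # Without exec authorization the server's privilege level is ignored: user lands at 1.
        return {"login": True, "auth_via": via, "authz_via": "none-configured", "priv": 1}
    authz, via2 = run_method_list(exec_list, user, pw, ctx)
    if authz is not Result.PASS:
        return dict(denied, auth_via=via, authz_via=via2)
    return {"login": True, "auth_via": via, "authz_via": via2, "priv": ctx["priv"]}


if __name__ == "__main__":
    print(login("admin", "ciscocisco", radius_up=True, exec_list=()))   # priv 1, as in the lab
    print(login("admin", "ciscocisco", radius_up=True))                 # priv 15 after authz
    print(login("student", "cisco2", radius_up=True))                   # RADIUS rejects: no fallback
    print(login("student", "cisco2", radius_up=False))                  # server down: local-case
```

The four calls in the `__main__` block reproduce the lab's observations (admin at privilege 1 before the authorization list exists, 15 after it) and add the two cases the worksheet does not show: the local password is useless while RADIUS is reachable, and with the server down the student still gets in through `local-case` while admin, who has no local entry, is refused.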