Configuring Extended ACLs Scenario 2

Personal

Uploaded by

Affan Virgostar
Packet Tracer - Configuring Extended ACLs - Scenario 2

Topology

[Topology figure not reproduced; surviving label: RIP V2]

Addressing Table
Device  Interface  IP Address      Subnet Mask       Default Gateway
R1      Fa0/0      172.22.34.65    255.255.255.224   N/A
R1      Fa1/0      172.22.34.97    255.255.255.224   N/A
R1      S2/0       172.20.10.1     255.255.255.252   N/A
R2      Fa0/0      172.22.34.1     255.255.255.224   N/A
R2      S2/0       172.20.10.2     255.255.255.252   N/A
R2      S3/0       172.20.20.1     255.255.255.252   N/A
R3      Fa0/0      172.22.34.129   255.255.255.224   N/A
R3      S2/0       172.20.20.2     255.255.255.252   N/A
Server  NIC        172.22.34.10    255.255.255.224   172.22.34.1
PC1     NIC        172.22.34.66    255.255.255.224   172.22.34.65
PC2     NIC        172.22.34.99    255.255.255.224   172.22.34.97
PC1     NIC        172.22.34.130   255.255.255.224   172.22.34.129
PC2     NIC        172.22.34.135   255.255.255.224   172.22.34.129

Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Configure, Apply and Verify an Extended Named ACL
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.


Background / Scenario
Two employees have no access to services provided by the server. PC1 and PC2 have no web access.

Part 1: Configure, Apply and Verify an Extended Numbered ACL


Step 1: Configure an ACL to deny www.
a. From global configuration mode on R1, enter the following command to determine the first valid number for an extended access list.
R1(config)# access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
b. Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
c. Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

d. Configure the destination address. In this scenario, we are filtering traffic for a single destination, the server. Enter the host keyword followed by the server's IP address.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.10 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  <cr>

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.10 eq ?



  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.10 eq www

Step 2: Apply the ACL on the correct interface to filter traffic.


From R1's perspective, the traffic that ACL 100 applies to is inbound from the network connected to the Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply the ACL.
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 100 in
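
The following is an added example, not part of the original lab: a small Python model of how ACL 100, exactly as entered in Step 1, is evaluated against packets arriving inbound on R1 Fa0/0. It shows the wildcard-mask match and the implicit deny that follows the single permit entry. The function names and the sample packets are constructed for illustration, and the parser handles only the one entry shape used on this page.

```python
import ipaddress

# Port keywords exactly as listed in the "eq ?" help output on this page.
PORT_NAMES = {"ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23, "www": 80}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse the single entry shape used in this lab:
    access-list N {permit|deny} tcp SRC WILDCARD host DST eq PORT"""
    t = line.split()
    if len(t) != 10 or (t[0], t[3], t[6], t[8]) != ("access-list", "tcp", "host", "eq"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if t[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {t[2]!r}")
    port = PORT_NAMES[t[9]] if t[9] in PORT_NAMES else int(t[9])
    return {"action": t[2], "proto": t[3], "src": t[4], "wild": t[5],
            "dst": t[7], "port": port}

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; if none matches, the implicit deny applies."""
    for ace in acl:
        if (proto == ace["proto"]
                and wildcard_match(src, ace["src"], ace["wild"])
                and dst == ace["dst"] and dport == ace["port"]):
            return ace["action"]
    return "deny (implicit)"

# ACL 100 as entered on R1 in Step 1 (the wrapped command joined onto one line).
ACL_100 = [parse_ace(
    "access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.10 eq www")]

# Constructed sample packets, as if arriving inbound on R1 Fa0/0.
SAMPLES = [
    ("tcp", "172.22.34.66", "172.22.34.10", 80),      # PC1 -> Server, HTTP
    ("tcp", "172.22.34.66", "172.22.34.10", 21),      # PC1 -> Server, FTP
    ("icmp", "172.22.34.66", "172.22.34.10", None),   # PC1 pings Server
    ("tcp", "172.22.34.66", "172.22.34.129", 80),     # PC1 -> R3 Fa0/0, HTTP
    ("tcp", "172.22.34.99", "172.22.34.10", 80),      # source outside 172.22.34.64/27
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(ACL_100, *pkt))
```

Only the first sample is permitted. Once the list is applied with ip access-group 100 in, every other packet from that LAN, including pings to the server, falls through to the implicit deny.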
