
Publication record: https://www.researchgate.net/publication/304627953 (Article, May 2016). Authors: Shipra Suman and Aditi Agrawal, Sam Higginbottom University of Agriculture, Technology and Sciences. The file was uploaded by Shipra Suman on 30 June 2016.


ISSN: 2278 – 7798
International Journal of Science, Engineering and Technology Research (IJSETR)
Volume 5, Issue 5, May 2016

IP Traffic Management With Access Control List Using Cisco Packet Tracer
Shipra Suman, Er. Aditi Agrawal

Abstract— An Access Control List (ACL) is a set of commands grouped together to filter the traffic that enters and leaves an interface. The ACL commands allow the administrator to deny or permit traffic that enters the interface. ACLs also perform other tasks such as restricting telnet, filtering routing information and prioritizing WAN traffic with queuing. A wildcard mask allows a range of addresses to be matched in the ACL statements. A router makes two references to ACLs, numbered and named. These references support two types of filtering, standard and extended. In this paper we have analyzed and simulated the network using a Standard ACL and an Extended ACL. The configuration is done using Cisco Packet Tracer.

Index Terms- ACL, Telnet, Wildcard Mask, Standard ACL, Extended ACL, Packet Tracer

I. INTRODUCTION

Cisco provides Access Control Lists (ACLs) to control the flow of traffic from one interface to the other in the network. ACLs also perform other tasks such as restricting telnet, filtering routing information and prioritizing WAN traffic with queuing [7]. A wildcard mask allows a range of addresses to be matched in the ACL statements. A router makes two references to ACLs, numbered and named. These references support two types of filtering, standard and extended [5]. The ACL statements are configured first and then they are activated.

In a single ACL number a maximum of 16000 statements can be created. If we add one statement later, it gets added at the bottom of all the statements. The router reads an ACL from top to bottom. If a single ACL is removed, then all the ACLs created get removed. The benefits of ACLs are as follows:
a. Reduce network traffic and increase network performance.
b. Control the flow of traffic.
c. Take a decision as required.

In this paper a Standard ACL and an Extended ACL are analyzed and simulated using Cisco Packet Tracer.

II. ACCESS CONTROL LIST

An ACL is created in the global configuration mode. After creating the basic group of ACL commands, we need to activate them [6]. In order to filter traffic between interfaces, the ACL needs to be activated in Interface Subconfiguration Mode [7]. Thus the direction of filtering the traffic is classified into:
a. Inbound: The traffic is filtered as it enters the interface. If the ACL is set as inbound, the router compares the incoming packet with the interface ACL before the packet leaves the interface.
b. Outbound: The traffic is filtered as it leaves the interface. If the ACL is set as outbound, the router forwards the received packet to the exit interface, where the packet is compared with the interface ACL.

ACLs are of two types:
a. Numbered ACL: A unique number is assigned to each ACL.
b. Named ACL: A unique name is assigned to each ACL.

ACLs support the following types:
a. Standard ACL: The ACL is applied on the destination router. It permits or denies the packet on the basis of source addresses only.
b. Extended ACL: The ACL is applied on the source router. It permits or denies the packet on the basis of source as well as destination addresses.

If a single host is to be permitted or denied into a network, the syntax is:

permit/deny <source IP address> <wildcard mask>
or
permit/deny host <source IP address>

e.g. permit/deny 192.168.10.10 0.0.0.255
or
permit/deny host 192.168.10.10

If a single network is to be permitted or denied into a network, the syntax is:

permit/deny <Network ID> <wildcard mask>

e.g. permit/deny 192.168.10.0 0.0.0.255

If the whole network is to be permitted or denied, the syntax is:

permit/deny 255.255.255.255 255.255.255.255
or

All Rights Reserved © 2016 IJSETR

permit/deny any any

III. WILDCARD MASKING

Wildcard masks are used for matching a range of IP addresses in an ACL instead of entering each address manually. Wildcards are also used with access lists to specify a host, a network or a range of addresses. A wildcard mask is similar to an inverted subnet mask [2]. In order to match the IP address of a packet with an ACL statement, a wildcard is created by inverting the bit values of the subnet mask. Table 1 shows the subnet mask and wildcard mask of Class A, B and C IP addresses.

Table 1. Subnet Mask and Wildcard Mask of Class A, B and C IP addresses

CLASS   SUBNET MASK      WILDCARD MASK
A       255.0.0.0        0.255.255.255
B       255.255.0.0      0.0.255.255
C       255.255.255.0    0.0.0.255

IV. CONFIGURING ACL

The following guidelines have to be followed to configure an ACL. The “access-list” command is used to create an ACL. The syntax to create an ACL is:

access-list <ACL_#> permit/deny conditions

where,
• ACL_# - groups statements into a single list.
• permit/deny - specifies the action to be performed.
• conditions - specifies which packets need to match for the router to execute the action.

After creating the ACL, it has to be applied to a process in the IOS. In order to activate the ACL on an interface, the following syntax is followed:

interface type slot_#/port_#
ip access-group ACL_# in/out

where,
• in/out – specifies the direction of the traffic, whether it is inbound or outbound.

V. STANDARD ACL

Standard ACLs filter on the source IP address in an IP packet. They are also used to restrict telnet access to the router. ACL numbers for standard ACLs range from 1 to 99 and from 1300 to 1999. An entry can be created in a standard numbered IP ACL by using the access-list command [5]-[7]. The syntax of this command is:

access-list <ACL_#> <permit/deny> <source_IP address> <wildcard mask>

where,
• source_IP address – specifies the IP address of the source.

After creating the standard ACL, it must be activated on the router's interface. The ip access-group command activates the ACL on the interface. The following steps are followed to activate a standard numbered ACL:
i. Log into the router.
ii. Switch to privileged mode.
iii. Switch to configuration mode.
iv. Type interface type slot/port to configure the router's port.
v. Type ip access-group ACL_# in/out to activate the standard numbered ACL on the configured interface.

e.g.
access-list 10 deny host 192.168.20.2
access-list 10 permit 192.168.20.0 0.0.0.255
interface fast 0/0
ip access-group 10 out

Figure 1 shows how to specify or place a standard ACL in a network.

Figure 1. Standard ACL

VI. EXTENDED ACL

Extended ACLs are more flexible than standard ACLs [7]. Unlike standard ACLs, extended ACLs filter on the source and destination IP address, on IP protocols such as IP, TCP, UDP and ICMP, and on protocol information such as the port number. The access-list command is used to configure an extended ACL. ACL numbers for extended ACLs range from 100 to 199 and from 2000 to 2699 [5]. The syntax to configure an extended ACL is:

access-list <ACL_#> <permit/deny> <IP protocol> <source IP address> <wildcard mask> <destination IP address> <wildcard mask> <operator> <port_#/name>

where,
• IP protocol – specifies the IP protocol to be matched, such as UDP, IGRP, EIGRP and IGMP.
• operator – Table 2 shows the operators for TCP and UDP connections [5].


• port_#/name – specifies the TCP/UDP port names or numbers. Tables 3 and 4 show TCP and UDP port names and numbers respectively [5].

Table 2. Operators for TCP and UDP Connections

Operator   Description
lt         Less than
gt         Greater than
neq        Not equal to
eq         Equal to
range      Range of port numbers

Table 3. TCP Port Names and Numbers

Name          Command Parameter   Number
FTP Data      ftp-data            20
FTP Control   ftp                 21
Telnet        telnet              23
SMTP          smtp                25
WWW           www                 80

Table 4. UDP Port Names and Numbers

Name          Command Parameter   Number
DNS Query     dns                 53
TFTP          tftp                69
SNMP          snmp                161
IP RIP        rip                 520

Figure 2 shows how to specify or place an extended ACL in a network.

Figure 2. Extended ACL

VII. CONFIGURATION USING CISCO PACKET TRACER SIMULATOR

A virtual networking model comprising Cisco routers was developed using the Cisco Packet Tracer simulator, as shown in figure 3 [1].

Networking Model Algorithm:

In this network model we have implemented the Routing Information Protocol. We have used components such as routers and switches, and made the physical connections using copper straight-through cables for the fast ethernet ports and serial DCE cables for the serial ports [4].

Figure 3. Networking Model in Cisco Packet Tracer

The algorithms for the Standard ACL as well as the Extended ACL are discussed below:

A. Standard ACL:

The first step is to configure the Cisco routers. The configuration of Router0 using the RIP protocol is as follows:

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s2/0
Router(config-if)#ip add 192.168.10.1 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
Router(config-if)#int f0/0
Router(config-if)#ip add 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#router rip
Router(config-router)#network 192.168.10.0
Router(config-router)#network 192.168.20.0


Router(config-router)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#write memory
Building configuration...
[OK]

The configuration of Router1 using the RIP protocol is as follows:

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s2/0
Router(config-if)#ip add 192.168.10.2 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
Router(config-if)#int f0/0
Router(config-if)#ip add 192.168.30.1 255.255.255.0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#router rip
Router(config-router)#network 192.168.10.0
Router(config-router)#network 192.168.30.0
Router(config-router)#exit
Router(config)#access-list 10 deny host 192.168.20.2
Router(config)#access-list 10 permit 192.168.20.0 0.0.0.255
Router(config)#interface fast 0/0
Router(config-if)#ip access-group 10 out
Router(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#write memory
Building configuration...
[OK]
Router#

Configuration of PC:
Figure 4 shows the configuration of PC0.

Figure 4. Configuring PC0

B. Extended ACL:

As for the standard ACL, first the routers are configured and then the extended numbered ACL is configured. Figure 5 shows the network model for the extended ACL.

Figure 5. Extended ACL

The configuration of Router0 using the RIP protocol is as follows:

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s2/0
Router(config-if)#ip add 10.10.10.1 255.0.0.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
Router(config-if)#int f0/0
Router(config-if)#ip add 20.20.20.1 255.0.0.0
Router(config-if)#no shutdown


%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 20.0.0.0
Router(config-router)#exit
Router(config)#access-list 101 deny tcp host 20.20.20.2 10.10.10.2 0.255.255.255 eq telnet
Router(config)#access-list 101 permit tcp 20.0.0.0 0.255.255.255 10.10.10.2 0.255.255.255 eq telnet
Router(config)#access-list 101 permit ip any any
Router(config)#int f0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

The configuration of Router1 using the RIP protocol is as follows:

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s2/0
Router(config-if)#ip add 10.10.10.2 255.0.0.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
Router(config-if)#int f0/0
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
ip add 30.30.30.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 30.0.0.0
Router(config-router)#line vty 0 4
Router(config-line)#password 1234
Router(config-line)#login
Router(config-line)#exit
Router(config)#enable secret qwerty
Router(config)#

Verify the Telnet access:

Figure 6 shows that when the host PC1, connected to Router0, tries to telnet to the serial port connected to Router1, the access-list permits the host's packets to be routed.

Figure 6. Router0 host can Telnet Router1

Figure 7 shows that when the host PC0, connected to Router0, tries to telnet to the serial port connected to Router1, the access-list denies routing of the host's packets.

Figure 7. Router0 can't Telnet Router1

VIII. CONCLUSION AND FUTURE SCOPE

This paper shows the configuration of a standard ACL and an extended ACL on the router. Standard ACLs create filters based on source addresses only and are used for server-based filtering, whereas extended ACLs provide more security by creating filters based on source addresses as well as destination addresses, protocol and port number. The extended ACL in this paper used the TCP/IP protocol. The Routing Information Protocol (RIP) is used for routing the packets.

In future work, more IP protocols such as UDP, ICMP and IP can be used in extended ACLs. Apart from the RIP routing protocol, the EIGRP, OSPF and BGP routing protocols can be used for routing packets.
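The filtering rules of sections III to VI applied to the two access-lists configured in section VII, as an added example that is not code from the paper or from Cisco: a small Python evaluator that parses the paper's access-list 10 and access-list 101, matches addresses with wildcard masks as in Table 1, supports the operators of Table 2 and the port names of Tables 3 and 4, walks the list top to bottom taking the first match, and falls through to the implicit deny. All function and variable names are my own; the two ACL texts are copied from the router configurations above.

```python
import ipaddress  # added example, not from the paper; the two ACLs below are copied from its configs
ACL_10 = """access-list 10 deny host 192.168.20.2
access-list 10 permit 192.168.20.0 0.0.0.255"""             # standard ACL, Router1 f0/0 out
ACL_101 = """access-list 101 deny tcp host 20.20.20.2 10.10.10.2 0.255.255.255 eq telnet
access-list 101 permit tcp 20.0.0.0 0.255.255.255 10.10.10.2 0.255.255.255 eq telnet
access-list 101 permit ip any any"""                        # extended ACL, Router0 f0/0 in
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,   # Tables 3 and 4
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}
OPS = {"lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a, "eq": lambda p, a, b: p == a,
       "neq": lambda p, a, b: p != a, "range": lambda p, a, b: a <= p <= b}       # Table 2
ANY = ("0.0.0.0", "255.255.255.255")                        # what the keyword 'any' expands to

def wildcard_from_mask(subnet_mask):
    """Table 1: the wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))))

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'do not care'; only the 0 bits must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _take_addr(tokens):
    t = tokens.pop(0)                        # 'any', 'host A' (wildcard 0.0.0.0) or 'A WILDCARD'
    if t == "any":
        return ANY
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def parse_acl(text):
    """Return (action, protocol, src, dst, port_test) tuples in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source address only
            entries.append((action, "ip", _take_addr(rest), ANY, None))
            continue
        proto = rest.pop(0)                                # extended ACL: proto src dst [op port]
        src, dst, port = _take_addr(rest), _take_addr(rest), None
        if rest:
            first = PORT_NAMES.get(rest[1]) or int(rest[1])
            port = (rest[0], first, int(rest[2]) if rest[0] == "range" else None)
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None):
    """Router behaviour: top to bottom, first matching statement wins; no match is deny."""
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if port and (dport is None or not OPS[port[0]](dport, port[1], port[2])):
            continue
        return action
    return "deny"                                          # the implicit 'deny any' at the end
```

Running evaluate(parse_acl(ACL_101), "20.20.20.2", "10.10.10.2", "tcp", 23) gives "deny" and the same call for 20.20.20.3 gives "permit", which is the PC0/PC1 behaviour of figures 6 and 7; note also that a wildcard of 0.0.0.255 matches a whole /24, so a single host must be written with host or a 0.0.0.0 wildcard.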


REFERENCES

[1] Pritesh K. Jain, Manoj Sindhwani, S. Sachdeva, “Comparative Study of Routing Protocols with Subnetting Implementation in Cisco Packet Tracer”, International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 4, No. 12, Dec. 2014.
[2] S. Pozo, A.J. Varela-Vaca, and R.M. Gasca, “A quadratic, complete, and minimal consistency diagnosis process for firewall ACLs”, Advanced Information Networking and Applications (AINA), 24th IEEE International Conference, pages 1037-1046, April 2010.
[3] David E. Taylor, “Survey and taxonomy of packet classification techniques”, ACM Computing Surveys, Vol. 37, No. 3, 2005, pages 238-275.
[4] A. Velte and T. Velte, “Cisco: A Beginner’s Guide”, McGraw-Hill Inc., 3rd edition, 2004.
[5] Cisco Systems Inc., http://www.cisco.com
[6] Sharat Kaushik, Anita Tomar, Poonam, “Access Control List Implementation in a Private Network”, International Journal of Information & Computation Technology, Vol. 4, No. 14, 2014, pp. 1361-1366.
[7] Todd Lammle, Cisco Certified Network Associate Study Guide, Seventh Edition, Wiley Publishing, Inc., 2011.

Shipra Suman, PG Student, Department of Electronics and Communication Engineering, SHIATS, Allahabad, India

Er. Aditi Agrawal, Assistant Professor, Department of Electronics and Communication Engineering, SHIATS, Allahabad, India
