Computer System Engineering Department ENCS413 Network Lab Access List

This document summarizes a student's network lab report on access lists. The student defines access control lists and explains why they are used to provide basic network security and traffic flow control. The student also describes the different types of access lists - standard and extended IP access lists - and provides configuration examples. The lab tasks covered restricting access between devices on different subnets and allowing/denying specific traffic types.


Computer System Engineering Department
ENCS413 Network Lab
Access List

Student Name & ID: Amna Srour 1131074

Instructor: Iyad Tumar
Date: 26-11-2018
Eng: Ahmad Dar Khalil
What is the meaning of access list?
The technical name for an access list is Access Control List (ACL).
The individual entries in an access control list are called access
control entries (ACEs).
Access lists filter network traffic by controlling whether routed
packets are forwarded or blocked at the router's interfaces. The
router examines each packet and, based on the criteria specified in
the access lists, decides whether to forward or drop it.
ACLs are a network filter used by routers and some switches to
permit and restrict data flows into and out of network interfaces.
When an ACL is configured on an interface, the network device
analyzes the data passing through the interface, compares it to the
criteria described in the ACL, and either permits the data to flow or
blocks it.
Why do we use access lists?
There are a variety of reasons we use ACLs. The primary reason is
to provide a basic level of security for the network. ACLs are not
as complex and do not give the depth of protection of stateful
firewalls, but they do provide protection on high-speed interfaces
where line-rate speed is important and firewalls may be restrictive.
ACLs are also used to restrict routing updates from network peers and
can be instrumental in defining flow control for network traffic.

Types of Access Lists:


1. Standard IP Access List
Standard access lists create filters based on source addresses and
are used for server-based filtering. Address-based access lists
distinguish the routes on a network you want to control by their
network address (IP). Address-based access lists consist of a list of
addresses or address ranges and a statement as to whether access to
or from each address is permitted or denied.
Standard IP lists (1-99) only check the source addresses of IP
packets.
Configuration Syntax

access-list access-list-number {permit | deny} source [source-wildcard]

Apply the ACL to an interface:

ip access-group access-list-number {in | out}

2. Extended IP Access List

Extended access lists create filters based on source addresses,
destination addresses, protocol, port number and other features, and
are used for packet-based filtering of packets that traverse the
network.
Extended IP lists (100-199) check both source and destination
addresses, specific TCP/UDP/IP protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [eq destination-port]

Procedure:
At the beginning of the lab lecture we built this first topology:

First, we assigned an IP address to each PC as shown in the table below:

Device   IP address     Gateway
PC0      192.168.10.2   192.168.10.1
PC1      192.168.10.3   192.168.10.1
PC2      192.168.20.2   192.168.20.1
PC3      192.168.20.3   192.168.20.1

Then we configured the routers and set up routing using RIP:
On R0:

Router>en
Router#conf t
Router(config)#int f0/0
Router(config-if)#ip add 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f1/0
Router(config-if)#ip add 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 192.168.10.0
Router(config-router)#network 192.168.20.0

Then we solved the tasks:

Task 1. Prevent PC0 from accessing network 192.168.20.0/24 using
standard ACLs.
First, we need to create an access list that denies PC0, using the
following commands (a standard ACL takes an ID from 1 to 99):

Router0(config)#access-list 10 deny host 192.168.10.2
Router0(config)#access-list 10 permit any


The command access-list 10 permit any is needed because there is an
implicit deny-all clause at the end of every ACL: anything that is not
explicitly permitted is denied. Then you have to apply the ACL to an
interface, in our case fa1/0, using these commands:

Router0(config)#int fa1/0
Router0(config-if)#ip access-group 10 in

Then we try to ping any PC in network 192.168.20.0 from PC0; the ping
fails.

Example:

Task 2. Allow just PC0 to access network 192.168.20.0/24 using
standard ACLs.

Task 3. Using standard ACLs, prevent network 192.168.10.0 from
accessing network 192.168.20.0 only (use the wildcard, not the 'any'
option).

Task 4. Using extended ACLs, prevent PC0 from accessing PC2 (all
other traffic is allowed).
First of all, we must remove the previous access list with
no access-list 10; then we create an access list that denies PC0, as
follows (an extended ACL takes an ID from 100 to 199):

Router0(config)#no access-list 10
Router0(config)#access-list 101 deny ip host 192.168.10.2 host 192.168.20.2
Router0(config)#access-list 101 permit ip any any

The command access-list 101 permit ip any any is needed because there
is an implicit deny-all clause at the end of every ACL: anything that is
not explicitly permitted is denied.

Then we have to apply the ACL to an interface, in our case fa1/0, using these commands:

Router0(config)#int fa1/0
Router0(config-if)#no ip access-group 10 in
Router0(config-if)#ip access-group 101 in

The command no ip access-group 10 in removes the previous access list
from the interface, and the command ip access-group 101 in assigns the
new one.
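As an added example (not code from the lab report), the following Python model shows how a router evaluates the numbered ACLs described in the two Configuration Syntax sections and entered in Task 1 and Task 4: wildcard-mask matching, the host/any shorthands, the standard (1-99) versus extended (100-199) split, first-match order, and the implicit deny-all at the end of every list. Only lists 10 and 101 are taken from the report; the parser, the Entry and Packet types, the PORT_NAMES table and the lists numbered 20 and 102 are constructed here to illustrate the wildcard and eq syntax from the text.

```python
"""Toy first-match evaluator for Cisco-style numbered IP access lists.
Added example, not from the lab report. Named ACLs, `established`, `log`
and other IOS options are deliberately not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the well-known port names IOS accepts after `eq`.
PORT_NAMES = {"www": 80, "telnet": 23}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches everything; "tcp"/"udp"/"icmp" are exact
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard lists never look at the destination,
    dst_wc: str = "255.255.255.255"  # so the default destination is "any"
    dport: Optional[int] = None      # destination port from "eq <port>", if present


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "icmp"           # constructed test traffic: a ping unless stated otherwise
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse `any`, `host A` or `A WILDCARD` at tokens[i]; return (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1      # IOS default wildcard for a bare standard-list source


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one `access-list N permit|deny ...` line into (list number, Entry)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a supported access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                       # standard: source only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc)
    if 100 <= number <= 199:                    # extended: protocol source destination [eq port]
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return number, Entry(action, t[3], src, src_wc, dst, dst_wc, dport)
    raise ValueError(f"unsupported access-list number {number}")


def build_acls(config_lines: List[str]) -> Dict[int, List[Entry]]:
    """Group entries by list number, keeping the order in which they were entered."""
    acls: Dict[int, List[Entry]] = {}
    for line in config_lines:
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Return "permit" or "deny": the first matching entry wins; no match is an implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"                               # the implicit deny-all at the end of every ACL


# Lists 10 and 101 are the report's Task 1 and Task 4 entries. Lists 20 and 102 are
# constructed: 20 matches a whole /24 with a wildcard, 102 matches one TCP port.
LAB_CONFIG = [
    "access-list 10 deny host 192.168.10.2",
    "access-list 10 permit any",
    "access-list 101 deny ip host 192.168.10.2 host 192.168.20.2",
    "access-list 101 permit ip any any",
    "access-list 20 deny 192.168.10.0 0.0.0.255",                                 # constructed
    "access-list 20 permit any",                                                  # constructed
    "access-list 102 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.2 eq www",   # constructed
    "access-list 102 permit ip any any",                                          # constructed
]
PC0, PC1, PC2, PC3 = "192.168.10.2", "192.168.10.3", "192.168.20.2", "192.168.20.3"


def lab_decisions() -> Dict[str, str]:
    """Evaluate constructed test traffic (the lab's PC addresses) against each list."""
    acls = build_acls(LAB_CONFIG)
    return {
        "acl10 PC0->PC2": evaluate(acls[10], Packet(PC0, PC2)),
        "acl10 PC1->PC2": evaluate(acls[10], Packet(PC1, PC2)),
        "acl101 PC0->PC2": evaluate(acls[101], Packet(PC0, PC2)),
        "acl101 PC0->PC3": evaluate(acls[101], Packet(PC0, PC3)),
        "acl20 PC1->PC3": evaluate(acls[20], Packet(PC1, PC3)),
        "acl102 PC0->PC2 http": evaluate(acls[102], Packet(PC0, PC2, "tcp", 80)),
        "acl102 PC0->PC2 https": evaluate(acls[102], Packet(PC0, PC2, "tcp", 443)),
        "deny-only list, other host": evaluate(acls[10][:1], Packet(PC1, PC2)),  # implicit deny
    }


if __name__ == "__main__":
    for case, verdict in lab_decisions().items():
        print(f"{case:30} {verdict}")
```

The last case is the reason Task 1 and Task 4 both end with a permit-everything entry: with only the deny entry in list 10, PC1's traffic matches nothing and is dropped by the implicit deny. The model knows nothing about interfaces or direction; in the lab the list is applied with `ip access-group ... in` on fa1/0, so it only ever sees packets entering the router from the 192.168.10.0 LAN.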

Task 5. Using extended ACLs, allow PC0 to access PC2 (all other
traffic is not allowed).

Task 6. Using extended ACLs, deny PC0 from making HTTP requests to
PC2 (all other traffic is allowed).

Task 7. We updated the topology as follows:

Task 9. Make RIP routing on both routers and make sure that you can
ping all the PCs.
On R1:

Router>en
Router#conf t
Router(config)#int f0/0
Router(config-if)#ip add 192.168.30.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int se2/0
Router(config-if)#ip add 192.168.40.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 192.168.30.0
Router(config-router)#network 192.168.40.0


On R0, add the new networks:

Router>en
Router#conf t
Router(config)#int f0/0
Router(config-if)#ip add 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f1/0
Router(config-if)#ip add 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 192.168.10.0
Router(config-router)#network 192.168.20.0
Router(config-router)#network 192.168.40.0

Task 9. Using extended ACLs, prevent PC0 from accessing PC4 (all
other traffic is allowed). We put the rule in Router1.

Task 10. Using standard ACLs, prevent PC0 from accessing PC4 (all
other traffic is allowed). We put the rule.

11. [Homework]: Enable telnet on Router1, then deny all hosts from
telnetting to interface se2/0 of Router1 except PC0, which can telnet
to any interface. [Try to minimize the traffic on the serial line as
much as possible.] All other traffic should be allowed.

Conclusion
In this access list lab, we have seen that we can prevent a specific
host or a whole network from accessing a specific host or network,
whether by ping request or by telnet remote access, which helps us
control the network and make it efficient.
