Lab Worksheet 7: Basic Access Control List

This lab worksheet teaches how to configure basic network security using access control lists (ACLs). Students will apply both standard and extended ACLs to filter traffic between routers and switches. Standard ACLs filter based on source IP address and will be applied close to the destination. An example denies traffic from 192.168.yy.0/24 to router R3. Extended ACLs filter on protocols, source/destination addresses and ports, requiring greater granularity. An extended ACL on router R1 denies traffic from 192.168.xx.0/24 to the host 209.165.200.225, but permits all other traffic. Students test connectivity before and after applying each ACL and verify matching

Uploaded by Cj Llemos

Lab Worksheet 7

Basic Access Control List

I. Objective
In this lab, you will learn how to configure basic network security using Access Control Lists.
You will apply both standard and extended ACLs.

II. Discussion of the Theory

One of the simplest ways of controlling the traffic in and out of a Cisco device is by using an
access list (ACL). These lists are generally composed of a permit or deny action that is configured to
affect those packets that are allowed to pass or be dropped.

The ACL is one of the most basic building blocks learned first when venturing into Cisco
device configuration. Once the basic structure and logic of these ACLs is understood, they are not
particularly hard to configure.

There are several different types of ACL that are defined by either the ACL number or by the
syntax used to define the ACL when using named ACLs. The table displays a list of the most
commonly used ACL numbers and their associated ACL type.

Protocol Range
Standard IP 1–99 and 1300–1999
Extended IP 100–199 and 2000–2699

Both standard and extended IP access lists do nothing without being applied to a specific
interface. When being applied, the access list is configured in a specific direction from the perspective
of the interface with the options of coming into the interface (in) or going out of the interface (out). The
general rule when applying access lists is to apply standard IP access lists as close to the destination
as possible and to apply extended access lists as close to the source as possible. The reasoning for
this rule is that standard access lists lack granularity, so they are best placed as close to the
destination as possible, whereas extended access lists offer more granularity and are therefore better
placed close to the source.

III. Lab Exercise

Topology Diagram

Task 1: Prepare the Network
Cable a network that is similar to the one in the topology diagram.

Task 2: Perform Basic Router and Switch Configurations


Configure the R1, R2, R3, S1, S2, and S3 routers and switches according to the following
guidelines:
• Configure the router hostname to match the topology diagram.
• Disable DNS lookup.
• Configure an EXEC mode password of class.
• Configure a password of cisco for console connections.
• Configure a password of cisco for VTY connections.
• Configure IP addresses and masks on all devices. Note: xx is your pair number and yy is your
block number.
• Enable RIPv2 on all routers for all networks.
• Configure a loopback interface on R2 to simulate the ISP.
• Configure IP addresses for the VLAN 1 interface on each switch.
• Configure each switch with the appropriate default gateway.
• Verify full IP connectivity using the ping command.

Task 3: Configuring a Standard ACL

Standard ACLs can filter traffic based on source IP address only. A typical best practice is
to configure a standard ACL as close to the destination as possible. In this task, you are
configuring a standard ACL. The ACL is designed to block traffic from the 192.168.yy.0/24
network located in a student lab from accessing any local networks on R3. This ACL will be
applied inbound on the R3 serial interface. Remember that every ACL has an implicit “deny all”
that causes all traffic that has not matched a statement in the ACL to be blocked. For this reason,
add the permit any statement to the end of the ACL.

Before configuring and applying this ACL, be sure to test connectivity from PC1 (or the
Fa0/1 interface on R1) to PC3 (or the Fa0/1 interface on R3). Connectivity tests should be
successful before applying the ACL.

Step 1: Create a standard named ACL on router R3.


In global configuration mode, create a standard named ACL called STND-1.

R3(config)#ip access-list standard STND-1
R3(config-std-nacl)#deny 192.168.yy.0 0.0.0.255 log
R3(config-std-nacl)#permit any

Step 2: Apply the ACL to the interface.


Apply the ACL STND-1 as a filter on packets entering R3 through Serial interface 0/0/1.

R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group STND-1 in
R3(config-if)#end
R3#copy run start

Step 3: Test the ACL.


Testing the ACL lets you see the access list log messages that are generated when a packet is denied.
Test the ACL by pinging from PC2 to PC3. Is ping successful? ___________________
Why?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

In privileged EXEC mode on R3, issue the show access-lists command. You see output similar
to the following. Each line of an ACL has an associated counter showing how many packets have
matched the rule.

R3# show access-lists
Standard IP access list STND-1
10 deny 192.168.11.0, wildcard bits 0.0.0.255 log (5 matches)
20 permit any (25 matches)

Task 4: Configuring an Extended ACL

When greater granularity is required, you should use an extended ACL. Extended ACLs
can filter traffic based on more than just source address. Extended ACLs can filter on protocol,
source, and destination IP addresses, and source and destination port numbers.

An additional policy for this network states that devices from the 192.168.xx.0/24 LAN are
only permitted to reach internal networks. Computers on this LAN are not permitted to access the
Internet. Therefore, these users must be blocked from reaching the IP address 209.165.200.225.
Because this requirement needs to enforce both source and destination, an extended ACL is
needed.
In this task, you are configuring an extended ACL on R1 that blocks traffic originating from any
device on the 192.168.xx.0/24 network from reaching the 209.165.200.225 host (the simulated ISP).
This ACL will be applied outbound on the R1 Serial 0/0/0 interface. A typical best practice for
applying extended ACLs is to place them as close to the source as possible.

Before beginning, verify that you can ping 209.165.200.225 from PC1.
Is ping successful? _____

Step 1: Configure a named extended ACL.


In global configuration mode, create a named extended ACL called EXTEND-1.

R1(config)#ip access-list extended EXTEND-1

Notice that the router prompt changes to indicate that you are now in extended ACL
configuration mode. From this prompt, add the necessary statements to block traffic from the
192.168.xx.0/24 network to the host.

R1(config-ext-nacl)#deny ip 192.168.xx.0 0.0.0.255 host 209.165.200.225

Recall that the implicit “deny all” blocks all other traffic without the additional permit
statement. Add the permit statement to ensure that other traffic is not blocked.

R1(config-ext-nacl)#permit ip any any

Step 2: Apply the ACL.


With standard ACLs, the best practice is to place the ACL as close to the destination as possible.
Extended ACLs are typically placed close to the source. The EXTEND-1 ACL will be placed on
the Serial interface, and will filter outbound traffic.

R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group EXTEND-1 out
R1(config-if)#end
R1#copy run start

Step 3: Test the ACL.


From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the
192.168.xx.0/24 network is filtered when the destination is 209.165.200.225. If the destination is
any other address, the pings should succeed. Confirm this by pinging R3 from the
192.168.xx.0/24 network device.
Note: The extended ping feature on R1 cannot be used to test this ACL, since the traffic will
originate within R1 and will never be tested against the ACL applied to the R1 serial interface.
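The following is an added example, not part of the lab worksheet: a small Python model of how the router evaluates STND-1 (Task 3) and EXTEND-1 (Task 4), showing wildcard-mask matching, first-match ordering, the per-line match counters and the implicit deny that the permit statements guard against. It assumes xx = 10 and yy = 11 (constructed values; yy = 11 matches the sample show access-lists output) and a constructed R3 LAN host at 192.168.30.10.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

class Acl:
    """First-match list of (seq, action, src, src_wc, dst, dst_wc) entries."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = entries
        self.matches = {e[0]: 0 for e in entries}

    def evaluate(self, src: str, dst: str) -> str:
        for seq, action, sn, sw, dn, dw in self.entries:
            if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
                self.matches[seq] += 1      # per-line counter, as in show access-lists
                return action
        return "deny"                        # implicit deny all at the end of every ACL

    def show(self) -> str:
        """Render the entries and counters roughly as show access-lists does."""
        lines = [f"IP access list {self.name}"]
        for seq, action, sn, sw, dn, dw in self.entries:
            lines.append(f"  {seq} {action} {sn} {sw} {dn} {dw} ({self.matches[seq]} matches)")
        return "\n".join(lines)

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is shorthand for 0.0.0.0 255.255.255.255
HOST = "0.0.0.0"                       # "host X" is shorthand for X 0.0.0.0

# Task 3: STND-1 on R3. Standard ACLs ignore the destination, hence ANY as dst.
STND_1 = Acl("STND-1", [
    (10, "deny",   "192.168.11.0", "0.0.0.255", *ANY),
    (20, "permit", *ANY, *ANY),
])
# Task 4: EXTEND-1 on R1 (xx = 10 is a constructed value).
EXTEND_1 = Acl("EXTEND-1", [
    (10, "deny",   "192.168.10.0", "0.0.0.255", "209.165.200.225", HOST),
    (20, "permit", *ANY, *ANY),
])
# The same deny line without the trailing permit: everything else hits the implicit deny.
NO_PERMIT = Acl("NO-PERMIT", [(10, "deny", "192.168.10.0", "0.0.0.255", "209.165.200.225", HOST)])

if __name__ == "__main__":
    print(STND_1.evaluate("192.168.11.10", "192.168.30.10"))      # PC2 -> PC3: deny
    print(EXTEND_1.evaluate("192.168.10.10", "209.165.200.225"))  # PC1 -> ISP: deny
    print(EXTEND_1.evaluate("192.168.10.10", "192.168.30.10"))    # PC1 -> R3 LAN: permit
    print(NO_PERMIT.evaluate("192.168.30.10", "192.168.10.10"))   # unrelated traffic: deny
    print(STND_1.show())
```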

You can further verify this by issuing the show ip access-list command on R1 after pinging.

R1#show ip access-list
(Describe the result)

_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

IV. Conclusion

*End of Lab Worksheet 7*
