
CCNA ACL Lab

Information Technology Experiential Learning Lab (ITELL) ©Copyright 2005


School of Information Studies
Syracuse University
Created 4/22/2008 by: James Benninger
Used in CCNA
Attendance
Your attendance is very important for this lab. THIS IS REQUIRED.

Lab Overview
This lab is designed to give students familiarity and experience in working with access control
lists. It provides an overview of how to use access lists to secure a network and an understanding
of the different kinds of access lists.

Students will gain access to the switch, do basic switch configuration, enter a series of ACEs
(access control entries), and configure different kinds of ACLs (access control lists).

This lab is based on Cisco Catalyst 3560-24PS switches, which provide a combination of twenty-four
1 Gbps ports and four 10 Gbps uplink ports.

Lab Prerequisites
Before attempting this lab, students should have the following knowledge and experience:

• Intermediate-level experience working with the Microsoft Windows operating system and
associated applications, such as HyperTerminal.
• General knowledge of the OSI model, the principles of packet switching and layered
communication.
• Familiarity with the basic design and operation of Ethernet networks, including a general
understanding of Ethernet frame format, addressing, and cabling systems.
• Working knowledge of TCP/IP, including a general understanding of IP addressing and how
TCP/IP works on Ethernet networks.
• Working familiarity with the Windows TCP/IP ping utility.

Expected Duration
Approximately 1-1.5 hours

1. Introduction to Access Control Lists:


a. The first objective of the lab is to understand the different kinds of ACLs (Access Control
Lists):
1. Port ACL - These are applied to layer 2 interfaces of a switch. These ACLs can only be
applied to inbound traffic. Port-level ACLs can use both MAC and IP addresses to filter
traffic.
2. Router ACL - These filter traffic on layer 3 switched virtual interfaces. These ACLs
allow filtering of both inbound and outbound traffic. However, they can only filter by
IP.
3. VLAN ACL - These are known as VLAN maps and are applied to all traffic entering and
leaving a VLAN. To make one work, you assign the map to a VLAN and tell it to match
against an access list. VLAN maps do not filter by the direction of traffic.

b. There are also two distinct types of ACLs that you will be configuring in the lab. These two
types are:
1. Standard
• Standard ACLs are given a number between 1 and 99 when being configured.
These access lists cannot filter by protocol: a deny statement in a standard
access list denies all traffic, of every protocol, from the matched source.
They can be useful, though you run into problems if you want to do something
such as allow ICMP requests through while blocking telnet to a certain host.
2. Extended
• Extended ACLs use

c. The third thing you should keep in mind when configuring access lists is that the last line of
every ACL should be a permit ip any any (permit any in the case of a standard ACL). This is
because every access list ends with an implicit deny ip any any.

2. Basic Switch Configuration:

Note: For the purposes of this section, when entering commands X should be replaced by the
VLAN number located on the sheet of paper pasted on your desk.

a. Before configuring the access control lists we must do the basic configuration of the switch.
1. To access the switch via the console line, please refer to Appendix A.
2. Enter the following commands into the CLI (command line interface) of the switch:

Switch> enable
Password: ITELLadmin
Switch# configure terminal
Switch(config)# hostname <your Department> (e.g. Technical_Support)

3. Now we need to configure the PCs of your department onto separate VLANs.
• This needs to be done so that we can filter the traffic between your PCs.
• To do this, enter the following commands in config mode:

Switch(config)#int gigabitEthernet 0/17
Switch(config-if)#no shutdown
Switch(config-if)#switchport access vlan X
Switch(config-if)#switchport mode access

4. To verify that you have correctly entered the commands type:

Switch(config-if)# Ctrl-Z
Switch# sh vlan

5. The output should look similar to the following (pay close attention to the circled
information):

6. Next we need to assign an IP Address to the VLAN you have created. This is because
the VLAN will be used as the default gateway for your host PC later on in the lab.
7. To assign the IP to the VLAN type the following command in config mode:

Switch(config)#int vlan X
Switch(config-if)#no shutdown
Switch(config-if)#ip address 192.168.X.1 255.255.255.0
Switch(config-if)#Ctrl-Z

8. To verify that you have correctly configured everything type in the show
running-config command while in privileged exec mode.

3. Configuring RIP:
a. You now need to configure the routing protocol RIP. You will configure it now and will
be using it later on in the lab to ping from the 192.168.1.0 network to the 192.168.X.0
network you have configured.
1. The next thing that you are going to do is configure a routing protocol on your
switch. To do this we are going to enable RIP version 2. Type the following
commands from config mode:

Switch(config)#ip routing                    -This command enables IP routing
Switch(config)#router rip                    -This command turns on the routing protocol RIP
Switch(config-router)#version 2              -This specifies that you want to use RIP version 2
Switch(config-router)#network 192.168.1.0    -These two commands state the networks you want
Switch(config-router)#network 192.168.X.0     your switch to advertise through RIP

2. To verify that you have correctly configured RIP, exit to privileged-exec mode and
type show ip route. You should see RIP entries in the routing table. If you do
not, go back in the lab and make sure that you have properly configured RIP.

4. Configuring your host PC


a. You must now assign your host an IP address so that it is on the proper VLAN:
1. To correctly assign your host PC an IP address, refer to appendix B.

2. Note down the IP address and default gateway address here, as you will need to use
them in later sections of the lab.
IP Address: ______________________
Default Gateway Address: ______________________

Please Answer Question #1 Before Moving To The Next Section

5. Verifying Connectivity Between PCs


a. To verify the connectivity between your PCs we will use ping.
1. To ping another computer we must open a Windows command prompt. To do this
go to Start > Run, type "cmd" and hit Enter.
2. First we will try to ping the default gateway for your PC. To do this, type in the
following command:

Ping <The default gateway address you noted down earlier in the lab>
Example: Ping 192.168.9.1

3. If you can successfully ping your default gateway, then the next step is to try and
ping the other host PC in your department.
4. To do this type in the following command:

Ping <The IP address of the other host PC in your department>
Example: Ping 192.168.1.69

5. You should notice that the ping was successful. If it was not, then you should go
back in the lab and make sure that you have correctly configured your PC, RIP, and
the switch.

Please Answer Question #2 and #3 Before Moving To The Next Section

6. Configuring A Standard ACL
a. In configuring the basic access list you will be making an access list statement to
deny traffic from the 192.168.1.0 network. After making the statement you will
apply it to port gi0/15. Notice when configuring your access list that you are
using a number between 1 and 99.

1. To configure the access list enter the following commands (a standard ACL takes
only a source, so its final permit is written permit any rather than permit ip any any):

Switch(config)#access-list (any # between 1 and 99) deny 192.168.1.0 0.0.0.255
Switch(config)#access-list (# used in last statement) permit any

Write down the access list number you chose here so that you have it for the next step
in the lab: _______

2. You will now apply this access list to the gigabit Ethernet 0/15 port. To do this enter
the following commands:

Switch(config)#interface gigabitethernet0/15          -Specifies which interface you want to configure
Switch(config-if)#ip access-group (# of your ACL) in  -Applies the ACL to the interface for inbound traffic

b. Next you need to check that you have correctly configured and assigned your
access list. Since this is a standard ACL (refer to section 1), the deny statement you
typed matches every protocol, so ICMP (ping) from that network is denied along with
everything else.

3. To test this, you and your partner should try to ping each other.
• If you have forgotten how to ping, refer to section 5.4.
4. You should notice that the pings are not successful. Your output should look similar
to the following:

Note: If your output does not match this, then you should go back and check to make sure
that you have properly configured and applied your ACL.

c. In order to configure your next access-list you will take the current access-list off of the
port. If you wanted to, you could leave it on the port and add more, but you have to
keep in mind that both of the ACL’s will be working on the port.

5. To remove an access list from port 15, type in the following commands:

Switch(config)#interface gigabitethernet0/15
Switch(config-if)#no ip access-group (# of your ACL) in

6. To verify that you have properly removed the access list, type in the following
commands. You should still see the access list in the configuration, but you should
no longer see it associated with port 15.

Switch(config-if)#<Ctrl-Z>
Switch#show running-config

7. You have just taken the ACL off of the port; you have not removed the ACL from the
switch. This is good practice because if you want to use this ACL on a different port,
or redo it on the same port, all you have to do is put it back on the port. This
saves you from having to recreate the ACL every time you want to use it. You can
view your created ACLs in two different ways. To view your configured ACLs, enter
one of the following commands from privileged exec mode:
Switch#show run
or
Switch#show access-list

Please Answer Question #4 Before Moving To The Next Section

7. Configuring an Extended ACL


a. The configuration for the extended ACL will be similar to the configuration you did for
the standard ACL. One difference is the number you assign to your ACL.
Another difference is that with an extended ACL you can name the specific protocol
that you wish to control.
1. To configure the extended ACL that will block all ICMP traffic from PC1 of
your department, type in the following commands (the page's original deny line ended
in the ICMP message-type keyword host-unknown, which would have matched only
host-unknown messages rather than pings; it is dropped here, and the closing
permit required by section 1c is added):

Switch(config)#access-list (any # between 100 and 199) deny icmp host (PC1's IP address) any
Switch(config)#access-list (# used in last statement) permit ip any any

2. To verify that you have correctly configured your access list exit to
privileged-exec mode and enter the show access-list command. The output
should look similar to the following:

3. Next you need to apply the ACL to a port. For the purposes of this section
you should put the ACL on the port that PC1 is attached to. This is interface
gi0/15. To do this type the following commands from config mode:

Switch(config)#interface gigabitethernet0/15
Switch(config-if)#ip access-group (# of your ACL) in

4. To test this, you and your partner should try to ping each other. If you have
forgotten how to ping, refer to section 5.4.

5. You should notice that your pings are again unsuccessful.

6. Before moving on to the next section you should remove the ACL from the
port by typing in the following commands from config mode:

Switch(config)#interface gigabitethernet0/15
Switch(config-if)#no ip access-group (# of your ACL) in

Please Answer Question #5 Before Moving To The Next Section

8. Simulation Test
a. In this section you will be configuring an access list similar to what you
can expect to see on the CCNA exam. The ACLs in the exam simulation will generally
require a few statements in order to get the right effect.
For this simulation our goal is to block all traffic from the 192.168.1.0 network
to the 192.168.X.0 network, while still allowing PC1 from the MIS department,
which should be on the 192.168.1.0 network, to get through.

1. The first step is to create an ACL that permits PC1 to reach PC2 in your
department. When entering this command, please be sure to use a different
number than the one you used in your previous ACLs. To create the ACL,
go to config mode and type in the following command:

Switch(config)#access-list (# between 100-199) permit icmp host 192.168.1.250 host 192.168.X.100

2. The next statement needed will be the statement that will deny any other
traffic from the 192.168.1.0 network to the 192.168.X.0 network. To do this
type in the following command from config mode:

Switch(config)#access-list (# used in last statement) deny icmp 192.168.1.0 0.0.0.255 any

3. The next step is to permit all other traffic. This allows transit traffic to go
across the network. This should be the last line of all access lists configured in a
real world environment. To do this type in the following command:

Switch(config)#access-list (# used in last statement) permit ip any any

4. Now that you have properly configured your ACL you must apply it to a port.
To do this enter the following commands:

Switch(config)#interface gigabitethernet0/13
Switch(config-if)#ip access-group (# of your ACL) in

5. To test this you and your partner should try to ping each other

6. You should notice that the pings were successful. If they were not successful
please look back at your statements and make sure that they have been
properly entered.

7. The next step is to go to another department in the room that has been
properly configured. Try to ping PC2 of your department from PC1 of their
department. You should notice that the ping is unsuccessful. This is due to the
fact that you have denied all traffic from the 192.168.1.0 network to the
192.168.X.0 network.
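As an added illustration that is not part of the original lab, the Python model below reproduces how IOS evaluates the two kinds of list used in sections 6 and 8: wildcard masks (the inverse of a subnet mask), first-match order, a standard deny matching every protocol, and the implicit deny that catches anything the list does not mention. The access-list numbers 10 and 101, the VLAN number X = 9 and the host 192.168.1.77 are assumptions chosen for the example.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.ip_address(s))

def parse_addr(tok, i):
    # 'any', 'host A' or 'A [WILDCARD]' at tok[i] -> ((base, mask), next_index)
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    has_wc = i + 1 < len(tok) and tok[i + 1].count(".") == 3
    mask = 0xFFFFFFFF ^ (_ip(tok[i + 1]) if has_wc else 0)  # wildcard is the inverted mask
    return (_ip(tok[i]) & mask, mask), i + (2 if has_wc else 1)

def parse_acl(lines):
    # Standard lists (1-99): source only, every protocol. Extended (100-199): proto src dst.
    entries = []
    for line in lines:
        tok = line.split()
        num, action = int(tok[1]), tok[2]
        if 1 <= num <= 99:
            entries.append((action, "ip", parse_addr(tok, 3)[0], (0, 0)))
        else:
            src, i = parse_addr(tok, 4)
            entries.append((action, tok[3], src, parse_addr(tok, i)[0]))
    return entries

def evaluate(entries, proto, src, dst):
    # First match wins; unmatched traffic hits the implicit 'deny ip any any' (index None).
    s, d = _ip(src), _ip(dst)
    for idx, (action, p, (sb, sm), (db, dm)) in enumerate(entries):
        if p in ("ip", proto) and (s & sm) == sb and (d & dm) == db:
            return action, idx
    return "deny", None

# Constructed sample lists: the Section 6 standard ACL (number 10 chosen) and the
# Section 8 list, with the desk VLAN number X assumed to be 9 for this example.
STANDARD_ACL = ["access-list 10 deny 192.168.1.0 0.0.0.255", "access-list 10 permit any"]
SIM_ACL = ["access-list 101 permit icmp host 192.168.1.250 host 192.168.9.100",
           "access-list 101 deny icmp 192.168.1.0 0.0.0.255 any",
           "access-list 101 permit ip any any"]

def demo():
    std, sim = parse_acl(STANDARD_ACL), parse_acl(SIM_ACL)
    pc1, pc2, other = "192.168.1.250", "192.168.9.100", "192.168.1.77"
    return {
        "std_ping": evaluate(std, "icmp", pc1, pc2),       # standard deny has no protocol field,
        "std_tcp": evaluate(std, "tcp", pc1, pc2),         # so every protocol from 192.168.1.0 is dropped
        "sim_pc1_ping": evaluate(sim, "icmp", pc1, pc2),   # line 1 admits the MIS PC1 before the deny
        "sim_other_ping": evaluate(sim, "icmp", other, pc2),
        "sim_other_tcp": evaluate(sim, "tcp", other, pc2), # only ICMP is denied; TCP reaches permit ip any any
        "no_final_permit": evaluate(sim[:2], "tcp", other, pc2),  # drop the last line: implicit deny wins
    }
```

Running demo() shows why the lab's pings between partners succeed while another department's PC1 is refused, and why leaving off the final permit silently blocks all other traffic.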

Please Answer Question #6 and #7 Before Moving To The Next Section

9. Housekeeping

a. Once the lab exercises are completed, please return your configuration to its original
state, i.e., restore the switch to its factory defaults.

1. From the command line, go to privileged exec mode and type in the
following command to bring the switch back to factory defaults:

Switch#erase nvram

Appendix A: Configuring HyperTerminal
1. Once you have connected the null modem serial cable to the COM 1 serial port on your PC, open the
HyperTerminal program by clicking on Start > Run and entering c:\program files\windows
NT\hypertrm.exe

2. When you click OK, the ‘New Connection – Hyperterminal’ window opens up.

3. Type in a name for your connection, e.g., Summit, and click OK.

4. The ‘Connect to’ Dialog box opens. Make sure you connect using COM1. Click OK.

5. The 'COM 1' Properties dialog box opens. The HyperTerminal software on the PC must be
configured with the following settings; make sure they are as follows:

• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• XON/XOFF flow control

6. Click OK and then hit [return] a few times and you should see the prompt login:

Note: On PCs where HyperTerminal has never been opened before, you will first see the 'Location
Information' dialog box when you open the program. In this case, enter 315 in the area code field, then
click OK, and in the 'Modem and Phone Information' dialog box click OK again. This will open the dialog
box as seen in Step 1.

Appendix B: Changing the static IP address of a workstation

Note: Make sure you remember to configure both the IP addresses of PC 1 and 2 before you
proceed.

1. From the desktop, right-click on the My Network Places icon and select Properties
option.
2. Right-click on LAN connection and select Properties menu option.
3. Go back to the LAN Properties window. Note the various network services available in
the General tab window.
4. Double-click on Internet Protocol (TCP/IP).

5. Select the option Use the following IP address.

6. Next you have to specify the IP address.

PC1: In the IP address box, enter the first available IP address from the Flat IP Pool
on your desk.
PC2: In the IP address box, enter 192.168.X.100 (X should be replaced with the VLAN
number pasted on your desk).

7. Next you have to specify the Subnet mask. In Subnet mask you should have:
“255.255.255.0”.

8. Next you have to set the Default Gateway.

PC1: In the box next to Default Gateway, enter the switch IP address from the label on
your desk.
PC2: In the box next to Default Gateway, enter 192.168.X.1 (X should be replaced with
the VLAN number pasted on your desk).

9. Click OK in the TCP/IP properties window and then click OK in the Local Area
Connection window.

10. Verify that your IP address has changed by running the ipconfig command from the
command line.

LAB QUESTIONS

Name Date

Course Professor

Lab CCNA ACL Lab

1. What is the purpose of using the ip routing command? (Section 3)

2. Fill in the following blanks with the information you typed in: (Section 4)

a) IP Address: _______________________________

b) Subnet Mask: _______________________________

c) Default Gateway: _______________________________

3. Why is the ping command useful? (Section 5)

4. What was the purpose of entering the following command?
Switch(config-if)#ip access-group (# of your ACL) in (Section 6)

6. Why was the ping from another department's PC1 to your department's PC2
unsuccessful? (Section 8)

7. Why is the Switch(config)#access-list (# used in last statement) permit ip any any
command used? (Section 8)
