Lab Report File - P4 Lab 1 Configuring Basic Access Control List
NAME OF THE SUBJECT: Data network management
TEACHER: Erika Estrada Castañeda
GROUP: TI-5
DATE: 22/05/23
NAME OF THE STUDENT: Jorge David Otero Lizárraga, Alan Armando Andrade Barraza, Juan Antonio Salazar Valenzuela
INTRODUCTION: In this lab, you will learn how to configure basic network security using Access Control Lists. You will apply both standard and extended ACLs.
2.- PROCESS
MATERIAL / EQUIPMENT / REAGENTS    QTY.
Router                             1
Switch                             1
PC                                 1
Ethernet cable, serial cable       3
Before configuring and applying this ACL, be sure to test connectivity from PC1 (or the Fa0/1 interface on R1) to PC3 (or the Fa0/1 interface on R3). Connectivity tests should be successful before applying the ACL.
Step 1: Create the ACL on router R3.
In global configuration mode, create a standard named ACL called STND-1.
R3(config)#ip access-list standard STND-1
In standard ACL configuration mode, add a statement that denies any packets with a source address of 192.168.11.0/24 and prints a message to the console for each matched packet.
R3(config-std-nacl)#deny 192.168.11.0 0.0.0.255 log
Permit all other traffic.
R3(config-std-nacl)#permit any
Step 2: Apply the ACL.
Apply the ACL STND-1 as a filter on packets entering R3 through Serial interface 0/0/1.
R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group STND-1 in
R3(config-if)#end
R3#copy run start
Step 3: Test the ACL.
Before testing the ACL, make sure that the console of R3 is visible. This will allow you to see the access
Network laboratory
In privileged EXEC mode on R3, issue the show access-lists command. You see output similar to the following. Each line of an ACL has an associated counter showing how many packets have matched the rule.
Standard IP access list STND-1
10 deny 192.168.11.0, wildcard bits 0.0.0.255 log (5 matches)
20 permit any (25 matches)
The purpose of this ACL was to block hosts from the 192.168.11.0/24 network. Any other hosts, such as those on the 192.168.10.0/24 network, should be allowed access to the networks on R3. Conduct another test from PC1 to PC3 to ensure that this traffic is not blocked.
You can also use an extended ping from the Fa0/0 interface on R1 to the Fa0/1 interface on R3.
R1#ping ip
Target IP address: 192.168.30.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Extended ACLs are typically placed close to the source. The EXTEND-1 ACL will be placed on the Serial interface, and will filter outbound traffic.
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group EXTEND-1 out
R1(config-if)#end
R1#copy run start
Step 3: Test the ACL.
From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the 192.168.10.0/24 network is filtered when the destination is 209.165.200.225. If the destination is any other address, the pings should succeed. Confirm this by pinging R3 from the 192.168.10.0/24 network device.
Note: The extended ping feature on R1 cannot be used to test this ACL, since the traffic will originate within R1 and will never be tested against the ACL applied to the R1 serial interface.
You can further verify this by issuing the show ip access-list command on R1 after pinging.
R1#show ip access-list
Extended IP access list EXTEND-1
10 deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 (4 matches)
20 permit ip any any
Task 5: Control Access to the VTY Lines with a Standard ACL
It is good practice to restrict access to the router VTY lines for remote administration. An ACL can be applied to the VTY lines, allowing you to restrict access to specific hosts or networks. In this task, you will configure a standard ACL to permit hosts from two networks to access the VTY lines. All other hosts are denied.
Verify that you can telnet to R2 from both R1 and R3.
Step 1: Configure the ACL.
Configure a named standard ACL on R2 that permits traffic from 10.2.2.0/30 and 192.168.30.0/24. Deny all other traffic. Call the ACL TASK-5.
R2(config)#ip access-list standard TASK-5
R2(config-std-nacl)#permit 10.2.2.0 0.0.0.3
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255
Step 2: Apply the ACL.
Enter line configuration mode for VTY lines 0–4.
R2(config)#line vty 0 4
Use the access-class command to apply the ACL to the vty lines in the inbound direction. Note that this differs from the command used to apply ACLs to other interfaces.
R2(config-line)#access-class TASK-5 in
R2(config-line)#end
R2#copy run start
Step 3: Test the ACL.
Telnet to R2 from R1. Note that R1 does not have IP addresses in the address range listed in the ACL TASK-5 permit statements. Connection attempts should fail.
R1# telnet 10.1.1.2
Trying 10.1.1.2 …
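As an added illustration (not part of the lab and not IOS code), the evaluator below models how IOS processes the three ACLs configured above: wildcard masks, top-down first-match evaluation, the per-line counters shown by show access-lists, and the implicit deny that ends TASK-5 even though no deny statement was typed. The sample addresses are constructed; 10.1.1.1 is assumed to be R1's serial address.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every bit is a don't-care bit


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


class Acl:
    """Entries are (action, src, src_wildcard, dst, dst_wildcard); a standard ACL
    passes ANY for the destination. Evaluation is top-down, first match wins,
    and a packet that reaches the end hits the implicit deny IOS appends."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = list(entries)
        self.matches = [0] * len(entries)  # per-line counters, as in show access-lists
        self.implicit_denies = 0

    def evaluate(self, src, dst):
        for i, (action, sn, sw, dn, dw) in enumerate(self.entries):
            if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
                self.matches[i] += 1
                return action
        self.implicit_denies += 1
        return "deny"

    def show(self):
        lines = [f"IP access list {self.name}"]
        for i, entry in enumerate(self.entries):
            lines.append(f"{(i + 1) * 10} {' '.join(entry)} ({self.matches[i]} matches)")
        return lines


# The three ACLs from the lab, written the way this evaluator expects them.
STND_1 = Acl("STND-1", [("deny", "192.168.11.0", "0.0.0.255", *ANY),
                        ("permit", *ANY, *ANY)])
EXTEND_1 = Acl("EXTEND-1", [("deny", "192.168.10.0", "0.0.0.255", "209.165.200.225", "0.0.0.0"),
                            ("permit", *ANY, *ANY)])
TASK_5 = Acl("TASK-5", [("permit", "10.2.2.0", "0.0.0.3", *ANY),
                        ("permit", "192.168.30.0", "0.0.0.255", *ANY)])  # no explicit deny

if __name__ == "__main__":
    # Constructed hosts on the two LANs, R2's loopback from the lab, assumed R1 address 10.1.1.1.
    print(STND_1.evaluate("192.168.11.10", "192.168.30.1"))       # deny
    print(EXTEND_1.evaluate("192.168.10.10", "209.165.200.225"))  # deny
    print(EXTEND_1.evaluate("192.168.10.10", "192.168.30.1"))     # permit
    print(TASK_5.evaluate("10.1.1.1", "10.1.1.2"))                # deny (implicit)
    print("\n".join(STND_1.show()))
```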
3.1 Results:
The practice was relatively easy because our team only had to configure the basics on a router and a switch. Going forward with the practice we are going to need to configure the ACL protocol, but at the moment we did not have any difficulty or problem up to this point.
______________________________
INSTRUCTOR'S SIGNATURE