CS23016| Seemeen Patel

PRACTICAL 2

AIM: Configuring and Verifying Standard IPv4 ACLs (Solution)

ACL Overview

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a device and permit or deny packets crossing specified interfaces. An ACL is a
sequential collection of permit and deny conditions that apply to packets. When a packet is received on an
interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the
required permissions to be forwarded, based on the criteria specified in the access lists. It tests the packet
against the conditions in the access list one by one. The first match decides whether the switch accepts or rejects
the packet. Because the switch stops testing after the first match, the order of conditions in the list is critical. If
no condition matches, the switch rejects the packet. If no ACL is applied, the switch forwards the packet;
otherwise the ACL decides whether it is forwarded or dropped. The switch can use ACLs on all packets it
forwards. You configure access lists on a device to provide basic security for your network.

Topology


Addressing Table

Objectives

Part 1: Set Up the Topology and Initialize Devices

- Set up equipment to match the network topology.
- Initialize and reload the routers and switches.

Part 2: Configure Devices and Verify Connectivity

- Assign a static IP address to PCs.
- Configure basic settings on routers.
- Configure basic settings on switches.
- Configure OSPF routing on R1, ISP, and R3.
- Verify connectivity between devices.

Part 3: Configure and Verify Standard Numbered and Named ACLs


- Configure, apply, and verify a numbered standard ACL.
- Configure, apply, and verify a named ACL.

Part 4: Modify a Standard ACL

- Modify and verify a named standard ACL.
- Test the ACL.

Background / Scenario

Network security is an important issue when designing and managing IP networks. The ability to configure
proper rules to filter packets, based on established security policies, is a valuable skill. In this lab, you will set
up filtering rules for two offices represented by R1 and R3. Management has established some access policies
between the LANs located at R1 and R3, which you must implement. The ISP router sitting between R1 and R3
will not have any ACLs placed on it. You would not be allowed any administrative access to an ISP router
because you can only control and manage your own equipment.

Required Resources

- 3 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
- 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
- 2 PCs (Windows 7, Vista, or XP with a terminal emulation program, such as Tera Term)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet and serial cables as shown in the topology

Part 1: Set Up the Topology and Initialize Devices

In Part 1, you set up the network topology and clear any configurations, if necessary.

a. Cable the network as shown in the topology.


b. Initialize and reload the routers and switches.

Part 2: Configure Devices and Verify Connectivity

In Part 2, you configure basic settings on the routers, switches, and PCs. Refer to the Topology and Addressing
Table for device names and address information.

1. Configure IP addresses on PC-A and PC-C.

2. Configure basic settings for the routers.

a. Console into the router and enter global configuration mode.

b. Copy the following basic configuration and paste it into the running configuration on the router.

no ip domain-lookup
hostname R3
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 4
password cisco
login

c. Configure the device name as shown in the topology.

d. Create loopback interfaces on each router as shown in the Addressing Table.

e. Configure interface IP addresses as shown in the Topology and Addressing Table.

f. Assign a clock rate of 128000 to the DCE serial interfaces.

g. Enable Telnet access.

h. Copy the running configuration to the startup configuration.

3. (Optional) Configure basic settings on the switches.

a. Console into the switch and enter global configuration mode.

b. Copy the following basic configuration and paste it to the running-configuration on the switch.

no ip domain-lookup
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 15
password cisco
login
exit

c. Configure the device name as shown in the topology.

d. Configure the management interface IP address as shown in the Topology and Addressing Table.

e. Configure a default gateway.

f. Enable Telnet access.

g. Copy the running configuration to the startup configuration.

4. Configure RIP routing on R1, ISP, and R3.

a. Configure RIP version 2 and advertise all networks on R1, ISP, and R3. The RIP configuration for R1,
ISP, and R3 is included for reference.

R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.10.0
R1(config-router)# network 192.168.20.0
R1(config-router)# network 10.1.1.0

ISP(config)# router rip
ISP(config-router)# version 2
ISP(config-router)# network 209.165.200.224
ISP(config-router)# network 10.1.1.0
ISP(config-router)# network 10.2.2.0

R3(config)# router rip
R3(config-router)# version 2
R3(config-router)# network 192.168.30.0
R3(config-router)# network 192.168.40.0
R3(config-router)# network 10.2.2.0

b. After configuring RIP on R1, ISP, and R3, verify that all routers have complete routing tables listing
all networks. Troubleshoot if this is not the case.

5. Verify connectivity between devices.

a. From PC-A, ping PC-C and the loopback interface on R3. Were your pings successful? _______ Yes


b. From R1, ping PC-C and the loopback interface on R3. Were your pings successful? _______ Yes


c. From PC-C, ping PC-A and the loopback interface on R1. Were your pings successful? _______ Yes

d. From R3, ping PC-A and the loopback interface on R1. Were your pings successful? _______ Yes

Part 3: Configure and Verify Standard Numbered and Named ACLs

1. Configure a numbered standard ACL.

a. Create the following ACL on R3.

R3(config)# access-list 1 remark Allow R1 LANs Access
R3(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R3(config)# access-list 1 permit 192.168.20.0 0.0.0.255
R3(config)# access-list 1 deny any

b. Apply the ACL to the appropriate interface in the proper direction.

R3(config)# interface g0/1
R3(config-if)# ip access-group 1 out

c. Verify a numbered ACL.


R3# show access-lists 1
or
R3# show access-lists

R3# show ip interface g0/1
or
R3# show ip interface

d. Test the ACL to see if it allows traffic from the 192.168.20.0/24 network access to the 192.168.30.0/24


2. Configure a named standard ACL.

a. Create the standard named ACL BRANCH-OFFICE-POLICY on R1.

R1(config)# ip access-list standard BRANCH-OFFICE-POLICY
R1(config-std-nacl)# permit host 192.168.30.3
R1(config-std-nacl)# permit 192.168.40.0 0.0.0.255
R1(config-std-nacl)# end

b. Apply the ACL to the appropriate interface in the proper direction.

R1# config t
R1(config)# interface g0/1
R1(config-if)# ip access-group BRANCH-OFFICE-POLICY out

c. Verify a named ACL.


1) On R1, issue the show access-lists command.
R1# show access-lists

2) On R1, issue the show ip interface g0/1 command.


R1# show ip interface g0/1

3) Test the ACL. From the command prompt on PC-C, ping PC-A's IP address.

4) Test the ACL to ensure that only the PC-C host is allowed access to the 192.168.10.0/24 network. You
must do an extended ping and use the G0/1 address on R3 as your source. Ping PC-A's IP address.


5) Test the ACL to see if it allows traffic from the 192.168.40.0/24 network access to the 192.168.10.0/24
network. You must perform an extended ping and use the loopback 0 address on R3 as your source. Ping
PC-A’s IP address.

Part 4: Modify a named standard ACL.

a. From R1 privileged EXEC mode, issue a show access-lists command.


R1# show access-lists

b. Add two additional lines at the end of the ACL. From global config mode, modify the ACL
BRANCH-OFFICE-POLICY.

R1(config)# ip access-list standard BRANCH-OFFICE-POLICY
R1(config-std-nacl)# 30 permit 209.165.200.224 0.0.0.31
R1(config-std-nacl)# 40 deny any
R1(config-std-nacl)# end
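The first-match and implicit-deny behaviour described in the ACL Overview, applied to access-list 1 and to BRANCH-OFFICE-POLICY as it stands after this step, as an added Python model that is not part of this lab or of Cisco IOS. It also reports entries that an earlier entry makes unreachable, which is why the overview warns that ordering is critical; the `shadowed` helper and the sequence numbers 10/20/30 given to the numbered list are assumptions (IOS numbers entries in steps of 10 by default).

```python
# Added example: a model of Cisco standard ACL semantics using the lab's own
# entries. Entries are (sequence, action, network, wildcard); "host X" is
# written X 0.0.0.0 and "any" is 0.0.0.0 255.255.255.255.
import ipaddress

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = bit must equal the network's."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)

def evaluate(acl, src: str):
    """First-match evaluation. Returns (action, sequence) of the matching
    entry, or ("deny", None) for the implicit deny that ends every ACL."""
    for seq, action, network, wildcard in sorted(acl, key=lambda e: e[0]):
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None

def shadowed(acl):
    """Sequence numbers of entries that can never be reached because an
    earlier entry already matches every address they would match."""
    ordered = sorted(acl, key=lambda e: e[0])
    result = []
    for i, (seq, _, net, wc) in enumerate(ordered):
        for _, _, pnet, pwc in ordered[:i]:
            pcare = ~_to_int(pwc) & 0xFFFFFFFF
            # the earlier entry covers ours if it fixes only bits we also fix
            # (wc is 0 wherever pwc is 0) and both networks agree on those bits
            if (_to_int(wc) & pcare) == 0 and \
               (_to_int(net) & pcare) == (_to_int(pnet) & pcare):
                result.append(seq)
                break
    return result

# R3's access-list 1 from Part 3, step 1 (sequence numbers assumed)
ACL_1 = [
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "deny", "0.0.0.0", "255.255.255.255"),
]
# R1's BRANCH-OFFICE-POLICY after the Part 4 additions (entries 30 and 40)
BRANCH_OFFICE_POLICY = [
    (10, "permit", "192.168.30.3", "0.0.0.0"),
    (20, "permit", "192.168.40.0", "0.0.0.255"),
    (30, "permit", "209.165.200.224", "0.0.0.31"),
    (40, "deny", "0.0.0.0", "255.255.255.255"),
]
```

Evaluating `BRANCH_OFFICE_POLICY[:2]` (the list before this step) against an ISP address returns the implicit deny, which is the behaviour the extended ping in step c exercises.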


c. Verify the ACL.

1) On R1, issue the show access-lists command.

R1# show access-lists

2) From the ISP command prompt, issue an extended ping. Test the ACL to see if it allows traffic from the
209.165.200.224/27 network access to the 192.168.10.0/24 network. You must do an extended ping and use
the loopback 0 address on ISP as your source. Ping PC-A’s IP address.
