Lab 4: Cisco Extended Access List Lab
Students will configure and apply extended access control lists (ACLs) on routers to control
traffic based on specific IP addresses, protocols, and port numbers.
Implicit deny:
The last statement of an ACL is always an implicit deny. This statement is automatically
inserted at the end of each ACL even though it is not physically present. The implicit deny
blocks all traffic that did not match an earlier statement. Because of this implicit deny, an
ACL that does not have at least one permit statement will block all traffic.
Objective:
Students will learn how to configure and apply Cisco extended Access Control Lists (ACLs)
to control traffic flow through a network. By the end of this lab, students should understand
how to create, apply, and verify extended ACLs on Cisco routers.
IPv4 ACLs use wildcard masks, which are strings of 32 binary digits that the router uses to
determine which bits of an address to examine for a match.
Lab Setup
Network Topology:
Devices:
- 2 Routers (R1, R2)
- 3 PCs (PC1, PC2, PC3)
- 1 Server
- 2 Switches (S1, S2)
Connectivity:
PC1 -> S1 -> R1 (Fa0/0)
PC2 -> S1
R1 (Fa0/1) -> R2 (Fa0/1)
PC3 -> Switch2 -> R2 (Fa0/1)
Server 0 -> Switch2 -> R2 (Fa0/2)
IP Addressing Scheme:
PC1: 192.168.10.2 SUBNET: 255.255.255.0 GW: 192.168.10.1
PC2: 192.168.10.20 SUBNET: 255.255.255.0 GW: 192.168.10.1
PC3: 192.168.30.2 SUBNET: 255.255.255.0 GW: 192.168.30.1
R1 (Fa0/0): 192.168.10.1/24
R2 (Fa0/0): 192.168.30.1/24
R1 (Fa0/1): 10.10.10.1/24
R2 (Fa0/1): 10.10.10.2/24
Routing Configuration:
Steps
1. Connect the routers using a crossover cable between Fa0/1 of R1 and R2.
2. Assign IP addresses to the router interfaces.
On R1:
```bash
enable
configure terminal
interface FastEthernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
interface FastEthernet 0/1
ip address 10.10.10.1 255.255.255.0
no shutdown
exit
write
```
Lab Tasks
Expected Outcome:
All PCs should be able to ping each other successfully.
Steps:
- Access R1's command-line interface.
- Create an access list that denies HTTP traffic from PC1:
- Apply the access list to the appropriate interface (R1’s Fa0/0 inbound):
```bash
R1(config)# interface fa0/0
R1(config-if)# ip access-group 100 in
```
Expected Outcome:
PC1 should be able to ping Server0.
PC2 should be able to ping PC3.
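
The implicit deny and wildcard-mask rules described at the top of this lab can be checked offline before touching the router. The Python sketch below is an added example, not part of the original lab: it models top-down, first-match evaluation of an extended ACL. The two ACL 100 entries are an assumption (the handout does not list them), and PC3's address stands in as the destination because no address is given for Server0.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = bit must match, 1 = bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()[2:]  # drop 'access-list N'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = parse_addr(tokens), parse_addr(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; no match means the implicit deny."""
    for line in acl:
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *a_src) and wildcard_match(dst, *a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"  # implicit deny: present in every ACL, never listed

# Assumed entries for ACL 100 (the handout does not list them).
ACL_100 = ["access-list 100 deny tcp host 192.168.10.2 any eq 80",
           "access-list 100 permit ip any any"]
ACL_100_NO_PERMIT = ACL_100[:1]  # same ACL with the permit line forgotten
PC1, PC2, PC3 = "192.168.10.2", "192.168.10.20", "192.168.30.2"

if __name__ == "__main__":
    flows = [("tcp", PC1, PC3, 80), ("tcp", PC2, PC3, 80),
             ("icmp", PC1, PC3, None), ("icmp", PC2, PC3, None)]
    for f in flows:
        print(f, evaluate(ACL_100, *f), evaluate(ACL_100_NO_PERMIT, *f))
```

Running it prints each flow with the verdict under both ACLs: with the trailing permit line only PC1's HTTP is denied, while without it every ping is dropped by the implicit deny and the expected outcome above fails.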