Scribd
Upload
177 views18 pages

ACL Config

The document describes three labs on configuring access control lists (ACLs) on Cisco routers: 1. Lab 1 demonstrates configuring a standard numbered ACL to permit traffic from R2 to R1 and deny traffic from R3 to R1. 2. Lab 2 builds on Lab 1 by configuring extended numbered ACLs to permit Telnet from R1 to R2 while denying pings, and permit pings from R3 to R2 while denying Telnet. 3. Lab 3 introduces named ACLs, which allow inserting or deleting rules without disrupting the entire ACL, and demonstrates advanced configuration options like inserting rules mid-list.

Uploaded by

Yasser Lyraa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
177 views18 pages

ACL Config

The document describes three labs on configuring access control lists (ACLs) on Cisco routers: 1. Lab 1 demonstrates configuring a standard numbered ACL to permit traffic from R2 to R1 and deny traffic from R3 to R1. 2. Lab 2 builds on Lab 1 by configuring extended numbered ACLs to permit Telnet from R1 to R2 while denying pings, and permit pings from R3 to R2 while denying Telnet. 3. Lab 3 introduces named ACLs, which allow inserting or deleting rules without disrupting the entire ACL, and demonstrates advanced configuration options like inserting rules mid-list.

Uploaded by

Yasser Lyraa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Access Control List

Configuration for

CCNA Students

By

Eng. Abeer Hosni

https://www.facebook.com/groups/1720572871550995/
Lab 1 (Standard Numbered ACL):

Objective:

Permit all traffic coming from R2 to R1. And prevent all traffic coming from R3 to R1.

R1(config)#int f0/0

R1(config-if)#ip address 10.0.0.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#router eigrp 1

R1(config-router)#no auto-summary

R1(config-router)#network 10.0.0.1 0.0.0.0

R2(config)#int f0/0

R2(config-if)#ip address 10.0.0.2 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#int f0/1

R2(config-if)#ip address 11.0.0.2 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#router eigrp 1
R2(config-router)#no auto-summary

R2(config-router)#network 10.0.0.2 0.0.0.0

R2(config-router)#network 11.0.0.2 0.0.0.0

R3(config)#int f0/0

R3(config-if)#ip address 11.0.0.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#int f0/1

R3(config-if)#ip address 192.168.0.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#router eigrp 1

R3(config-router)#no auto-summary

R3(config-router)#network 11.0.0.3 0.0.0.0

R3(config-router)#network 192.168.0.3 0.0.0.0

Test end to end connectivity:

C:\Users\pc1>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: bytes=32 time=37ms TTL=247

Reply from 10.0.0.1: bytes=32 time=38ms TTL=247

Reply from 10.0.0.1: bytes=32 time=42ms TTL=247

Reply from 10.0.0.1: bytes=32 time=38ms TTL=247

R1(config-router)#do ping 192.168.0.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/84/108 ms

Now we will configure ACL on R1:

R1(config)#access-list 1 permit 10.0.0.0 0.0.0.255

If we want to configure a specific host, the configuration will be as follows:

R1(config)#access-list 1 permit 10.0.0.2 0.0.0.0

Or) R1(config)#access-list 1 permit host 10.0.0.2

R1(config)#access-list 1 deny 11.0.0.0 0.0.0.255

R1(config)#int f0/0

R1(config-if)#ip access-group 1 in

To test:

R2#ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/96 ms

R3#ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

UUUUU

Success rate is 0 percent (0/5)

C:\Users\pc1>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: Destination net unreachable.

Reply from 10.0.0.1: Destination net unreachable.

Reply from 10.0.0.1: Destination net unreachable.


Reply from 10.0.0.1: Destination net unreachable.

The PC can’t reach the 10.0.0.1 IP address due to the explicit deny at the end of the chain.

Note:
R1#ping 192.168.0.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

The Echo request is successful but the Echo reply couldn’t return back to R1.

To verify:

R1#show access-list

Standard IP access list 1

10 permit 10.0.0.0, wildcard bits 0.0.0.255 (660 matches)

20 deny 11.0.0.0, wildcard bits 0.0.0.255 (30 matches)

If we want to allow all other traffic coming from all other networks:

R1(config)#access-list 1 permit any

C:\Users\pc1>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: bytes=32 time=174ms TTL=253

Reply from 10.0.0.1: bytes=32 time=143ms TTL=253

Reply from 10.0.0.1: bytes=32 time=96ms TTL=253

Reply from 10.0.0.1: bytes=32 time=116ms TTL=253

R1#show access-list

Standard IP access list 1


10 permit 10.0.0.0, wildcard bits 0.0.0.255 (720 matches)

20 deny 11.0.0.0, wildcard bits 0.0.0.255 (60 matches)

30 permit any

Lab 2 (Extended Numbered ACL):

Objective:

Based on the previous lab.

1- Permit Telnet coming from R1 to R2 and deny pings coming from R1 to R2.
2- Permit pings coming from R3 to R2 and deny telnet coming from R3 to R2.

R1(config)#no access-list 1
R1(config)#int f0/0
R1(config-if)#no ip access-group 1 in
R2(config)#line vty 0 4
R2(config-line)#password 123
R2(config-line)#login
R2(config-if)#exit
R2(config)#access-list 100 permit tcp host 10.0.0.1 host 10.0.0.2 eq 23
R2(config)#access-list 100 deny icmp host 10.0.0.1 host 10.0.0.2 echo
R2(config)#access-list 100 permit eigrp any any (The control plane must be allowed
too).
R2(config)#access-list 101 permit icmp host 11.0.0.3 host 11.0.0.2 echo
R2(config)#access-list 101 deny tcp host 11.0.0.3 host 11.0.0.2 eq telnet
R2(config)#access-list 101 permit eigrp any any (The control plane must be allowed
too).
R2(config)#int f0/0
R2(config-if)#ip access-group 100 in
R2(config-if)#int f0/1
R2(config-if)#ip access-group 101 in

To test:

R1#telnet 10.0.0.2

Trying 10.0.0.2 ... Open

R1#ping 10.0.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

UUUUU

Success rate is 0 percent (0/5)

R3#telnet 11.0.0.2

Trying 11.0.0.2 ...

% Destination unreachable; gateway or host down

R3#ping 11.0.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/120 ms

C:\Users\pc1>ping 11.0.0.2

Pinging 11.0.0.2 with 32 bytes of data:

Reply from 11.0.0.2: Destination net unreachable.


Reply from 11.0.0.2: Destination net unreachable.

Reply from 11.0.0.2: Destination net unreachable.

Reply from 11.0.0.2: Destination net unreachable.

To verify:

R2(config)#do show access-list

Extended IP access list 100

10 permit tcp host 10.0.0.1 host 10.0.0.2 eq telnet (54 matches)

20 deny icmp host 10.0.0.1 host 10.0.0.2 echo (15 matches)

30 permit eigrp any any (222 matches)

Extended IP access list 101

10 permit icmp host 11.0.0.3 host 11.0.0.2 echo (15 matches)

20 deny tcp host 11.0.0.3 host 11.0.0.2 eq telnet (3 matches)

30 permit eigrp any any (222 matches)

To permit all other traffic:

R2(config)#access-list 101 permit ip any any

C:\Users\pc1>ping 11.0.0.2

Pinging 11.0.0.2 with 32 bytes of data:

Reply from 11.0.0.2: bytes=32 time=105ms TTL=254

Reply from 11.0.0.2: bytes=32 time=64ms TTL=254

Reply from 11.0.0.2: bytes=32 time=74ms TTL=254

Reply from 11.0.0.2: bytes=32 time=107ms TTL=254

To verify:

R2(config)#do show access-list

Extended IP access list 100

10 permit tcp host 10.0.0.1 host 10.0.0.2 eq telnet (69 matches)


20 deny icmp host 10.0.0.1 host 10.0.0.2 echo (15 matches)

30 permit eigrp any any (144 matches)

Extended IP access list 101

10 permit icmp host 11.0.0.3 host 11.0.0.2 echo (15 matches)

20 deny tcp host 11.0.0.3 host 11.0.0.2 eq telnet (3 matches)

30 permit eigrp any any (135 matches)

40 permit ip any any (12 matches)

Notes:
1- The log key word can be used to log the changes:
Ex) R2(config)#access-list 101 deny ip any any log
2- The remark option is used as a description and can be seen in the running-config.
Ex) R2(config)#access-list 101 remark This ACL is applied to all traffic coming from LAN1

Lab 3 (Named ACL):


If we delete only one sentence of the numbered ACL, the whole chain is gone. Besides, each
new sentence is appended to the end of the chain. We can’t insert a new sentence in the
middle of the chain.

Using named ACL allows us to insert sentences and delete some of them without destroying the
whole chain.

1- The first lab using named ACL:


R1(config)#ip access-list standard PERMIT_NETWORK10
R1(config-std-nacl)#permit 10.0.0.0 0.0.0.255
R1(config-std-nacl)#deny 11.0.0.0 0.0.0.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#int f0/0
R1(config-if)#ip access-group PERMIT_NETWORK10 in
R1(config-if)#do show access-list
Standard IP access list PERMIT_NETWORK10
10 permit 10.0.0.0, wildcard bits 0.0.0.255 (57 matches)
20 deny 11.0.0.0, wildcard bits 0.0.0.255 (15 matches)
30 permit any
R1(config-if)#ip access-list standard PERMIT_NETWORK10
R1(config-std-nacl)#no 20 (We can delete an entry using its sequence
number).
R1(config-std-nacl)#no 20
R1(config-std-nacl)#15 deny host 11.0.0.3
R1(config-std-nacl)#do show ip access-list
Standard IP access list PERMIT_NETWORK10
15 deny 11.0.0.3
10 permit 10.0.0.0, wildcard bits 0.0.0.255 (147 matches)
30 permit any
2- The second lab using named ACL:
R1(config)#no ip access-list standard PERMIT_NETWORK10
R2(config)#ip access-list extended FROM_R1
R2(config-ext-nacl)#permit tcp host 10.0.0.1 host 10.0.0.2 eq 23
R2(config-ext-nacl)#deny icmp host 10.0.0.1 host 10.0.0.2 echo
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#int f0/0
R2(config-if)#ip access-group FROM_R1 in
R2(config-if)#ip access-list extended FROM_R3
R2(config-if)#ip access-list extended FROM_R3
R2(config-ext-nacl)#permit icmp host 11.0.0.3 host 11.0.0.2 echo
R2(config-ext-nacl)#deny tcp host 11.0.0.3 host 11.0.0.2 eq telnet
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#int f0/1
R2(config-if)#ip access-group FROM_R3 in
R2(config-if)#do show access-list
Extended IP access list FROM_R1
10 permit tcp host 10.0.0.1 host 10.0.0.2 eq telnet (48 matches)
20 deny icmp host 10.0.0.1 host 10.0.0.2 echo (15 matches)
30 permit eigrp any any (201 matches)
Extended IP access list FROM_R3
10 permit icmp host 11.0.0.3 host 11.0.0.2 echo (15 matches)
20 deny tcp host 11.0.0.3 host 11.0.0.2 eq telnet (3 matches)
30 permit eigrp any any (75 matches)

R2(config-if)#ip access-list extended FROM_R3


R2(config-ext-nacl)#no 20
R2(config-ext-nacl)#15 permit tcp 11.0.0.0 0.0.0.255 host 11.0.0.2 eq 23
R2(config-ext-nacl)#25 permit ip any any
R2(config-ext-nacl)#do show ip access-list FROM_R3
Extended IP access list FROM_R3
10 permit icmp host 11.0.0.3 host 11.0.0.2 echo (15 matches)

15 permit tcp 11.0.0.0 0.0.0.255 host 11.0.0.2 eq telnet


25 permit ip any any (105 matches)
30 permit eigrp any any (135 matches)

Lab 4 (Editing numbered ACL using named ACL):


Since the order of the sentences is very important, suppose that we have configured an ACL on
R1 in

a wrong order using numbered ACL, and we want to correct that.

R1(config)#access-list 1 permit host 10.0.0.2

R1(config)#access-list 1 deny 11.0.0.0 0.0.0.255

R1(config)#access-list 1 permit host 11.0.0.3

R1(config)#access-list 1 deny any log

R1(config)#do show access-list 1

Standard IP access list 1

10 permit 10.0.0.2

30 permit 11.0.0.3

20 deny 11.0.0.0, wildcard bits 0.0.0.255

40 deny any log

We can correct that order using named ACL:

R1(config)#ip access-list standard 1

R1(config-std-nacl)#no 30

R1(config-std-nacl)#15 permit host 11.0.0.3

R1(config-std-nacl)#do show access-list 1


Standard IP access list 1

10 permit 10.0.0.2

15 permit 11.0.0.3

20 deny 11.0.0.0, wildcard bits 0.0.0.255

40 deny any log

R1(config-std-nacl)#int f0/0

R1(config-if)#ip access-group 1 in

To test:

R3#ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/77/172 ms

R2#ping 10.0.0.1 source f0/1 (To simulate that the pings are coming from 11.0.0.2).

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

Packet sent with a source address of 11.0.0.2

UUUUU

Success rate is 0 percent (0/5)

Lab 5 (Filter debugging using ACL):


R1(config)#no access-list 1

R1(config)#access-list 2 permit 10.0.0.0 0.0.0.255

R1(config)#end

R1#debug ip packet 2
R1#ping 10.0.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/106/164 ms

*Mar 1 01:27:07.307: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), routed via
FIB

*Mar 1 01:27:07.311: IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), len 100, sending

*Mar 1 01:27:07.315: IP: s=10.0.0.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2

< Output Omiited >

R1(config)#int loop 1

R1(config-if)#ip add 1.1.1.1 255.255.255.255

R1(config-if)#router eigrp 1

R1(config-router)#net 1.0.0.0

R1#ping 11.0.0.3 source loop 1 (Doesn’t match the ACL).

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.0.0.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/78/140 ms

Lab 6 (Access-class):
Since configuring ACL affects all kind of traffic, we can configure the ACL under the line vty to
just affect the telnet process not the whole traffic.

R2(config)#access-list 1 permit 10.0.0.0 0.0.0.255

R2(config)#line vty 0 4

R2(config-line)#access-class 1 in
To test:

R1#10.0.0.2

Trying 10.0.0.2 ... Open

R3#11.0.0.2

Trying 11.0.0.2 ...

% Connection refused by remote host

But if we want to control connecting to other routers using telnet, the access-class command
must be configured under the line console.

R1(config)#line vty 0 4

R1(config-line)#password 123

R1(config-line)#login

R3(config)#line vty 0 4

R3(config-line)#password 123

R3(config-line)#login

R2#10.0.0.1

Trying 10.0.0.1 ... Open

R2#11.0.0.3

Trying 11.0.0.3 ... Open

We will configure the access-class now under the line console.

R2(config)#line con 0

R2(config-line)#access-class 1 out

To test:

R2#10.0.0.1

Trying 10.0.0.1 ... Open

R2#11.0.0.3
Trying 11.0.0.3 ...

% Connections to that host not permitted from this terminal

Lab 7 (IPV6 ACL):

IPV6 ACL only supports extended named ACL.

Objective:

1- Configure IPV6 addresses on the routers and client.


2- Configure routing using EIGRP for IPV6.
3- Permit telnet only from R1 to R2.

1- R1(config-if)#ipv6 address 2001:12::1/64


R1(config-if)#no shut
R2(config)#int f0/0
R2(config-if)#ipv6 address 2001:12::2/64
R2(config-if)#no shut
R2(config-if)#int f0/1
R2(config-if)#ipv6 address 2001:23::2/64
R2(config-if)#no shut
R3(config)#int f0/0
R3(config-if)#ipv6 address 2001:23::3/64
R3(config-if)#no shut
R3(config-if)#int f0/1
R3(config-if)#ipv6 address 2001:3::3/64
R3(config-if)#no shut

2- R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router eigrp 1
R1(config-rtr)#no shut
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 eigrp 1
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router eigrp 1
R2(config-rtr)#no shut
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#int f0/0
R2(config-if)#ipv6 eigrp 1
R2(config-if)#int
R2(config-if)#int f0/1
R2(config-if)#ipv6 eigrp 1
R3(config)#ipv6 unicast-routing
R3(config)#ipv6 router eigrp 1
R3(config-rtr)#no shut
R3(config-rtr)#router-id 3.3.3.3
R3(config-rtr)#int f0/0
R3(config-if)#ipv6 eigrp 1
R3(config-if)#int f0/1
R3(config-if)#ipv6 eigrp 1
To test:
R1#ping 2001:3::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/88/136 ms
R1#show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
D 2001:3::/64 [90/332800]
via FE80::C001:2FF:FE88:0, FastEthernet0/0
C 2001:12::/64 [0/0]
via ::, FastEthernet0/0
L 2001:12::1/128 [0/0]
via ::, FastEthernet0/0
D 2001:23::/64 [90/307200]
via FE80::C001:2FF:FE88:0, FastEthernet0/0
L FF00::/8 [0/0]
via ::, Null0

C:\Users\abeer>ping 2001:12::1
Pinging 2001:12::1 with 32 bytes of data:
Reply from 2001:12::1: time=117ms
Reply from 2001:12::1: time=93ms
Reply from 2001:12::1: time=78ms
Reply from 2001:12::1: time=78ms

3- R2(config)#ipv6 access-list R1_TO_R2


R2(config-ipv6-acl)#permit tcp host 2001:12::1 host 2001:12::2 eq 23
R2(config-ipv6-acl)#line vty 0 4
R2(config-line)#password 123
R2(config-line)#login
R2(config-line)#ipv6 access-class R1_TO_R2 in

To Test:
R1#2001:12::2
Trying 2001:12::2 ... Open

R3#2001:23::2
Trying 2001:23::2 ...
% Connection refused by remote host

R3#2001:12::2
Trying 2001:12::2 ...
% Connection refused by remote host

To Verify:
R2#show access-list
IPv6 access list R1_TO_R2
permit tcp host 2001:12::1 host 2001:12::2 eq telnet (2 matches) sequence 10

Hint1)
If we want to configure the ACL under the interface, we will use the command:
R2(config-if)#ipv6 traffic-filter R1_TO_R2

Hint2)
Standard ACL must be configured nearest to the destination. Extended ACL should
be configured nearest to the source.

Hint3)
Only one ACL can be applied at the interface level at a direction.

Best Wishes
Abeer 

You might also like