
EXTENDED ACL LAB

Setting up a practice lab

Create a packet tracer lab as shown in the following image.

Configure IP addresses as shown in the above image, enable RIPv2 routing, and test connectivity between
sections. If all sections can reach each other, the lab is ready for practice.

The following image shows the connectivity tests performed from PC0.

Requirements
The Server section contains four servers: Server0, Server1, Server2, and Server3. They belong, respectively,
to the Sales, Marketing, Production, and Development sections. Currently, every section can access every
server. You need to create an access list that allows each section to access only its own server.

Currently, all sections can access each other. You need to create an access list that allows the Sales section to
access the Marketing section but does not allow it to access the Production and Development sections.

Understanding requirements
Our first requirement says every section must be able to access only its own server. It must not be able to access
the other sections' servers.

Since there are four sections, we need four access lists for this requirement. In each access list, we will create a
statement that allows a packet only if it has the allowed server's IP address in the destination address field.

After the permit statement, we will create a deny statement that blocks a packet if it has any other server's
IP address in the destination address field.

Every access list ends with an implicit deny statement that drops all unmatched traffic. Because of this default
behavior, we have to add an explicit permit statement for the traffic that should still be allowed through.

Our second requirement says the Sales section should be allowed to access only the Marketing section. It
should not be allowed to access the Development and Production sections.

To fulfill this requirement, we need two more statements in the ACL that filter the incoming traffic from the Sales
section. We will create the first statement to allow a packet if it has the Marketing section's IP address in the
destination address field. We will create the second statement to deny a packet if it has an IP address of other
sections in the destination address field.

For the above requirements, we will create four extended ACLs. The following image shows the location,
direction, and statements of these ACLs.

Creating extended ACLs

There are two commands for creating an extended access list: 'access-list' and 'ip access-list'.
In this tutorial, we will use the 'access-list' command. To filter traffic, the 'access-list' command
uses the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

In our example, we need four ACLs; two ACLs on Router0 and two ACLs on Router2. Let's create ACLs on
Router0. Access the command prompt of Router0 and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
Router(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
Router(config)#access-list 102 deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create two extended access lists: ACL 101 and ACL 102, and respectively apply them to
Gig0/0 and Gig0/1.

The ACL 101 contains four statements. The following table lists these statements and their meanings.

1. permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
   Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is the
   host 50.0.0.10.

2. deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
   Deny a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the
   network 50.0.0.0/8.

3. permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
   Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the
   network 20.0.0.0/8.

4. deny ip 10.0.0.0 0.255.255.255 any
   Deny a packet if its source address is from the network 10.0.0.0/8 and the destination address is from any
   network.

For every packet, ACL statements are checked from top to bottom in sequential order until a match is found. Once
a match is found, no further statements are checked for the packet. To learn how ACL statements are checked,
you can check the previous parts of this tutorial.

The ACL 102 contains three statements. The following table lists their meanings.

1. permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
   Allow a packet if its source address is from the network 20.0.0.0/8 and the destination address is the
   host 50.0.0.20.

2. deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
   Deny a packet if its source address is from the network 20.0.0.0/8 and the destination address is from the
   network 50.0.0.0/8.

3. permit ip 20.0.0.0 0.255.255.255 any
   Allow a packet if its source address is from the network 20.0.0.0/8 and the destination address is from any
   network.

The following image shows how to create and verify extended access lists on Router0.

We have created the ACLs on Router0. Now, let's create the ACLs on Router2. Access the command prompt of
Router2 and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 101 permit ip 30.0.0.0 0.255.255.255 host 50.0.0.30
Router(config)#access-list 101 deny ip 30.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip 30.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
Router(config)#access-list 102 permit ip 40.0.0.0 0.255.255.255 host 50.0.0.40
Router(config)#access-list 102 deny ip 40.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 102 permit ip 40.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/2
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create two extended access lists: ACL 101 and ACL 102, and respectively apply them to
Gig0/0 and Gig0/2.

The ACL 101 contains three statements. The following table lists these statements and their meanings.

1. permit ip 30.0.0.0 0.255.255.255 host 50.0.0.30
   Allow a packet if its source address is from the network 30.0.0.0/8 and the destination address is the
   host 50.0.0.30.

2. deny ip 30.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
   Deny a packet if its source address is from the network 30.0.0.0/8 and the destination address is from the
   network 50.0.0.0/8.

3. permit ip 30.0.0.0 0.255.255.255 any
   Allow a packet if its source address is from the network 30.0.0.0/8 and the destination address is from any
   network.

The ACL 102 contains three statements. The following table lists these statements and their meanings.

1. permit ip 40.0.0.0 0.255.255.255 host 50.0.0.40
   Allow a packet if its source address is from the network 40.0.0.0/8 and the destination address is the
   host 50.0.0.40.

2. deny ip 40.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
   Deny a packet if its source address is from the network 40.0.0.0/8 and the destination address is from the
   network 50.0.0.0/8.

3. permit ip 40.0.0.0 0.255.255.255 any
   Allow a packet if its source address is from the network 40.0.0.0/8 and the destination address is from any
   network.

The following image shows how to create and verify extended access lists on Router2.

Verifying/testing ACL implementation

To verify the ACL implementation, you can test connectivity between sections again. To test connectivity, you
can use the ping command. The following image shows the testing from PC0 of the Sales section.
As you can see in the above image:

PC0 can access the Sales section's server, but it can't access the Marketing section's server. It verifies that the
ACL is allowing a device to access only its assigned server.

PC0 can access the Marketing section, but it can't access the Production section and Development section. It
verifies that the ACL is allowing the Sales section to access the Marketing section, but it is not allowing the Sales
section to access the Production section and Development section.

The following image shows the testing from Laptop0 of the Production section.

As you can see in the above image:

Laptop0 can access the Production section's server, but it can't access the Marketing section's server. This
verifies the following requirement.

You need to create an access list that allows a section to access only its server.

Laptop0 can access the Marketing section and the Development section. This verifies that the ACL is not
blocking any allowed traffic.
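The ping tests above check the four ACLs one host at a time. The following Python model, added here as an example and not part of the original tutorial, reproduces the same checks offline: it implements Cisco wildcard-mask matching and the top-to-bottom, first-match-wins evaluation with the implicit deny described earlier, loads the four ACLs exactly as configured on Router0 and Router2, and computes the connectivity matrix that the ping tests from PC0 and Laptop0 verify. It also shows what happens when the first two statements of ACL 101 are swapped, which is the kind of ordering mistake worth catching before an ACL goes into production. The host addresses for PC0 (10.0.0.2) and Laptop0 (30.0.0.2), the assumption that each router interface carries only its own section's network, and all function names are constructed for this example.

```python
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: a 0 bit means "must match", a 1 bit means "don't care".
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_target(tokens, i):
    # One of "host A.B.C.D", "any", or "A.B.C.D W.X.Y.Z"; returns (base, wildcard, next index).
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> dict:
    # Parses the statement form used in the lab: access-list <num> permit|deny ip <source> <destination>
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported statement: {line}")
    src, src_wc, i = _parse_target(t, 4)
    dst, dst_wc, i = _parse_target(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in statement: {line}")
    return {"action": t[2], "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def evaluate(acl, src_ip: str, dst_ip: str):
    # Statements are checked top to bottom; the first match decides and checking stops.
    # If nothing matches, the implicit deny at the end of every ACL drops the packet (index None).
    for idx, ace in enumerate(acl):
        if wildcard_match(src_ip, ace["src"], ace["src_wc"]) and wildcard_match(dst_ip, ace["dst"], ace["dst_wc"]):
            return ace["action"], idx
    return "deny", None


def load_acl(*statements):
    return [parse_ace(s) for s in statements]


# The four ACLs as configured in the lab (Router0: 101 on Gig0/0, 102 on Gig0/1; Router2: 101 on Gig0/0,
# 102 on Gig0/2), each applied inbound on the interface facing a section.
ROUTER0_ACL_101 = load_acl(
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255",
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
)
ROUTER0_ACL_102 = load_acl(
    "access-list 102 permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20",
    "access-list 102 deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255",
    "access-list 102 permit ip 20.0.0.0 0.255.255.255 any",
)
ROUTER2_ACL_101 = load_acl(
    "access-list 101 permit ip 30.0.0.0 0.255.255.255 host 50.0.0.30",
    "access-list 101 deny ip 30.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255",
    "access-list 101 permit ip 30.0.0.0 0.255.255.255 any",
)
ROUTER2_ACL_102 = load_acl(
    "access-list 102 permit ip 40.0.0.0 0.255.255.255 host 50.0.0.40",
    "access-list 102 deny ip 40.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255",
    "access-list 102 permit ip 40.0.0.0 0.255.255.255 any",
)

# Assumption (implied by the lab topology): each section's interface carries only that section's network,
# so the inbound ACL a packet meets is selected by its source network's first octet.
INGRESS_ACL = {"10": ROUTER0_ACL_101, "20": ROUTER0_ACL_102, "30": ROUTER2_ACL_101, "40": ROUTER2_ACL_102}

# Constructed misconfiguration: the deny-all-servers statement placed before the permit-own-server statement.
MISORDERED_101 = [ROUTER0_ACL_101[1], ROUTER0_ACL_101[0]] + ROUTER0_ACL_101[2:]


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    acl = INGRESS_ACL.get(src_ip.split(".")[0])
    if acl is None:
        raise ValueError(f"no ingress ACL modelled for source {src_ip}")
    return evaluate(acl, src_ip, dst_ip)[0] == "permit"


def connectivity_matrix(src_ip: str, targets):
    # The same check the lab performs with ping: {destination: reachable?}
    return {dst: is_allowed(src_ip, dst) for dst in targets}


if __name__ == "__main__":
    # PC0 in Sales and Laptop0 in Production; addresses are constructed for this example.
    print("PC0:", connectivity_matrix("10.0.0.2", ["50.0.0.10", "50.0.0.20", "20.0.0.2", "30.0.0.2", "40.0.0.2"]))
    print("Laptop0:", connectivity_matrix("30.0.0.2", ["50.0.0.30", "50.0.0.20", "20.0.0.2", "40.0.0.2"]))
    print("Misordered ACL 101, PC0 to its own server:", evaluate(MISORDERED_101, "10.0.0.2", "50.0.0.10"))
```

Run it as a script to see both connectivity matrices. The misordered list returns ("deny", 0) for PC0 reaching its own server: the broader deny statement matches first and the permit below it is never consulted, which is why the permit for the section's own server has to precede the deny for the server network.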
