Friday, March 18, 2016

Lab 3-3: Using ACLs to filter IP based traffic

Previous Lab | Exercises | Next Lab



Lab pre-requisites:

Lab 2-1 Packet Tracer Topology Download.

Topology Diagram


This is a continuation of the previous lab on basic security.
  
Task 1: Configuring an ACL (Access Control List).


In this exercise the following assumptions are made:

PC1 (IP Address: 10.1.1.100/24) is allowed to access Server (172.16.1.100) using any protocol.

PC2 (IP Address: 10.1.1.101/24) CANNOT telnet to Server (172.16.1.100). All other traffic from PC2 is allowed.

There are a few ways of constructing an ACL that meets these requirements. Here is one of them (the deny statement must come before the 'permit ip any any', because the router stops at the first matching statement):

Step 1
Configure ACL statements:



Branch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Branch(config)#access-list 100 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet

Branch(config)#access-list 100 permit ip any any

Branch(config)#

Step 2
Apply the ACL inbound on the Fa0/0 interface (the interface on which traffic from the 10.1.1.0/24 PCs enters the router), so that matching packets are dropped as they enter:

Branch(config)#int f0/0

Branch(config-if)#ip access-group 100 in

Branch(config-if)#end

Branch#show access-list 100
Extended IP access list 100
deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
permit ip any any
Branch#
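To make the two rules of Step 1 and Step 2 concrete, here is an added example (not part of the lab and not Packet Tracer or IOS code) that simulates how a router walks an extended ACL: top to bottom, first match wins, and an invisible 'deny any' sits at the end. The parser only understands the statement forms used in this lab plus wildcard masks; the Packet class and the sample traffic from PC1, PC2 and Server are constructed for the simulation.

```python
"""IOS-style extended ACL evaluator.

Added example, not part of the lab: it models how a Cisco router walks an
extended ACL top to bottom, stops at the first matching statement, and
applies the implicit 'deny any' when nothing matches. The parser covers
only the syntax used in this lab plus wildcard masks:
    access-list <n> {permit|deny} {ip|tcp|udp|icmp} <src> <dst> [eq <port>]
with <src>/<dst> being 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
The Packet class and the sample traffic below are assumptions of the simulation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Well-known port names IOS accepts after 'eq' (subset)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    src_net: int
    src_wild: int         # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]  # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> ...' statement (the list number is ignored)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src_net, src_wild, i = _parse_addr(tokens, 2)
    dst_net, dst_wild, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = int(name) if name.isdigit() else PORT_NAMES[name]
    return Entry(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _addr_match(addr: str, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF   # bits the statement actually compares
    return (int(IPv4Address(addr)) & care) == (net & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement); index None = implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, e.src_net, e.src_wild):
            continue
        if not _addr_match(pkt.dst, e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None   # every IOS ACL ends with an invisible 'deny any'


# The two statements from Step 1, in the order they were entered
LAB_ACL = [parse_entry(s) for s in (
    "access-list 100 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet",
    "access-list 100 permit ip any any",
)]

# The same statements entered in the wrong order: the deny is never reached
REVERSED_ACL = [LAB_ACL[1], LAB_ACL[0]]

# Constructed test traffic from PC1 (10.1.1.100) and PC2 (10.1.1.101) to Server
PC2_TELNET = Packet("tcp", "10.1.1.101", "172.16.1.100", 23)
PC2_HTTP = Packet("tcp", "10.1.1.101", "172.16.1.100", 80)
PC2_SSH = Packet("tcp", "10.1.1.101", "172.16.1.100", 22)
PC1_TELNET = Packet("tcp", "10.1.1.100", "172.16.1.100", 23)
PC2_PING = Packet("icmp", "10.1.1.101", "172.16.1.100")


if __name__ == "__main__":
    for label, pkt in [("PC2 telnet", PC2_TELNET), ("PC2 http", PC2_HTTP),
                       ("PC2 ssh", PC2_SSH), ("PC1 telnet", PC1_TELNET),
                       ("PC2 ping", PC2_PING)]:
        print(f"{label:11s} lab order: {evaluate(LAB_ACL, pkt)}  "
              f"reversed: {evaluate(REVERSED_ACL, pkt)}")
```

Two things the simulation makes visible that the CLI transcript does not. First, with 'permit ip any any' entered first, PC2's telnet session matches statement 0 and the deny becomes dead code, which is why order matters and why the lab enters the deny first. Second, the ACL only denies TCP port 23: PC2 can still reach the same server over SSH (port 22), HTTP or ping, so "block telnet" here is not "block remote logins"; and an ACL consisting of the deny statement alone would drop all of PC1's traffic as well because of the implicit deny.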

Notice
Packet Tracer does not show sequence numbers next to the ACL statements (on real equipment they are present in the 'show access-lists' output and can be used to remove or insert individual statements using the named ACL syntax).

Notice
Packet Tracer does not have the 'show ip interface f0/0' command implemented properly. On real equipment this command displays whether an inbound and/or outbound ACL is applied to the interface (the 'Inbound access list is ...' and 'Outgoing access list is ...' lines).
  
Notice
Packet Tracer is somewhat limited here. We cannot enable the HTTP server ('ip http server') on the HQ router in order to properly test the ACL.


Also, 'named' ACLs are not working in the version of Packet Tracer I am using. This does not allow me to show you how to re-sequence statements, remove statements, and squeeze statements in between other ones.
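For reference on real IOS, here is the same policy written as a named extended ACL, as an added example that is not from the lab (the ACL name BLOCK_PC2_TELNET and the extra SSH statement are assumptions chosen for illustration). It shows the three operations Packet Tracer cannot demonstrate: inserting a statement between existing ones by sequence number, removing a single statement, and renumbering the list.

```cisco
! Added example (not from the lab): the Step 1 policy as a named extended ACL.
! Sequence numbers are shown and can be chosen explicitly.
Branch(config)#ip access-list extended BLOCK_PC2_TELNET
Branch(config-ext-nacl)#10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
Branch(config-ext-nacl)#20 permit ip any any
Branch(config-ext-nacl)#exit
!
! Squeeze a statement between 10 and 20 (hypothetical: also deny SSH from PC2)
Branch(config)#ip access-list extended BLOCK_PC2_TELNET
Branch(config-ext-nacl)#15 deny tcp host 10.1.1.101 host 172.16.1.100 eq 22
!
! Remove only that one statement by its sequence number
Branch(config-ext-nacl)#no 15
Branch(config-ext-nacl)#exit
!
! Renumber the remaining statements starting at 100 in steps of 10
Branch(config)#ip access-list resequence BLOCK_PC2_TELNET 100 10
!
! Replace ACL 100 on the interface with the named list (one inbound ACL per interface)
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip access-group BLOCK_PC2_TELNET in
Branch(config-if)#end
!
! Statements are listed with their sequence numbers and per-statement match counters
Branch#show access-lists BLOCK_PC2_TELNET
```

Note that an interface accepts only one ACL per direction, so applying the named list inbound on Fa0/0 replaces the 'ip access-group 100 in' from Step 2. The match counters in 'show access-lists' are the simplest verification on real hardware: after a telnet attempt from PC2 the deny statement's counter should increase.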

Verification:

Notice
I have tested the ACL using PC2 and telnet is NOT being blocked as expected. This proves that the version of Packet Tracer I use is NOT working properly.

 

