Uploaded by

Muhammad Basim

Lab 6: Configuring Access Control Lists (ACLs)

Lab Title: Access Control Lists in Packet Tracer

Total Marks = 10
Objectives of this Lab:

The goal of this lab is to become familiar with the configuration of Access Control Lists (ACLs)
in Packet Tracer.

Instructions:

• Read carefully before starting the lab.

• These exercises are to be done individually.

• You are supposed to provide the answers to the questions listed at the end of this document
and upload the completed report to the Moodle.

• Avoid plagiarism: do not copy from the Internet or from your peers. Your submitted work
should be written by yourself.

• Deadline for submission on Moodle is by 5pm Friday 22nd May, 2020. You must submit a
word document that provides answers to the questions given at the end.

• This lab carries a 2.5% weighting.

Access control lists:

In order to filter network traffic, ACLs control whether routed packets are forwarded or blocked
at the router interface. Your router examines each packet in order to determine whether to
forward or drop the packet based on the criteria that you specify within the ACL.

ACL criteria include:

• Source address of the traffic
• Destination address of the traffic
• Upper-layer protocol

Complete these steps in order to construct an ACL as the examples in this document show:
1. Create an ACL.
2. Apply the ACL to an interface.

An IP ACL is a sequential list of permit and deny conditions that apply to an IP packet.
The router tests each packet against the conditions in the ACL one at a time, in order.
The first match determines whether the Cisco IOS Software accepts or rejects the packet.
Because the Cisco IOS Software stops testing conditions after the first match, the order of the
conditions is critical. If no condition matches, the router rejects the packet, because every
ACL ends with an implicit deny-all clause.

Types of ACL:
There are two main types of access list:

1. Standard Access-list – These ACLs match on the source IP address only. They permit or
deny the entire protocol suite and do not distinguish between kinds of IP traffic such as TCP,
UDP or HTTP. Numbers 1-99 or 1300-1999 tell the router that the list is a standard ACL and
that the specified address is a source IP address.

2. Extended Access-list – These ACLs use both the source and the destination IP address. In
this type of ACL we can also specify which IP traffic (for example TCP or UDP) should be
permitted or denied. They use the ranges 100-199 and 2000-2699.

Advantages of ACL:

• Improves network performance.

• Provides security: the administrator can configure the access list according to the needs
of the network and deny unwanted packets from entering it.

• Provides control over the traffic, since it can permit or deny according to the needs of the
network.

Important ACL configuration commands:

1. access-list command

A standard ACL provides the ability to match traffic based on the source address of the traffic
only. This is, of course, rather limiting, but in many situations it is all that is required. The
command syntax of a standard ACL is as follows:

router(config)#access-list access-list-number {permit | deny} {source [source-wildcard] | host hostname | any}

2. ip access-group command

To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, we use the ip
access-group command. To remove an IPv4 ACL from an interface, we use the no form of this
command.

ip access-group access-list-number {in | out}
no ip access-group access-list-number {in | out}

Syntax Description

access-list-number   Access-list number
in                   Specifies that the ACL applies to inbound traffic.
out                  Specifies that the ACL applies to outbound traffic.



Today’s Lab:

In this lab, we will learn how to configure ACLs on the router.

Create the network topology below in Packet Tracer and follow the steps below to configure
the static routes for the remote networks.

1. Assign the IP addresses (provided in the topology diagram) to all the end hosts with the
subnet mask of 255.255.255.0. Also configure the default gateways accordingly.

2. Configure the IP addresses on the router interfaces.

Following are the commands to configure Student_Router1:

Student_Router1(config)#int Gig0/0
Student_Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Student_Router1(config-if)#no shutdown
Student_Router1(config-if)#exit
Student_Router1(config)#int Gig0/1
Student_Router1(config-if)#ip address 192.168.10.1 255.255.255.0
Student_Router1(config-if)#no shutdown
Student_Router1(config-if)#exit

Following are the commands to configure Student_Router2:

Student_Router2(config)#int Gig0/0
Student_Router2(config-if)#ip address 192.168.10.2 255.255.255.0
Student_Router2(config-if)#no shutdown
Student_Router2(config-if)#exit
Student_Router2(config)#int Gig0/1
Student_Router2(config-if)#ip address 192.168.20.1 255.255.255.0
Student_Router2(config-if)#no shutdown
Student_Router2(config-if)#exit

Now, we will configure the routers with the static routing command.

3. Configure a Static Route Using a Next-Hop Address.

Following are the commands to configure the static route on Student_Router1:

Student_Router1>enable
Student_Router1#config terminal
Student_Router1(config)#ip route 192.168.20.0 255.255.255.0 192.168.10.2

Following are the commands to configure the static route on Student_Router2:

Student_Router2>enable
Student_Router2#config terminal
Student_Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.10.1

4. Configure the standard access list.

Student_Router1(config)#access-list 1 deny 192.168.20.4 0.0.0.0
Student_Router1(config)#access-list 1 permit any

In the wildcard entry we use “0.0.0.0” because we only want to block that particular host: a
wildcard of 0.0.0.0 means every bit of the address must match, which is the same as writing
“host 192.168.20.4”. This entry denies any communication from the source IP address
“192.168.20.4”. In the next command, the parameter “any” permits communication from all
other hosts.

Note: The order of statements is critical to the operation of an ACL. If the order of the two
entries above is reversed, the “permit any” entry matches every packet first and the ACL will
fail to block host 192.168.20.4.

5. Apply the standard access list to the interface.

Student_Router1(config)#int gig0/0
Student_Router1(config-if)#ip access-group 1 out
Student_Router1(config-if)#exit

In the command, we specify “out”, which corresponds to outbound traffic (any traffic leaving
the router through that interface).

This applies the access list to interface GigabitEthernet 0/0. Now “192.168.20.4” will not be
able to send traffic out of Student_Router1’s interface Gig0/0, i.e. into the corresponding
network “192.168.1.0”, so it can reach neither 192.168.1.2 nor 192.168.1.3.

6. See the configured access list of the router.

“show access-lists” is the command to see the configured access list of the router.

7. Add another host to deny in the existing ACL.

If we want to deny a new host AdminPC2 with IP address “192.168.20.3”, we have to do the
following configuration. New entries are appended to the end of a numbered ACL, so a deny
added after “permit any” would never be reached. First, we therefore have to delete the
“permit any” entry with the following command.

Student_Router1(config)#no access-list 1 permit any

Then we re-enter the complete list in the required order, with the new deny entry before
“permit any”:

Student_Router1(config)#access-list 1 deny 192.168.20.4 0.0.0.0
Student_Router1(config)#access-list 1 deny 192.168.20.3 0.0.0.0
Student_Router1(config)#access-list 1 permit any
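The following Python script is an added example, not part of the lab handout or of Cisco IOS, that models how a standard numbered ACL evaluates a source address: wildcard matching, first match wins, the implicit deny at the end, and the fact that "no access-list 1 ..." on a numbered ACL removes the whole list (which is why step 7 re-enters every entry). It replays steps 4 and 7 and also the two mistakes the text warns about: entering the entries in reverse order, and appending the new deny after "permit any". The Router and Entry classes and all function names are invented for this demo, and 192.168.20.2 is a constructed address standing in for a host on the 192.168.20.0 network that the lab does not name.

```python
# Added example: model of Cisco IOS standard numbered ACL evaluation.
# Router, Entry, acl_type, parse_source and lab_scenario are names invented here.
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    address: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask; a 1 bit means "don't care"


def acl_type(number: int) -> str:
    """Classify a numbered ACL by its number range, as the handout describes."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a valid IPv4 access-list number")


def parse_source(tokens: list) -> tuple:
    """Parse the source of a standard ACL line: any | host A.B.C.D | A.B.C.D [wildcard]."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF                       # every bit is "don't care"
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    address = int(ipaddress.IPv4Address(tokens[0]))
    # A missing wildcard defaults to 0.0.0.0, i.e. match this one host exactly
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return address, wildcard


class Router:
    """Holds numbered standard ACLs and evaluates them the way IOS does."""

    def __init__(self) -> None:
        self.acls = {}   # access-list number -> list of Entry, in configured order

    def configure(self, line: str) -> None:
        """Accept one global-config line: [no] access-list N {permit|deny} SOURCE."""
        tokens = line.split()
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[0] != "access-list":
            raise ValueError(f"unsupported command: {line}")
        number = int(tokens[1])
        if acl_type(number) != "standard":
            raise ValueError("this demo models standard ACLs only")
        if negate:
            # On IOS, "no access-list N ..." on a numbered ACL deletes the whole
            # list, not a single entry; that is why step 7 re-enters every line.
            self.acls.pop(number, None)
            return
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        address, wildcard = parse_source(tokens[3:])
        self.acls.setdefault(number, []).append(Entry(action, address, wildcard))  # appended at the end

    def evaluate(self, number: int, source_ip: str) -> str:
        """Return 'permit' or 'deny' for a packet with this source address."""
        src = int(ipaddress.IPv4Address(source_ip))
        entries = self.acls.get(number)
        if entries is None:
            return "permit"   # an access-group naming a non-existent ACL passes all traffic
        for entry in entries:
            care = ~entry.wildcard & 0xFFFFFFFF    # bits that must match
            if (src & care) == (entry.address & care):
                return entry.action                # first match wins; testing stops here
        return "deny"                              # implicit deny-all at the end of every ACL

    def show_access_list(self, number: int) -> list:
        """Simplified rendering in the spirit of 'show access-lists'."""
        lines = []
        for e in self.acls.get(number, []):
            if e.wildcard == 0xFFFFFFFF:
                lines.append(f"{e.action} any")
            elif e.wildcard == 0:
                lines.append(f"{e.action} host {ipaddress.IPv4Address(e.address)}")
            else:
                lines.append(f"{e.action} {ipaddress.IPv4Address(e.address)}, "
                             f"wildcard bits {ipaddress.IPv4Address(e.wildcard)}")
        return lines


# 192.168.20.4 and 192.168.20.3 are the hosts the lab denies; 192.168.20.2 is a
# constructed address for some other host on the 192.168.20.0/24 network.
HOSTS = ("192.168.20.4", "192.168.20.3", "192.168.20.2")


def lab_scenario() -> dict:
    """Replay steps 4 and 7 plus two ordering mistakes; return each host's verdict."""
    def verdicts(router: Router) -> dict:
        return {ip: router.evaluate(1, ip) for ip in HOSTS}

    results = {}
    r = Router()
    r.configure("access-list 1 deny 192.168.20.4 0.0.0.0")   # step 4
    r.configure("access-list 1 permit any")
    results["step4"] = verdicts(r)

    swapped = Router()                                        # mistake from the note: reversed order
    swapped.configure("access-list 1 permit any")
    swapped.configure("access-list 1 deny 192.168.20.4 0.0.0.0")
    results["reversed"] = verdicts(swapped)

    appended = Router()                                       # mistake: new deny after permit any
    appended.configure("access-list 1 deny 192.168.20.4 0.0.0.0")
    appended.configure("access-list 1 permit any")
    appended.configure("access-list 1 deny 192.168.20.3 0.0.0.0")
    results["append_after_permit_any"] = verdicts(appended)

    r.configure("no access-list 1 permit any")                # step 7: the whole list is removed...
    r.configure("access-list 1 deny 192.168.20.4 0.0.0.0")   # ...so re-enter everything in order
    r.configure("access-list 1 deny 192.168.20.3 0.0.0.0")
    r.configure("access-list 1 permit any")
    results["step7"] = verdicts(r)
    return results
```

Running lab_scenario() shows that only the step 4 and step 7 lists deny the intended hosts; the reversed list permits everything, and the deny appended after "permit any" is never reached, so 192.168.20.3 still gets through. The evaluate method returns the verdict of the ACL alone; whether a packet is actually tested depends on the interface and direction given to ip access-group, which this model does not cover.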

Answer the following Questions.

Question 1: Write the exact commands to configure an access-list to deny communication
from host 192.168.20.3 on Student_Router1. Set the enable password as your first
name and show the running configuration of the router. (Snapshot/s Required) [3
Marks]

Question 2: (Change the Student_Router1 hostname to your first name_Router1.) With
“show access-lists”, show the output of the given command on Student_Router1.
What is the use of this command? (Snapshot/s Required) [3 Marks]

Question 3: How will you ensure that AttackerPC1 is unable to access StudentPC1?
(Snapshot/s Required) [2 Marks]

Question 4: How will you ensure that StudentPC2 is still able to access StudentPC1?
(Snapshot/s Required) [2 Marks]
