26.1.2
Topology
Addressing Table
Device   Interface   IP Address     Subnet Mask      Default Gateway
R1       S0/1/0      192.168.13.1   255.255.255.252  N/A
R1       G0/0/1      192.168.1.1    255.255.255.0    N/A
R3       S0/1/0      192.168.13.2   255.255.255.252  N/A
R3       G0/0/1      192.168.2.1    255.255.255.0    N/A
R3       Loopback0   192.168.3.1    255.255.255.0    N/A
D1       VLAN 1      192.168.1.2    255.255.255.0    N/A
D2       VLAN 1      192.168.2.2    255.255.255.0    N/A
A1       VLAN 1      192.168.2.3    255.255.255.0    N/A
PC1      NIC         192.168.1.10   255.255.255.0    192.168.1.1
PC2      NIC         192.168.2.10   255.255.255.0    192.168.2.1
Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Verify Initial Connectivity
Part 3: Implement Standard ACLs on R3
Part 4: Implement a Named Extended ACL from Area 1 to Area 2
Part 5: Implement a Named Extended ACL from Area 2 to Area 1
Part 6: Implement a Port ACL on D2
Part 7: Implement a VLAN ACL on D2
Background / Scenario
Access control lists (ACLs) are sequential lists of individual access control entries (ACEs) that permit or deny packets based on predefined
conditional matching statements. Matching starts at the top of the ACL with the lowest sequence number and proceeds down the list (higher
sequence numbers) until a matching ACE is found. When a match is found, the configured action (permit or deny) is applied and processing
stops; later ACEs are never consulted, so the order of the entries matters as much as their contents. At the end of every ACL is an implicit
deny "any" ACE, which denies all packets that did not match a prior ACE.
ACLs are also used for packet classification with quality of service (QoS), Network Address Translation (NAT), and numerous other services.
In this lab, you will configure three different types of ACLs. The most common is the router ACL (RACL), an IP-based ACL applied to a routed
interface in the inbound or outbound direction. A VLAN ACL (VACL) filters traffic entering and leaving a VLAN, including traffic bridged between
ports in the same VLAN, and can match on MAC addresses, IP addresses, and port numbers. A port ACL (PACL) is applied to an individual Layer 2
switch port and filters the traffic entering that port.
The focus of this lab is using IPv4 ACLs for packet filtering.
Note: This lab is an exercise in configuring various types of access control lists and does not necessarily reflect network troubleshooting best
practices.
© 2020 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 7 www.netacad.com
Lab - Implement IPv4 ACLs
Router R1

hostname R1
username admin privilege 15 algorithm-type scrypt secret cisco123
line con 0
 logging synchronous
interface g0/0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Serial 0/1/0
 ip address 192.168.13.1 255.255.255.252
 no shutdown
router ospf 1
 router-id 0.0.0.1
 network 192.168.1.0 0.0.0.255 area 1
 network 192.168.13.0 0.0.0.3 area 0
line vty 0 4
 login local
 transport input telnet
end

Router R3

hostname R3
username admin privilege 15 algorithm-type scrypt secret cisco123
line con 0
 logging synchronous
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
interface g0/0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface Serial 0/1/0
 ip address 192.168.13.2 255.255.255.252
 no shutdown
router ospf 1
 router-id 0.0.0.3
 network 192.168.2.0 0.0.0.255 area 2
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.13.0 0.0.0.3 area 0
line vty 0 4
 login local
 transport input telnet
end
Switch D1

hostname D1
username admin privilege 15 algorithm-type scrypt secret cisco123
line con 0
 logging synchronous
interface range f0/1-24
 shutdown
interface range f0/11-23
 switchport mode access
 no shutdown
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
 no shut
ip default-gateway 192.168.1.1
line vty 0 15
 login local
 transport input telnet
end

Switch D2

hostname D2
username admin privilege 15 algorithm-type scrypt secret cisco123
line con 0
 logging synchronous
interface range f0/1-24
 shutdown
interface range f0/5, f0/11, f0/23
 switchport mode access
 no shutdown
interface vlan 1
 ip address 192.168.2.2 255.255.255.0
 no shut
ip default-gateway 192.168.2.1
line vty 0 15
 login local
 transport input telnet
end
Switch A1

hostname A1
username admin privilege 15 algorithm-type scrypt secret cisco123
ip http authentication local
ip domain name CCNP.ACL.LAB
spanning-tree mode rapid-pvst
line con 0
 logging synchronous
line vty 0 15
 login local
 transport input telnet ssh
interface range f0/1-24, g0/1-2
 shutdown
interface range f0/3, f0/23
 switchport mode access
 no shutdown
interface vlan 1
 ip address 192.168.2.3 255.255.255.0
 no shut
ip default-gateway 192.168.2.1
crypto key generate rsa modulus 1024
end
Step 5: Apply the named standard ACL to the correct interface and in the correct direction.
Use the access-class command to apply the MGMT-TRAFFIC ACL inbound on all vty lines of R3. Because access-class is attached to the vty lines
rather than to an interface, it governs Telnet sessions to any of R3's addresses, not only Loopback0. Outbound Telnet connections initiated
from R3 are not affected.
R3(config)# line vty 0 4
R3(config-line)# access-class MGMT-TRAFFIC in
Step 6: Verify that the named standard ACL is working properly.
a. Test the ACL by initiating a Telnet session from PC1 to the Loopback address (192.168.3.1) on R3. The results should be successful.
Repeat the test from PC2. Telnet connectivity from PC2 should be denied.
b. On R3, you should see the console messages shown below. The first message shows a login success and the second message shows
a denial.
R3#
*Feb 28 20:36:29.495: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.10] [localport: 23] at 20:36:29 UTC Fri Feb 28 2020
*Feb 28 20:37:10.647: %SEC-6-IPACCESSLOGS: list MGMT-TRAFFIC denied 192.168.2.10 1 packet
c. Issue the show access-lists command on R3 to view the packet "matches" counter for each ACE.
R3# show access-lists
Standard IP access list MGMT-TRAFFIC
10 permit 192.168.1.10 (2 matches)
20 deny any log (3 matches)
Note: During testing, the first packet in a flow triggers a syslog message; later matches in the same flow are reported in periodic summary
messages rather than one message per packet. Enabling logging with the log option on the deny any statement provides insight into how much
traffic is being denied and where it comes from. Unfortunately, ACL logging can be CPU-intensive and can negatively affect other functions
of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets
that match log-enabled access control entries (ACEs), and the generation and transmission of log messages. Care should be taken when using
the log option in a production network; the ip access-list logging interval and ip access-list log-update threshold commands limit how often
log messages are generated, and the messages should be sent to a syslog server rather than left on the console.
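The deny-log messages are only useful if something consumes them. The following is an added example, not part of the Cisco lab, that parses the %SEC-6-IPACCESSLOGS message shown above and the IPACCESSLOGP message IOS emits for extended ACLs, and sums the denied-packet counts per ACL and source so that a repeat offender can be alerted on. The log lines are constructed for the example; the regular expressions, the threshold of 10 packets and the function names are the example's own choices.

```python
# Added example, not from the Cisco lab: tally ACL deny messages from an IOS syslog feed.
# SAMPLE_LOG is constructed; line 1 copies the IPACCESSLOGS format shown in the lab, the
# extended-ACL lines follow the IPACCESSLOGP format IOS uses when port information is present.
import re
from collections import defaultdict

# standard ACL: "list <name> <action> <src> <n> packet(s)"
STD_RE = re.compile(r"%SEC-6-IPACCESSLOGS: list (\S+) (permitted|denied) (\S+) (\d+) packets?")
# extended ACL: "list <name> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
EXT_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
                    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")

SAMPLE_LOG = """\
*Feb 28 20:37:10.647: %SEC-6-IPACCESSLOGS: list MGMT-TRAFFIC denied 192.168.2.10 1 packet
*Feb 28 20:42:10.650: %SEC-6-IPACCESSLOGS: list MGMT-TRAFFIC denied 192.168.2.10 14 packets
*Feb 28 20:43:02.101: %SEC-6-IPACCESSLOGP: list AREA2_TO_AREA1 denied tcp 192.168.2.10(51002) -> 192.168.1.10(23), 1 packet
*Feb 28 20:48:02.105: %SEC-6-IPACCESSLOGP: list AREA2_TO_AREA1 denied tcp 192.168.2.10(51002) -> 192.168.1.10(23), 40 packets
*Feb 28 20:49:11.312: %SEC-6-IPACCESSLOGP: list AREA2_TO_AREA1 denied tcp 192.168.2.3(51100) -> 192.168.1.10(22), 1 packet
*Feb 28 20:50:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)
"""


def parse_line(line: str):
    """Return a dict for an ACL log message, or None for any other syslog line."""
    m = STD_RE.search(line)
    if m:
        acl, action, src, n = m.groups()
        return {"acl": acl, "action": action, "src": src, "dst": None,
                "proto": None, "dport": None, "packets": int(n)}
    m = EXT_RE.search(line)
    if m:
        acl, action, proto, src, _sport, dst, dport, n = m.groups()
        return {"acl": acl, "action": action, "src": src, "dst": dst,
                "proto": proto, "dport": int(dport), "packets": int(n)}
    return None


def tally_denies(log_text: str) -> dict:
    """Sum denied packets per (acl, source). IOS logs the first packet and then periodic
    summaries, so the packet counts, not the number of lines, measure the traffic."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["packets"]
    return dict(totals)


def noisy_sources(log_text: str, threshold: int = 10) -> list:
    """(acl, source) pairs whose denied-packet total reaches the threshold, busiest first."""
    totals = tally_denies(log_text)
    return sorted((k for k, v in totals.items() if v >= threshold), key=lambda k: -totals[k])


if __name__ == "__main__":
    for key, count in tally_denies(SAMPLE_LOG).items():
        print(key, count)
    print(noisy_sources(SAMPLE_LOG))
```

Summing the packet counts rather than counting lines matters because of the rate limiting described in the note: one summary line can stand for hundreds of denied packets.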
Step 2: Verify that the AREA2_TO_AREA1 named extended ACL is working properly.
a. Repeat the tests from Part 4, Step 4. The return traffic permitted in the ACL AREA2_TO_AREA1 should be successful.
b. Issue the show access-lists AREA2_TO_AREA1 command on R1 to see the matches for the return traffic from area 2.
R1# show access-lists AREA2_TO_AREA1
Extended IP access list AREA2_TO_AREA1
10 permit icmp 192.168.2.0 0.0.0.255 host 192.168.1.10 echo-reply (4 matches)
20 permit tcp host 192.168.2.2 eq telnet host 192.168.1.10 established (36 matches)
30 permit tcp host 192.168.2.3 eq 22 192.168.1.0 0.0.0.255 established (23 matches)
40 permit tcp host 192.168.2.3 eq www host 192.168.1.10 established (13 matches)
50 permit tcp host 192.168.2.3 eq 443 host 192.168.1.10 established (26 matches)
60 deny ip any any log
Note: The established option allows only TCP responses to connections that originated in area 1 (192.168.1.0/24) to return. A match occurs
when the returning TCP segment has either the ACK or reset (RST) bit set; a new connection attempt from area 2, which carries only SYN, does
not match. The router keeps no connection table, so any segment with ACK set matches whether or not a connection exists. That is why these
ACEs also pin the source address and source port (eq telnet, 22, www, 443) of the return traffic: replies are accepted only from the expected
services on D2 and A1. A host in area 2 that can spoof those addresses and ports can still pass ACK-flagged segments, so established is a
convenience for stateless filtering, not a substitute for a stateful firewall where real connection tracking is required.
c. To verify that both ACLs are applied to the G0/0/1 interface on R1, issue the following filtered show ip interface command.
R1# show ip interface g0/0/1 | s AREA
Outgoing access list is AREA2_TO_AREA1
Inbound access list is AREA1_TO_AREA2
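To make the matching rules from the Background (first match by sequence number, wildcard masks, implicit deny) and the established caveat above concrete, here is an added example that is not part of the Cisco lab: a small Python model of IOS ACL evaluation, loaded with the MGMT-TRAFFIC and AREA2_TO_AREA1 entries exactly as show access-lists lists them in this lab. The Packet and ACE classes, the function names and every packet fed to the model are the example's own constructions; the model covers only the fields these two ACLs use.

```python
# Added example, not part of the Cisco lab: a minimal model of how IOS evaluates an
# IPv4 ACL (sequential first match by sequence number, wildcard masks, implicit deny
# and the `established` keyword), run against the two ACLs listed in this lab.
# Every packet below is constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS `any`

def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")             # IOS `host a.b.c.d`

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                    # "ip", "icmp" or "tcp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()       # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""                  # "echo" or "echo-reply"

@dataclass
class ACE:
    seq: int
    action: str                          # "permit" or "deny"
    proto: str = "ip"
    src: Tuple[str, str] = ANY           # (address, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Optional[int] = None          # `eq` on the source port
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None
    log: bool = False
    matches: int = 0                     # the "(n matches)" counter of show access-lists

def wildcard_match(addr: str, rule: Tuple[str, str]) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(rule[1]))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(rule[0])) & care

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    # `established` only tests the ACK or RST bit; the router keeps no connection table
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt: Packet):
    """(action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None

# The two ACLs exactly as `show access-lists` lists them in this lab
MGMT_TRAFFIC = [ACE(10, "permit", src=host("192.168.1.10")), ACE(20, "deny", log=True)]
AREA2_TO_AREA1 = [
    ACE(10, "permit", "icmp", ("192.168.2.0", "0.0.0.255"), host("192.168.1.10"), icmp_type="echo-reply"),
    ACE(20, "permit", "tcp", host("192.168.2.2"), host("192.168.1.10"), sport=23, established=True),
    ACE(30, "permit", "tcp", host("192.168.2.3"), ("192.168.1.0", "0.0.0.255"), sport=22, established=True),
    ACE(40, "permit", "tcp", host("192.168.2.3"), host("192.168.1.10"), sport=80, established=True),
    ACE(50, "permit", "tcp", host("192.168.2.3"), host("192.168.1.10"), sport=443, established=True),
    ACE(60, "deny", log=True),
]

def vty_check(src: str) -> str:
    """`access-class MGMT-TRAFFIC in`: a standard ACL, so only the source address counts."""
    return evaluate(MGMT_TRAFFIC, Packet(src, "192.168.3.1", "tcp", 50000, 23, frozenset({"SYN"})))[0]

def demo() -> dict:
    for ace in MGMT_TRAFFIC + AREA2_TO_AREA1:
        ace.matches = 0
    ack, syn = frozenset({"ACK"}), frozenset({"SYN"})
    pc1, pc2, d2 = "192.168.1.10", "192.168.2.10", "192.168.2.2"
    return {
        "pc1_telnet_to_r3": vty_check(pc1),
        "pc2_telnet_to_r3": vty_check(pc2),
        # D2's Telnet server answering PC1: source port 23, ACK set
        "d2_telnet_reply": evaluate(AREA2_TO_AREA1, Packet(d2, pc1, "tcp", 23, 51001, ack)),
        # a connection attempt originating in area 2 carries SYN only
        "d2_new_syn": evaluate(AREA2_TO_AREA1, Packet(d2, pc1, "tcp", 51002, 23, syn)),
        # PC2 setting ACK and source port 23 still fails the source-address check
        "pc2_crafted_ack": evaluate(AREA2_TO_AREA1, Packet(pc2, pc1, "tcp", 23, 51003, ack)),
        # ...but a spoofed D2 address plus source port 23 passes: `established` is not state
        "spoofed_d2_ack": evaluate(AREA2_TO_AREA1, Packet(d2, pc1, "tcp", 23, 51004, ack)),
        "echo_reply_to_pc1": evaluate(AREA2_TO_AREA1, Packet(pc2, pc1, "icmp", icmp_type="echo-reply")),
        "echo_request_from_pc2": evaluate(AREA2_TO_AREA1, Packet(pc2, pc1, "icmp", icmp_type="echo")),
        "mgmt_matches": {a.seq: a.matches for a in MGMT_TRAFFIC},
    }
```

The denied packets in demo() hit sequence 60, the explicit deny ip any any log, rather than the implicit deny, which is why the lab's deny entries carry counters and produce syslog messages while an implicit deny is silent. The spoofed_d2_ack case is the limitation of established made visible: the ACE cannot tell a forged ACK from a genuine reply.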