ACL LAB-
1. STEP 1- ASSIGN IP'S
R1-
conf t
int f0/0
ip add 10.11.11.1 255.255.255.0
no sh
int lo 1
ip add 1.1.1.1 255.255.255.255
int lo 2
ip add 1.1.1.2 255.255.255.255
int lo 3
ip add 1.1.1.3 255.255.255.255
int lo 4
ip add 1.1.1.4 255.255.255.255
ip route 0.0.0.0 0.0.0.0 f0/0
R2-
conf t
int f0/0
ip add 10.11.11.2 255.255.255.0
no sh
int f0/1
ip add 20.11.11.2 255.255.255.0
no sh
int f1/0
ip add 30.11.11.2 255.255.255.0
no sh
ip route 1.1.1.0 255.255.255.0 f0/0
ip route 0.0.0.0 0.0.0.0 f0/1
R3-
conf t
int f0/0
ip add 20.11.11.3 255.255.255.0
no sh
int lo 1
ip add 2.2.2.2 255.255.255.255
ip route 0.0.0.0 0.0.0.0 f0/0
R4-
conf t
int f1/0
ip add 30.11.11.4 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 f1/0
( ALL THE STATIC ROUTES ABOVE POINT AT AN ETHERNET INTERFACE INSTEAD OF A NEXT-HOP IP. THAT ONLY WORKS BECAUSE IOS HAS PROXY ARP ON BY DEFAULT; OUTSIDE THE LAB GIVE THE NEXT-HOP ADDRESS, e.g. ip route 0.0.0.0 0.0.0.0 10.11.11.2 )
2. STEP 2- STANDARD ACL ( TO STOP 20.11.11.3 FROM REACHING R1 )
*** THIS ACL CAN BE APPLIED ON R2 ( f0/1 in ) OR ON R1 ( f0/0 in ); EITHER PLACEMENT DOES THE TASK. A STANDARD ACL MATCHES ON SOURCE ADDRESS ONLY, WHICH IS WHY IT IS NORMALLY PLACED AS CLOSE TO THE DESTINATION AS POSSIBLE.
R2-
access-list 1 deny host 20.11.11.3
int f0/1
ip access-group 1 in
R3-
do ping 10.11.11.1 ( U- DESTINATION UNREACHABLE, i.e. ADMINISTRATIVELY PROHIBITED: R2 DROPS THE PACKET AND SENDS AN ICMP UNREACHABLE BACK TO R3 )
do ping 10.11.11.1 so 2.2.2.2 ( 2.2.2.2 IS NOT DENIED, SO THIS SHOULD HAVE PINGED, BUT EVERY ACL ENDS WITH AN IMPLICIT deny any AND ACL 1 HAS NO PERMIT YET, SO IT FAILS TOO )
R2-
access-list 1 permit any ( TO PERMIT ALL OTHER IP'S OR NETWORKS; NEW LINES ARE APPENDED, SO THE DENY FOR 20.11.11.3 STILL COMES FIRST )
* do sh access-list 1 ( TO CHECK THE ACL AND ITS PER-LINE MATCH COUNTERS )
2.1. TO MAKE THE PING FROM R3 ( SOURCE 20.11.11.3 ) SHOW DOTS INSTEAD OF U
R2-
int f0/1
no ip unreachables
R3-
do ping 10.11.11.1 ( DOTS APPEAR IN PLACE OF U: R2 STILL DROPS THE PACKETS, IT JUST NO LONGER SENDS THE ICMP UNREACHABLE, SO R3 SEES A TIMEOUT. THE FILTERING ITSELF IS UNCHANGED )
2.2 R1 CAN BE REACHED FROM R3 THROUGH R2 WITH telnet 10.11.11.1 ( ACL 1 REMOVED FIRST )
R2-
no access-list 1 deny host 20.11.11.3 ( ON A NUMBERED ACL ANY "no access-list 1 ..." DELETES THE WHOLE LIST, NOT JUST THAT LINE. THE ip access-group 1 in ON f0/1 NOW REFERENCES AN ACL THAT DOES NOT EXIST, WHICH IOS TREATS AS PERMIT ALL )
R1-
line vty 0 4
pass akki
login
R3-
telnet 10.11.11.1
2.3. TO DENY ONLY THIS TELNET ACCESS, THE ACL IS APPLIED ON R1'S VTY LINES WITH access-class ( FILTERS VTY SESSIONS BY SOURCE ADDRESS, WHATEVER INTERFACE THEY ARRIVE ON )
R1-
access-list 1 deny host 20.11.11.3
access-list 1 permit any ( WITHOUT THIS THE IMPLICIT DENY WOULD ALSO LOCK OUT EVERY OTHER TELNET SOURCE )
line vty 0 4
access-class 1 in
R3-
telnet 10.11.11.1
## TASK 1- IF R3 ( 20.11.11.3 ) TRIES TO TELNET OR HTTP TO R1, IT SHOULD BE DENIED.
3. STEP 3- EXTENDED NUMBERED ACL
R1-
no access-class 1 in
ip http server
R3-
telnet 10.11.11.1 ( WORKS, WHICH IS NOT WHAT WE WANT )
telnet 10.11.11.1 80 ( TELNET TO PORT 80 TESTS THE HTTP SERVER; ALSO WORKS )
R1-
access-list 101 deny tcp host 20.11.11.3 host 10.11.11.1 eq 23 ( eq telnet IS THE SAME )
access-list 101 deny tcp host 20.11.11.3 host 10.11.11.1 eq 80 ( eq www IS THE SAME )
access-list 101 permit ip any any ( CONFIG MODE; WITHOUT THIS THE IMPLICIT DENY BLOCKS EVERYTHING ELSE ENTERING f0/0, INCLUDING THE PING TESTS. FINISH THE ACL BEFORE BINDING IT TO THE INTERFACE, OTHERWISE ALL INBOUND TRAFFIC IS DROPPED IN THE MEANTIME )
do sh ip access-list
int f0/0
ip access-group 101 in
R3-
telnet 10.11.11.1 ( NOW NEITHER WORKS )
telnet 10.11.11.1 80
R1-
ip access-list extended 101
21 deny icmp any any ( 21 IS A SEQUENCE NUMBER: THE EXISTING ENTRIES ARE 10, 20, 30 BY DEFAULT, SO 21 SLOTS THIS LINE AFTER THE TWO TCP DENIES AND BEFORE permit ip any any. ICMP IS THE PROTOCOL PING USES, SO THIS STOPS ALL PINGS INTO f0/0 )
R3-
do ping 10.11.11.1 ( FAILS )
** R1-
ip access-list extended 101
no 21 ( REMOVES ONLY ENTRY 21; UNLIKE "no access-list 101 ...", WHICH WOULD DELETE THE WHOLE ACL )
## TASK 2- IF R3 ( 20.11.11.3 ) TRIES TO TELNET OR SSH TO R1, IT SHOULD BE DENIED.
** FOR SSH AN RSA KEY PAIR MUST BE GENERATED FIRST, WHICH NEEDS A HOSTNAME AND A DOMAIN NAME.
R1-
ip domain-name cns.com
crypto key generate rsa modulus 1024 ( 1024 IS ENOUGH FOR THE LAB; USE 2048 OR LONGER IN PRODUCTION, AND ADD ip ssh version 2 )
line vty 0 4
login local ( AUTHENTICATE AGAINST THE LOCAL USERNAME DATABASE )
username admin password admin ( CONFIG MODE; OUTSIDE THE LAB USE username admin secret ... SO THE PASSWORD IS STORED HASHED )
R3-
ssh -l admin 10.11.11.1 ( -l GIVES THE LOGIN NAME )
( ENTER THE PASSWORD admin AT THE PROMPT )
R1-
ip access-list extended 101
21 deny tcp host 20.11.11.3 host 10.11.11.1 eq 22 ( 22 IS THE SSH PORT; SEQUENCE 21 IS FREE AGAIN AFTER THE no 21 ABOVE )
R3-
ssh -l admin 10.11.11.1 ( DENIED )
R1-
no ip access-group 101 in ( UNBINDS THE ACL FROM f0/0; ACL 101 ITSELF STAYS IN THE CONFIG )
R3-
telnet 10.11.11.1 ( ALL THREE WORK AGAIN )
telnet 10.11.11.1 80
ssh -l admin 10.11.11.1
4. STEP 4- EXTENDED NAMED ACL ( DENY SSH, HTTP AND TELNET FROM R3 TO R1 )
R1-
ip access-list extended cns-acl
deny tcp host 20.11.11.3 host 10.11.11.1 eq 23
deny tcp host 20.11.11.3 host 10.11.11.1 eq 80
deny tcp host 20.11.11.3 host 10.11.11.1 eq 22
permit ip any any ( SEQUENCE NUMBERS 10, 20, 30, 40 ARE ASSIGNED AUTOMATICALLY )
int f0/0
ip access-group cns-acl in
MOCK LAB-
TASK 1- R1 CAN PING EVERYONE, BUT NOBODY CAN PING R1.
R1-
access-list 102 deny icmp any host 10.11.11.1 echo ( AN EXTENDED ACL NEEDS SOURCE AND DESTINATION; THIS DROPS ECHO REQUESTS ADDRESSED TO R1. THE ECHO-REPLIES TO R1'S OWN PINGS ARE A DIFFERENT ICMP TYPE AND ARE NOT MATCHED BY THIS LINE )
int f0/0
ip access-group 102 in
do ping 20.11.11.3 ( ..... FAILS: THE REPLIES COMING BACK INTO f0/0 HIT THE IMPLICIT DENY )
do sh ip access-list
access-list 102 permit ip any any
do ping 20.11.11.3 ( WORKS NOW )
R3-
do ping 10.11.11.1 ( U- THE ECHO REQUEST IS DENIED )
( THE DENY ONLY COVERS 10.11.11.1; PINGS TO R1'S LOOPBACKS 1.1.1.1-1.1.1.4 STILL GET THROUGH. TO BLOCK THOSE TOO, USE deny icmp any any echo OR ADD ONE LINE PER LOOPBACK )
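The block below is an added example, not part of the lab and not IOS code: a small Python model of how IOS evaluates the ACLs used in step 2 (standard ACL, implicit deny), step 3 (extended ACL, sequence number 21 inserted between 20 and 30, then removed and reused) and the mock lab (inbound echo request denied while echo-replies to R1's own pings come back). The addresses, packets and scenario functions are constructed from the lab topology; the class and function names are the example's own.

```python
# Added example (not IOS code): a model of how IOS evaluates the lab's ACLs,
# reproducing first-match, the implicit 'deny any', default sequence numbers
# 10/20/30 with explicit insertion (the '21' in step 3), and a standard ACL
# matching on source only. Addresses and packets are constructed from the lab.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class Packet:
    proto: str                       # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # 'echo' or 'echo-reply'


def addr_match(spec, addr):
    """spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    net, wild = spec.split()
    mask = ~int(ip_address(wild)) & 0xFFFFFFFF   # wildcard 1-bits are don't-care
    return int(ip_address(net)) & mask == int(ip_address(addr)) & mask


@dataclass
class Entry:
    seq: int
    action: str                      # 'permit' or 'deny'
    proto: str = "ip"                # 'ip' matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt, standard):
        if not addr_match(self.src, pkt.src):
            return False
        if standard:                 # standard ACL: source address only
            return True
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and addr_match(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


class ACL:
    def __init__(self, name, standard=False):
        self.name, self.standard, self.entries = name, standard, []

    def add(self, action, seq=None, **kw):
        """Append at the next multiple of 10, or insert at an explicit seq."""
        if seq is None:
            seq = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already used in ACL {self.name}")
        self.entries.append(Entry(seq, action, **kw))
        self.entries.sort(key=lambda e: e.seq)
        return self

    def remove(self, seq):
        self.entries = [e for e in self.entries if e.seq != seq]

    def check(self, pkt):
        """First match wins; no match is the implicit deny (seq None)."""
        for e in self.entries:
            if e.matches(pkt, self.standard):
                return e.action, e.seq
        return "deny", None


R1, R3, LO2 = "10.11.11.1", "20.11.11.3", "2.2.2.2"   # lab addresses


def step2_standard():
    """ACL 1: pings from R3 and from its loopback, before/after 'permit any'."""
    acl = ACL("1", standard=True).add("deny", src=f"host {R3}")
    before = tuple(acl.check(Packet("icmp", s, R1, icmp_type="echo"))[0] for s in (R3, LO2))
    acl.add("permit", src="any")
    after = acl.check(Packet("icmp", LO2, R1, icmp_type="echo"))[0]
    return before, after


def step3_extended():
    """ACL 101 with the '21 deny icmp' insert, then 21 reused for SSH."""
    acl = (ACL("101").add("deny", proto="tcp", src=f"host {R3}", dst=f"host {R1}", dport=23)
           .add("deny", proto="tcp", src=f"host {R3}", dst=f"host {R1}", dport=80)
           .add("permit"))                                   # seq 10, 20, 30
    acl.add("deny", seq=21, proto="icmp")                    # slots between 20 and 30
    ping = acl.check(Packet("icmp", R3, R1, icmp_type="echo"))
    acl.remove(21)
    acl.add("deny", seq=21, proto="tcp", src=f"host {R3}", dst=f"host {R1}", dport=22)
    ports = {p: acl.check(Packet("tcp", R3, R1, dport=p))[0] for p in (22, 23, 80, 443)}
    return ping, ports


def mock_lab():
    """ACL 102 inbound on R1 f0/0: block echo requests to R1, let replies back."""
    acl = ACL("102").add("deny", proto="icmp", src="any", dst=f"host {R1}", icmp_type="echo")
    request_in = acl.check(Packet("icmp", R3, R1, icmp_type="echo"))[0]
    reply_in_before = acl.check(Packet("icmp", R3, R1, icmp_type="echo-reply"))[0]
    acl.add("permit")                                        # the missing 'permit ip any any'
    reply_in_after = acl.check(Packet("icmp", R3, R1, icmp_type="echo-reply"))[0]
    return request_in, reply_in_before, reply_in_after
```

Each scenario function returns the verdicts as ('permit'|'deny', matching sequence number), with None standing for the implicit deny, so you can see which line a packet hit rather than only whether it passed. The model ignores direction: it is the caller's job to feed it the packets that actually enter the interface the ACL is bound to, which is exactly the point of the mock lab (requests go one way, replies come back the other).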