CCNA RSE Lab: 7.2.2.6 Configuring and Modifying Standard IPv4 ACL.s

CCNA RSE Lab: 7.2.2.6 Configuring and Modifying Standard IPv4 ACL.s

Topology

Addressing Table

Objectives

Part 1: Set Up the Topology and Initialize Devices

  • Set up equipment to match the network topology.
  • Initialize and reload the routers and switches.

Part 2: Configure Devices and Verify Connectivity

  • Assign a static IP address to PCs.
  • Configure basic settings on routers.
  • Configure basic settings on switches.
  • Configure OSPF routing on R1, ISP, and R3.
  • Verify connectivity between devices.

Part 3: Configure and Verify Standard Numbered and Named ACLs

  • Configure, apply, and verify a numbered standard ACL.
  • Configure, apply, and verify a named ACL.

Part 4: Modify a Standard ACL

  • Modify and verify a named standard ACL.
  • Test the ACL.

Background / Scenario
Network security is an important issue when designing and managing IP networks. The ability to configure proper rules to filter packets, based on established security policies, is a valuable skill.

In this lab, you will set up filtering rules for two offices represented by R1 and R3. Management has established some access policies between the LANs located at R1 and R3, which you must implement. The ISP router sitting between R1 and R3 will not have any ACLs placed on it. You would not be allowed any administrative access to an ISP router because you can only control and manage your own equipment.

Note: The routers used with CCNA hands-on labs are Cisco 1 941 Integrated Services Routers (ISRs) with Cisco IOS Release 1 5.2(4)M3 (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 1 5.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used.

Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.

Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.

Required Resources

  • 3 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
  • 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
  • 2 PCs (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet and serial cables as shown in the topology
Part 1: Set Up the Topology and Initialize Devices

In Part 1, you set up the network topology and clear any configurations, if necessary.
Cable the network as shown in the topology.
Initialize and reload the routers and switches.

Part 2: Configure Devices and Verify Connectivity

In Part 2, you configure basic settings on the routers, switches, and PCs. Refer to the Topology and Addressing Table for device names and address information.

Configure IP addresses on PC-A and PC-C.
Configure basic settings for the routers.
a. Console into the router and enter global configuration mode.
b. Copy the following basic configuration and paste it to the running-configuration on the router.

c. Configure the device name as shown in the topology.
d. Create loopback interfaces on each router as shown in the Addressing Table.
e. Configure interface IP addresses as shown in the Topology and Addressing Table.
f. Assign a clock rate of 128000 to the DCE serial interfaces.
g. Enable Telnet access.
h. Copy the running configuration to the startup configuration.

(Optional) Configure basic settings on the switches.
a. Console into the switch and enter global configuration mode.
b. Copy the following basic configuration and paste it to the running-configuration on the switch.

c. Configure the device name as shown in the topology.
d. Configure the management interface IP address as shown in the Topology and Addressing Table.
e. Configure a default gateway.
f. Enable Telnet access.
g. Copy the running configuration to the startup configuration.

Configure Rip routing on R1, ISP, and R3.
a. Configure RIP version 2 and advertise all networks on R1, ISP, and R3. The OSPF configuration for R1 and ISP is included for reference.

b. After configuring Rip on R1, ISP, and R3, verify that all routers have complete routing tables, listing all networks. Troubleshoot if this is not the case.

Verify connectivity between devices.

Note: It is very important to test whether connectivity is working before you configure and apply access lists! You want to ensure that your network is properly functioning before you start to filter traffic.

a. From PC-A, ping PC-C and the loopback interface on R3. Were your pings successful? _______ Yes
b. From R1, ping PC-C and the loopback interface on R3. Were your pings successful? _______ Yes
c. From PC-C, ping PC-A and the loopback interface on R1. Were your pings successful? _______ Yes
d. From R3, ping PC-A and the loopback interface on R1. Were your pings successful? _______ Yes

Part 3: Configure and Verify Standard Numbered and Named ACLs

Configure a numbered standard ACL.
Standard ACLs filter traffic based on the source IP address only. A typical best practice for standard ACLs is to configure and apply it as close to the destination as possible. For the first access list, create a standard numbered ACL that allows traffic from all hosts on the 192.168.10.0/24 network and all hosts on the 192.168.20.0/24 network to access all hosts on the 192.168.30.0/24 network. The security policy also states that a deny any access control entry (ACE), also referred to as an ACL statement, should be present at the end of all ACLs.

What wildcard mask would you use to allow all hosts on the 192.168.10.0/24 network to access the 192.168.30.0/24 network?
0.0.0.255

Following Cisco’s recommended best practices, on which router would you place this ACL? ___________ R3

On which interface would you place this ACL? In what direction would you apply it?
G0/1. The ACL should be applied going out. Students may answer with placing the ACL on the S0/0/1

interface on R3 going in. Emphasize to them that this would effectively block the LANs on R1 from getting to the 192.168.40.0/24 network as well!

a. Configure the ACL on R3. Use 1 for the access list number.

b. Apply the ACL to the appropriate interface in the proper direction.

c. Verify a numbered ACL.
The use of various show commands can aid you in verifying both the syntax and placement of your ACLs in your router.
To see access list 1 in its entirety with all ACEs, which command would you use?

What command would you use to see where the access list was applied and in what direction?

3) Test the ACL to see if it allows traffic from the 192.168.10.0/24 network access to the 192.168.30.0/24 network. From the PC-A command prompt, ping the PC-C IP address. Were the
pings successful? _______ Yes

4) Test the ACL to see if it allows traffic from the 192.168.20.0/24 network access to the 192.168.30.0/24 network. You must do an extended ping and use the loopback 0 address on R1 as your source. Ping PC-C’s IP address. Were the pings successful? _______ Yes

d. From the R1 prompt, ping PC-C’s IP address again.

Configure a named standard ACL.
Create a named standard ACL that conforms to the following policy: allow traffic from all hosts on the 192.168.40.0/24 network access to all hosts on the 192.168.10.0/24 network. Also, only allow host PC-C access to the 192.168.10.0/24 network. The name of this access list should be called BRANCH-OFFICEPOLICY.

Following Cisco’s recommended best practices, on which router would you place this ACL? ___________ R1

On which interface would you place this ACL? In what direction would you apply it?
G0/1. The ACL should be applied going out. Students may answer with placing the ACL on the S0/0/0 interface on R1 going in. Emphasize to them that this would effectively block all traffic from the LANs on R3 from getting to the 192.168.20.0/24 network.

a. Create the standard named ACL BRANCH-OFFICE-POLICY on R1.

b. Apply the ACL to the appropriate interface in the proper direction.

c. Verify a named ACL.

Is there any difference between this ACL on R1 with the ACL on R3? If so, what is it?
Although there is no line 30 with a deny any on R1 , it is implied. You may wish to emphasize this to your students. Having them actually configure the deny any ACE is a good practice and reinforces the concept as it shows up in the ACL when issuing a show access-lists command. It is easy to forget the implicit deny any when troubleshooting ACLs. This could easily result in traffic being denied that should have been allowed.

2) On R1 , issue the show ip interface g0/1 command.

3) Test the ACL. From the command prompt on PC-C, ping PC-A’s IP address. Were the pings
successful? _______ Yes

4) Test the ACL to ensure that only the PC-C host is allowed access to the 192.168.10.0/24 network.

You must do an extended ping and use the G0/1 address on R3 as your source. Ping PC-A’s IP
address. Were the pings successful? _______ No

5) Test the ACL to see if it allows traffic from the 192.168.40.0/24 network access to the

192.168.10.0/24 network. You must perform an extended ping and use the loopback 0 address on R3
as your source. Ping PC-A’s IP address. Were the pings successful? _______ Yes

Part 4: Modify a Standard ACL

It is common in business for security policies to change. For this reason, ACLs may need to be modified. In Part 4, you will change one of the previous ACLs you configured to match a new management policy being put in place. Management has decided that users from the 209.165.200.224/27 network should be allowed full access to the 192.168.10.0/24 network. Management also wants ACLs on all of their routers to follow consistent rules. A deny any ACE should be placed at the end of all ACLs. You must modify the BRANCH-OFFICE-POLICY ACL. You will add two additional lines to this ACL. There are two ways you could do this:

OPTION 1: Issue a no ip access-list standard BRANCH-OFFICE-POLICY command in global configuration mode. This would effectively take the whole ACL out of the router. Depending upon the router IOS, one of the following scenarios would occur: all filtering of packets would be cancelled and all packets would be allowed through the router; or, because you did not take off the ip access-group command on the G0/1 interface, filtering is still in place. Regardless, when the ACL is gone, you could retype the whole ACL, or cut and paste it in from a text editor.

OPTION 2: You can modify ACLs in place by adding or deleting specific lines within the ACL itself. This can come in handy, especially with ACLs that have many lines of code. The retyping of the whole ACL or cutting and pasting can easily lead to errors. Modifying specific lines within the ACL is easily accomplished.

Note: For this lab, use Option 2.

Modify a named standard ACL.

a. From R1 privileged EXEC mode, issue a show access-lists command.

b. Add two additional lines at the end of the ACL. From global config mode, modify the ACL, BRANCHOFFICE-POLICY.

c. Verify the ACL.

1) On R1, issue the show access-lists command.

Do you have to apply the BRANCH-OFFICE-POLICY to the G0/1 interface on R1?
No, the ip access-group BRANCH-OFFICE-POLICY out command is still in place on G0/1.

2) From the ISP command prompt, issue an extended ping. Test the ACL to see if it allows traffic from the 209.165.200.224/27 network access to the 192.168.10.0/24 network. You must do an extended ping and use the loopback 0 address on ISP as your source. Ping PC-A’s IP address. Were the pings successful? _______ Yes

Reflection
1. As you can see, standard ACLs are very powerful and work quite well. Why would you ever have the need for using extended ACLs?
Standard ACLs can only filter based on the source address. Also, they are not granular. They allow or deny EVERYTHING (protocols and services). Extended ACLs, while harder to write, are well-suited to complex networks where you may need to allow only certain ports access to networks while denying others.

2. Typically, more typing is required when using a named ACL as opposed to a numbered ACL.
Why would you choose named ACLs over numbered?
Students could list two reasons here. The first reason is that using named ACLs gives you the ability to modify specific lines within the ACL itself, without retyping the whole thing. NOTE: Newer versions of the IOS allows numbered ACLs to be modified just liked named ACLs. Secondly, having a named ACL is a good best practice as it helps to document the purpose of the ACL with a descriptive name.

Router Interface Summary Table

Device Configs
Router R1

Router R3

Router ISP

Switch S1

Switch S3

More Resources

About the author

Prasanna

Leave a Comment