This experiment configures and monitors the IP Address Access Control List, including the list of standard, extended, and named IP addresses.
1. Tutorial Purpose
Through this experiment, you can master the following skills:
● Configure the standard IP Address Access Control List;
● Configure the Extended IP Address Access Control List;
● Configure a named standard IP Address Access Control List;
● Configure a named Extended IP Address Access Control List;
● Reference the IP address access control list on the network interface;
● Reference the IP address access control list on VTY;
● View and monitor the IP address access control list.
2. Device Requirements
This experiment requires the following devices:
● Three Cisco routers are named R1, R2, and R3 respectively. R1 must have one Ethernet interface, R2 must have one Ethernet interface and one serial interface, and R3 must have one serial interface;
● One twisted pair in the crossover line sequence, or two twisted pairs in the normal line sequence and one Hub;
● One DCE cable and one DTE cable, or one DCE-to-DTE cable;
● One Terminal Server, such as the Cisco 2509 router, and the corresponding cable used for reverse Telnet;
● One PC running HyperTerminal, together with the Console cable and adapter.
3. Topology and Configuration
In this experiment, the E0 interface of R1 is connected to the E0 interface of R2 over Ethernet, and the S0 interface of R2 is connected to the S0 interface of R3 through a serial cable.
The IP address of each router interface is assigned as shown in Figure 10-1.
4. Experiment configuration and monitoring results
First, configure each router and obtain IP connectivity across the entire topology by configuring the routing protocol. On this basis, configure and monitor the IP address access control lists.
Set the enable password to cisco and the VTY password to cisco1 on R1 for the Telnet test.
The above configurations have been tested in previous sections, and no configuration list is provided in this experiment.
We mainly configure the access control list on the R2 router. R1 and R3 are used for testing purposes.
Part 1: Configure and reference the standard IP Address Access Control List
Configuration 10-1 lists how to configure and reference the standard IP Address Access Control List on the R2 router.
Configuration list 10-1 configure and reference the standard IP Address Access Control List
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 1 deny 30.1.1.0 0.0.0.255
R2(config)# access-list 1 permit any
R2(config)# int s0
R2(config-if)# ip access-group 1 in
R2(config-if)# ^Z
R2#
14:34:20: %SYS-5-CONFIG_I: Configured from console by console
R2# sh ip access-list 1
Standard IP access list 1
    deny   30.1.1.0, wildcard bits 0.0.0.255
    permit any (2 matches)
R2# sh ip int s0
Serial0 is up, line protocol is up
  Internet address is 255.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  ... (output omitted)
R2# clear access-list counters
R2# sh ip access-l 1
Standard IP access list 1
    deny   30.1.1.0, wildcard bits 0.0.0.255
    permit any
R2#
Term_Server# 3
[Resuming connection 3 to R3...]
R3# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/48 ms
R3# ping
Protocol [ip]:
Target IP address: 10.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 30.1.1.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3# ^Z
Term_Server# 2
[Resuming connection 2 to R2...]
R2# sh ip access-l 1
Standard IP access list 1
    deny   30.1.1.0, wildcard bits 0.0.0.255 (5 matches)
    permit any (5 matches)
(1) When defining an access control list, pay special attention to the order in which the statements are entered, because the router evaluates the list from top to bottom and the first matching statement decides.
Another point to note is that the router does not filter IP packets that it generates itself. In the experiment, test packets must therefore be sent from other devices.
(2) Standard IP Address Access Control List 1 is defined so that all network segments except 30.1.1.0/24 are accepted.
(3) Access Control List 1 is referenced in the inbound direction of the S0 interface of the R2 router. The objective is to filter packets from the 30.1.1.0/24 network segment and let packets from all other network segments pass.
When you reference an access control list on an interface, use the in or out keyword. Here, in and out take the router itself as the reference point: in applies to packets entering the router through the interface, out to packets leaving the router through it.
(4) The show ip access-list command lists the definition of the access control list. The "permit any" line shows 2 matches, which indicates that two packets matching this statement have been received on the S0 interface.
(5) The shaded lines in the output of the show ip int s0 command show the access-list reference information for the interface: the direction (inbound) and the referenced list (Access Control List 1).
(6) Run the clear access-list counters command to clear the access control list counters, so that the experiment results can be observed cleanly. Clearing the counters resets the match count of every statement in the access control list.
Running show ip access-list again shows the desired result: no matches on either statement.
(7) Use the ping and extended ping commands to test the definition and the reference of Access Control List 1. The results are:
IP packets sent from 1.1.3 to 10.1.1.1 are accepted and routed by R2;
IP packets sent from 30.1.1.3 to 10.1.1.1 are filtered out by R2.
The test results agree with the settings in the access control list.
(8) Check the match status of the access control list again. In Access Control List 1, each of the two statements now has five matches, namely the five ICMP Echo packets of each ping.
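The evaluation rules described in notes (1) to (8) can be checked without a router. The following Python program is an added example written for this page; it is not IOS code and is not part of the original tutorial. It parses numbered access-list commands in the syntax used above, applies Cisco wildcard-mask semantics, evaluates packets top-down with first-match-wins and the implicit deny at the end, and keeps the per-statement match counters that show ip access-list and clear access-list counters work on. It goes beyond list 1 and also evaluates an extended list with the shape of list 101 (protocol, source, destination and ICMP type), so that the ping-versus-telnet behaviour of the second part of the experiment can be reproduced. The addresses 30.1.1.3 and 10.1.1.1 come from the page; 20.1.1.3 and the 20.1.1.0/24 source segment of the extended list are assumed values for R3's serial side, since the page's copy of that address is garbled.

```python
# Added example for this page: a small simulator of Cisco IOS numbered access-list
# evaluation. Not IOS code; it models only the semantics the tutorial describes:
# wildcard masks, top-down first match, the implicit deny, and match counters.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")        # "any" = every bit is "don't care"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str; src_wc: str
    proto: str = "ip"                 # "ip" matches every protocol
    dst: str = ANY[0]; dst_wc: str = ANY[1]
    icmp_type: Optional[str] = None   # e.g. "echo"; None matches any ICMP type
    matches: int = 0                  # the counter printed by 'show ip access-list'


@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str = "ip"; icmp_type: Optional[str] = None


class AccessList:
    def __init__(self, number: int):
        self.number, self.entries = number, []

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins; no match at all falls to the implicit deny."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.proto: continue
            if not wildcard_match(pkt.src, e.src, e.src_wc): continue
            if not wildcard_match(pkt.dst, e.dst, e.dst_wc): continue
            if e.icmp_type is not None and e.icmp_type != pkt.icmp_type: continue
            e.matches += 1
            return e.action
        return "deny"                 # implicit deny: no counter, not shown by 'show'

    def clear_counters(self) -> None:  # what 'clear access-list counters' does
        for e in self.entries: e.matches = 0

    def counters(self) -> list: return [e.matches for e in self.entries]


def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (net, wc, next index)."""
    if t[i] == "any": return ANY[0], ANY[1], i + 1
    if t[i] == "host": return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_line(line: str):
    """Parse one 'access-list N ...' command in numbered standard or extended syntax."""
    t = line.split()
    if t[0] != "access-list": raise ValueError(line)
    number, action = int(t[1]), t[2]
    if number <= 99 or 1300 <= number <= 1999:   # standard list: source only
        if t[3] in ("any", "host"): src, wc, _ = _addr(t, 3)
        else: src, wc = t[3], (t[4] if len(t) > 4 else "0.0.0.0")  # no mask = host
        return number, Entry(action, src, wc)
    proto = t[3]
    src, swc, i = _addr(t, 4)
    dst, dwc, i = _addr(t, i)
    return number, Entry(action, src, swc, proto, dst, dwc, t[i] if i < len(t) else None)


def build(config_lines):
    """Group parsed entries by list number, preserving the order they were typed."""
    lists = {}
    for line in config_lines:
        number, entry = parse_line(line)
        lists.setdefault(number, AccessList(number)).entries.append(entry)
    return lists


# Constructed test traffic. 30.1.1.3 and 10.1.1.1 are from the tutorial;
# 20.1.1.3 is an ASSUMED address for R3's S0 interface (the page's copy is garbled).
R3_S0, R3_30, R1_E0 = "20.1.1.3", "30.1.1.3", "10.1.1.1"


def ping(src, dst, count=5):
    return [Packet(src, dst, "icmp", "echo")] * count


def lab_part1():
    """List 1 inbound on R2 S0: ping from R3's default source and from 30.1.1.3."""
    acl = build(["access-list 1 deny 30.1.1.0 0.0.0.255",
                 "access-list 1 permit any"])[1]
    default_src = [acl.evaluate(p) for p in ping(R3_S0, R1_E0)]
    src_30 = [acl.evaluate(p) for p in ping(R3_30, R1_E0)]
    before_clear = acl.counters(); acl.clear_counters()
    return {"default_src": default_src, "src_30": src_30,
            "counters": before_clear, "after_clear": acl.counters()}


def lab_part2():
    """Extended list 101 outbound on R2 E0: ping is dropped, telnet to the same host passes."""
    acl = build(["access-list 101 deny icmp 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 echo",
                 "access-list 101 permit ip any any"])[101]
    results = {"ping": [acl.evaluate(p) for p in ping(R3_S0, R1_E0)],
               "telnet": acl.evaluate(Packet(R3_S0, R1_E0, "tcp")),
               "ping_from_30": acl.evaluate(ping(R3_30, R1_E0, 1)[0])}
    results["counters"] = acl.counters()
    return results


def order_matters():
    """Same two statements of list 1 entered in reverse order: 'permit any' matches
    first, the deny line is never reached, and 30.1.1.0/24 gets through."""
    acl = build(["access-list 1 permit any", "access-list 1 deny 30.1.1.0 0.0.0.255"])[1]
    return [acl.evaluate(p) for p in ping(R3_30, R1_E0)], acl.counters()


def implicit_deny():
    """A list with only a deny statement blocks everything; the hidden deny has no counter."""
    acl = build(["access-list 2 deny 30.1.1.0 0.0.0.255"])[2]
    return acl.evaluate(ping(R3_S0, R1_E0, 1)[0]), acl.counters()


if __name__ == "__main__":
    for name, fn in [("part1", lab_part1), ("part2", lab_part2),
                     ("order", order_matters), ("implicit", implicit_deny)]:
        print(name, fn())
```

lab_part1 reproduces the counters of the listing: five matches on the deny line and five on the permit line after the two pings, and zeros after clear_counters. order_matters shows why note (1) insists on statement order, and implicit_deny shows why a list that ends without a permit silently drops everything that was not explicitly matched.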
Part 2: Configure and reference an Extended IP Address Access Control List
Next is the experiment on the Extended IP Address Access Control List.
Configuration list 10-2 shows how to configure and reference the Extended IP Address Access Control List on the R2 router.
Configuration list 10-2 configure and reference the Extended IP Address Access Control List
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 101 deny icmp 1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
R2(config)# access-list 101 permit ip any any
R2(config)# int e0
R2(config-if)# ip access-g 101 out
R2(config-if)# int s0
R2(config-if)# no ip access-g 1 in
R2(config-if)# ^Z
R2#
R2# sh ip access-list
Standard IP access list 1
    deny   30.1.1.0, wildcard bits 0.0.0.255 (8 matches)
    permit any (20 matches)
Extended IP access list 101
    permit ip any any
R2#
Term_Server# 3
[Resuming connection 3 to R3...]
R3# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3# telnet 10.1.1.1
Trying 10.1.1.1... Open
User Access Verification
Password: (type cisco1)
R1> en
Password: (type cisco)
R1#
R1# exit
[Connection to 10.1.1.1 closed by foreign host]
R3#
Term_Server# 2
[Resuming connection 2 to R2...]
R2# sh ip access-list 101
Extended IP access list 101
    deny icmp 1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 echo (8 matches)
    permit ip any any (40 matches)
R2#
(1) First, Extended IP Address Access Control List 101 is defined.
The first statement in the list rejects ICMP Echo packets sent from the segment 1.1.0/24 to the segment 10.1.1.0/24; that is, a ping from the segment 1.1.0/24 to the segment 10.1.1.0/24 fails.
The second statement in the list permits all other IP traffic. (