Packet Tracer 5.2 Lab (12): Configuring a Standard IP Access Control List

Source: Internet
Author: User

I. Lab Objectives

    • Understand the principles and functions of the standard IP access control list;
    • Master the configuration of a numbered standard IP access control list;

II. Lab Background

The company's management department, finance department, and sales department sit on three different network segments, and traffic between the three departments is forwarded by routers. For security reasons, company leadership has asked that the sales department must not be able to reach the finance department, while the management department may still reach it.

III. Technical Principles

ACL stands for access control list, also simply called an access list and, loosely, a firewall. Some documentation also refers to ACLs as packet filtering. An ACL controls packets at a network device interface through a set of rules that either permit or discard each packet, which improves the manageability and security of the network;

There are two types of IP ACL, the standard IP access list and the extended IP access list. Numbered standard lists use the ranges 1 ~ 99 and 1300 ~ 1999; numbered extended lists use 100 ~ 199 and 2000 ~ 2699;

A standard IP access list filters packets by rules that examine only the source IP address of the packet;

An extended IP access list can define rules based on the source IP address, destination IP address, source port, destination port, and protocol of a packet;

An IP ACL is applied to an interface in one of two directions, inbound or outbound;
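The matching rules above (source address compared under a wildcard mask, first match wins, an implicit "deny any" closing every list) can be checked offline. The Python script below is an added example written for this page; it is not part of the original lab and not Cisco IOS code. It parses the lab's standard ACL named David in the form it takes in a running-config, evaluates constructed source addresses against it (the two lab PCs plus R2's serial address, which the list never names), and classifies ACL numbers into the standard and extended ranges listed above. Two things the result makes visible: the explicit deny for 192.168.2.0 only documents intent, because the implicit deny any would drop that traffic anyway, and the same implicit deny drops every other source that is not 192.168.1.0/24, which is why a standard ACL applied outbound on Serial2/0 lets only the management segment reach finance. Packets originated by the router itself, such as OSPF hellos, are not subject to an outbound ACL, so the adjacency with R2 is unaffected.

```python
# Added example: evaluator for Cisco IOS standard ACL semantics
# (source matching with wildcard masks, first match wins, implicit deny any).
# Written for this page; not the lab's own code and not an IOS implementation.
import ipaddress
from dataclasses import dataclass


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class StdAclEntry:
    """One line of a standard ACL. A 0 bit in the wildcard must match; a 1 bit is ignored."""
    action: str                 # "permit" or "deny"
    address: str                # source network or host address
    wildcard: str = "0.0.0.0"   # IOS default when no wildcard is given (exact host)

    def matches(self, src: str) -> bool:
        a, w, s = _to_int(self.address), _to_int(self.wildcard), _to_int(src)
        # Every bit where the wildcard is 0 must agree between rule address and source.
        return ((a ^ s) & ~w) == 0


def parse_standard_acl(config_text: str) -> list:
    """Parse the body of an 'ip access-list standard <name>' block as printed in running-config."""
    entries = []
    for raw in config_text.splitlines():
        toks = raw.strip().lower().split()
        if toks and toks[0].isdigit():          # tolerate IOS sequence numbers ("10 permit ...")
            toks = toks[1:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue                            # header line, 'remark', blank lines
        action = toks[0]
        if toks[1] == "any":
            entries.append(StdAclEntry(action, "0.0.0.0", "255.255.255.255"))
        elif toks[1] == "host":
            entries.append(StdAclEntry(action, toks[2]))
        else:
            wildcard = toks[2] if len(toks) > 2 else "0.0.0.0"
            entries.append(StdAclEntry(action, toks[1], wildcard))
    return entries


def evaluate_standard_acl(entries, src: str):
    """Return (action, line_number); line_number is None when the implicit deny applied."""
    for n, entry in enumerate(entries, start=1):
        if entry.matches(src):
            return entry.action, n
    return "deny", None                          # every IOS ACL ends with an unseen 'deny any'


def acl_number_type(number: int) -> str:
    """Classify a numbered ACL by the ranges given in the technical principles."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not an IP ACL number")


# The lab's ACL "David" as it appears in R1's running-config.
DAVID_CONFIG = """\
ip access-list standard David
 permit 192.168.1.0 0.0.0.255
 deny 192.168.2.0 0.0.0.255
"""
DAVID = parse_standard_acl(DAVID_CONFIG)

# Constructed sources: the two lab PCs plus R2's serial address, which the ACL never names.
LAB_SOURCES = {"PC1": "192.168.1.2", "PC2": "192.168.2.2", "R2": "192.168.3.2"}


def lab_verdicts(entries=DAVID, sources=LAB_SOURCES):
    """Which sources may leave R1's Serial2/0 toward finance once 'David' is applied outbound."""
    return {name: evaluate_standard_acl(entries, ip) for name, ip in sources.items()}


if __name__ == "__main__":
    for name, (action, line) in lab_verdicts().items():
        where = f"line {line}" if line else "implicit deny any"
        print(f"{name:>3} {LAB_SOURCES[name]:<14} {action:<6} ({where})")
```

Running the script prints PC1 as permitted by line 1, PC2 as denied by line 2, and R2 as denied by the implicit deny any. Swap in `10 deny host ...` or `permit any` lines to see how the host and any keywords map onto wildcard masks.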

IV. Experiment Steps

Lab Topology

1. The routers are connected through their serial ports with a V.35 cable; the DCE end is attached to R1 and the clock rate is set to 64000. Hosts are connected to the routers with crossover cables;

2. Configure the IP addresses of the router interfaces;

3. Configure OSPF on the routers so that the three PCs can ping each other; the access control list can only be tested once the PCs are reachable from one another;

4. Configure the standard IP access control list on R1;

5. Apply the standard IP access list to the interface;

6. Verify the connectivity between the hosts;

R1:

Router> en
Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname R1
R1(config)# interface fa1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)# exit
R1(config)# int fa0/0
R1(config-if)# ip add 192.168.2.1 255.255.255.0
R1(config-if)# no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)# exit
R1(config)# int se2/0
R1(config-if)# clock rate 64000
R1(config-if)# ip add 192.168.3.1 255.255.255.0
R1(config-if)# no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)# exit
R1(config)#
R1(config)# router ospf 1
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
R1(config-router)# network 192.168.3.0 0.0.0.255 area 0
R1(config-router)# end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
R1#
R1#
R1# show ip route    // route information after both routers are configured
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial2/0
O    192.168.4.0/24 [110/782] via 192.168.3.2, 00:00:15, Serial2/0
R1#
R1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip ?
  access-list       Named access-list
  default-network   Flags networks as candidates for default routes
  dhcp              Configure DHCP server and relay parameters
  domain            IP DNS Resolver
  domain-lookup     Enable IP Domain Name System hostname translation
  domain-name       Define the default domain name
  forward-protocol  Controls forwarding of physical and directed IP broadcasts
  host              Add an entry to the ip hostname table
  name-server       Specify address of name server to use
  nat               NAT configuration commands
  route             Establish static routes
  tcp               Global TCP parameters
R1(config)# ip ac
R1(config)# ip access-list ?
  extended  Extended Access List
  standard  Standard Access List
R1(config)# ip access-list sta
R1(config)# ip access-list standard ?
  <1-99>  Standard IP access-list number
  WORD    Access-list name
R1(config)# ip access-list standard David ?
  <cr>
R1(config)# ip access-list standard David    // configure the standard IP access control list named David
R1(config-std-nacl)# ?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
R1(config-std-nacl)# permit 192.168.1.0 ?
  A.B.C.D  Wildcard bits
  <cr>
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255 ?
  <cr>
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255    // permit traffic sourced from the 192.168.1.0 network segment
R1(config-std-nacl)# deny ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
R1(config-std-nacl)# deny 192.168.2.0 ?
  A.B.C.D  Wildcard bits
  <cr>
R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255 ?
  <cr>
R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255    // deny traffic sourced from the 192.168.2.0 network segment
R1(config-std-nacl)# exit
R1(config)# inter
R1(config)# interface se2/0
R1(config-if)# ?
  bandwidth          Set bandwidth informational parameter
  cdp                CDP interface subcommands
  clock              Configure serial interface clock
  crypto             Encryption/Decryption commands
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  description        Interface specific description
  encapsulation      Set encapsulation type for an interface
  exit               Exit from interface configuration mode
  fair-queue         Enable Fair Queuing on an Interface
  frame-relay        Set frame relay parameters
  hold-queue         Set hold queue depth
  ip                 Interface Internet Protocol config commands
  keepalive          Enable keepalive
  mtu                Set the interface Maximum Transmission Unit (MTU)
  no                 Negate a command or set its defaults
  ppp                Point-to-Point Protocol
  priority-group     Assign a priority group to an interface
  service-policy     Configure QoS Service Policy
  shutdown           Shutdown the selected interface
  tx-ring-limit      Configure PA level transmit ring limit
  zone-member        Apply zone name
R1(config-if)# ip ?
  access-group        Specify access control for packets
  address             Set the IP address of an interface
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  inspect             Apply inspect name
  ips                 Create IPS rule
  mtu                 Set IP Maximum Transmission Unit
  nat                 NAT interface commands
  ospf                OSPF interface commands
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  virtual-reassembly  Virtual Reassembly
R1(config-if)# ip ac
R1(config-if)# ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
R1(config-if)# ip access-group David ?
  in   inbound packets
  out  outbound packets
R1(config-if)# ip access-group David out ?
  <cr>
R1(config-if)# ip access-group David out    // apply the standard IP access control list named David outbound on Serial2/0
R1(config-if)# end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1# show running-config
Building configuration...

Current configuration : 928 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.3.1 255.255.255.0
 ip access-group David out
 clock rate 64000
!
interface Serial3/0
 no ip address
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
ip classless
!
!
ip access-list standard David
 permit 192.168.1.0 0.0.0.255
 deny 192.168.2.0 0.0.0.255
!
...
!
line con 0
line vty 0 4
 login
!
!
!
end


R1#

R2:

Router> en
Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname R2
R2(config)# int fa0/0
R2(config-if)# ip add 192.168.4.1 255.255.255.0
R2(config-if)# no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)# exit
R2(config)# int se2/0
R2(config-if)# ip add 192.168.3.2 255.255.255.0
R2(config-if)# no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)# exit
R2(config)# router ospf 1
R2(config-router)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-router)# network 192.168.3.0 0.0.0.255 area 0
R2(config-router)# network 192.168.4.0 0.0.0.255 area 0
00:11:23: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial2/0 from LOADING to FULL, Loading Done
R2(config-router)# end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O    192.168.1.0/24 [110/782] via 192.168.3.1, 00:00:09, Serial2/0
O    192.168.2.0/24 [110/782] via 192.168.3.1, 00:00:09, Serial2/0
C    192.168.3.0/24 is directly connected, Serial2/0
C    192.168.4.0/24 is directly connected, FastEthernet0/0
R2#

V. Test

PC1:

Packet Tracer PC Command Line 1.0
PC> ipconfig

IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1

PC> ping 192.168.4.2    // before the ACL is applied

Pinging 192.168.4.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.4.2: bytes=32 time=15ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126
Reply from 192.168.4.2: bytes=32 time=15ms TTL=126

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 15ms, Average = 13ms

PC> ping 192.168.4.2    // after the ACL is applied

Pinging 192.168.4.2 with 32 bytes of data:

Reply from 192.168.4.2: bytes=32 time=10ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126
Reply from 192.168.4.2: bytes=32 time=16ms TTL=126
Reply from 192.168.4.2: bytes=32 time=13ms TTL=126

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 16ms, Average = 12ms

PC>

PC2:

Packet Tracer PC Command Line 1.0
PC> ipconfig

IP Address......................: 192.168.2.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.2.1

PC> ping 192.168.4.2    // before the ACL is applied

Pinging 192.168.4.2 with 32 bytes of data:

Reply from 192.168.4.2: bytes=32 time=17ms TTL=126
Reply from 192.168.4.2: bytes=32 time=10ms TTL=126
Reply from 192.168.4.2: bytes=32 time=11ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 17ms, Average = 11ms

PC> ping 192.168.4.2    // after the ACL is applied

Pinging 192.168.4.2 with 32 bytes of data:

Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>
