Standard and extended ACL experiments

Source: Internet
Author: User

One: Standard access control list experiment:

Experimental topology:

Experimental purpose: master the configuration of standard and extended ACLs

Experimental requirements: Reject all traffic from R1 to R3

Experimental steps:

Step 1: complete the basic configuration according to the topology above and verify connectivity between neighboring devices

Step 2: configure static routes so that the whole network is reachable

R1(config)#ip route 10.1.1.64 255.255.255.252 10.1.1.2

R3(config)#ip route 10.1.1.0 255.255.255.252 10.1.1.65

Step 3: configure a standard ACL on R3 so that R1 cannot reach R3

R3(config)#access-list 1 deny 10.1.1.1 0.0.0.0

or, equivalently:

R3(config)#access-list 1 deny host 10.1.1.1

Because every access control list ends with an implicit deny-all entry, a final permit entry must be added:

R3(config)#access-list 1 permit any

A standard ACL is placed as close to the destination as possible, so it is applied inbound on R3's S1 interface:

R3(config)#int s1

R3(config-if)#ip access-group 1 in

Two: Extended access control list experiment:

Experimental topology:

Experimental purpose: master the configuration of extended access control lists

Learn how extended access control lists are used for network security

Experimental requirements: deny any ICMP traffic from the 192.168.1.0 network

Only PC1 can access the FTP server

Experimental steps:

Step 1: complete the basic configuration according to the topology above and start RIPv2 on all three routers so that the whole network is reachable

R1(config)#router rip

R1(config-router)#version 2

R1(config-router)#no auto-summary

R1(config-router)#network 10.0.0.0

R1(config-router)#network 172.16.0.0

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 10.0.0.0

R3(config)#router rip

R3(config-router)#version 2

R3(config-router)#no auto-summary

R3(config-router)#network 10.0.0.0

R3(config-router)#network 192.168.1.0

Step 3: configure an extended ACL on R3 that denies ICMP traffic from the 192.168.1.0 network

R3(config)#access-list 102 deny icmp 192.168.1.0 0.0.0.255 any

R3(config)#access-list 102 permit ip any any

R3(config)#int e0

R3(config-if)#ip access-group 102 in

Step 4: configure an extended ACL on R1 so that only PC1 can access the FTP server

Note that FTP uses two port numbers, 21 and 20 (the list number is not given in the original commands; 101, a number from the extended range 100-199, is assumed here):

R1(config)#access-list 101 permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 21

R1(config)#access-list 101 permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 20

R1(config)#int s0

R1(config-if)#ip access-group 101 in

Because the list contains only permit entries, the implicit deny drops every other packet arriving inbound on S0, including RIP updates from the neighboring router; any other traffic that must pass through R1 has to be permitted explicitly.

Three: Named access control list experiment:

With the same requirements and topology as experiment two, the access control lists are converted to named ACLs:

R3(config)#ip access-list extended deny_icmp

R3(config-ext-nacl)#deny icmp 192.168.1.0 0.0.0.255 any

R3(config-ext-nacl)#permit ip any any

R3(config)#int e0

R3(config-if)#ip access-group deny_icmp in

R1(config)#ip access-list extended deny_ftp

R1(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 20

R1(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 21

R1(config)#int s0

R1(config-if)#ip access-group deny_ftp in

The biggest advantage of named ACLs is that individual entries can be modified or removed, which is not possible with a numbered ACL.
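As an added illustration (not part of the original experiment write-up), the following Python models the matching rules that experiments one to three rely on: Cisco wildcard masks, first-match evaluation and the implicit deny at the end of every list. It encodes access-list 1, access-list 102 and deny_ftp from above and evaluates constructed sample packets against them; the packet dictionaries and the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs ignore the destination,
    dst_wc: str = "255.255.255.255"  # so the default is "any"
    dport: Optional[int] = None      # "eq <port>" on tcp entries

def entry_matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if e.dport is not None and pkt.get("dport") != e.dport:
        return False
    return (wildcard_match(pkt["src"], e.src, e.src_wc)
            and wildcard_match(pkt["dst"], e.dst, e.dst_wc))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if entry_matches(e, pkt):
            return e.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# experiment one: access-list 1 on R3 (standard list, source address only)
ACL_1 = [Entry("deny", "ip", "10.1.1.1", "0.0.0.0"), Entry("permit", "ip", *ANY)]
# experiment two: access-list 102 on R3
ACL_102 = [Entry("deny", "icmp", "192.168.1.0", "0.0.0.255", *ANY),
           Entry("permit", "ip", *ANY, *ANY)]
# experiment three: named list deny_ftp on R1 (permit entries only, then implicit deny)
DENY_FTP = [Entry("permit", "tcp", "192.168.1.1", "0.0.0.0", "172.16.1.2", "0.0.0.0", p)
            for p in (21, 20)]

if __name__ == "__main__":
    # constructed sample packets (not lab captures): PC1's FTP control connection, a RIPv2 update
    print(evaluate(DENY_FTP, {"proto": "tcp", "src": "192.168.1.1", "dst": "172.16.1.2", "dport": 21}))
    print(evaluate(DENY_FTP, {"proto": "udp", "src": "10.1.1.2", "dst": "224.0.0.9", "dport": 520}))
```

The second call shows the side effect of a permit-only list: the RIPv2 update arriving inbound on R1's S0 falls through to the implicit deny.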

Four: Use ACLs to restrict vty lines:

Experimental topology:

Experimental requirements: restrict access to the router's vty lines with an ACL

Only PC1 can telnet to the router

Experimental steps:

Router(config)#access-list 1 permit host 172.16.1.3

Because every ACL ends with an implicit deny, PC2 does not need to be denied explicitly.

Router(config)#line vty 0 15

Router(config-line)#password STSD

Router(config-line)#login

Router(config-line)#access-class 1 in
