Packet Tracer $-$ Configure Numbered Standard IPv$4$ ACLs Addressing Table

Objectives

Part $1$: Plan an ACL Implementation

Part $2$: Configure, Apply, and Verify a Standard ACL

Background $/$ Scenario

Device

Interface

R$1$

G$0/0$

IP Address $192\mathrm{.}168\mathrm{.}10\mathrm{.}1$

Subnet Mask

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

Default Gateway N$/$A

G$0/1$

$192\mathrm{.}168\mathrm{.}11\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

S$0/0/0$

$10\mathrm{.}1\mathrm{.}1\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

S$0/0/1$

$10\mathrm{.}3\mathrm{.}3\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

R$2$

G$0/0$

$192\mathrm{.}168\mathrm{.}20\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

N$/$A

S$0/0/0$

$10\mathrm{.}1\mathrm{.}1\mathrm{.}2$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

S$0/0/1$

$10\mathrm{.}2\mathrm{.}2\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

R$3$

G$0/0$

$192\mathrm{.}168\mathrm{.}30\mathrm{.}1$

S$0/0/0$

$10\mathrm{.}3\mathrm{.}3\mathrm{.}2$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

N$/$A

S$0/0/1$

$10\mathrm{.}2\mathrm{.}2\mathrm{.}2$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}252$

PC$1$

NIC

$192\mathrm{.}168\mathrm{.}10\mathrm{.}10$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

$192\mathrm{.}168\mathrm{.}10\mathrm{.}1$

PC$2$

NIC

PC$3$

NIC

WebServer

NIC

$192\mathrm{.}168\mathrm{.}11\mathrm{.}10192\mathrm{.}168\mathrm{.}30\mathrm{.}10192\mathrm{.}168\mathrm{.}20\mathrm{.}254$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

$192\mathrm{.}168\mathrm{.}11\mathrm{.}1$

$255\mathrm{.}255\mathrm{.}255\mathrm{.}0255\mathrm{.}255\mathrm{.}255\mathrm{.}0$

$192\mathrm{.}168\mathrm{.}30\mathrm{.}1$

$192\mathrm{.}168\mathrm{.}20\mathrm{.}1$

Standard access control lists $($ACLs$)$ are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation. The routers are already configured, including IP addresses and Enhanced Interior Gateway Routing Protocol $($EIGRP$)$ routing.

Instructions

Part $1$: Plan an ACL Implementation

Step $1$: Investigate the current network configuration.

Before applying any ACLs to a network, it is important to confirm that you have full connectivity. Verify that the network has full connectivity by choosing a PC and pinging other devices on the network. You should be able to successfully ping every device.

Step $2$: Evaluate two network policies and plan ACL implementations.

a

The following network policies are implemented on R$2$:

The $192\mathrm{.}168\mathrm{.}11\mathrm{.}0/24$ network is not allowed access to the WebServer on the $192\mathrm{.}168\mathrm{.}20\mathrm{.}0/24$ network. All other access is permitted.

To restrict access from the $192\mathrm{.}168\mathrm{.}11\mathrm{.}0/24$ network to the Web Server at $192\mathrm{.}168\mathrm{.}20\mathrm{.}254$ without interfering with other traffic, an ACL must be created on R$2.$ The access list must be placed on the outbound interface to the WebServer. A second rule must be created on R$2$ to permit all other traffic.

b$.$ The following network policies are implemented on R$3$:

The $192\mathrm{.}168\mathrm{.}10\mathrm{.}0/24$ network is not allowed to communicate with the $192\mathrm{.}168\mathrm{.}30\mathrm{.}0/24$ network. All other access is permitted.

To restrict access from the $192\mathrm{.}168\mathrm{.}10\mathrm{.}0/24$ network to the $192\mathrm{.}168\mathrm{.}30/24$ network without interfering with other traffic, an access list will need to be created on R$3.$ The ACL must be placed on the outbound interface to PC$3.$ A second rule must be created on R$3$ to permit all other traffic. Part $2$: Configure, Apply, and Verify a Standard ACL

Step $1$: Configure and apply a numbered standard ACL on R$2.$

a$.$ Create an ACL using the number $1$ on R$2$ with a statement that denies access to the $192\mathrm{.}168\mathrm{.}20\mathrm{.}0/24$ network from the $192\mathrm{.}168\mathrm{.}11\mathrm{.}0/24$ network.

R$2($config$)$# access$-$list $1$ deny $192\mathrm{.}168\mathrm{.}11\mathrm{.}00\mathrm{.}0\mathrm{.}0\mathrm{.}255$

b$.$ By default, an access list denies all traffic that does not match any rules. To permit all other traffic, configure the following statement:

R$2($config$)$# access$-$list $1$ permit any

c$.$ Before applying an access list to an interface to filter traffic, it is a best practice to review the contents of the access list, in order to verify that it will filter traffic as expected.

R$2$# show access$-$lists

Standard IP access list $1$

$10$ deny $192\mathrm{.}168\mathrm{.}11\mathrm{.}00\mathrm{.}0\mathrm{.}0\mathrm{.}25520$ permit any

d$.$ For the ACL to actually filter traffic, it must be applied to some router operation. Apply the ACL by placing it for outbound traffic on the GigabitEthernet $0/0$ interface. Note: In an actual operational network, it is not a good practice to apply an untested access list to an active interface. R$2($config$)$# interface GigabitEthernet$0/0$

R$2($config$-$if$)$# ip access$-$group $1$ out

Step $2$: Configure and apply a numbered standard ACL on R$3.$

a$.$ Create an ACL using the number $1$ on R$3$ with a statement that denies access to the $192\mathrm{.}168\mathrm{.}30\mathrm{.}0/24$ network from the PC$1(192\mathrm{.}168\mathrm{.}10\mathrm{.}0/24)$ network.

R$3($config$)$# access$-$list $1$ deny $192\mathrm{.}168\mathrm{.}10\mathrm{.}00\mathrm{.}0\mathrm{.}0\mathrm{.}255$

b$.$ By default, an ACL denies all traffic that does not match any rules. To permit all other traffic, create a second rule for ACL $1.$

R$3($config$)$# access$-$list $1$ permit any

c$.$ Verify that the access list is configured correctly.

R$3$# show access$-$lists

Standard IP access list $1$

$10$ deny $192\mathrm{.}168\mathrm{.}10\mathrm{.}00\mathrm{.}0\mathrm{.}0\mathrm{.}255$

$20$ permit any

d$.$ Apply the ACL by placing it for outbound traffic on the GigabitEthernet $0/0$ interface.

R$3($config$)$# interface GigabitEthernet$0/0$

R$3($config$-$if$)$# ip access$-$group $1$ out

Step $3$: Verify ACL configuration and functionality.

a$.$ Enter the show run or show ip interface gigabitethernet $0/0$ command to verify the ACL placements.

b$.$ With the two ACLs in place, network traffic is restricted according to the policies detailed in Part $1.$ Use the following tests to verify the ACL implementations:

A ping from $192\mathrm{.}168\mathrm{.}10\mathrm{.}10$ to $192\mathrm{.}168\mathrm{.}11\mathrm{.}10$ succeeds.

A ping from $192\mathrm{.}168\mathrm{.}10\mathrm{.}10$ to $192\mathrm{.}168\mathrm{.}20\mathrm{.}254$ succeeds.

A ping from $192\mathrm{.}168\mathrm{.}11\mathrm{.}10$ to $192\mathrm{.}168\mathrm{.}20.$