Part $0$: Set Up the Topology and InitAddressing Table

Objectives

Part $1$: Configure and Apply a Named Standard ACL

Part $2$: Configure and Apply a Numbered Standard ACL

Scenario

This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router

interfaces, and verifying and testing the ACL implementation.

Required Resources

$1$ Router $($Cisco $4221$ with Cisco IOS XE Release $16\mathrm{.}9\mathrm{.}4$ universal image or comparable$)$

$2$ Switches $($Cisco $2960$ with Cisco IOS Release $15\mathrm{.}2(2)$ lanbasek$9$ image or comparable$)$

$2$ PCs $($Windows with a terminal emulation program, such as Putty or Tera Term$)$

Console cables to configure the Cisco IOS devices via the console ports

Ethernet cables as shown in the topologyialize Devices

$$ Connect the device according to the given network topology.

$$ Assign IP addresses according to the given addressing table.

Part $1$: Configure and Apply a Named Standard ACL

Step $1$: Verify connectivity before the ACL is configured and applied.

Both workstations should be able to ping to each other and all loopback interfaces.

Step $2$: Configure a named standard ACL.

Open configuration window

a$.$ Configure an ACL on R$1$ named Network$\_$Restrictions. The ACL should only allow PC$1$ to connect with PC$2$

Note: For scoring purposes, the ACL name is case$-$sensitive$,$ and the statements must be in the same order as shown.

b$.$ Use the show access$-$lists command to verify the contents of the access list before applying it to an interface. Make sure you have not mistyped any IP addresses and that the statements are in the correct order.

R$1$# show access$-$lists

Standard IP access list Network$\_$Restrictions

$10$ permit host $192\mathrm{.}168\mathrm{.}10\mathrm{.}3$

$20$ deny any

Step $3$: Apply the named ACL.

a$.$ Apply the ACL outbound on the G$0/0/1$ interface.

Note: In an actual operational network, applying an access list to an active interface is not a good practice and should be avoided if possible.

Step $4$: Verify the ACL configuration and application to the interface.

Open configuration window

Use the show access$-$lists command to verify the ACL configuration. Use the show run or show ip interface G$0/0/1$ command to verify that the ACL is applied correctly to the interface.

Step $5$: Verify that the ACL is working properly.

PC$1$ should still be able to ping the PC$2.$

But what happens if you change the IP address of PC$1$ to any other available address in the same network. Will the ping still work. Why?

Repeat the show access$-$lists command to see the number of packets that matched each statement.

Close configuration window

Part $2$: Configure and Apply a Numbered Standard ACL

Remove the named ACL configuration of Part $1$ from the router R$1.$

R$1($config$)$# no ip access$-$list standard Network$\_$Restrictions

R$1($config$)$# interface G$0/0/1$

R$1($config$-$if$)$# no ip access$-$group Network$\_$Restrictions out

Step $1$: Verify connectivity before the ACL is configured and applied.

Both workstations should be able to ping to each other and all loopback interfaces.

Step $2$: Configure and apply a numbered standard ACL on R$1.$

a$.$ Create an ACL using the number $1$ on R$1$ with a statement that denies access to the PC$1$ from the $192\mathrm{.}168\mathrm{.}20\mathrm{.}0/24$ network.

Open configuration window

b$.$ By default, an access list denies all traffic that does not match any rules. Configure a statement to permit all other traffic.

c$.$ Before applying an access list to an interface to filter traffic, it is a best practice to review the contents of the access list, in order to verify that it will filter traffic as expected.

R$1$# show access$-$lists

Standard IP access list $1$

$10$ deny $192\mathrm{.}168\mathrm{.}20\mathrm{.}00\mathrm{.}0\mathrm{.}0\mathrm{.}255$

$20$ permit any

Step $3$: Apply the named ACL.

a$.$ For the ACL to actually filter traffic, it must be applied to some router operation. Apply the ACL by placing it for outbound traffic on the G$0/0/0$ interface. Note: In an actual operational network, it is not a good practice to apply an untested access list to an active interface.

Step $4$: Verify the ACL configuration and application to the interface.

a$.$ Enter the show run or show ip interface Loopback$1$ command to verify the ACL placements.

Step $5$: Verify that the ACL is working properly.

PC$2$ should not be able to ping the PC$1.$