Lab 3-3: Using ACLs to filter IP based traffic

Visual Topology

Command Line

Command Description
Interface loopback0 Creates an internal interface
ip access-group acl name [in/out] Binds an access control list to an interface
ip access-list extended acl name Creates and enters the ACL configuration mode
{permit | deny} {test conditions} Creates control statements within an ACL
show access-lists acl name Displays any ACL located on the device
show ip interface type/slot/number Displays any ACL bound to an interface

Task 1: Configuring an ACL (Access Control List).

Step 1: Access the CLI on your router

Step 2: Create a loopback interface using the following commands.

R1 only...
R1(config)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#no shut

Note we are using a 32 bit mask.

R2 only...
R2(config)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#no shut

Step 3: From your PC check that you can ping the IP address of the loopback interface you have just created and also your default gateway.

If two network cards are fitted you will need to type in the following commands.
PC1 only....
c:\>router -p add 1.1.1.1 mask 255.255.255.255 10.1.1.1
PC2 only.....
c:\>router -p add 2.2.2.2 mask 255.255.255.255 10.1.1.2

If the ping fails check the following.

Does your PC have the correct IP address ? hint… ipconfig
Can you ping your default gateway ? If not check that the router interface is up/up

Step 4: Create an extended ACL named PING that will prevent your PC from successfully pinging the default gateway, however you should be allowed to ping the loopback interface and all other IP traffic should be permitted through the router.

Step 5: Test your ACL and use the appropriate show commands to display the content of the configured ACL and write down your results below.

Rx#show access-list PING

Are access-list names case sensitive ?

Step 6: Once you have proved that the ACL works correctly then remove it from your configuration.

Step 7: Save your configuration

Lab Answer Keys:

[sociallocker id=”4139″]

Task 1: Configuring an ACL (Access Control List).

Step 2: Create a loopback interface using the following commands.

R1 only...
R1>en
R1#conf t
R1(config)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#no shut

Note we are using a 32 bit mask.

R2 only...
R2>en
R2#conf t
R2(config)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#no shut

Step 3: From your PC check that you can ping the IP address of the loopback interface you have just created and also your default gateway. This should work!

If the ping fails check the following.

Does your PC have the correct IP address ? hint… ipconfig
Can you ping your default gateway ? If not check that the router interface is up/up

Step 4: Create an extended ACL named PING that will prevent your PC from successfully pinging the default gateway, however you should be allowed to ping the loopback interface and all other IP traffic should be permitted through the router.

R1 only....
R1#conf t
R1(config)#ip access-list extended PING
R1(config-ext-nacl)#deny icmp 10.1.1.101 0.0.0.0 10.1.1.1 0.0.0.0 echo
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#int fa0/0

or

R1(config-ext-nacl)#int gi0/0
R1(config-if)ip access-group PING in
R2 only....
R2#conf t
R2(config)#ip access-list extended PING
R2(config-ext-nacl)#deny icmp 10.1.1.102 0.0.0.0 10.1.1.2 0.0.0.0 echo
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int fa0/0

or

R2(config-ext-nacl)#int gi0/0
R2(config-if)ip access-group PING in

Step 5: Test your ACL and use the appropriate show commands to display the content of the configured ACL and write down your results below.

Rx#show access-list PING

Are access-list names case sensitive ?

YES

Step 6: Once you have proved that the ACL works correctly then remove it from your configuration.

R(config-if)#no ip access-group PING in
R(config-if)#exit
R(config)#no ip access-list ext PING

Step 7: Save your configuration

R(config)#exit
R#copy run start
[/sociallocker]
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments