Professional Documents
Culture Documents
CVM Lab 12
CVM Lab 12
Access Lists
This CCNA Video Mentor lab shows how to configure access control lists (ACLs), focusing on how ACLs can match applications based on TCP and UDP port numbers. The objectives of this lab are as follows:
Configure extended IP ACLs Describe how to match both the source and destination port numbers with an IP ACL See counters for the number of packets that match each ACL statement
Scenario
This lab contains a single step, as follows:
Step 1.
Initial Configurations
Examples 12-1 and 12-2 show the pertinent initial configurations of routers R1 and R2 in the lab video. The lab begins with a working network with IP addresses and the RIP routing protocol, but with no ACLs configured. As usual, the parts of the configurations not relevant to this lab have been omitted.
Example 12-1
hostname R1 ! interface FastEthernet 0/0 ip address 172.16.1.251 255.255.255.0 ! interface serial 0/1/0 ip address 172.16.2.251 255.255.255.0 ! router rip network 172.16.0.0
60
Example 12-2
hostname R2 !
interface FastEthernet 0/0 ip address 172.16.3.252 255.255.255.0 ! interface serial 0/1/0 ip address 172.16.2.252 255.255.255.0 ! router rip network 172.16.0.0
Ending Configurations
This lab ends with R1 having a new ACL configured and enabled. Example 12-3 shows the ending configuration for R1.
Example 12-3
hostname R1 ! interface FastEthernet 0/0 ip address 172.16.1.251 255.255.255.0 ip access-group 101 in ! interface serial 0/1/0 ip address 172.16.2.251 255.255.255.0 ! router rip network 172.16.0.0 ! access-list 101 permit tcp host 172.16.1.1 172.16.3.0 0.0.0.255 eq www access-list 101 permit tcp 172.16.1.0 0.0.0.255 gt 1023 172.16.3.0 0.0.0.255 eq telnet
61
Step 1 Reference
Figure 12-1 Lab 12 IP Address Reference
PC1
172.16.1.1
S3
172.16.3.3
PC2
172.16.1.2
S4
172.16.3.4
Fa0/0
172.16.1.251
172.16.2.251
R1
S0/1/0
172.16.2.252
Fa0/0
S0/1/0
R2
172.16.3.252
Figure 12-2
Clients
PC1
Servers
S3
172.16.1.1
Subnet 172.16.3.0/24 S4
172.16.3.4
172.16.3.3
R1
S0/1/0
Subnet 172.16.2.0/24
172.16.2.252
S0/1/0
R2
Figure 12-3
Clients PC1 172.16.1.1 PC2 172.16.1.2 Fa0/0 172.16.1.251
IP Header
TCP Header
Source IP Dest. IP Src. port Dest. port 172.16.1.0/24 172.16.3.0/24 >1023 = 23 (telnet)
R1
R2
172.16.3.252
Permit: from PC1 to web servers in subnet 172.16.3.0/24 Permit: from subnet 172.16.1.0/24 to Telnet servers in subnet 172.16.3.0/24 Deny: all else