Scribd Logo
Upload

Welcome to Scribd!

  • A1 - Lab 3 - Access Control List in Packet Tracer

    Uploaded by

    anjanneupane479
    11 views7 pages

    Original Title

    A1 - Lab 3 - Access control list in Packet Tracer

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views7 pages

    A1 - Lab 3 - Access Control List in Packet Tracer

    Uploaded by

    anjanneupane479

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    Lab 3: Configuring Access Control Lists (ACLs)

    Lab 3: Access Control Lists (ACL) in Packet Tracer

    Objectives of this Lab:

    The goal of this lab is to become familiar with the configuration of Access Control Lists (ACLs)
    in Packet Tracer.

    Instructions:

    • Read carefully before starting the lab.

    • These exercises are to be done individually.

    • You are supposed to provide the answers to the questions listed at the end of this document and
    upload the completed report to Moodle.

    • Avoid plagiarism by copying from the Internet or from your peers. You may refer to source/ text but
    you must paraphrase the original work. Your submitted work should be written by yourself.

    • Total Marks = 10

    • Weightage = 10%

    • You must submit a word document that provides answers to the questions given at the end. Do not
    submit a Packet Tracer File.

    Access Control Lists (ACLs):

    In order to filter network traffic, ACLs control whether routed packets are forwarded or blocked
    at the router interface. Your router examines each packet in order to determine whether to
    forward or drop the packet based on the criteria that you specify within the ACL.

    ACL criteria include:


    • Source address of the traffic
    • Destination address of the traffic
    • Upper-layer protocol

    Complete these steps in order to construct an ACL as the examples in this document show:
    1. Create an ACL.
    2. Apply the ACL to an interface.
    Lab 3: Configuring Access Control Lists (ACLs)

    The IP ACL is a sequential collection of permit and deny conditions that apply to an IP packet.
    The router tests packets against the conditions in the ACL one at a time.
    The first match determines whether the Cisco IOS Software accepts or rejects the packet.
    Because the Cisco IOS Software stops testing conditions after the first match, the order of the
    conditions is critical. If no conditions match, the router rejects the packet because of an implicit
    deny all clause.

    Types of ACL:
    There are two main different types of Access-list namely:

    1. Standard Access-list – These are the Access-list which are made using the source IP
    address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish
    between the IP traffic such as TCP, UDP, HTTPs etc. By using numbers 1-99 or
    13001999, router will understand it as a standard ACL and the specified address as source
    IP address.

    2. Extended Access-list – These are the ACL which uses both source and destination IP
    address. In this type of ACL, we can also mention which IP traffic (for example TCP/UDP
    etc) should be allowed or denied. These use range 100-199 and 2000-2699.

    Advantages of ACL:

    • Improve network performance.

    • Provides security as administrator can configure the access list according to the needs
    and deny the unwanted packets from entering the network.

    • Provides control over the traffic as it can permit or deny according to the need of
    network.

    Important ACL configuration commands:

    1. access-list command

    A standard ACL provides the ability to match traffic based on the source address of the traffic
    only. This is, of course, rather limiting, but in many situations is all that is required. The
    command syntax of a standard ACL is as follows:

    router(config)#access-list access-list-number {permit | deny} {source[source-wildcard] |


    host hostname | any}

    2. ip access-group command

    To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, we use the
    ip access-group command. To remove an IPv4 ACL from an interface, we use the no form of
    this command.
    ip access-group access-list-number {in | out} no
    Lab 3: Configuring Access Control Lists (ACLs)

    ip access-group access-list-number {in | out}


    Syntax Description
    access-list- number Access-list Number
    in Specifies that the ACL applies to inbound traffic.
    out Specifies that the ACL applies to outbound traffic.

    Today’s Lab:

    In this lab, we will learn how to configure ACLs on the router.

    Create the network topology below in Packet Tracer and follow the steps below to configure
    the static routes for the remote networks.

    1. Assign the IP addresses (provided in the topology diagram) to all the end hosts with the
    subnet mask of 255.255.255.0. Also configure the default gateways accordingly.

    2. Configure the IP addresses on router interfaces

    Following are the commands to configure the Student_Router1

    Student_Router1(config)#int Gig0/0

    Student_Router1(config-if)#ip address 192.168.1.1 255.255.255.0

    Student_Router1(config-if)#no shutdown

    Student_Router1(config-if)#exit
    Lab 3: Configuring Access Control Lists (ACLs)

    Student_Router1(config)#int Gig0/1

    Student_Router1(config-if)#ip address 192.168.10.1 255.255.255.0


    Student_Router1(configif)#no shutdown

    Student_Router1(config-if)#exit

    Following are the commands to configure the Student_Router2

    Student_Router2(config)#int Gig0/0

    Student_Router2(config-if)#ip address 192.168.10.2 255.255.255.0

    Student_Router2(config-if)#no shutdown

    Student_Router2(config-if)#exit

    Student_Router2(config)#int Gig0/1

    Student_Router2(config-if)#ip address 192.168.20.1 255.255.255.0

    Student_Router2(config-if)#no shutdown

    Student_Router2(config-if)#exit

    Now, we will configure the routers with the static routing command

    3. Configure a Static Route Using a Next-Hop Address.

    Following are the commands to configure the static routes on Student_Router1.

    Student_Router1>enable

    Student_Router1#config terminal

    Student_Router1(config)#ip route 192.168.20.0 255.255.255.0 192.168.10.2

    Following are the commands to configure the static routes on Student_Router2.

    Student_Router2>enable

    Student_Router2#config terminal
    Lab 3: Configuring Access Control Lists (ACLs)

    Student_Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.10.1

    4. Configure the standard access list

    Student_Router1(config)#access-list 1 deny 192.168.20.4 0.0.0.0

    Student_Router1(config)#access-list 1 permit any

    In the wildcard entry, we use the “0.0.0.0” address because we only wanted to block that
    particular host. This will deny any communication from the source IP address of
    “192.168.20.4”. In the next command, parameter “any” permits the communication for all the
    other hosts.

    Note: The order of statements is critical to the operation of an ACL. If the order of the entries
    is reversed above, the ACL will fail to block host 192.168.20.4.

    5. Apply the standard access list to the interface.

    Student_Router1(config)#int gig0/0

    Student_Router1(config-if)#ip access-group 1 out

    Student_Router1(config-if)#exit

    In the command, we specify “out” which corresponds to the outbound traffic (any traffic going
    out of the interface).

    This will apply the access list to the interface giga ethernet 0/0. Now, “192.168.20.4” will not
    be able to send traffic to the “Student_Router1” interface gig 0/0 (to the corresponding network
    “192.168.1.0” i.e neither to 192.168.1.2 nor to 192.168.1.3).

    6. See the configured access list of the router.

    “show access-lists” is the command to see the configured access list of the router.
    Lab 3: Configuring Access Control Lists (ACLs)

    7. To add a new host to deny communication in existing ACL.


    If we want to add a new host AdminPC2 with IP address “192.168.20.3”, we have to do the
    following configuration. First, we have to delete the command permit any with the following
    command.

    Student_Router1(config)#no access-list 1 permit any

    Then we have to run the following commands.

    Student_Router1(config)#access-list 1 deny 192.168.20.4 0.0.0.0

    Student_Router1(config)#access-list 1 deny 192.168.20.3 0.0.0.0

    Student_Router1(config)#access-list 1 permit any


    Lab 3: Configuring Access Control Lists (ACLs)

    Answer the following Questions.

    Question 1: Write the exact commands to configure access-list to deny communication


    from host 192.168.20.3 on Student_Router1. Set the enable password as your first
    name and show the running configuration of the router. (Snapshot/s Required)
    [2 Marks]

    Question 2: (In CLI, change the Student_Router1 hostname to your first


    name_Router1). With “show access-lists”, show the output of the given command on
    Student_Router1. What is the use of this command? (Snapshot/s Required)
    [2 Marks]

    Question 3: How will you ensure that AttackerPC1 is unable to access StudentPC1?
    Provide screenshots of the commands in CLI and the ping command in CMD.
    (Snapshot/s Required)
    [3 Mark]

    Question 4: How will you ensure that StudentPC2 is still able to access StudentPC1?
    Provide screenshots of the commands in CLI and the ping command in CMD.
    (Snapshot/s Required)
    [3 Marks]

    Important points:
    • Labs are in-class activities. Therefore, submitting outside of class and the defined hours is
    an example of unethical behaviour (academic misconduct). For any late submission, you
    MUST apply for special consideration before or on the assessment date. ONLY upon getting
    the approval of the special consideration, a second attempt will be arranged.
    • The submitted Doc/PDF file should contain at least 20 words. Otherwise, Turnitin will reject
    it.
    • Only Doc/PDF files are acceptable. Images (screenshots) or other formats (i.e. Packet Tracer
    file) will not be marked.
    • Do not crop the screenshots.
    • Once you submitted a report, please ensure Turnitin has accepted your file. The rejected
    submissions will not be graded.
    • If instructed in the assignment, the screenshots MUST show your name. The answers which
    do not meet the defined criteria will receive 0 mark, even if the answer is correct.

    You might also like