- Packet Filtering Using Standard ACL.
- Standard ACL Examples.
- Packet Filtering with Extended ACL.
- Extended ACL Examples.
Lab 2-1 Packet Tracer Topology Download.
This is a continuation of the previous lab on basic security.
Task 1: Configuring an ACL (Access Control List).
In this exercise the following assumptions have been made:
PC1 (IP Address: 10.1.1.100/24) is allowed to access the Server (172.16.1.100) using any protocol.
PC2 (IP Address: 10.1.1.101/24) CANNOT telnet to the Server. All other traffic is allowed.
There are a few ways of constructing an ACL. Here's one of them:
Configure the ACL statements (the deny must come before the permit, because the first matching statement decides):
Branch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#access-list 100 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
Branch(config)#access-list 100 permit ip any any
Apply the ACL inbound on the Fa0/0 interface so that it filters incoming packets:
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip access-group 100 in
Branch#show access-list 100
Extended IP access list 100
deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
permit ip any any
Packet Tracer does not display sequence numbers next to the ACL statements (on real equipment they are present and can be used to remove individual statements using the 'named' ACL syntax).
Packet Tracer does not have the 'show ip int f0/0' command implemented properly. This command normally displays whether an incoming and/or outgoing ACL is applied on the interface.
Packet Tracer is somewhat limited here. We cannot enable the HTTP server (ip http server) on the HQ router in order to properly test the ACL.
Also, 'named' ACLs are not working in the version of Packet Tracer I am using. This does not allow me to show you how to re-sequence statements, remove statements, and squeeze statements between other ones.
I have tested the ACL using PC2 and telnet is NOT being blocked as expected. This proves that the version of Packet Tracer I use is NOT working properly.
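Since Packet Tracer cannot verify the ACL here, the following Python model of IOS first-match ACL evaluation is added as an example (it is not part of the original lab). It checks the two lab assumptions against ACL 100 and shows what the sequence numbers mentioned above are for: the same two entries with the permit sequenced first shadow the deny, and a list without the permit falls through to the implicit deny. The Entry fields, the sequence numbers 10/20 and the HTTP test packet are constructed, not taken from the page.

```python
"""Model of Cisco IOS extended-ACL evaluation: entries are checked in sequence
order, the first match decides, and an implicit 'deny ip any any' ends every list."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TELNET = 23

@dataclass
class Entry:
    seq: int                      # sequence number as real IOS shows it (constructed)
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any IP protocol
    src: str                      # CIDR; a /32 is IOS 'host x.x.x.x'
    dst: str
    dport: Optional[int] = None   # 'eq <port>' on the destination, None = any

def _in(spec: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(e: Entry, pkt: dict) -> bool:
    proto_ok = e.proto == "ip" or e.proto == pkt["proto"]
    port_ok = e.dport is None or e.dport == pkt.get("dport")
    return proto_ok and port_ok and _in(e.src, pkt["src"]) and _in(e.dst, pkt["dst"])

def evaluate(acl, pkt: dict):
    """Return (action, seq) of the first matching entry; implicit deny -> seq None."""
    for e in sorted(acl, key=lambda e: e.seq):
        if matches(e, pkt):
            return e.action, e.seq
    return "deny", None

# The page's ACL 100, with the sequence numbers IOS would assign.
ACL_100 = [
    Entry(10, "deny", "tcp", "10.1.1.101/32", "172.16.1.100/32", TELNET),
    Entry(20, "permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def pkt(src: str, dport: int, proto: str = "tcp") -> dict:
    return {"proto": proto, "src": src, "dst": "172.16.1.100", "dport": dport}

def lab_results():
    """Lab assumptions: PC1 telnet permitted, PC2 telnet denied, PC2 HTTP permitted."""
    return tuple(evaluate(ACL_100, p)[0] for p in
                 (pkt("10.1.1.100", TELNET), pkt("10.1.1.101", TELNET), pkt("10.1.1.101", 80)))

def misordered_results():
    """Same two entries with the permit sequenced first: the deny is shadowed."""
    swapped = [Entry(5, "permit", "ip", "0.0.0.0/0", "0.0.0.0/0"), ACL_100[0]]
    return evaluate(swapped, pkt("10.1.1.101", TELNET))
```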