Lab Objective:
The objective of this lab exercise is for you to learn and understand how to create and apply standard named access control lists.
Lab Purpose:
Configuring and applying standard ACLs is a fundamental skill. Standard ACLs filter based on source address, and they should be applied as close to the destination as possible. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to create and apply standard numbered ACLs.
Certification Level:
This lab is suitable for CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 20 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on routers R1 and R3 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology. Configure a static default route on R1 pointing to R3 over the Serial connection between the two routers. Also, configure a static default route on R3 pointing to R1 via the Serial connection between the two routers. Configure the Loopback interfaces specified in the diagram on R3.
Task 3:
To test connectivity, ping R1 from R3 Serial0/0, Loopback10, Loopback20, and Loopback30 interfaces. To ping from the Loopback interfaces, use the ping <ip_address> source <interface> command.
Task 4:
On R1, create a standard named ACL to prevent inbound traffic from the Loopback10 and Loopback30 subnets on R3, but explicitly allow all inbound traffic from the Serial0/0 and Loopback20 subnets on R3. This ACL should be named LOOPBACK-10-30-ACL. Apply this ACL inbound on Serial0/0. Now try to ping R1 from R3 Serial0/0, Loopback10, Loopback20, and Loopback30 using the ping <ip_address> source <interface> command. If you have configured this correctly, only the pings from Serial0/0 and Loopback20 will succeed.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring IP addresses and static routes, please refer to earlier labs.
Task 3:
For reference information on pinging IP addresses, please refer to earlier labs.
Task 4:
R1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#ip access-list standard LOOPBACK-10-30-ACL
R1(config-std-nacl)#remark "Deny Traffic From R3 Loopback10"
R1(config-std-nacl)#deny 10.10.10.0 0.0.0.127
R1(config-std-nacl)#remark "Permit Traffic From R3 Loopback20"
R1(config-std-nacl)#permit 10.20.20.0 0.0.0.15
R1(config-std-nacl)#remark "Deny Traffic From R3 Loopback30"
R1(config-std-nacl)#deny 10.30.30.0 0.0.0.7
R1(config-std-nacl)#remark "Permit Traffic From Serial0/0 Subnet"
R1(config-std-nacl)#permit 172.16.1.0 0.0.0.63
R1(config-std-nacl)#exit
R1(config)#int s0/0
R1(config-if)#ip access-group LOOPBACK-10-30-ACL in
R1(config-if)#end
R1#

R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#ping 172.16.1.1 source loop10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.3
U.U.U
Success rate is 0 percent (0/5)
R3#ping 172.16.1.1 source loop20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 172.16.1.1 source loop30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.30.30.3
U.U.U
Success rate is 0 percent (0/5)
NOTE: Take note of the different syntax for creating a named ACL versus a numbered ACL. Named ACLs perform the same way as numbered ACLs but allow for easier identification of what the ACL is used for because they can be assigned a name. You can view named ACLs using the same commands as you would for numbered ACLs:
R1#show ip access-lists LOOPBACK-10-30-ACL
Standard IP access list LOOPBACK-10-30-ACL
    10 deny   10.10.10.0, wildcard bits 0.0.0.127 (11 matches)
    20 permit 10.20.20.0, wildcard bits 0.0.0.15 (15 matches)
    30 deny   10.30.30.0, wildcard bits 0.0.0.7 (11 matches)
    40 permit 172.16.1.0, wildcard bits 0.0.0.63 (15 matches)
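The following Python script is an added example (not part of the lab or Cisco IOS) that reproduces the top-down, first-match evaluation and wildcard-mask arithmetic IOS applies to the ACL above, including the implicit deny at the end of every ACL. It uses the lab's four entries with their sequence numbers; the R3 Serial0/0 source address 172.16.1.2 is an assumption (the lab only gives R1's 172.16.1.1/26).

```python
import ipaddress

# Copy of the lab's ACL entries, in the order IOS numbered them (10, 20, 30, 40).
LOOPBACK_10_30_ACL = [
    (10, "deny",   "10.10.10.0", "0.0.0.127"),
    (20, "permit", "10.20.20.0", "0.0.0.15"),
    (30, "deny",   "10.30.30.0", "0.0.0.7"),
    (40, "permit", "172.16.1.0", "0.0.0.63"),
]


def wildcard_match(src, network, wildcard):
    """True when src matches network under an IOS wildcard mask.

    A 0 bit in the wildcard means "must match", a 1 bit means "don't care",
    so the test is (src XOR network) AND NOT wildcard == 0 over 32 bits.
    """
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (s ^ n) & (~w & 0xFFFFFFFF) == 0


def evaluate(acl, src):
    """Walk the ACL top to bottom as IOS does: the first matching entry decides.

    Returns (action, sequence); a source that matches no entry hits the
    implicit deny, reported as ("deny", None).
    """
    for seq, action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None


def ping_results(acl, sources):
    """Map each ping source address to the action the inbound ACL takes."""
    return {src: evaluate(acl, src)[0] for src in sources}


if __name__ == "__main__":
    # Loopback sources are from the lab's pings; 172.16.1.2 is an assumed
    # address for R3 Serial0/0 inside R1's 172.16.1.0/26 subnet.
    for src in ["172.16.1.2", "10.10.10.3", "10.20.20.3", "10.30.30.3"]:
        print(f"{src:<12} -> {evaluate(LOOPBACK_10_30_ACL, src)}")
    # Edge cases: one address past the 0.0.0.15 wildcard range of entry 20,
    # and a source no entry covers; both fall through to the implicit deny.
    print("10.20.20.16  ->", evaluate(LOOPBACK_10_30_ACL, "10.20.20.16"))
    print("192.168.1.1  ->", evaluate(LOOPBACK_10_30_ACL, "192.168.1.1"))
```

The sequence numbers returned correspond to the entries whose match counters increment in the show ip access-lists output above, and the two edge cases show why a source that is merely "not denied" is still dropped unless an explicit permit covers it.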
To view ACLs applied to an interface, you can use either the show run interface <name> command or the show ip interface <name> command as illustrated below:
R1#show running-config interface serial 0/0
Building configuration...

Current configuration : 139 bytes
!
interface Serial0/0
 ip address 172.16.1.1 255.255.255.192
 ip access-group LOOPBACK-10-30-ACL in
 clock rate 768000
 no fair-queue
end

R1#show ip interface serial 0/0
Serial0/0 is up, line protocol is up
  Internet address is 172.16.1.1/26
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is LOOPBACK-10-30-ACL