Lab 40: Configuring and Applying Extended Numbered ACLs

Sep 17, 2017 Last Updated: Sep 17, 2017 120 Labs CCNA 2 Comments
Tweet Share Pin it

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to create and apply extended numbered access control lists.

Lab Purpose:

Configuring and applying extended ACLs is a fundamental skill. Extended ACLs filter based on source and destination address, as well as Layer 4 protocols TCP and UDP. Extended ACLs should be applied as close to the source as possible. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to create and apply extended numbered ACLs.

Certification Level:

This lab is suitable for CCENT and CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 8/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 20 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:

Lab 40: Configuring and Applying Extended Numbered ACLs 2

Task 1:

Configure the hostnames on routers R1 and R3 as illustrated in the topology.

Task 2:

Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.

Task 3:

Configure a static default route on R1 pointing to R3 over the Serial connection between the two routers. Also, configure a static default route on R3 pointing to R1 via the Serial connection between the two routers. Configure the Loopback interfaces specified in the diagram on R1 and R3.

Task 4:

To test connectivity, ping R1 from R3 Serial0/0, Loopback10, Loopback20, and Loopback30 interfaces. To ping from the Loopback interfaces, use the ping <ip_address> /source <interface> command.

Task 5:

Configure both R1 and R3 to allow Telnet connections. The password CISCO should be used for Telnet access.

Task 6:

Configure a numbered extended ACL on R3 to allow Telnet from R1 Loopback10 to R3 Loopback20 and Loopback30. Add another line to the extended ACL to only allow ping traffic from R1 Loopback20 to R3 Loopback10. Apply this ACL inbound on R3 Serial0/0.

To test your Telnet ACL configuration, telnet from R1 Loopback10 to R3 Loopback10, Loopback20, and Loopback30. If you have configured your ACL correctly, only Telnet sessions to Loopback20 and Loopback30 will work.

Task 7:

To test your ping ACL configuration, ping from R1 Loopback20 to R3 Loopback10, Loopback20, and Loopback30. If you have configured your ACL correctly, only pings from R1 Loopback10 to R3 Loopback20 should work. Use the ping <ip_address> /source <interface> command to send pings from the Loopback interfaces.

Feel free to try the lab again but blocking/permitting host addresses.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring DCE clocking, please refer to earlier labs.

Task 3:

For reference information on configuring IP addressing and static routes, please refer to earlier labs.

Task 4:

For reference information on sourcing traffic from other interfaces, please refer to earlier labs.

Task 5:

For reference information on permitting Telnet, please refer to earlier labs.

Task 6:

R3#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R3(config)#access-list 180 remark “R1 Loop10->R3 Loop20” 
R3(config)#access-list 180 per tcp 172.16.4.0 0.0.0.63 10.20.20.0 0.0.0.15 eq telnet
 R3(config)#access-list 180 remark “R1 Loop10->R3 Loop30” 
R3(config)#access-list 180 per tcp 172.16.4.0 0.0.0.63 10.30.30.0 0.0.0.7 eq telnet
R3(config)#access-list 180 per icmp 172.17.5.0 0.0.0.7 10.10.10.0 0.0.0.127 echo 
R3(config)#access-list 180 per icmp 172.17.5.0 0.0.0.7 10.10.10.0 0.0.0.127 echo-reply R3(config)#int s0/0 
R3(config-if)#ip access-group 180 in 
R3(config-if)#end 
R3# 

R1#telnet 10.10.10.3 /source-interface loopback10 
Trying 10.10.10.3 ... 
% Destination unreachable; gateway or host down 

R1#telnet 10.20.20.3 /source-interface loopback10 
Trying 10.20.20.3 ... Open 

User Access Verification 

Password: 
R3# 

R1#telnet 10.30.30.3 /source-interface loopback10 
Trying 10.30.30.3 ... Open 

User Access Verification 
Password: 
R3#

Task 7:

R1#ping 10.10.10.3 source loopback20 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds: 
Packet sent with a source address of 172.17.5.1 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 

R1#ping 10.20.20.3 source loopback20

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.20.20.3, timeout is 2 seconds: 
Packet sent with a source address of 172.17.5.1 
U.U.U 
Success rate is 0 percent (0/5) 

R1#ping 10.30.30.3 source loopback20 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.30.30.3, timeout is 2 seconds: 
Packet sent with a source address of 172.17.5.1 
U.U.U 
Success rate is 0 percent (0/5)
Subscribe
Notify of
guest

2 Comments
Inline Feedbacks
View all comments
Anna
Anna
1 year ago

How can i telnet from loopback address its not working in packet tracer. only port number is allowed not the source interface lo10 command.. help pls how to know the port number

Reply
Daravae
Daravae
7 months ago
Reply to  Anna

I ran into the same issue. I suspect it’s not supported in Packet Tracer.
Re: Telnet to a 1841 from another source address – Cisco Community

The command telnet X.X.X.X /source-interface is available on my Cisco CBS250.
It may not be supported on the routers in Packet Tracer. It also works in GNS3.

Reply
2
0
Would love your thoughts, please comment.x
()
x