Lab A: Configuring and Applying Extended Named ACLs Outbound

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to create and apply extended named access control lists.

Lab Purpose:

Configuring and applying extended ACLs is a fundamental skill. Extended ACLs filter on source and destination address, on the Layer 4 protocol, and, for TCP and UDP, on the port number. Extended ACLs should be applied as close to the source as possible. As a Cisco engineer, and in the Cisco CCNA exam, you will be expected to know how to create and apply extended ACLs in the outbound direction.

Certification Level:

This lab is suitable for CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 8/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 20 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:


Task 1:

Configure hostnames on R1, R3, and Sw1 as illustrated in the topology.

Task 2:

Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.

Task 3:

Configure a static default route on R1 pointing to R3 over the Serial connection between the two routers. Also, configure a static default route on R3 pointing to R1 via the Serial connection between the two routers.

Task 4:

Configure VLAN50 on Sw1 and assign it the name ACL-VLAN. Assign port FastEthernet0/2 to this VLAN. Configure interface VLAN50 with the IP address 10.50.50.130/25 and configure a default gateway on the switch to 10.50.50.129.

Also, configure interface F0/0 on R3 with the IP address 10.50.50.129 and enable this interface.

Task 5:

Create an extended named ACL called SWITCH-ACL on R3. This ACL should:

  • Permit all ICMP traffic from 10.50.50.128/25 to the interface address of R1 S0/0 (172.16.1.1);
  • Deny all www traffic from 10.50.50.128/25 to the 172.16.1.0/26 subnet;
  • Permit all Telnet traffic from the interface address of Sw1 (10.50.50.130) to the interface address of R1 S0/0;
  • Permit all IP traffic from 10.50.50.128/25 to the interface address of R1 S0/0; and
  • Deny all IP traffic from the interface address of Sw1 to the 172.16.1.0/26 subnet.

Apply this ACL outbound on R3 S0/0.

Task 6:

Test your ACL configurations by performing ping and telnet exercises as we have done in previous labs, and verify matches against your ACL using the show ip access-list SWITCH-ACL command.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring DCE clocking, please refer to earlier labs.

Task 3:

For reference information on configuring static routes, please refer to earlier labs.

Task 4:

For reference information on configuring IP addressing and verifying VLANs, please refer to earlier labs.

Task 5:

R3#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
R3(config)#ip access-list extended SWITCH-ACL
R3(config-ext-nacl)#permit icmp 10.50.50.128 0.0.0.127 host 172.16.1.1
R3(config-ext-nacl)#deny tcp 10.50.50.128 0.0.0.127 172.16.1.0 0.0.0.63 eq www
R3(config-ext-nacl)#permit tcp host 10.50.50.130 host 172.16.1.1 eq telnet
R3(config-ext-nacl)#permit ip 10.50.50.128 0.0.0.127 host 172.16.1.1
R3(config-ext-nacl)#deny ip host 10.50.50.130 172.16.1.0 0.0.0.63
R3(config-ext-nacl)#exit
R3(config)#int s0/0
R3(config-if)#ip access-group SWITCH-ACL out
R3(config-if)#end
R3#

Task 6:

R3#show ip access-lists SWITCH-ACL
Extended IP access list SWITCH-ACL
10 permit icmp 10.50.50.128 0.0.0.127 host 172.16.1.1 (15 matches)
20 deny tcp 10.50.50.128 0.0.0.127 172.16.1.0 0.0.0.63 eq www (2 matches)
30 permit tcp host 10.50.50.130 host 172.16.1.1 eq telnet (75 matches)
40 permit ip 10.50.50.128 0.0.0.127 host 172.16.1.1 (30 matches)
50 deny ip host 10.50.50.130 172.16.1.0 0.0.0.63 (5 matches)

Now please test the ACL.
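To see why the match counters in Task 6 come out the way they do, the following Python script is an added example (not part of the lab or of Cisco IOS) that models how IOS walks the SWITCH-ACL entries from Task 5: top to bottom, first match wins, wildcard bits set to 1 are "don't care", and anything that reaches the end hits the implicit deny. The ACL text, the sequence numbers (assigned in steps of 10, as IOS does), and the sample flows are constructed for the example; ICMP types and established/flag matching are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed copy of the lab's SWITCH-ACL entries, in IOS syntax.
SWITCH_ACL = """
permit icmp 10.50.50.128 0.0.0.127 host 172.16.1.1
deny tcp 10.50.50.128 0.0.0.127 172.16.1.0 0.0.0.63 eq www
permit tcp host 10.50.50.130 host 172.16.1.1 eq telnet
permit ip 10.50.50.128 0.0.0.127 host 172.16.1.1
deny ip host 10.50.50.130 172.16.1.0 0.0.0.63
"""

PORT_NAMES = {"www": 80, "telnet": 23}  # IOS port keywords used in this lab


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "icmp", "tcp", "udp"
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dst_port: Optional[int]     # only set when the entry carries "eq <port>"
    matches: int = 0            # the counter "show ip access-lists" reports


def _parse_addr(tokens):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(text):
    """Turn IOS-style ACL lines into Entry objects with sequence numbers 10, 20, ..."""
    entries, seq = [], 10
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append(Entry(seq, action, proto, src, dst, port))
        seq += 10
    return entries


def _wild_match(addr, spec):
    """Wildcard compare: only bits that are 0 in the wildcard must be equal."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, src, dst, proto, dst_port=None):
    """First-match evaluation. Returns (action, seq); seq is None for the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:   # "ip" matches every protocol
            continue
        if not _wild_match(src, e.src) or not _wild_match(dst, e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        e.matches += 1
        return e.action, e.seq
    return "deny", None


def match_counts(entries):
    """Per-entry hit counters, in the shape of the 'show ip access-lists' output."""
    return {e.seq: e.matches for e in entries}


if __name__ == "__main__":
    acl = parse_acl(SWITCH_ACL)
    # Constructed flows leaving R3 S0/0 toward R1, as in the lab's Task 6 tests.
    flows = [
        ("10.50.50.130", "172.16.1.1", "icmp", None),   # ping from Sw1 to R1 S0/0
        ("10.50.50.130", "172.16.1.1", "tcp", 80),      # www to R1 S0/0
        ("10.50.50.130", "172.16.1.1", "tcp", 23),      # telnet from Sw1 to R1 S0/0
        ("10.50.50.131", "172.16.1.1", "tcp", 23),      # telnet from another /25 host
        ("10.50.50.130", "172.16.1.2", "tcp", 23),      # telnet from Sw1 elsewhere in /26
        ("10.50.50.131", "172.16.1.2", "tcp", 22),      # falls through to implicit deny
    ]
    for src, dst, proto, port in flows:
        print(f"{src:>14} -> {dst:<12} {proto}/{port}: {evaluate(acl, src, dst, proto, port)}")
    print(match_counts(acl))
```

Two things this makes visible that the counters alone do not: entry 20 denies www to 172.16.1.1 even though entry 40 would permit all IP to that address, because the deny is evaluated first; and entry 50 only ever sees traffic that entries 30 and 40 have already declined, so it counts Sw1 traffic to other hosts in 172.16.1.0/26, never traffic to R1 S0/0 itself.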
