
Configuring IP ACLs in ACL Lab

1. The document describes configuring IP addresses and routing on routers R1, R2, R3, and R4 to establish basic connectivity. Standard and extended ACLs are then configured to selectively permit or deny traffic between the routers. 2. Extended ACL 101 is configured on R1 to deny Telnet and HTTP access from R3 to R1. Named extended ACL "cns-acl" is later configured to deny SSH, HTTP, and Telnet from R2 to R1. 3. A mock lab task is described to configure ACL 102 on R1 to deny ICMP ping traffic to R1 but permit all other traffic.


ACL LAB-

1. STEP 1- ASSIGN IPs

R1-

conf t

int f0/0

ip add [Link] [Link]

no sh

int lo 1

ip add [Link] [Link]

int lo 2

ip add [Link] [Link]

int lo 3

ip add [Link] [Link]

int lo 4
ip add [Link] [Link]

ip route [Link] [Link] f0/0

R2-

conf t

int f0/0

ip add [Link] [Link]

no sh

int f0/1

ip add [Link] [Link]

no sh

int f1/0

ip add [Link] [Link]

no sh

ip route [Link] [Link] f0/0

ip route [Link] [Link] f0/1

R3-

conf t

int f0/0

ip add [Link] [Link]

no sh

int lo 1

ip add [Link] [Link]

ip route [Link] [Link] f0/0


R4-

conf t

int f1/0

ip add [Link] [Link]

no sh

ip route [Link] [Link] f1/0

2. STEP 2- STANDARD ACL (TO STOP [Link] FROM REACHING R1)

*** THIS ACL CAN BE APPLIED ON EITHER R1 OR R2; EITHER ONE CAN PERFORM THE TASK.

R2-

access-list 1 deny ho [Link]

int f0/1

ip access-group 1 in

R3-

do ping [Link] ( U- UNREACHABLE, i.e. ADMINISTRATIVELY PROHIBITED )

do ping [Link] so [Link] ( IT SHOULD HAVE PINGED, BUT THE ACL SO FAR HAS ONLY A deny LINE, SO EVERY OTHER SOURCE HITS THE IMPLICIT DENY AT THE END AND THIS COULDN'T WORK. )

R2-

access-list 1 permit any ( TO PERMIT ALL OTHER IPs OR NETWORKS )

* do sh access-list 1 - TO CHECK THE ACCESS LIST AND ITS MATCH COUNTERS


2.1. TO CONVERT THE UNREACHABLE (U) REPLIES TO DOTS WHEN PINGED FROM R3 SO [Link]

R2-

int f0/1

no ip unreachables

R3-

do ping [Link] ( DOTS WILL NOW APPEAR IN PLACE OF U, SINCE R2 NO LONGER SENDS ICMP UNREACHABLES )

2.2 R1 COULD BE ACCESSED THROUGH R2 USING TELNET [Link] FROM R3.

R2-

no access-list 1 deny ho [Link] ( THIS REMOVES THE COMPLETE STANDARD ACL: ON A NUMBERED ACL, "no access-list <n> ..." DELETES THE WHOLE LIST, NOT JUST THAT ONE LINE )

R1-

line vty 0 4

pass akki

login

R3-

telnet [Link]

2.3. TO DENY THIS TELNET ACCESS ONLY, THE ACL NEEDS TO BE APPLIED ON R1's VTY LINES WITH access-class

R1-

access-list 1 deny ho [Link]

line vty 0 4

access-class 1 in

R3-

telnet [Link]

## TASK 1- IF R2 TRIES TO TELNET OR HTTP TO R1 IT SHOULD BE DENIED.

3. STEP 3- EXTENDED NUMBERED ACL

R1-

no access-class 1 in

ip http server

R3-

telnet [Link] ( THIS WOULD WORK, AND THAT SHOULDN'T BE THE CASE )

telnet [Link] 80 ( TELNET TO PORT 80 TO TEST THE HTTP SERVER - THIS WOULD ALSO WORK )

R1-

access-list 101 deny tcp ho [Link] ho [Link] eq 23 ( OR eq telnet )

access-list 101 deny tcp ho [Link] ho [Link] eq 80

do sh ip access-list

int f0/0

ip access-group 101 in

access-list 101 permit ip any any ( CONFIG MODE )

R3-

telnet [Link] (NONE OF THEM WOULD WORK)

telnet [Link] 80

R1-

ip access-list extended 101

21 deny icmp any any ( 21- SEQUENCE NUMBER. THE EXISTING LINES GOT 10, 20 AND 30, SO 21 PLACES THIS ENTRY AFTER THE TWO TCP DENIES BUT BEFORE THE permit ip any any AT 30; ICMP- THE PROTOCOL USED WHEN PINGED. )

( THE ICMP ENTRY IS USED TO STOP PING )

R3-

do ping [Link]

**ip access-list extended 101

no 21 ( TO REMOVE THIS COMMAND )
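To make the first-match and implicit-deny behaviour of Steps 2 and 3 concrete, here is an added Python model of how IOS walks an ACL (example code, not part of the original lab); the R1/R2/R3 addresses are constructed placeholders because the lab's real addresses are not on the page.

```python
# Added illustration: first-match ACL evaluation with sequence numbers and
# the implicit deny at the end, as seen in Step 2 and Step 3 of the lab.
from dataclasses import dataclass, field
from typing import Optional

R1, R2, R3 = "192.0.2.1", "192.0.2.2", "192.0.2.3"  # constructed placeholders

@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # ip | tcp | icmp ("ip" matches every protocol)
    src: str = "any"
    dst: str = "any"
    port: Optional[int] = None  # destination port, tcp entries only

@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def add(self, ace):
        """Keep entries in sequence order, like 'ip access-list' resequencing."""
        self.entries.append(ace)
        self.entries.sort(key=lambda a: a.seq)

    def evaluate(self, proto, src, dst, port=None):
        """First matching entry wins; no match falls to the implicit deny."""
        for a in self.entries:
            if a.proto not in ("ip", proto):
                continue
            if a.src not in ("any", src) or a.dst not in ("any", dst):
                continue
            if a.port is not None and a.port != port:
                continue
            return a.action, a.seq
        return "deny", None     # the implicit deny every IOS ACL ends with

def step2_standard():
    acl = Acl()
    acl.add(Ace(10, "deny", src=R3))             # access-list 1 deny host R3
    r3 = acl.evaluate("icmp", R3, R1)[0]         # U: explicitly denied
    r2_before = acl.evaluate("icmp", R2, R1)[0]  # fails too: implicit deny
    acl.add(Ace(20, "permit"))                   # access-list 1 permit any
    return r3, r2_before, acl.evaluate("icmp", R2, R1)[0]

def step3_extended():
    acl = Acl()
    acl.add(Ace(10, "deny", "tcp", R3, R1, 23))  # telnet
    acl.add(Ace(20, "deny", "tcp", R3, R1, 80))  # http
    acl.add(Ace(30, "permit"))                   # permit ip any any
    ping_before = acl.evaluate("icmp", R3, R1)   # allowed by seq 30
    acl.add(Ace(21, "deny", "icmp"))             # "21 deny icmp any any"
    return ping_before, acl.evaluate("icmp", R3, R1), acl.evaluate("tcp", R3, R1, 22)
```

The last return value shows why SSH (port 22) from R3 still succeeds until a dedicated `eq 22` entry is added, exactly as Task 2 goes on to do.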


## TASK 2- IF R2 TRIES TO TELNET OR SSH TO R1 IT SHOULD BE DENIED.

** For SSH an RSA key needs to be generated first.

R1-

ip domain-name [Link]

crypto key generate rsa modulus 1024

line vty 0 4

login local ( SO IT COULD BE ACCESSED BY LOCAL )

username admin pass admin ( CONFIG MODE )

R3-

ssh -l admin [Link] ( -l GIVES THE LOGIN USERNAME )

( PRESS ENTER OR TYPE ADMIN AT THE PLACE OF PASSWORD IF PRESSING ENTER DOESN'T WORK )

R1-

ip access-list extended 101

21 deny tcp ho [Link] ho [Link] eq 22 ( 22- PORT NO. OF SSH )

R3-

ssh -l admin [Link]

R1-
no ip access-group 101 in

R3-

telnet [Link]

telnet [Link] 80

ssh -l admin [Link]

4. STEP 4- EXTENDED NAMED ACL ( DENY SSH,HTTP,TELNET FROM R2 TO R1 )

R1-

ip access-list extended cns-acl

deny tcp ho [Link] ho [Link] eq 23

deny tcp ho [Link] ho [Link] eq 80

deny tcp ho [Link] ho [Link] eq 22

permit ip any any

int f0/0

ip access-group cns-acl in

MOCK LAB-

TASK 1- R1 CAN PING EVERYONE, BUT NOBODY CAN PING R1.

R1-

access-list 102 deny icmp any ho [Link] echo ( SOURCE any, DESTINATION R1; echo MATCHES ONLY ECHO-REQUESTS, SO THE ECHO-REPLIES TO R1's OWN PINGS ARE NOT BLOCKED )

int f0/0

ip access-group 102 in

ping [Link] ( ..... FAILS: THE ACL ONLY HAS A deny LINE SO FAR, SO THE RETURNING ECHO-REPLIES HIT THE IMPLICIT DENY )

do sh ip access-lists

access-list 102 permit ip any any

ping [Link] ( WORKS NOW )
