This document discusses configuring and troubleshooting access control lists (ACLs) on Cisco routers. It covers the basics of numbered standard and extended IPv4 ACLs, including configuration examples that permit or deny traffic based on source IP addresses, protocols, and port numbers. Named ACLs and commands for verifying, monitoring, and troubleshooting ACLs are also examined. The document provides guidance on implementing ACLs to control network access and troubleshooting common ACL errors.
1 SEC450 ACL Tutorial This document highlights.docxdorishigh
1
SEC450 ACL Tutorial
This document highlights the most important concepts on Access Control List (ACL) that
you need to learn in order to configure ACL in CLI. This tutorial does not intend by any
mean to cover all ACL applications, but only those scenarios used in then SEC450
iLabs.
Introduction to Access Control List
A host-based firewall essentially works closing and/or opening ports in a
computer. The engine behind firewalls is built with Access Control Lists (ACL).
Network-based firewalls are implemented in device-specific appliances and
routers. Basically, firewalls in routers filter packets through interfaces to permit
or deny them.
Ports are layer-4 address specified in TCP/IP protocol suit that identify
networking processes running in clients and servers.
ACLs are configured using shell-specific commands. In Cisco IOS, CLI
commands access-list and access-group are used to create and apply ACL on
an interface.
ACL can be named by number ID or a name. Naming ACL is useful to identify
ACL’s purpose.
ACL are classified in Standard ACL, and Extended ACL.
Standard ACL’s number IDs are assigned from 1 to 99. Extended ACL’s number
IDs are from 100 to 199.
Standard ACL only uses source IP address in an IP packet to filter through an
interface. Hence, standard ACL denies or permits all packets (IP) with the same
source IP regardless upper protocols, destination IP address, etc. Example 1:
Router(config)#access-list 8 deny host 172.12.3.5
Extended ACL does filtering packets based on protocol, source IP address,
source port number, destination IP address and destination port number.
Example 2: Router(config)#access-list 102 deny tcp host 10.0.3.2 host
2
172.129.4.1 Deny tcp packets with source IP address 10.0.3.2 and destination IP
address 172.129.4.1.
Since, Standard ACLs only have source IP address; the rule is to apply them in
an interface as closer as possible to the concerning destination network.
For the contrary, the rule for Extended ACLs is to apply them in an interface as
closer as possible to the source IP address.
Use Extended ACL in all iLabs as they are more granular on packets to filter.
Create Extended ACL in global configuration
You can use access-list command options lt, gt, eq, neq, range (less than,
greater than, equal, not equal, range of ports) to do operation with port numbers.
Example 3: access-list 102 deny tcp any host 11.23.45.7 gt 20 denies all
packets with any source IP address to destination IP address 11.23.45.7 and
destination tcp port greater than 20.
Example 4: access-list 107 permit udp any any permits all packets with udp
protocol with any source IP address to any destination IP address.
Extended ACL can do packet filtering based on source port number and
destination port number.
Extended ACL Syntax can be as follows:
access-list <#,name> <protocol> ...
Lab8 Controlling traffic using Extended ACL Objectives Per.pdfadityacommunication1
Lab8 Controlling traffic using Extended ACL
Objectives
Perform basic configuration tasks on a router.
Applying Static routes and default route.
Exploring the routing table entry.
Applying Extended (named) access control lists (ACLs).
Testing the access control lists (ACLs).
Required Resources
2 Cisco Routers (1841)
2 Cisco Switches (2950-24)
3 Computers
UTP (straight through and cross over) cables
Tasks:
A. Build up the topology.
B. Perform Basic Router Configurations
Steps:
1. Connect the components as shown in Fig 1.
2. Configure the router hostname to match the topology diagram.
3. Configure IP addresses and masks on all devices.
4. Configure a loopback interface (loopback 0) on R2 to simulate the ISP. (search on the internet
how to configure loopback interface)
C. Enable Static route for all networks.
Steps:
1. For Router 1
R1(config)# ip route 192.168.20.0 255.255.255.0 serial 0/0/0
Default root can be configured as:
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2
2. For Router 2
R2(config)# ip route 192.168.10.0 255.255.255.0 serial 0/0/1
R2(config)# ip route 192.168.11.0 255.255.255.0 serial 0/0/1
D. Verify full IP connectivity using the ping command and the routing table of routers.
Step#1:
For R1 and R2, use the command show ip route, take a snapshot for the resulting routing table,
and discuss the outputs:
*Routing table of R1(Screenshoot)
*Routing table of R2 (Screenshot)
Step#2:
Make sure that the whole network nodes can ping each other.
Before configuring and applying this ACL, be sure to test connectivity from Laptop1 to the
loopback interface (ISP - 209.165.200.225)
E. Configuring an Extended ACL
In this section, you are configuring an extended ACL on R1 that blocks traffic originating from any
device on the 192.168.10.0/24 network to access the 209.165.200.255 host (the simulated ISP).
This ACL will be applied outbound on the R1 Serial 0/0/0 interface.
Steps:
1. Configure a named extended ACL.
R1(config)#ip access-list extended EXTEND-1
R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225
2. Apply the ACL.
With standard ACLs, the best practice is to place the ACL as close to the destination as possible.
Extended ACLs are typically placed close to the source.
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group EXTEND-1 out
3. Test the ACL.
From Laptop1; ping the loopback interface on R2.
R1(config-ext-nacl)#permit ip any any
**Please provide full code and screenshoots from Cisco packet tracer.
Table -1 begin{tabular}{|c|ccc|} hline Device & Interface & IP Address & Default Gateway & & & R1
& Fa0/0 & 192.168.10.1/24 & N/A & Fa0/1 & 192.168.11.1/24 & N/A & So/0/0 & 10.1.1.1/24 & N/A
& Fa0/1 & 192.168.20.1/24 & N/A R2 & So/0/1 & 10.1.1.2/24 & N/A & loopback 0 &
209.165.200.225/8 & N/A & & & & & 192.168.10.10/24 & 192.168 .10 .1 hline Laptop1 & NIC &
192.168.11.10/24 & 192.168 .11 .1 hline Laptop2 & NIC & 192.168.20.254/24 & 192.168 .20 .1
hline hline PC3 & NIC & & hline end{tabular}.
Student Name _________________________________ Date _____________SE.docxemelyvalg9
Student Name _________________________________ Date _____________SEC450 iLab3 Report
Initial Configuration ISP Router
version 12.3(4)T7
!
hostname ISP_Router
!
interface FastEthernet0/0
ip address 200.100.0.1 255.255.255.0
!
interface FastEthernet1/0
ip address 200.100.40.1 255.255.255.0
!
interface Serial0/0
ip address 200.100.10.1 255.255.255.0
!
interface Serial0/1
ip address 200.100.20.1 255.255.255.0
!
router rip
network 200.100.0.0
network 200.100.10.0
network 200.100.20.0
network 200.100.40.0
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
Note: RED text indicates the required questions to answer
Task to Set up Security Policy for Offsite Database Server
#1. Explain the meaning of the "three P's" best practice rule to create ACL in routers
#2. Explain the difference between the following two access-list commands
a) access-list 101 permit tcp any any eq 80
b) access-list 101 permit tcp any eq 80 any
#3. What are well-known, registered, and ephemeral UDP/TCP ports?
#4. What is wrong with ACL 105?
access-list 105 permit tcp any any
access-list 105 deny tcp host 201.141.0.3 any
#5. What well-known TCP port does Oracle Database (sql net) server use?
#6. A company is managing an Oracle Database located in a Public Server to support day-to-day operations in Dallas and Chicago networks. The company has requested its Internet Access Provider (ISP) to create the necessary ACL at the ISP router securing that only responses from Oracle server to certain hosts are allowed to enter Dallas and Chicago LANs.
ISP network engineers decided to use extended ACL, and applies it to F0/0 interface in ISP router. Why did they decide to create an extended ACL and apply it in interface F0/0 for inbound traffic?
#7. Copy below ISP router’s initial running-config file from page 2, and add the commands needed to create and apply the ACL in the ISP router.
Answer all questions in this document and upload it in Week 3 iLab Dropbox.
3
Revision Date: 1103
1
SEC450 ACL Tutorial
This document highlights the most important concepts on Access Control List (ACL) that
you need to learn in order to configure ACL in CLI. This tutorial does not intend by any
mean to cover all ACL applications, but only those scenarios used in then SEC450
iLabs.
Introduction to Access Control List
A host-based firewall essentially works closing and/or opening ports in a
computer. The engine behind firewalls is built with Access Control Lists (ACL).
Network-based firewalls are implemented in device-specific appliances and
routers. Basically, firewalls in routers filter packets through interfaces to permit
or deny them.
Ports are layer-4 address specified in TCP/IP protocol suit that identify
networking processes running in clients and servers.
ACLs are configured using shell-specific commands. In Cisco IOS, CLI
commands.
Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
&lt;number&gt;
Purpose: This graphic gives an overview of the type of TCP/IP packet tests that standard access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.
&lt;number&gt;
Layer 2 of 2
Purpose: This layer shows the ip access-group command.
Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface, per direction, per protocol is allowed.
The ip access-group field descriptions are as follows:
list—Number of the access list to be linked to this interface.
direction—Default is outbound.
Note: Create the access list first before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access list may cause most traffic to be blocked on the interface.
To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of Cisco IOS, removing the access list without removing it from the interface can cause problems.
&lt;number&gt;
Layer 2 of 2
Emphasize: Because of the implicit deny all, all non-172.16.x.x traffic is blocked going out E0 and E1.
Note: The red arrows represent the access list is applied as an outbound access list.
&lt;number&gt;
Layer 3 of 3
Emphasize: Only host 172.16.4.13 is blocked from going out on E0 to subnet 172.16.3.0.
Ask the students what will happen if the access list is placed as an input access list on E1 instead. Host 172.16.4.13 will be blocked from going out to the non-172.16.0.0 cloud, as well as to subnet 172.16.3.0.
Note: The red arrows represent the access list is applied as an outbound access list.
&lt;number&gt;
Layer 2 of 2
Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.
Note: The red arrows represent the access list is applied as an outbound access list.
&lt;number&gt;
Purpose: This example shows how to restrict incoming Telnet sessions to the router’s vty ports.
Emphasize: The access class is applied as an input filter.
Note: Ask the student about the effect of changing the direction of the access class to outbound instead of inbound.
Now the router can accept incoming Telnet sessions to its vty ports from all hosts, but will block outgoing Telnet sessions from its vty ports to all hosts except hosts in network 192.89.55.0.
Once a user is Telneted into a router’s vty port, the outbound access-class filter will prevent the user from Telneting to other hosts as specified by the standard access list.
Remember, when an access list is applied to an interface, it only blocks or permits traffic going through the router, it does not block or permit traffic initiated from the router itself.
&lt;number&gt;
Purpose: This graphic gives an overview of the type of TCP/IP packet tests that extended access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.
&lt;number&gt;
Layer 2 of 2
Purpose: Layer 2—Adds the access-group command for IP.
Emphasize: The list number must match the number (100 to 199) you specified in the access-list command.
&lt;number&gt;
Layer 3 of 3
&lt;number&gt;
Layer 3 of 3
&lt;number&gt;
Layer 3 of 3
Purpose: Layer 3—Finishes with the new form of the access-group command, now able to refer to an IP access list name as well as an access list number.
Emphasize: Introduced with Cisco IOS Release 11.2, named access lists:
Intuitively identify IP access lists using alphanumeric identifiers.
Remove the limit on the number of access lists (previously 99 for IP standard and 100 for IP extended access lists).
Allow per-access-list statement deletions (previously the entire numbered access list needed to be deleted as a single entity).
Require Cisco IOS Release 11.2 or later.
&lt;number&gt;
Layer 2 of 2
Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.
Note: The red arrows represent the access list is applied as an outbound access list.
&lt;number&gt;
Layer 2 of 2
Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.
Note: The red arrows represent the access list is applied as an outbound access list.
&lt;number&gt;
&lt;number&gt;
Purpose: This slide introduces the show access-lists command used to verify access lists.
Emphasize: This is the most consolidated method for seeing several access lists.
Note: The implicit deny all statement is not displayed unless it is explicitly entered in the access list.
&lt;number&gt;
240, 197, 102
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Layer 3 of 3
Purpose: Shows a deny result of the access list test.
Emphasize: Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
&lt;number&gt;
Lab 13 ACL
Note: Refer to the lab setup guide for lab instructions.