Free Play Labs – CCNA Vol 2, Chapter 3
CCNA Volume 2’s first ACL chapter gets over the big fundamental Access Control List (ACL) concepts and configuration, with Chapter 3 (the subject of this post) moving on to more detailed ACL topics. In particular, this chapter examines extended ACLs, particularly how to match multiple header fields in one Access Control Entry (ACE) config statement, along with a variety of nooks and crannies of ACL configuration. Check out chapter 3 of the CCNA 200-301 Volume 2 Cert Guide to see examples, and come here for some assistance in re-creating those examples in Cisco Packet Tracer!
Confused? New to “Free Play” Labs?
The idea is simple: Many students would like to further explore the Examples in the Official Cert Guide. We remove the barriers so you can do just that with the free Cisco Packet Tracer simulator.
The details require some reading. To get your head around what kind of content is here in the blog for these labs, read:
Book: CCNA 200-301 OCG, Volume 2
Chapter: 3
Title: Advanced IPv4 Access Control Lists
Part: 3
What’s in This Post
Chapter Intro: A brief description of the topics in that chapter of the book.
Download Link: Links to a ZIP; the ZIP holds all the .PKT files for this chapter.
Table of PKT files, by Example: A table that lists each example in the chapter, with the files supplied for each. Also lists a note about whether the PKT topology matches the book example exactly or not.
Tips: When we build the files, we come across items that we think might confuse you when trying the examples with PT. We write those notes in this section!
Chapter Intro
The CCNA 200-301 Cert Guide, Volume 2, devotes two chapters to IPv4 Access Control Lists (ACLs). Chapter 2 explains the basics of ACLs, focusing on standard IPv4 ACLs, which match only the source IPv4 address in a packet. Chapter 3 then explains extended ACLs, named ACLs, and ACL editing.
Extended ACLs work like standard ACLs in many ways, but with one big difference: one ACL statement (an Access Control Entry, or ACE) can match multiple fields in different message headers. Most importantly, one ACE can match the source and destination IP address, the transport protocol (TCP, UDP), as well as the transport protocol source and destination port numbers. The chapter explains the syntax, as well as the matching logic when one ACE contains multiple matching fields.
The chapter also explains how named IP ACL syntax works. One ACL always exists as an ordered list of ACEs, but one ACL can be identified as a number (numbered ACLs) or by a name (named ACLs.) As it turns out, the numbered ACL syntax differs slightly from named ACL syntax, with some advantages to using named ACLs (which came later in the history of IOS.)
The chapter ends with some examples of how to edit an ACL – a seemingly innocent enough task, but one that could cause problems in production networks.
One .PKT File – But Maybe Two (Duplicate) Toplogies
When building the content for this post, we review the examples in the book and decide whether it makes sense to supply a Packet Tracer (.pkt) file to match the example. If we choose to support an example by supplying a matching .pkt file, the .pkt file includes a topology that matches the example as much as possible. It also includes the device configurations as they should exist at the beginning of the example.
In some cases, the .pkt file shows two instances of the lab topology – one above and one below. We include two such topologies when the book example includes configuration commands, for these purposes:
- Top/Initial: The topology at the top has the configuration state at the beginning of the example.
- Bottom/Ending: The topology at the bottom adds the configuration per the example, so that it mimics the configuration at the end of the example.
Table of .PKT Files, by Example
|
Example |
.PKT Includes Initial State of Example? | .PKT Also Includes Ending State of Example? | Exact Match of Interface IDs? |
| 3-1 | Yes | Yes | No |
| 3-2 | Yes | Yes | No |
| 3-3 | Yes | Yes | No |
| 3-4 | Yes | Yes | N/A |
| 3-5 | Yes | Yes | N/A |
| 3-6 | Yes | Yes | N/A |
| 3-7 | Yes | Yes | N/A |
[/vc_section]
Tips
None of the examples in CCNA 200-301 OCG Volume 2 Chapter 3 can be replicated in Packet Tracer. Generally, throughout the examples, instead:
– Any book example router interface S0 = S0/0/0 in PT
– Any book example router interface S1 = S0/0/1 in PT
– Any book example router interface E0 = G0/0 in PT
This example’s initial state begins with all IP addresses configured, with all endpoint devices able to send and receive IP packets for all applications. The ending configuration adds the configuration show in the example.
To match the supplied PT file with the book’s example:
– Book interface S0 = S0/0/0
– Book interface S1 = S0/0/1
– Book interface E0 = G0/0
To match the supplied PT file with the book’s example:
– Book interface S0 = S0/0/0
– Book interface S1 = S0/0/1
– Book interface E0 = G0/0
Note that for this example in the book, the discussion focuses on what happens in a single router, rather than what packets it filters in a particular topology. We created a topology to use, with the action happening on router R1, but you will not find an equivalent figure in the book.
Note that for this example in the book, the discussion focuses on what happens in a single router, rather than what packets it filters in a particular topology. We created a topology to use, with the action happening on router R1, but you will not find an equivalent figure in the book.
For examples 3-5, 3-6, and 3-7:
You should perform each of these examples from router R1 in the initial part of the topology. The initial state does not include any of the configuration shown in the respective examples. By performing that steps, you can see the process of ACL editing particularly with line numbers.
Note that the PT file does supply an ending state. However, the ending state cannot replicate what the book shows in regards to ACL line numbers. So use the initial state, and add the configuration shown in the examples.
See Example 3-5 for instructions for Examples 3-5, 3-6, and 3-7. Also:
For the show ip access-lists 24 command, PT does not display line numbers, but real Cisco switches do. To overcome, just use the show ip access-lists command (without the ACL name or number) to see line numbers.
IOS supports standard ACL syntax of deny 10.1.1.1 and deny host 10.1.1.1, storing the commands in the config files without the “host”. Cisco Packet Tracer accepts both but stores the commands with the “host” keyword.
This example has the same caveats as Example 3-6 – look at those notes instead.