Standard Numbered ACL 1

By certskills December 30, 2015 12:05

Write a 1-line ACL to match something? Easy. Write a several-line ACL with a bunch of requirements? A little harder. Choosing where to put that multi-line ACL, when the ACL requirements span multiple subnets? Yet another bump. Combine all that with Router-on-a-Stick (ROAS) config, and choosing the interface can be a challenge. Today’s lab gives you all that! Check it out.

Requirements

This lab gives you a set of relatively straightforward ACL requirements, but with enough flexibility to make you think beyond just making this an access-list command syntax exercise. You will also need to review a pretty detailed initial configuration to get your bearings first. Then you have to think about where to put the ACL, on which interface, and in which direction. So it’s a good thinking lab.

The specific rules for this lab are:

  • Create a standard numbered ACL which performs the following functions:
    • Block all traffic from the 20.0.1.0/24 network to all of the 10.0.0.0 subnets displayed in the figure
    • Block all traffic from host 20.0.2.100 to all of the 10.0.0.0 subnets displayed in the figure
    • Block all traffic from host 20.0.3.100 to all of the 10.0.0.0 subnets displayed in the figure
    • Permit all other traffic
  • You choose the device on which to enable the ACL, the interface, and the direction
  • You may enable the ACL in one place only, in one direction only
  • As seen in the initial configurations:
    • Assume all router interfaces shown in the lab are up, working and have correct IP addresses assigned
    • Assume routing between all devices is configured and operational
    • Assume that at least one host exists on each VLAN with an IP address ending in .100 with correct gateways configured.
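Before choosing an interface, it helps to be precise about what a standard ACL actually does: it matches only the packet's source address, using a wildcard mask in which 0 bits must match and 1 bits are ignored, it is evaluated top to bottom with the first match winning, and anything that matches no line is dropped by the implicit deny at the end. The Python below is an added example, not code from the lab or from Cisco, that models exactly those rules and builds the list from the requirements above. The entry order, the address 20.0.2.101 used as a "should be permitted" test, and the `to_ios` renderer are my constructions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One line of a standard ACL: an action plus a source address/wildcard pair."""
    action: str                 # "permit" or "deny"
    address: str                # source address to compare against
    wildcard: str = "0.0.0.0"   # IOS wildcard: 0 = bit must match, 1 = don't care


def matches(entry: AclEntry, src_ip: str) -> bool:
    """Standard ACLs look only at the source IP, masked by the wildcard."""
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(entry.address))
    wc = int(ipaddress.IPv4Address(entry.wildcard))
    care = ~wc & 0xFFFFFFFF                 # bits that must be equal
    return (src & care) == (base & care)


def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, 1-based line number).

    A packet that matches no entry hits the implicit deny, reported as
    ("deny", None) so the caller can tell it apart from an explicit deny.
    """
    for line_no, entry in enumerate(acl, start=1):
        if matches(entry, src_ip):
            return entry.action, line_no
    return "deny", None


def to_ios(number: int, acl: List[AclEntry]) -> List[str]:
    """Render the list as IOS 'access-list' commands, using the short forms
    IOS itself prints: 'host A.B.C.D' for an all-zero wildcard and 'any' for
    0.0.0.0 255.255.255.255."""
    lines = []
    for e in acl:
        if e.wildcard == "0.0.0.0":
            target = f"host {e.address}"
        elif e.address == "0.0.0.0" and e.wildcard == "255.255.255.255":
            target = "any"
        else:
            target = f"{e.address} {e.wildcard}"
        lines.append(f"access-list {number} {e.action} {target}")
    return lines


# Constructed from the lab's four requirements. Standard ACLs cannot name a
# destination, so "to all of the 10.0.0.0 subnets" has to come from where the
# list is applied, not from these lines.
ACL_1 = [
    AclEntry("deny", "20.0.1.0", "0.0.0.255"),   # whole 20.0.1.0/24 network
    AclEntry("deny", "20.0.2.100"),              # single host
    AclEntry("deny", "20.0.3.100"),              # single host
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),  # "permit all other traffic"
]

# The same list with the final permit forgotten: a common mistake that makes
# the implicit deny swallow every host that is not explicitly listed.
ACL_1_NO_PERMIT = ACL_1[:-1]


if __name__ == "__main__":
    for cmd in to_ios(1, ACL_1):
        print(cmd)
    for src in ("20.0.1.7", "20.0.2.100", "20.0.2.101", "10.0.1.100"):
        print(src, evaluate(ACL_1, src), "| without permit any:",
              evaluate(ACL_1_NO_PERMIT, src))
```

Run it and compare the two columns: 20.0.2.101 (a constructed address on the 20.0.2.0 VLAN that is not the blocked .100 host) is permitted by line 4 of the full list but dropped by the implicit deny once that line is missing. Because the list carries no destination, placement is what scopes it to the 10.0.0.0 subnets; the usual rule for standard ACLs is to apply them as close to the destination as possible, on the one interface and direction that every flow from the 20.0.x.0 VLANs toward the 10.0.0.0 subnets must cross.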

Figure 1: Two Router ROAS Topology


Initial Configuration

Examples 1, 2, 3 and 4 show the initial configuration state of R1, R2, SW1 and SW2.

Example 1: R1 Config

Example 2: R2 Config

Example 3: SW1 Config

Example 4: SW2 Config

Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with VIRL or real gear, verify it with the show ip access-lists and show ip interface commands. If possible, you could also add hosts to the topology and use some ping and traceroute commands. Because all the requirements mention IP packets only, and not specific applications, you can use any command to drive traffic to test the ACL.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file linked here, when used with VIRL, loads a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

Network Device Info

All interfaces in topology match the lab figure.


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device   IP Address    MAC Address         User/password
PC1      10.0.1.100    02:00:11:11:11:11   cisco/cisco
PC2      10.0.2.100    02:00:22:22:22:22   cisco/cisco
PC3      10.0.3.100    02:00:33:33:33:33   cisco/cisco
PC4      20.0.1.100    02:00:44:44:44:44   cisco/cisco
PC5      20.0.2.100    02:00:55:55:55:55   cisco/cisco
PC6      20.0.3.100    02:00:66:66:66:66   cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: telnet 10.1.1.1

7 Comments

  1. Ady April 2, 21:09

    Aren’t you missing network 20.0.0.0 in your RIP statement? I thought we should be able to ping from subnet 20.0.x.0 to subnet 10.0.x.0 before applying the ACL statement.
    Thx

  2. Paolo July 12, 09:42

    I think R2’s configuration line 24 “network 10.0.0.0” should be “network 20.0.0.0”.
    And maybe both routers miss “network 192.168.1.0” to be able to exchange RIP updates, right?

    • Bastien August 31, 05:32

      You are right, it’s a mistake.
      R2 should run RIP for network 20.0.0.0, not 10.0.0.0.

    • Bastien August 31, 06:05

      Hello, again I agree with you also on the fact that RIP is not enabled for the 192.168.1.0 network…
      So no routes can be exchanged between R1 & R2.

      So 2 mistakes in that initial conf.

  3. CCENTSkills September 7, 09:24

    Paolo and Bastien,
    Yep, I agree, the RIP config was way off. Just fixed it. Thanks for the heads up!
    Wendell

  4. Bav November 19, 10:44

    Should VLANs not be in the same subnet? I.e., VLAN 10 on both sides. Or for this task should we have VLANs 10–30 and then 40–60, etc.?

    • CCENTSkills November 21, 13:12

      Hi Bav,
      VLAN 10 on the top is a different VLAN than VLAN 10 on the bottom. E.g., you could have a retail company with thousands of small sites. You could use VLAN 10 as a VLAN at every one of those sites, as defined on the local switch at those thousands of sites. They’re all separated by at least one router (or layer 3 switch), so they’re separate VLANs. They just happen to use the same number.
      Wendell