Are you comfortable matching packets with extended ACLs? How about with TCP and UDP ports in those ACLs? Here’s a 10-minute lab exercise to practice; all you need is the time and a piece of paper or a place to type!
Config Lab: Extended Named ACLs 1
By certskills
The Lab Exercise
Requirements
Configure an extended access list to control that traffic as detailed in the following rules:
- Create an extended named ACL, with the name “ThisACL”, which performs the following functions:
- Permit all traffic coming from the telnet, SSH, and SNMP server at address 10.0.3.100, going to the 20.0.2.0/24 subnet displayed in the figure
- Block all other traffic coming from telnet, SSH, and SNMP servers in the 10.0.3.0/24 subnet, going to the 20.0.2.0/24 subnet
- Permit all other traffic
- Apply the ACL on the appropriate device per the figure
- Assume all router interfaces shown in the lab are up, working, and have correct IP addresses assigned
- Assume routing between all devices is configured and operational
Figure 1: Topology Used in Extended ACL Lab
Initial Configuration
Examples 1, 2, 3, and 4 show the beginning configuration state of R1, R2, SW1, and SW2.
hostname R1
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 10.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 20.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 20.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 20.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 2: R2 Config
hostname SW1
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 3: SW1 Config
hostname SW2
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30Example 4: SW2 Config
Host device info:
Although not required for this lab, the .pkt file includes one PC per subnet, preconfigured as per the following table, for easier testing.
| Device | IP Address |
| PC1 | 10.0.1.11 |
| PC2 | 10.0.2.12 |
| PC3 | 10.0.3.13 |
| PC4 | 20.0.1.14 |
| PC5 | 20.0.2.15 |
| PC6 | 20.0.3.16 |
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
| Device | Lab Port | CML Port |
| SW1 | G1/0/1 | G0/1 |
| SW1 | G1/0/2 | G0/2 |
| SW1 | G1/0/3 | G0/3 |
| SW1 | G1/0/4 | G1/0 |
| SW2 | G1/0/1 | G0/1 |
| SW2 | G1/0/2 | G0/2 |
| SW2 | G1/0/3 | G0/3 |
| SW2 | G1/0/4 | G1/0 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
| Device | IP Address | User/password |
| S1 | 10.0.1.11 | cisco/cisco |
| S2 | 10.0.2.12 | cisco/cisco |
| S3 | 10.0.3.13 | cisco/cisco |
| S4 | 20.0.1.14 | cisco/cisco |
| S5 | 20.0.2.15 | cisco/cisco |
| S6 | 20.0.3.16 | cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Topology Used in Extended ACL Lab
interface GigabitEthernet0/2.3
ip access-group ThisACL in
!
ip access-list extended ThisACL
permit tcp host 10.0.3.100 eq telnet 20.0.2.0 0.0.0.255
permit tcp host 10.0.3.100 eq 22 20.0.2.0 0.0.0.255
permit udp host 10.0.3.100 eq snmp 20.0.2.0 0.0.0.255
deny tcp 10.0.3.0 0.0.0.255 eq telnet 20.0.2.0 0.0.0.255
deny tcp 10.0.3.0 0.0.0.255 eq 22 20.0.2.0 0.0.0.255
deny udp 10.0.3.0 0.0.0.255 eq snmp 20.0.2.0 0.0.0.255
permit ip any anyExample 1: R1 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
The primary use of access-lists is to control which traffic is allowed to come in and go out of the interfaces of a device. On Cisco devices, you can use either standard or extended ACLs. Standard ACLs use simple matching logic based solely on the source IP address of the packet. Extended ACLs use more complex matching based on multiple header fields, including the source and destination host or network, and matching based on the protocol in use. However, it is important to note that ACLs are not limited to the blocking or permitting of specific traffic. They are also used in several features, from Network Address Translation (NAT) to route maps.
With this lab, you were tasked with configuring an extended named ACL that would be used to block specific traffic. In particular, the two requirements ask that you match packets coming from servers, which means that the source TCP or UDP port in those packets will be used to match the well-known ports used by those servers. The first requirement asked you to match packets from a specific server, while the second requirement asked that you match packets coming from an entire subnet.
For that first requirement, you needed to match the specific server address (10.0.3.100) with the host 10.0.3.100 parameters and the destination subnet with the 20.0.2.0 0.0.0.255 parameters. Beyond that, for three consecutive commands, the ACL needed a separate statement to match each service noted in the requirements, for the well-known port used by Telnet (23), SSH (22), and SNMP (161), and for the correct transport protocols (see example 1).
The logic works the same for the second requirement, except that the source field in each case matches the source subnet with the 10.0.3.0 0.0.0.255 parameters.
The last step is to apply the ACL to the appropriate interface. Generally, Cisco suggests applying standard ACLs to the interface closest to the destination and applying extended ACLs to the interface closest to the source. In this case, you are configuring an extended ACL, so you are looking for the closest interface to the source. Because R1 is configured with a Router-on-a-Stick (ROAS) configuration, the closest interface would be a sub-interface, not a physical interface. The source network is 10.0.3.0/24, which is located off R1’s G0/2.3 sub-interface, so the answer applies the ACL inbound on this interface using the ip access-group ThisACL in command.
Finally, note that this lab glossed over one SNMP issue. As worded, the lab exercise requirements mentioned Telnet, SSH, and SNMP server. As it turns out, SNMP does not often use client and server terms. However, the device using well-known UDP port 161, which is matched by an IOS ACL with the snmp keyword, is the SNMP agent running on the networking device. So, in the literal sense, the ACL listed here is correct. However, many people incorrectly think of the Network Management Station as the server; if that was your intent, note that the NMS would not send packets with source UDP port 161, but rather with destination UDP port 161 when communicating to SNMP agents throughout the network.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
| # | Summary | Detail |
| 1 | Limited port number keywords in CPT | Real Cisco IOS supports a larger number of text keywords that identify well-known TCP and UDP port numbers. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without owning real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps:
- Issue the show ip access-lists and show access-lists commands to display the access-lists.
- Issue the show ip interfaces commands and look for the lines on each interface that identify if any ACLs are enabled, and if so, which ACLs and in what direction.
- Add some hosts to the topology and use some ping and traceroute commands to generate traffic and test the ACLs. Because all the requirements mention IP packets only and not specific applications, you can use any command to drive traffic to test the ACL.
More Labs with Related Content!
By certskills
Hi Wendell,
I think there is a mistake, because the access-list and the ip access-group are configured on R1 and not on R2 as is commented in “Lab Configuration” answer: Spoiler Alert
Hi Mac,
Yep, config should be on R1. I just updated the lab config section to correct that fact. Thanks for the heads up.
My question is in regards to CHAP:3 Table 3-6 (Building one-line extended ACL practice, specifically problem 4. The answer is as follows: access-list 104 permit tcp 10.2.2.0 0.0.1.255 eq www 10.4.4.0 0.0.3.255.
My issue is that I don’t understand why the SOURCE addresses can be 10.4.4.0 and the other 10.2.2.0? I do understand how the subnets are created by this simple math: 255.255.255.255 – 255.255.254.0 = 0.0.1.255 then for the second subnet the math is simply 255.255.255.255 – 255.255.252.0 = 0.0.3.255
I understand the subnets but how did we get to those source IP addresses being different from the original?
Hi Ricardo,
I’m a little confused by what you’re asking, so let me take a shot, and follow up to clarify.
First, the “10.2.2.0 0.0.1.255” represents the range of source addresses. The “10.4.4.0 0.0.1.255” represents the range of destination addresses. Is that the logic issue? You asked why 10.4.4.0… could be the SOURCE addresses. They are not – that range is for destination addresses.
If that’s not what you’re getting at, let me rephrase the problem:
Use an ACL statement to match source addresses in the subnet where 10.2.3.4/22 resides, and also match destination addresses where address 10.4.5.6/22 resides. Does that clarify?
Or I’m just confused! 🙂 Feel free to ask again.
Wendell
Am I wrong to set the ACL inbound on R2 Gi0/2.2?
Does it matters?
Hi JP,
I think you could test it in PT if you wanted to add some devices in the 10.0.3.0/24 subnet and 20.0.2.0/24 subnet, by the way. I think the servers in PT would allow telnet.
But to answer your question, it has to be somewhere in the path from the 10.0.3.0/24 subnet to the 20.0.2.0/24 subnet, and that doesn’t include the R1 G0/2.2 subinterface. That R1 G0/2.2 subinterface, per the drawing, supports VLAN 20 (10.0.2.0/24 subnet), so packets from the VLAN 30 10.0.3.0/24 subnet would not enter the R1 G0/2.2 subinterface, but rather the G0/2.3 subinterface.
Hey,
I could not use telnet because the servers in the packet tracert do not support telnet service(or I just don’t know how). I used www instead and it worked flawlessly.
I understand the logic why we should choose R1 to apply the ACL. First, the servers are located inside R1’s LAN, so it would make sense to apply the ACL inbound there (as close as possible to source). Secondly, perhaps, in the real world we do not have access to R2’s LAN (or other network). Third, if there was multiple LAN subnets that wanted to gain access to the server 10.0.3.100, it would be a pain to ask to configure an ACL on each router; however, just using R1 router would make things easier. I think it’s easier when you think about it, topology wise.
I didn’t think about it when I did the exercise.
Just curious as to why this lab has a link for it in chapter 3 of Vol 1 CCNA 200-301?
There are no configuration commands of any kind in chapter 3 nor in the previous CCNA1 book.
Thanks,
James
Because we made a mistake. The content is in Chapter 3 of Volume 2, not Volume 1. I just changed the tags. Thanks for the heads up.
Wendell
Hello Odom,
I hope all is well.
May I ask instead of the eq keyword could we not use the range keyword instead which make the configuration on separate lines shorter.
So instead of using eq telnet on one line and eq snmp on another line. You could use the range keyword.
Sorry if I am not making sense
Hi Joe,
Thanks for the note!
Yep, you can indeed combine two sets of two lines with the range 22 23 or range 22 telnet parameters.
Wendell
Sir,
It is provided in the instructions here that “routing between all devices is configured and operational”. Also, as per Cisco recommendations, before editing an ACL, it should be disabled on the interface to avoid issues. So, is it correct to enable “ThisACL” on interface “g0/2.3” first and then adding ACEs to it later?
Hi Varun,
Yes, when adding the commands, the sequence should be as you describe. FYI, the answer shows the resulting new configuration, which per “show run” lists the interfaces earlier and the ACLs towards the end.