Free Play Labs – CCNA Vol 2, Chapter 2
Access Control Lists (ACLs) may be one of the most uncomfortable topics to learn during your first few hours of reading about them. Getting into the lab early in your reading can help, so take advantage of this post and re-live the examples in the CCNA 200-301 Volume 2 Cert Guide, Chapter 2, which introduces standard IP ACLs.
Confused? New to “Free Play” Labs?
The idea is simple: Many students would like to further explore the Examples in the Official Cert Guide. We remove the barriers so you can do just that with the free Cisco Packet Tracer simulator.
The details require some reading. To get your head around what kind of content is here in the blog for these labs, read:
Book: CCNA 200-301 OCG, Volume 2
Title: Basic IPv4 Access Control Lists
What’s in This Post
Chapter Intro: A brief description of the topics in that chapter of the book.
Download Link: Links to a ZIP; the ZIP holds all the .PKT files for this chapter.
Table of PKT files, by Example: A table that lists each example in the chapter, with the files supplied for each. Also lists a note about whether the PKT topology matches the book example exactly or not.
Tips: When we build the files, we come across items that we think might confuse you when trying the examples with PT. We write those notes in this section!
Cisco routers and switches include a variety of tools that match messages as the device moves them from the interface where they enter to the interface where they exit. Once a message is matched, the device can take various actions, such as applying Quality of Service (QoS) to change how the packet is forwarded, or even redirecting the choice of where to forward it. The most common action, however, is to discard some packets based on different matching criteria.
Access Control Lists (ACLs) serve as the primary means to define the fields and values to match in a message, along with the logic, so a router or switch can match and filter packets. Cisco has included router-based IPv4 ACLs in the CCNA exam since the very first CCNA exam back in 1998. Chapter 2 of the CCNA 200-301 Cert Guide, Volume 2 introduces these IPv4 ACLs, including:
- How the simplest type of IPv4 ACL – a standard ACL – works
- How to match the source IP address of an IP packet using a wildcard mask
- First match and match any logic
As always in this series, the goal is to help you re-create the examples from the book. Enjoy!
Download the Packet Tracer ZIP File
One .PKT File – But Maybe Two (Duplicate) Topologies
When building the content for this post, we review the examples in the book and decide whether it makes sense to supply a Packet Tracer (.pkt) file to match the example. If we choose to support an example by supplying a matching .pkt file, the .pkt file includes a topology that matches the example as much as possible. It also includes the device configurations as they should exist at the beginning of the example.
In some cases, the .pkt file shows two instances of the lab topology – one above and one below. We include two such topologies when the book example includes configuration commands, for these purposes:
- Top/Initial: The topology at the top has the configuration state at the beginning of the example.
- Bottom/Ending: The topology at the bottom adds the configuration per the example, so that it mimics the configuration at the end of the example.
Table of .PKT Files, by Example
(Table columns: .PKT Includes Initial State of Example? | .PKT Also Includes Ending State of Example?)
Exact Match of Interface IDs?
Note that the examples in this chapter use different interface types and interface IDs as compared to the supplied PT files. Comparing the values:
- Book F0/0 = PT G0/0
- Book F0/1 = PT G0/1
To test to prove the ACL works, consider doing these tests:
- From host A, ping S1 (10.2.2.1). It should work.
- From host B, ping S1. It should fail.
- From host C, ping S1. It should work.
Also, after testing, use the show ip access-lists command to see the updated counters for matched packets.
We do not supply a .pkt file for this example because PT does not support the log option on the access-list command.