Objective: configure extended access lists to filter out network-to-network traffic, host-to-host traffic, and network-to-host traffic.
Lab Equipment: Router 1 and Router 2 from the eRouters menu and PC 1, PC 2, PC 3, PC 4, and PC 5 from the eStations menu
Background Reading: Lab Primer Lesson 10: Access Lists
CCNA (Stand-Alone) Lab 32: Advanced Extended Access Lists
1. Establish the configurations outlined in the tables below.
Router1: [configuration table image]
Router2: [configuration table image]
PC1: [configuration table image]
PC2: [configuration table image]
PC3: [configuration table image]
PC4: [configuration table image]
PC5: [configuration table image]

2. Configure RIP on the two routers. Be sure to use the proper network statements.
Router1#conf t
Router1(config)#router rip
Router1(config-router)#network 192.168.2.0
Router1(config-router)#network 192.168.3.0
Router2#conf t
Router2(config)#router rip
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 192.168.2.0

3. Use the show ip route command on each router to make sure that the routes have been received.
Router1#show ip route
Router2#show ip route

4. Verify that you can ping PC 1 from PC 2.
C:\>ping 192.168.3.2

Network-to-Network Access List
5. Examine the network diagram below. The first access list you create should allow only traffic from the Administration network (PC 4 and PC 5) destined for PC 1 on the Corporate HQ network. To accomplish this, use an extended access list. Because you are allowing all traffic, you should use IP as the protocol. The access list should look something like the following:
Router1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log
Router1(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any
[network diagram]
This access list is very simple because you are allowing only two types of traffic and denying everything else. Because there is an implicit deny statement at the end of every access list, you need only a permit statement for the pings and a permit statement for the RIP updates that Router2 sends across the serial link.

6. Now you need to apply the access list to the interface. Because the traffic is coming from Router2 and going to Router1, you should place the access list on Router1’s serial 0 interface. The access list will check all inbound traffic.
Router1#conf t
Router1(config)#interface serial 0
Router1(config-if)#ip access-group 100 in

7. To test the access list, try to ping PC 1 from PC 2, PC 3, PC 4, and PC 5. PC 2 and PC 3 should not be able to ping PC 1, but PC 4 and PC 5 should be able to. If this access list works, continue on to the next step.
C:\>ping 192.168.3.2
PC2 & PC3: [ping output screenshot]
PC4: [ping output screenshot]
PC5: [ping output screenshot]

Host-to-Host Access List
8. In this portion of the lab, you will block an individual PC from accessing the central file server. PC 2 is being used by a new employee whom you do not want to have access to the file server (PC 5) for 30 days. To accomplish this, you decide to implement an access list on Router2 that blocks access to PC 5 only from PC 2. In this instance, you are setting the access list manually, so the list must also be removed manually after 30 days. For lab purposes, use the log keyword: it makes Router2 print a logging message on its console whenever that access list entry is matched. In this part of the lab, the log will appear on the screen only when access from PC 2 is denied.
Router2(config)#access-list 101 deny ip host 192.168.1.130 host 192.168.1.3 log
Router2(config)#access-list 101 permit ip any any

9. Apply the access list to Router2’s Fast Ethernet 0/0 interface.
Router2#conf t
Router2(config)#interface FastEthernet 0/0
Router2(config-if)#ip access-group 101 in

10. Connect to PC 2, and verify that you cannot ping PC 5. Connect to PC 3, and verify that you can ping PC 5.
C:\>ping 192.168.1.3

11. Finally, connect to Router2, and verify that the log statements displayed on the console match the corresponding pings sent from the PCs.
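One way to do the check in step 11 systematically, as an added example that is not part of the lab: parse the console messages the log keyword produces, sum the denied packets per flow, and confirm that the only flow list 101 denies is PC 2 to PC 5. The console lines below are constructed samples in the format IOS prints for a logged access-list entry (ICMP echo is type 8, code 0); the timestamps are invented.

```python
import re
from collections import Counter

# Constructed console output in the format IOS prints for an access-list
# entry carrying the log keyword.  IOS logs the first matching packet at
# once and then a packet count at intervals, so counts must be summed.
CONSOLE = """\
*Mar  1 00:12:07.119: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.130 -> 192.168.1.3 (8/0), 1 packet
*Mar  1 00:17:09.331: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.130 -> 192.168.1.3 (8/0), 4 packets
Router2#
"""

# Optional "(port)" after an address covers the TCP/UDP form of the message;
# the trailing "(type/code)" group covers ICMP.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?")

def parse_acl_log(text):
    """Return one dict per log line: acl, action, proto, src, dst, type, code, count."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records

def denied_flows(text):
    """Sum denied packets per (acl, src, dst) flow."""
    totals = Counter()
    for rec in parse_acl_log(text):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"], rec["dst"])] += rec["count"]
    return totals

def matches_expectation(text, acl, expected_denied):
    """True when the denied (src, dst) pairs for one list are exactly the
    ones the test plan expects, e.g. only PC 2 -> PC 5 for list 101."""
    seen = {(s, d) for (a, s, d) in denied_flows(text) if a == acl}
    return seen == set(expected_denied)

if __name__ == "__main__":
    for flow, n in denied_flows(CONSOLE).items():
        print(f"list {flow[0]}: {flow[1]} -> {flow[2]} denied, {n} packets")
    print("only PC2 -> PC5 denied by list 101:",
          matches_expectation(CONSOLE, "101", {("192.168.1.130", "192.168.1.3")}))
```

If a PC 3 to PC 5 flow ever showed up as denied, matches_expectation would return False and point you back at the wildcard or host address in the deny entry.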

Network-to-Host Access List
12. Before you create this access list, remove the preceding access lists from Router1 and Router2.
Router1(config)#interface serial 0
Router1(config-if)#no ip access-group 100 in
Router2(config)#interface FastEthernet 0/0
Router2(config-if)#no ip access-group 101 in

13. Create an extended access list that blocks all traffic to PC 1 from the Network Users area in the topology. The access list should look something like the following:
Router2(config)#access-list 102 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log
Router2(config)#access-list 102 permit ip any any

14. Apply this access list to outbound traffic on the serial 0 interface of Router2.
Router2(config)#interface serial 0
Router2(config-if)#ip access-group 102 out

15. To test this access list, try to ping PC 1 from PC 2 or PC 3. The pings should fail. You can also check the log messages on Router2's console.
C:\>ping 192.168.3.2
PC2 & PC3: [ping output screenshot]
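The three access lists in this lab (steps 5, 8 and 13) all rely on the same two rules: a wildcard mask bit of 0 must match and a bit of 1 is don't-care, and entries are tried top to bottom with an implicit deny after the last one. The evaluator below is an added example, not part of the lab or any vendor code; it parses the access-list lines as typed and reports which entry each test ping from steps 7, 10 and 15 hits. PC 1, PC 2 and PC 5 use the addresses the lab gives; the PC 3, PC 4 and Router2 serial 0 addresses are assumptions, and the RIP check assumes a RIPv1 broadcast to 255.255.255.255.

```python
import ipaddress

# Access lists as entered in steps 5, 8 and 13.  ACL 100's RIP line uses
# wildcard 0.0.0.255 so it covers Router2's serial address (a 0.0.0.0
# wildcard would match only the single address 192.168.2.0).
ACL_100 = """
access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""
ACL_101 = """
access-list 101 deny ip host 192.168.1.130 host 192.168.1.3 log
access-list 101 permit ip any any
"""
ACL_102 = """
access-list 102 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log
access-list 102 permit ip any any
"""
# Addresses: PC1, PC2 and PC5 come from the lab; the rest are assumptions.
HOSTS = {
    "PC1": "192.168.3.2",
    "PC2": "192.168.1.130",
    "PC3": "192.168.1.131",       # assumed: another Network Users host
    "PC4": "192.168.1.2",         # assumed: an Administration network host
    "PC5": "192.168.1.3",
    "Router2-s0": "192.168.2.2",  # assumed: Router2's serial 0 address
}

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W';
    return (address, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_acl(text):
    """Turn numbered extended access-list lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "src_wc": src_wc,
                        "dst": dst, "dst_wc": dst_wc, "log": "log" in t[i:],
                        "line": line.strip()})
    return entries

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard bits: 0 means the bit must match, 1 means don't care."""
    return (addr | wildcard) == (base | wildcard)

def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; return (action, matched line, logged?).
    No match means the implicit deny at the end of every access list."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] in ("ip", proto) and wildcard_match(s, e["src"], e["src_wc"]) \
                and wildcard_match(d, e["dst"], e["dst_wc"]):
            return e["action"], e["line"], e["log"]
    return "deny", "implicit deny (no entry matched)", False

def rip_update_passes(acl_text, router_src="192.168.2.2"):
    """Would a RIPv1 broadcast from the neighbour's serial address get through?"""
    return evaluate(parse_acl(acl_text), router_src, "255.255.255.255")[0] == "permit"

if __name__ == "__main__":
    for title, text, flows in [
        ("ACL 100 (Router1 s0 in)", ACL_100, [("PC2", "PC1"), ("PC4", "PC1")]),
        ("ACL 101 (Router2 fa0/0 in)", ACL_101, [("PC2", "PC5"), ("PC3", "PC5")]),
        ("ACL 102 (Router2 s0 out)", ACL_102, [("PC2", "PC1"), ("PC4", "PC1")]),
    ]:
        entries = parse_acl(text)
        print(title)
        for src, dst in flows:
            action, line, logged = evaluate(entries, HOSTS[src], HOSTS[dst])
            print(f"  {src} -> {dst}: {action}{' (logged)' if logged else ''}  [{line}]")
    print("RIP from Router2 passes ACL 100:", rip_update_passes(ACL_100))
    print("... with a 0.0.0.0 wildcard on the RIP line:",
          rip_update_passes(ACL_100.replace("0.0.0.255 any", "0.0.0.0 any")))
```

The last two lines show why the wildcard on the RIP entry of ACL 100 matters: an inbound access list on serial 0 filters the routing updates addressed to Router1 as well as transit traffic, so if the entry only matches the single address 192.168.2.0 the updates fall through to the implicit deny and the routes learned in step 3 age out.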