
Lab Test 2: Access Control Lists

Muhammad Faiz Bin Zakariah

Universiti Kuala Lumpur British Malaysian Institute (UniKL-BMI), Batu 8, Sungai Pusu, 53100 Kuala Lumpur.

faiz_zack12@yahoo.com

Abstract: This lab presents an overview of configuring a network using Access Control Lists (ACLs) for network connectivity. It covers how to configure standard ACLs, how to configure extended ACLs, and how to verify ACLs using Packet Tracer. Through this lab, the simulation of the network connectivity is presented, and the results of every part of the lab were obtained successfully.

I. INTRODUCTION

Access Control Lists are used to control traffic into and out of your network based on given criteria. An ACL consists of a sequence of permit or deny statements that apply to network layer or upper layer protocols. Most often, Access Control Lists are used for security reasons to filter traffic. Access lists are applied per interface as an inbound ACL or an outbound ACL. With an inbound ACL, packets are processed by the ACL before they are routed; with an outbound ACL, packets are first routed to the outbound interface and then processed by the ACL. ACLs also do not act on packets that originated from the router itself. At the end of every access list is an implicit deny any statement. Therefore, if a packet does not match any of the ACL statements, it is automatically denied (dropped).

There are two types of ACLs: standard and extended. Standard ACLs let you permit or deny traffic based on the source IP address only; the destination of the packet and the port do not matter. Extended ACLs are more advanced: IP packets are filtered based on several criteria, for example protocol type, source or destination IP address, and source or destination TCP or UDP port. Both ACL types can be numbered or named. The table below shows which numbers are used for each IP ACL type.

Standard ACLs    1 to 99       1300 to 1999
Extended ACLs    100 to 199    2000 to 2699

Table 1: Numbers Used by ACLs

II. DISCUSSION

In this lab test, a network needed to be configured. Using Cisco Packet Tracer, the simulation of the network was conducted; the network design is shown in the figure below.

Figure 1: Network Design

For task 1 of this lab test, all devices need to be configured: the router hostname, IP addresses, and passwords for the encrypted privileged EXEC mode, the console line and the VTY lines on each router. After that, a message banner needs to be configured as well; this message is displayed when the router starts. This is also known as the basic configuration for all routers. In this configuration, OSPF with process ID 1 is used on all routers for all networks, so that full IP connectivity can be confirmed with the ping command.

Next, for task 2, router 1 (R1) and router 3 (R3) must be configured with standard ACLs. The standard ACLs were configured as standard named ACLs and applied to the R1 and R3 VTY lines. The ACLs have to permit the hosts connected directly to each router's Fast Ethernet subnet to gain Telnet access and explicitly deny all other connection attempts. All of the standard ACLs that were configured need to be named VTY-Local and applied to all Telnet lines.

Figure 2: Command to Configure Standard Named ACLs

The figure above shows the command that was used to create the named ACLs, which permit only hosts connected directly to the router's Fast Ethernet subnet: 10.1.1.0 for R1 and 10.3.1.0 for R3, each followed by its wildcard mask. As a result, all other hosts are not allowed to gain Telnet access to R1 and R3; only hosts on their Fast Ethernet subnets can.

Figure 3: Command for VTY Lines

As shown in the figure above, this was the command applied to the R1 and R3 VTY virtual interfaces.

For task 3, only router 2 (R2) needs to be configured with ACLs. However, on R2 an extended named ACL was used. The name given, as stated in the lab sheet, is block.

Figure 4: Command to Configure Extended Named ACLs

The figure above shows the command that was used to configure the extended named ACL. In an extended ACL, both the source and destination IP addresses are specified and compared against, in order to deny certain IP addresses from accessing the router. According to the figure above, Telnet packets with those IP addresses will be dropped as they try to travel through R2.

Figure 5: Apply an Extended ACL to an Interface

The figure above shows the command that was used to apply the extended ACL to an interface. This command takes all access list lines that are defined as part of the group block and applies them in the inbound direction. Packets going through Serial0/0/0 and Serial0/0/1 will be checked.
III. RESULTS & ANALYSIS

After all the devices in the network were configured, the ACLs needed to be verified using the Telnet command.

Figure 6: Telnet from PC1 to R1

According to the lab sheet, PC1 should be able to Telnet to R1. Therefore, this is the correct result as stated in the lab sheet for the Telnet from PC1 to R1.

Figure 7: Telnet from PC2 to R3

According to the lab sheet, PC2 should also be able to Telnet to R3. As the results above show, the correct result was obtained, as the lab sheet required.

Figure 8: Denied Telnet to R1 and R3

Figure 9: Denied Telnet from R1 to R3

The two figures above show that R2 successfully denied Telnet access to R1 and R3. This means the ACLs on R2 were configured correctly, as the results match those stated in the lab sheet.

Figure 10: Failed Ping Between PC1 and PC2

The figure above shows that the ping between PC1 and PC2 failed. This is due to the R2 ACL configuration: on R2, the ACL was configured to block traffic from the R1 LAN from reaching the R3 LAN. This is why PC1 cannot ping PC2; the connection was denied by R2. So the result in the figure above is correct, as the lab sheet stated that pings between PC1 and PC2 should fail.
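To make the matching rules this report relies on concrete (wildcard masks, top-down first match, the implicit deny at the end of every list, and the standard versus extended distinction from Section I), here is a small Python model of the two ACLs described in Section II, evaluated against the same kind of traffic the checks in Section III exercise. This is an added example, not code or configuration from the lab report or from Cisco. The exact ACL lines, the host addresses (10.1.1.10, 10.3.1.10) and the router address 10.1.1.1 are assumptions reconstructed from the report's prose, since the actual commands appear only in Figures 2 to 5.

```python
"""Toy model of Cisco IOS ACL matching (added example, not from the lab report).

ACL contents below are ASSUMPTIONS reconstructed from the report's prose.
The model shows wildcard-mask matching, first-match evaluation, and the
implicit 'deny any' that ends every access list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", or "ip"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    """One permit/deny line. A standard ACL uses only action, src and src_wc."""
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"      # 0.0.0.0 255.255.255.255 is "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Entries are checked top-down and the first match wins. No match falls
    through to the implicit 'deny any', so a list with only deny lines
    (or an empty list) blocks everything."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Task 2 (assumed lines): standard named ACL VTY-Local on R1 and R3,
# 'permit 10.1.1.0 0.0.0.255' and 'permit 10.3.1.0 0.0.0.255'. Every other
# source is caught by the implicit deny, which is what the report observes.
VTY_LOCAL = {
    "R1": [Entry("permit", src="10.1.1.0", src_wc="0.0.0.255")],
    "R3": [Entry("permit", src="10.3.1.0", src_wc="0.0.0.255")],
}

# Task 3 (assumed lines): extended named ACL 'block' on R2, applied inbound
# on Serial0/0/0 and Serial0/0/1. Denies Telnet and ICMP from the R1 LAN to
# the R3 LAN and permits everything else so routing traffic keeps flowing.
BLOCK = [
    Entry("deny", "tcp", "10.1.1.0", "0.0.0.255", "10.3.1.0", "0.0.0.255", dport=23),
    Entry("deny", "icmp", "10.1.1.0", "0.0.0.255", "10.3.1.0", "0.0.0.255"),
    Entry("permit", "ip"),
]
R2_INBOUND = {"Serial0/0/0": BLOCK, "Serial0/0/1": BLOCK}


def telnet_to_vty(router: str, src: str, dst: str) -> str:
    """Telnet into a router's VTY lines; the standard ACL looks at the source only."""
    return evaluate(VTY_LOCAL[router], Packet(src, dst, "tcp", 23))


def through_r2(p: Packet, iface: str) -> str:
    """Transit traffic arriving on one of R2's serial interfaces (inbound ACL)."""
    return evaluate(R2_INBOUND[iface], p)


def ping_between(a: str, b: str, iface_from_a: str, iface_from_b: str) -> bool:
    """A ping needs both the echo request and the echo reply to cross R2, so
    denying even one direction makes the ping fail."""
    request = through_r2(Packet(a, b, "icmp"), iface_from_a)
    reply = through_r2(Packet(b, a, "icmp"), iface_from_b)
    return request == "permit" and reply == "permit"


if __name__ == "__main__":
    # Constructed hosts: PC1 = 10.1.1.10, PC2 = 10.3.1.10, R1 Fast Ethernet = 10.1.1.1.
    print("PC1 -> R1 Telnet:", telnet_to_vty("R1", "10.1.1.10", "10.1.1.1"))
    print("PC2 -> R1 Telnet:", telnet_to_vty("R1", "10.3.1.10", "10.1.1.1"))
    print("PC1 -> PC2 Telnet via R2:",
          through_r2(Packet("10.1.1.10", "10.3.1.10", "tcp", 23), "Serial0/0/0"))
    print("PC1 <-> PC2 ping:",
          ping_between("10.1.1.10", "10.3.1.10", "Serial0/0/0", "Serial0/0/1"))
```

Two points worth noticing when running it: `evaluate([], ...)` returns "deny", which is the implicit deny the introduction describes, so a list containing only deny lines blocks all traffic; and `ping_between` started from PC2 still fails even though the assumed ACL only names the R1 LAN as source, because the echo reply travelling back from PC1 is the packet that gets dropped. On a real router the VTY restriction is applied with `access-class` on the VTY lines rather than as an interface ACL, and the `show access-lists` counters are the quickest way to confirm which line is matching.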
IV. CONCLUSION

In conclusion, this lab has taught me how to configure Access Control Lists (ACLs) correctly using the Packet Tracer software. This lab also helped me understand how to block certain, or any, IP addresses from entering our network. All of the results were obtained as the lab sheet asked for. However, before the correct results could be obtained, some difficulties had to be faced. For instance, the VTY-Local ACL was not configured successfully at first. After some troubleshooting, the ACL was finally configured. Difficulties of this kind helped me understand ACLs better.

Lastly, it is important to know and learn about ACLs so that a network can be protected from attacks or cybercrime such as ransomware and others.
