
Lab ID: 9.9K1116A059.DHI2.

Advanced Extended Access Lists


Objective
Learn advanced configurations for extended access control lists (ACLs). Verify the ACLs by using show
commands and network connectivity tests.

Lab Topology
The topology diagram below represents the NetMap in the Simulator.

Command Summary
access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    defines an extended IP ACL entry for the traffic type specified by the protocol parameter
clock rate clock-rate
    sets the clock rate for a Data Communications Equipment (DCE) interface
configure terminal
    enters global configuration mode from privileged EXEC mode
description description-text
    assigns a description to an interface, a class map, or a policy map
enable
    enters privileged EXEC mode
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
hostname host-name
    sets the device name

1 Boson NetSim Lab Manual


interface type number
    changes from global configuration mode to interface configuration mode
ip access-group {access-list-number | access-list-name} {in | out}
    applies an ACL to an interface for inbound or outbound traffic (one IP ACL per interface per direction)
ip address ip-address subnet-mask
    assigns an IP address to an interface
network network-address
    enables the routing protocol on interfaces in the specified network and advertises that network
no shutdown
    enables an interface
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
router rip
    enables Routing Information Protocol (RIP) routing
show access-lists [access-list-number | access-list-name]
    displays the contents of current ACLs, with per-entry match counters
show ip interface
    displays IP information for an interface, including any ACLs applied to it
show ip route
    displays the IP routing table
show running-config
    displays the active configuration file
version 2
    enables RIP version 2 (RIPv2)

The IP addresses and subnet masks used in this lab are shown in the tables below:

IP Addresses

Device    Interface          IP Address      Subnet Mask
Router1   Serial 0/0         192.168.2.1     255.255.255.0
          FastEthernet 0/0   192.168.3.1     255.255.255.0
Router2   Serial 0/0         192.168.2.2     255.255.255.0
          FastEthernet 0/0   192.168.1.129   255.255.255.128
          FastEthernet 0/1   192.168.1.1     255.255.255.128

Device   IP Address      Subnet Mask       Default Gateway
PC1      192.168.3.2     255.255.255.0     192.168.3.1
PC2      192.168.1.130   255.255.255.128   192.168.1.129
PC3      192.168.1.131   255.255.255.128   192.168.1.129
PC4      192.168.1.2     255.255.255.128   192.168.1.1
PC5      192.168.1.3     255.255.255.128   192.168.1.1



Lab Tasks
Task 1: Configure the Routers
This task involves configuring network connectivity between all devices.
1. Configure Router1 with the appropriate host name, IP addresses, and subnet masks; refer to the IP
Addresses table. Enable the interfaces. Configure a clock rate of 64 Kbps on the Serial 0/0 interface.
A clock rate must be configured on Router1 because it is the DCE end of the link to Router2.

2. Configure Router2 with the appropriate host name, IP addresses, and subnet masks; refer to the IP
Addresses table. Enable the interfaces.

3. On Router1 and Router2, configure RIPv2 to advertise each configured interface.

4. On both routers, verify that the routes have been received.

5. Verify the configuration by pinging from PC1 to PC2 (192.168.1.130) and from PC1 to PC4
(192.168.1.2). Both pings should be successful.

Task 2: Configure Network-to-Network ACLs


This task involves configuring an extended ACL to allow only traffic from the Administration network on the
Corporate HQ network.
1. ACLs are used to identify traffic. Once identified, the traffic can then be filtered, analyzed, forwarded,
or influenced in various ways. Which protocol should you specify in the ACL to allow all traffic from
the Administration network to the Corporate HQ network? _________________________________

2. What is the number range that can be used as an ID with extended ACLs? ___________________

3. On what device and interface, and in which direction, should an extended ACL be created to allow
only traffic from the Administration network on the Corporate HQ network? ___________________
______________________________________________________________________________

4. On the appropriate device, create extended ACL 100 that will only allow traffic from the
Administration network on the Corporate HQ network; enable logging.

5. On the device you noted in step 3, apply ACL 100 to the correct interface and in the correct direction.

6. To verify the ACL, ping PC1 (192.168.3.2) from the four workstations on the Administration and
Network Users networks. The pings from PC2 and PC3 to PC1 should fail, but the pings from PC4
and PC5 to PC1 should succeed.



Task 3: Configure Host-to-Host ACLs
This task involves configuring an extended ACL to block an individual PC from accessing the central file
server. A new employee whom you do not want to have access to the file server (PC5) is using PC2. In this
lab, you are configuring an access list manually to prevent PC2 from accessing PC5.
1. On what device and interface, and in which direction, should the extended ACL be created and
applied? ________________________________________________________________________

2. On the device you noted in step 1, create extended ACL 101 to block PC2 from accessing PC5;
enable logging.

3. On the device you noted in step 1, apply ACL 101 to the correct interface in the correct direction.

4. Verify the ACL by pinging from PC2 and PC3 to PC5 (192.168.1.3). The ping from PC2 to PC5
should fail, and the ping from PC3 to PC5 should succeed.

Task 4: Remove ACLs


This task involves removing previously configured ACLs; the employee you previously did not want to have
access to the file server (PC5) should now be allowed to access PC5. Additionally, the ACL applied in Task
2 should be removed.
1. Remove the ACLs created in Task 3 so that the new employee can now reach PC5. You should also
issue the commands necessary to remove the ACL created in Task 2 from the interfaces. You do not
need to remove the ACLs entirely from the router.

2. Verify that the ACLs are no longer applied to Router1’s FastEthernet 0/0 interface and Router2’s
FastEthernet 0/0 interface. What line of the output allows you to determine that an ACL is not applied
to the interfaces? ________________________________________________________________

Task 5: Configure Network-to-Host ACLs


This task involves configuring an extended ACL to block all traffic originating from the Network Users area
to PC1.
1. On what device and interface, and in which direction, should the extended ACL be created and
applied? _______________________________________________________________________

2. On the device you noted in step 1, create extended ACL 102 to block all traffic originating from the
Network Users area; enable logging.

3. On the device you noted in step 1, apply ACL 102 to the correct interface in the correct direction.

4. Verify the ACL by pinging from PC2 and PC3 to PC1 (192.168.3.2). Both pings should fail.

5. On Router2, display the log file for ACL 102.

Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.



Lab Solutions
Task 1: Configure the Routers
1. On Router1, issue the following commands to configure the appropriate host name, IP addresses,
and subnet masks, to enable the interfaces, and to configure a clock rate on Router1’s Serial 0/0
interface:

Router(config)#hostname Router1
Router1(config)#interface serial 0/0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
Router1(config-if)#interface fastethernet 0/0
Router1(config-if)#ip address 192.168.3.1 255.255.255.0
Router1(config-if)#no shutdown

2. On Router2, issue the following commands to configure the appropriate host name, IP addresses,
and subnet masks and to enable the interfaces:

Router(config)#hostname Router2
Router2(config)#interface serial 0/0
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#interface fastethernet 0/0
Router2(config-if)#ip address 192.168.1.129 255.255.255.128
Router2(config-if)#no shutdown
Router2(config-if)#interface fastethernet 0/1
Router2(config-if)#ip address 192.168.1.1 255.255.255.128
Router2(config-if)#no shutdown

3. On Router1 and Router2, issue the following commands to enable RIPv2 and advertise the network of
each configured interface:

Router1(config-if)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 192.168.2.0
Router1(config-router)#network 192.168.3.0

Router2(config-if)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 192.168.2.0



4. Issue the show ip route command on both routers to verify that the routes have been received.
Below is sample output:

Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

C    192.168.3.0 is directly connected, FastEthernet0/0
C    192.168.2.0 is directly connected, Serial0/0
     192.168.1.0/25 is subnetted, 2 subnets
R       192.168.1.0 [120/1] via 192.168.2.2, 00:05:37, Serial0/0

Router2#show ip route
<output omitted>

Gateway of last resort is not set

     192.168.1.0/25 is subnetted, 2 subnets
C       192.168.1.128 is directly connected, FastEthernet0/0
C       192.168.1.0 is directly connected, FastEthernet0/1
C    192.168.2.0 is directly connected, Serial0/0
R    192.168.3.0 [120/1] via 192.168.2.1, 00:09:43, Serial0/0

5. Verify the configuration by pinging from PC1 to PC2 (192.168.1.130) and from PC1 to PC4
(192.168.1.2). Both pings should be successful.

C:>ping 192.168.1.130
C:>ping 192.168.1.2

Task 2: Configure Network-to-Network ACLs


1. You should specify ip as the protocol keyword. IP is the network-layer protocol, so an entry with
protocol ip matches every IP packet regardless of its transport protocol (TCP, UDP, ICMP and so on)
and therefore allows all traffic between the specified source and destination. Because ACL 100 in
this task contains only that one permit entry, every packet that does not match it is dropped by the
implicit deny any any at the end of every ACL.

2. Numbered extended ACLs use the range 100 through 199 or the expanded range 2000 through 2699.
Numbered access lists in the range 1 through 99 (and the expanded range 1300 through 1999) are
standard access lists and can identify traffic based only on the source IP address. Extended access
lists can identify traffic based on source and destination IP addresses as well as the protocol and
port. This scenario requires that you identify traffic based on both the source and the destination
network; therefore, you should use an extended access list in your configuration.



3. As a general rule, extended ACLs are placed as close as possible to the source of the traffic you
wish to restrict, because they can match on both source and destination and so can drop unwanted
traffic before it crosses the network. In this task, however, the requirement is that only traffic from
the Administration network is allowed on the Corporate HQ network, which means every other source
must be blocked, not just the Network Users network. Consider each candidate location:

Adding an inbound ACL on Router2's FastEthernet 0/1 interface permitting Administration traffic
destined for Corporate HQ does not meet the requirement, because Network Users traffic enters
Router2 on FastEthernet 0/0 and never crosses FastEthernet 0/1, so it would not be blocked.

Adding an inbound ACL on Router2's FastEthernet 0/0 interface blocking Network Users traffic
destined for Corporate HQ does not meet the requirement either, because traffic sourced from the
192.168.2.0/24 serial network never enters that interface and would still reach Corporate HQ. If you
were required only to block Network Users from reaching Corporate HQ (instead of allowing only
traffic from Administration on Corporate HQ), this would be the best device, interface, and direction.

Adding an outbound ACL on Router2's Serial 0/0 interface or an inbound ACL on Router1's Serial
0/0 interface also does not meet the requirement, because traffic Router1 itself sources from
192.168.2.1 never crosses those interfaces and would still reach Corporate HQ.

Therefore the ACL should be created on Router1 and applied outbound on FastEthernet 0/0, the last
interface that every packet destined for the Corporate HQ network must cross. One caveat applies to
any outbound ACL: packets that a router generates itself are not checked against that router's own
outbound ACLs, so ACL 100 on Router1 filters all transit traffic (including packets sourced by Router2)
but not packets that Router1 originates.

4. On Router1, issue the following command to create an extended ACL that only allows traffic from the
Administration network on the Corporate HQ network:

Router1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log

5. On Router1, issue the following commands to apply ACL 100 to the correct interface and in the
correct direction:

Router1(config)#interface fastethernet 0/0
Router1(config-if)#ip access-group 100 out

6. To verify the ACL, ping PC1 (192.168.3.2) from the four workstations on the Administration and
Network Users networks. The pings from PC2 and PC3 to PC1 should fail, but the pings from PC4
and PC5 to PC1 should succeed.

C:>ping 192.168.3.2

Task 3: Configure Host-to-Host ACLs


1. An extended ACL that blocks an individual PC (PC2) from accessing the central file server (PC5)
should be created on Router2 and applied to the FastEthernet 0/0 interface in the inbound direction
because that is the closest interface and device to the source of the traffic.

2. On Router2, issue the following commands to create extended ACL 101:

Router2(config)#access-list 101 deny ip host 192.168.1.130 192.168.1.3 0.0.0.0 log
Router2(config)#access-list 101 permit ip any any

The destination 192.168.1.3 0.0.0.0 is equivalent to host 192.168.1.3, and IOS stores it in the
running configuration in the host form. The permit ip any any entry is required: without it, the
implicit deny at the end of the list would drop all other traffic entering FastEthernet 0/0, including
PC3's traffic to PC5 and all Network Users traffic to Corporate HQ.



3. On Router2, issue the following commands to apply ACL 101 to the correct interface and in the
correct direction:

Router2(config)#interface fastethernet 0/0
Router2(config-if)#ip access-group 101 in

4. To verify the ACL, ping PC5 (192.168.1.3) from PC2 and PC3. The ping from PC2 to PC5 should fail,
and the ping from PC3 to PC5 should succeed.

C:>ping 192.168.1.3

Task 4: Remove ACLs


1. On Router1 and Router2, issue the following commands to remove ACL 100 (Task 2) and ACL 101
(Task 3) from the interfaces; the access-list entries themselves remain in the configuration:

Router1(config)#interface fastethernet 0/0
Router1(config-if)#no ip access-group 100 out

Router2(config)#interface fastethernet 0/0
Router2(config-if)#no ip access-group 101 in

2. On Router1 and Router2, issue the show ip interface command to verify that the ACLs are no
longer applied to Router1’s FastEthernet 0/0 interface and Router2’s FastEthernet 0/0 interface.
The lines Outgoing access list is not set and Inbound access list is not set on all
interfaces of both Router1 and Router2 indicate that an ACL is not applied to the interfaces. Below is
sample output:

Router1#show ip interface
<output omitted>
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.3.1/24
Broadcast address is 255.255.255.255
MTU 1500 bytes,
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP Is Enabled
Security Level Is Default
Split horizon Is Enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
<output omitted>


Router2#show ip interface
<output omitted>
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.129/25
Broadcast address is 255.255.255.128
MTU 1500 bytes,
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP Is Enabled
Security Level Is Default
Split horizon Is Enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
<output omitted>

Task 5: Configure Network-to-Host ACLs


1. An extended ACL that blocks all traffic originating from Network Users to PC1 should be created on
Router2 and applied to the FastEthernet 0/0 interface in the inbound direction because that is the
closest interface and device to the source of the traffic.

2. On Router2, issue the following commands to create extended ACL 102:

Router2(config)#access-list 102 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log
Router2(config)#access-list 102 permit ip any any

The wildcard 0.0.0.127 with 192.168.1.128 matches the whole Network Users subnet
(192.168.1.128/25), and the permit ip any any entry keeps all other traffic entering FastEthernet 0/0
(for example, Network Users traffic to the Administration network) from being dropped by the implicit deny.

3. On Router2, issue the following commands to apply ACL 102 to the correct interface and in the
correct direction:

Router2(config)#interface fastethernet 0/0
Router2(config-if)#ip access-group 102 in

Only one IP ACL can be applied per interface per direction. This step works cleanly because ACL 101
was removed from the inbound direction of FastEthernet 0/0 in Task 4; had it still been applied, the
ip access-group 102 in command would have replaced it rather than adding to it.

4. To verify the ACL, ping from PC2 and PC3 to PC1 (192.168.3.2). Both pings should fail.

C:>ping 192.168.3.2

5. On Router2, issue the show access-lists 102 command to display ACL 102 with its per-entry match
counters. Below is sample output:

Router2#show access-lists 102
Extended IP access list 102
    10 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log (2 matches)
    20 permit ip any any (0 matches)

The match counters are not the log itself. An entry configured with the log keyword also generates a
%SEC-6-IPACCESSLOG syslog message for the first matching packet and then a summary of further
matches at five-minute intervals; these messages go to the console and to any configured syslog
server or logging buffer, and on a router with logging buffered configured they can be displayed with
show logging. The implicit deny any any at the end of the list has no counter and is never logged.
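The placement questions in Task 2 step 3, Task 3 and Task 5 all turn on two things: how an extended ACL is evaluated (wildcard masks, first match, the implicit deny) and which interfaces a packet crosses in this lab's topology. The following Python models both. It is an added example, not part of the Boson lab and not Cisco code. The interfaces, addresses and ACL lines are taken from the lab; the matcher is a simplification written for this example (numbered extended ACLs, protocol keywords ip/icmp/tcp/udp, any/host/wildcard addresses and the log keyword, no port operators), hosts are assumed to sit on the FastEthernet segments, and the serial link is assumed to be the only path between the two routers. It also applies ACL 100 at the Router2 FastEthernet 0/1 inbound placement that step 3 rejects, to show the Network Users traffic passing that placement untouched.

```python
"""Extended-ACL evaluation plus this lab's forwarding path (added example for the
Boson lab, not Cisco code). Simplified matcher: numbered extended ACLs, protocol
keywords ip/icmp/tcp/udp, any/host/wildcard addresses, the log keyword, no port
operators. Assumes hosts sit on the FastEthernet segments and that the serial
link is the only path between the two routers."""
import ipaddress
from collections import namedtuple

# src/dst are (address as int, wildcard mask as int); proto "ip" matches any transport.
Entry = namedtuple("Entry", "action proto src dst log")

def _addr_spec(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":   # IOS stores 'A.B.C.D 0.0.0.0' as 'host A.B.C.D'
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acls(config_text):
    """Return {acl_number: [Entry, ...]} in configured (first-match) order."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not an extended ACL number")
        src, dst = _addr_spec(rest), _addr_spec(rest)
        if any(t != "log" for t in rest):
            raise ValueError(f"unsupported keywords in: {line}")
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, "log" in rest))
    return acls

def _matches(spec, ip):
    """Wildcard test: a 1 bit in the wildcard mask means 'do not care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def evaluate(entries, proto, src, dst):
    """First matching entry wins; otherwise the implicit deny any any applies."""
    for seq, e in enumerate(entries, start=1):
        if e.proto in ("ip", proto) and _matches(e.src, src) and _matches(e.dst, dst):
            return e.action, seq * 10   # seq*10 mirrors the IOS sequence numbers
    return "deny", None                 # implicit deny: never counted, never logged

# Interfaces from the lab's IP Addresses table.
ROUTERS = {
    "Router1": {"Serial0/0": "192.168.2.1/24", "FastEthernet0/0": "192.168.3.1/24"},
    "Router2": {"Serial0/0": "192.168.2.2/24", "FastEthernet0/0": "192.168.1.129/25",
                "FastEthernet0/1": "192.168.1.1/25"},
}

def _lan_iface(router, ip):
    """The router's FastEthernet interface whose subnet contains ip, or None."""
    for name, cidr in ROUTERS[router].items():
        on_subnet = ipaddress.IPv4Address(ip) in ipaddress.IPv4Interface(cidr).network
        if on_subnet and not name.startswith("Serial"):
            return name
    return None

def path(src, dst):
    """(router, interface, direction) hops a src -> dst packet crosses, in order."""
    router = next((r for r in ROUTERS if _lan_iface(r, src)), None)
    if router is None:
        raise ValueError(f"{src} is not on a LAN segment of this lab")
    ingress, hops = _lan_iface(router, src), []
    for _ in ROUTERS:   # at most one pass through each router
        hops.append((router, ingress, "in"))
        egress = _lan_iface(router, dst) or "Serial0/0"
        hops.append((router, egress, "out"))
        if egress != "Serial0/0":
            return hops
        router = next(r for r in ROUTERS if r != router)   # cross the serial link
        ingress = "Serial0/0"
    raise ValueError(f"{dst} is not on a LAN segment of this lab")

def forward(acls, placement, proto, src, dst):
    """Check the packet against the ACL bound at each hop; report the first deny."""
    for hop in path(src, dst):
        number = placement.get(hop)
        if number is not None and evaluate(acls[number], proto, src, dst)[0] == "deny":
            return ("dropped", hop, number)
    return ("delivered", None, None)

LAB_ACLS = parse_acls("""
access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log
access-list 101 deny ip host 192.168.1.130 192.168.1.3 0.0.0.0 log
access-list 101 permit ip any any
access-list 102 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log
access-list 102 permit ip any any
""")
# The lab's placements, plus the Router2 Fa0/1 inbound candidate that Task 2 step 3 rejects.
TASK2 = {("Router1", "FastEthernet0/0", "out"): 100}
TASK2_REJECTED = {("Router2", "FastEthernet0/1", "in"): 100}
TASK3 = {("Router2", "FastEthernet0/0", "in"): 101}
TASK5 = {("Router2", "FastEthernet0/0", "in"): 102}

if __name__ == "__main__":
    for src in ("192.168.1.130", "192.168.1.131", "192.168.1.2", "192.168.1.3"):   # PC2..PC5
        print(src, "-> PC1 under Task 2:", forward(LAB_ACLS, TASK2, "icmp", src, "192.168.3.2"),
              "| rejected placement:", forward(LAB_ACLS, TASK2_REJECTED, "icmp", src, "192.168.3.2"))
```

Running the script reproduces the lab's expected ping results for each placement. Router-originated traffic is deliberately outside the model: IOS does not check packets a router generates itself against that router's outbound ACLs, which is why the step 3 reasoning about 192.168.2.0/24 sources needs care.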



Sample Configuration Scripts

Router1

Router1#show running-config
Building configuration...
Current configuration : 883 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface Serial0/0
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 clock rate 64000
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
router rip
 version 2
 network 192.168.2.0
 network 192.168.3.0
!
ip classless
no ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log
!
line con 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end



Router2

Router2#show running-config
Building configuration...
Current configuration : 1038 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router2
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface Serial0/0
 ip address 192.168.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/0
 ip address 192.168.1.129 255.255.255.128
 no ip directed-broadcast
 ip access-group 102 in
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.128
 no ip directed-broadcast
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
!
ip classless
no ip http server
!
access-list 101 deny ip host 192.168.1.130 host 192.168.1.3 log
access-list 101 permit ip any any
access-list 102 deny ip 192.168.1.128 0.0.0.127 host 192.168.3.2 log
access-list 102 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
