Final Document Changed

Implementation of standard ACL
CHAPTER 1
INTRODUCTION
1.1 INTRODUCTION TO NETWORKING

Advancements in networking technologies are perhaps the most significant changes in
the world today. They are helping to create a world in which national borders, geographic
distances, and physical limitations become less relevant presenting ever-diminishing
obstacles.
The Internet has changed the manner in which social, commercial, political, and personal
interactions occur. The immediate nature of communications over the Internet encourages
the creation of global communities. Global communities allow for social interaction that
is independent of location or time zone. The creation of online communities for the
exchange of ideas and information has the potential to increase productivity opportunities
across the globe.
NETWORKS SUPPORT THE WAY WE LEARN

Networks have changed the way we learn. Access to high-quality instruction is no longer
restricted to students living in proximity to where that instruction is being delivered.
Online distance learning has removed geographic barriers and improved student
opportunity. Robust and reliable networks support and enrich student learning
experiences. They deliver learning the material in a wide range of formats including
interactive activities, assessments, and feedback.
NETWORKS SUPPORT THE WAY WE COMMUNICATE

The globalization of the Internet has ushered in new forms of communication that
empower individuals to create information that can be accessed by a global audience.
Dept. of ECE, VJIT 1

Some forms of communication include:
● Texting – Texting enables instant real-time communication between two or more

people.
● Social Media – Social media consists of interactive websites where people and
communities create and share user-generated content with friends, family, peers, and the
world.
● Collaboration Tools - Without the constraints of location or time zone, collaboration

tools allow individuals to communicate with each other, often across the real-time
interactive video. The broad distribution of data networks means that people in remote
locations can contribute on an equal basis with people in the heart of large population
centers.
● Blogs - Blogs, which is an abbreviation of the word “weblogs”, are web pages that are
easy to update and edit. Unlike commercial websites, blogs give anyone a means to
communicate their thoughts to a global audience without technical knowledge of web
design.
● Wikis - Wikis are web pages that groups of people can edit and view together.
Whereas a blog is more of an individual, personal journal, a wiki is a group creation. As
such, it may be subject to more extensive review and editing. Many businesses use wikis
as their internal collaboration tool.
● Podcasting - Podcasting allows people to deliver their audio recordings to a wide

audience. The audio file is placed on a website (or blog or wiki) where others can
download it and play the recording on their computers, laptops, and other mobile devices.
● Peer-to-Peer (P2P) File Sharing – Peer-to-Peer file sharing allows people to share files
with each other without having to store and download them from a central server. The
user joins the P2P network by simply installing the P2P software. P2P file sharing has not
been embraced by everyone. Many people are concerned about violating the laws of
copyrighted materials.

NETWORKS SUPPORT THE WAY WE WORK
In the business world, data networks were initially used by businesses to internally record
and manage financial information, customer information, and employee payroll systems.
These business networks evolved to enable the transmission of many different types of
information services, including email, video, messaging, and telephony.
The use of networks to provide efficient and cost-effective employee training is

increasing in acceptance. Online learning opportunities can decrease time-consuming and
costly travel, yet still, ensure that all employees are adequately trained to perform their
jobs in a safe and productive manner.
There are many success stories illustrating innovative ways networks are being used to
make us more successful in the workplace.
NETWORKS SUPPORT THE WAY WE PLAY

The Internet is used for traditional forms of entertainment. We listen to recording artists,
preview or view motion pictures, read entire books, and download material for future
offline access. Live sporting events and concerts can be experienced as they are
happening, or recorded and viewed on demand.
Networks enable the creation of new forms of entertainment, such as online games.
Players participate in any kind of online competition that game designers can imagine.
We compete with friends and foes around the world as if we were all in the same room.
Even offline activities are enhanced using network collaboration services. Global
communities of interest have grown rapidly. We share common experiences and hobbies
well beyond our local neighborhood, city, or region. Sports fans share opinions and facts
about their favorite teams. Collectors display prized collections and get expert feedback
about them.
Whatever form of recreation we enjoy, networks are improving our experience.

NETWORKS OF MANY SIZES

Networks come in all sizes. They can range from simple networks consisting of two
computers to networks connecting millions of devices.
Simple networks installed in homes enable sharing of resources, such as printers,

documents, pictures and music between a few local computers as shown in the below
figure.
Fig 1.1 Small home network
Home office networks and small office networks are often set up by individuals that work
from a home or a remote office and need to connect to a corporate network or other
centralized resources. Additionally, many self-employed entrepreneurs use home office
and small office networks to advertise and sell products, order supplies and communicate
with customers as shown in the below figure.

Fig 1.2 Small office/Home office network
In businesses and large organizations, networks can be used on an even broader scale to
provide consolidation, storage, and access to information on network servers. Networks
also allow for rapid communication such as email, instant messaging, and collaboration
among employees. In addition to internal benefits, many organizations use their networks
to provide products and services to customers through their connection to the Internet as
shown in the below figure.
Fig 1.3 Medium to Large networks

The Internet is the largest network in existence. In fact, the term Internet means a
„network of networks‟. The Internet is literally a collection of interconnected private and
public networks, such as those described above.
Fig 1.4 World Wide network
CLIENTS AND SERVERS

All computers connected to a network that participate directly in network communication
are classified as hosts. Hosts are also called end devices.
Servers are computers with software that enable them to provide information, like email
or web pages, to other end devices on the network. Each service requires separate server
software. For example, a server requires web server software in order to provide web
services to the network. A computer with server software can provide services
simultaneously to one or many clients. Additionally, a single computer can run multiple
types of server software. In a home or small business, it may be necessary for one
computer to act as a file server, a web server, and an email server.
Clients are computers with software installed that enable them to request and display the
information obtained from the server. An example of client software is a web browser,
like Chrome or FireFox. A single computer can also run multiple types of client software.
For example, a user can check email and view a web page while instant messaging and
listening to Internet radio. A computer with server software can provide services

simultaneously to one or many clients. Additionally, a single computer can run multiple
types of server software. In a home or small business, it may be necessary for one
computer to act as a file server, a web server, and an email server.
Fig 1.5 Clients and Servers
PEER-TO-PEER
Client and server software usually runs on separate computers, but it is also possible for
one computer to carry out both roles at the same time. In small businesses and homes,
many computers
function as the servers and clients on the network. This type of network is called a peer-
to-peer network.
Fig 1.6 Peer-to-Peer

IMPORTANCE OF NETWORKING
The path that a message takes from source to destination can be as simple as a single
cable connecting one computer to another, or as complex as a collection of networks that
literally spans the globe. This network infrastructure provides the stable and reliable
channel over which these communications occur.
The network infrastructure contains three categories of network components:
● Devices
● Media
● Services Click each button in the figure to highlight the corresponding network
components.
Devices and media are the physical elements, or hardware, of the network. Hardware is
often the visible components of the network platform such as a laptop, PC, switch, router,
wireless access point, or the cabling used to connect the devices.
Services include many of the common network applications people use every day, like
email hosting services and web hosting services. Processes provide the functionality that
directs and moves the messages through the network. Processes are less obvious to us but
are critical to the operation of networks.
Fig 1.7 Components of a Network – Devices

NETWORK MEDIA
Communication across a network is carried on a medium. The medium provides the
channel over which the message travels from source to destination.
Modern networks primarily use three types of media to interconnect devices and to
provide the pathway over which data can be transmitted.
● Metallic wires within cables - data is encoded into electrical impulses
● Glass or plastic fibers (fiber optic cable) - data is encoded as pulses of light
● Wireless transmission - data is encoded using wavelengths from the electromagnetic

spectrum Different types of network media have different features and benefits. Not all
network media have the same characteristics, nor are they all appropriate for the same
purpose.
Fig 1.8 Network Media

TYPES OF NETWORKS
Network infrastructures can vary greatly in terms of:
● Size of the area covered
● Number of users connected
● Number and types of services available
● Area of responsibility The figure illustrates the two most common types of network
infrastructures:
● Local Area Network (LAN) - A network infrastructure that provides access to users
and end devices in a small geographical area, which is typically an enterprise, home, or
small business network owned and managed by an individual or IT department.
● Wide Area Network (WAN) - A network infrastructure that provides access to other
networks over a wide geographical area, which is typically owned and managed by a
telecommunications service provider.
Other types of networks include:
● Metropolitan Area Network (MAN) - A network infrastructure that spans a physical

area larger than a LAN but smaller than a WAN (e.g., a city). MANs are typically
operated by a single entity such as a large organization.
● Wireless LAN (WLAN) - Similar to a LAN but wirelessly interconnects users and end
points in a small geographical area.
● Storage Area Network (SAN) - A network infrastructure designed to support file

servers and provide data storage, retrieval, and replication.

Fig 1.9 Types of Networks
THE INTERNET
The Internet is a worldwide collection of interconnected networks (internetworks or
internet for short).
The Internet is not owned by any individual or group. Ensuring effective communication
across this diverse infrastructure requires the application of consistent and commonly
recognized technologies and standards as well as the cooperation of many network
administration agencies. There are organizations that have been developed for the
purpose of helping to maintain structure and standardization of Internet protocols and
processes. These organizations include the Internet Engineering Task Force (IETF),
Internet Corporation for Assigned Names and Numbers (ICANN), and the Internet
Architecture Board (IAB), plus many others.

Fig 1.10 Collection of interconnected LANs and WANs
INTRANETS AND EXTRANETS

There are two other terms which are similar to the term Internet:
● Intranet
● Extranet An intranet is a term often used to refer to a private connection of LANs and
WANs that belongs to an organization and is designed to be accessible only by the
organization's members, employees, or others with authorization.
An organization may use an extranet to provide secure and safe access to individuals who
work for a different organization but require access to the organization‟s data. Examples
of extranets include:
● A company that is providing access to outside suppliers and contractors.
● A hospital that is providing a booking system to doctors so they can make

appointments for their patients.
● A local office of education that is providing budget and personal information to the
schools in its district.

Fig 1.11 Overview of the Internet, Intranet, and Extranet
1.2 OBJECTIVES
• Configure standard IPv4 ACLs.
• Explain the purpose and operation of ACLs in small to medium-sized business

networks.
• Compare standard and extended IPv4 ACLs.
• Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business

network.
• Configure IPv6 ACLs.
• Compare IPv4 and IPv6 ACL creation.
• Configure IPv6 ACLs to filter traffic according to networking requirements.

• Explain how a router processes packets when an ACL is applied.
• Troubleshoot common ACL errors using CLI commands.

CHAPTER 2
LITERATURE REVIEW
One of the most important skills a network administrator needs is mastery of access
control lists (ACLs). ACLs provide security for a network.
Network designers use firewalls to protect networks from unauthorized use. Firewalls are
hardware or software solutions that enforce network security policies. Consider a lock on
a door to a room inside a building. The lock allows only authorized users with a key or
access card to pass through the door. Similarly, a firewall filters unauthorized or
potentially dangerous packets from entering the network.
On a Cisco router, you can configure a simple firewall that provides basic traffic filtering
capabilities using ACLs. Administrators use ACLs to stop traffic or permit only specified
traffic on their networks. Network traffic can be permitted or denied.
Fig 2.1 Scenario of ACL

2.1ACCESS CONTROL LIST

An ACL is a series of IOS commands that control whether a router forwards or drops
packets based on information found in the packet header. ACLs are among the most
commonly used features of Cisco IOS software.
When configured, ACLs perform the following tasks:
 Limit network traffic to increase network performance. For example, if corporate

policy does not allow video traffic on the network, ACLs that block video traffic
could be configured and applied. This would greatly reduce the network load and
increase network performance.
 Provide traffic flow control. ACLs can restrict the delivery of routing updates to
ensure that the updates are from a known source.
 Provide a basic level of security for network access. ACLs can allow one host to
access a part of the network and prevent another host from accessing the same area.
For example, access to the Human Resources network can be restricted to authorized
users.
 Filter traffic based on traffic type. For example, an ACL can permit email traffic, but
block all Telnet traffic.
 Screen hosts to permit or deny access to network services. ACLs can permit or deny
a user to access file types, such as FTP or HTTP.
By default, a router does not have ACLs configured; therefore, by default a router does
not filter traffic. Traffic that enters the router is routed solely based on information within
the routing table. However, when an ACL is applied to an interface, the router performs
the additional task of evaluating all network packets as they pass through the interface to
determine if the packet can be forwarded.
In addition to either permitting or denying traffic, ACLs can be used for selecting types
of traffic to be analyzed, forwarded, or processed in other ways. For example, ACLs can
be used to classify traffic to enable priority processing. This capability is similar to

having a VIP pass at a concert or sporting event. The VIP pass gives selected guests
privileges not offered to general admission ticket holders, such as priority entry or being
able to enter a restricted area.
Fig 2.2 Working of ACL

2.2 PACKET FILTERING
An ACL is a sequential list of permit or deny statements, known as access control entries
(ACEs). ACEs are also commonly called ACL statements. When network traffic passes
through an interface configured with an ACL, the router compares the information within
the packet against each ACE, in sequential order, to determine if the packet matches one
of the ACEs. This process is called packet filtering.
Packet filtering controls access to a network by analyzing the incoming and outgoing
packets and forwarding them or discarding them based on given criteria. Packet filtering
can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at
Layer 3. Extended ACLs filter at Layer 3 and Layer 4.
Note: Extended ACLs are beyond the scope of this course.
The source IPv4 address is the filtering criteria set in each ACE of a standard IPv4 ACL.
A router configured with a standard IPv4 ACL extracts the source IPv4 address from the
packet header. The router starts at the top of the ACL and compares the address to each
ACE sequentially. When a match is made, the router carries out the instruction, either
permitting or denying the packet. After a match is made, the remaining ACEs in the
ACL, if any, are not analyzed. If the source IPv4 address does not match any ACEs in the
ACL, the packet is discarded.
The last statement of an ACL is always an implicit deny. This statement is automatically
inserted at the end of each ACL even though it is not physically present. The implicit
deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least
one permit statement will block all traffic.

Fig 2.3 Packet Filtering

2.3 ACL OPERATION
ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound interfaces
of the router. ACLs do not act on packets that originate from the router itself.ACLs can
be configured to apply to inbound traffic and outbound traffic.
 Inbound ACLs - Incoming packets are processed before they are routed to the
outbound interface. An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet is discarded. If the packet is permitted by the ACL, it is
then processed for routing. Inbound ACLs are best used to filter packets when the
network attached to an inbound interface is the only source of packets that need to
be examined.
 Outbound ACLs - Incoming packets are routed to the outbound interface, and then
they are processed through the outbound ACL. Outbound ACLs are best used when
the same filter will be applied to packets coming from multiple inbound interfaces
before exiting the same outbound interface.
Fig 2.4 Inbound and Outbound ACLs

2.4 ACL WILD CARD MASKING
Wildcard Masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary
digits used by the router to determine which bits of the address to examine for a match.
As with subnet masks, the numbers 1 and 0 in the wildcard mask identify how to treat the
corresponding IPv4 address bits. However, in a wildcard mask, these bits are used for
different purposes and follow different rules.
Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an
IPv4 address. Wildcard masks use binary 1s and 0s to filter individual IPv4 addresses or
groups of IPv4 addresses to permit or deny access to resources.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s.
Wildcard masks use the following rules to match binary 1s and 0s:
 Wildcard mask bit 0 - Match the corresponding bit value in the address.
 Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Figure 1 shows how different wildcard masks filter IPv4 addresses. In the example,
remember that binary 0 signifies a bit that must match, and binary 1 signifies a bit that
can be ignored.
Wildcard masks are often referred to as an inverse mask. The reason is that, unlike a
subnet mask in which binary 1 is equal to a match and binary 0 is not a match, in a
wildcard mask the reverse is true.
Using a Wildcard Mask

The table in Figure 2 shows the results of applying a 0.0.255.255 wildcard mask to a 32-
bit IPv4 address. Remember that a binary 0 indicates a value that is matched.

Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-
length is used to indicate how much of an IPv6 source or destination address should be
matched.
Fig 2.5 Wild Card Masking

2.5 GENERAL GUIDELINES FOR CREATING ACLs
Writing ACLs can be a complex task. For every interface there may be multiple policies
needed to manage the type of traffic allowed to enter or exit that interface. The router in
the figure has two interfaces configured for IPv4 and IPv6. If we needed ACLs for both
protocols, on both interfaces and in both directions, this would require eight separate
ACLs. Each interface would have four ACLs; two ACLs for IPv4 and two ACLs for
IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic.
Note: ACLs do not have to be configured in both directions. The number of ACLs and
their direction applied to the interface will depend on the requirements being
implemented.
Here are some guidelines for using ACLs:
 Use ACLs in firewall routers positioned between your internal network and an
external network such as the Internet.
 Use ACLs on a router positioned between two parts of your network to control
traffic entering or exiting a specific part of your internal network.
 Configure ACLs on border routers, that is, routers situated at the edges of your
networks. This provides a very basic buffer from the outside network, or between a
less controlled area of your own network and a more sensitive area of your network.
 Configure ACLs for each network protocol configured on the border router
interfaces.
Rules for Applying ACLs
You can configure one ACL per protocol, per direction, per interface:
 One ACL per protocol - To control traffic flow on an interface, an ACL must be
defined for each protocol enabled on the interface.

 One ACL per direction - ACLs control traffic in one direction at a time on an
interface. Two separate ACLs must be created to control inbound and outbound
traffic.
 One ACL per interface - ACLs control traffic for an interface, for example,
GigabitEthernet 0/0
Fig 2.6 ACL Traffic Filtering on Router
2.6 WHERE TO PLACE ACLs
The proper placement of an ACL can make the network operate more efficiently. An
ACL can be placed to reduce unnecessary traffic. For example, traffic that will be denied
at a remote destination should not be forwarded using network resources along the route
to that destination.
Every ACL should be placed where it has the greatest impact on efficiency. As shown in
the figure, the basic rules are:
 Extended ACLs - Locate extended ACLs as close as possible to the source of the
traffic to be filtered. This way, undesirable traffic is denied close to the source
network without crossing the network infrastructure.
 Standard ACLs - Because standard ACLs do not specify destination addresses,

place them as close to the destination as possible. Placing a standard ACL at the
source of the traffic will effectively prevent that traffic from reaching any other
networks through the interface where the ACL is applied.

Placement of the ACL and therefore, the type of ACL used may also depend on:
 The extent of the network administrator’s control - Placement of the ACL can
depend on whether or not the network administrator has control of both the source
and destination networks.
 Bandwidth of the networks involved - Filtering unwanted traffic at the source

prevents transmission of the traffic before it consumes bandwidth on the path to a
destination. This is especially important in low bandwidth networks.
 Ease of configuration - If a network administrator wants to deny traffic coming

from several networks, one option is to use a single standard ACL on the router
closest to the destination. The disadvantage is that traffic from these networks will
use bandwidth unnecessarily. An extended ACL could be used on each router where
the traffic originated. This will save bandwidth by filtering the traffic at the source
but requires creating extended ACLs on multiple routers.
Fig 2.7 ACL Placement

2.7 STANDARD ACL PLACEMENT
The topology in the figure is used to demonstration how a standard ACL can be placed.
The administrator wants to prevent traffic originating in the 192.168.10.0/24 network
from reaching the 192.168.30.0/24 network.
Following the basic placement guidelines of placing the standard ACL close to the
destination, the figure shows two possible interfaces on R3 to apply the standard ACL:
 R3 S0/0/1 interface - Applying a standard ACL to prevent traffic from

192.168.10.0/24 from entering the S0/0/1 interface will prevent this traffic from
reaching 192.168.30.0/24 and all other networks reachable by R3. This includes the
192.168.31.0/24 network. Because the intent of the ACL is to filter traffic destined
only for 192.168.30.0/24, a standard ACL should not be applied to this interface.
 R3 G0/0 interface - Applying the standard ACL to traffic exiting the G0/0 interface
will filter packets from 192.168.10.0/24 to 192.168.30.0/24. This will not affect
other networks reachable by R3. Packets from 192.168.10.0/24 will still be able to
reach 192.168.31.0/24.
Fig 2.8 Standard ACL Placement

2.8 NUMBERED STANDARD IPv4 ACL SYNTAX
To use numbered standard ACLs on a Cisco router, you must first create the standard
ACL and then activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in
the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by
allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798
possible standard ACLs. These additional numbers are referred to as expanded IPv4
ACLs.
The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-

number { deny | permit | remark} source [ source-wildcard ][ log ]
Figure 1 provides a detailed explanation of the syntax for a standard ACL.
ACEs can permit or deny an individual host or a range of host addresses. To create a host
statement in numbered ACL 10 that permits a specific host with the IPv4 address
192.168.10.10, you would enter:
R1(config)# access-list 10 permit host 192.168.10.10
As shown in Figure 2, to create a statement that will permit a range of IPv4 addresses in a
numbered ACL 10 that permits all IPv4 addresses in the network 192.168.10.0/24, you
would enter:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
To remove the ACL, the global configuration no access-list command is used. Issuing
the show access-list command confirms that access list 10 has been removed.
Typically, when an administrator creates an ACL, the purpose of each statement is

known and understood. However, to ensure that the administrator and others recall the
purpose of a statement, remarks should be included. The remark keyword is used for

documentation and makes access lists a great deal easier to understand. Each remark is
limited to 100 characters. The ACL in Figure 3, although fairly simple, is used to provide
an example. When reviewing the ACL in the configuration using the show running-
config command, the remark is also displayed.
Fig 2.9 Standard ACL access-list Command Syntax

Fig 2.10 Removing an ACL
Fig 2.11 Reviewing the ACL

2.9 ROUTING PROCESSES AND ACLs
The figure shows the logic of routing and ACL processes. When a packet arrives at a
router interface, the router process is the same, whether ACLs are used or not. As a frame
enters an interface, the router checks to see whether the destination Layer 2 address
matches its interface Layer 2 address, or whether the frame is a broadcast frame.
If the frame address is accepted, the frame information is stripped off and the router
checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against
the statements in the list.
If the packet matches a statement, the packet is either permitted or denied. If the packet is
accepted, it is then checked against routing table entries to determine the destination
interface. If a routing table entry exists for the destination, the packet is then switched to
the outgoing interface, otherwise the packet is dropped.
Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the
packet is tested against the statements in the list.
If the packet matches a statement, it is either permitted or denied.
If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer
2 protocol and forwarded out the interface to the next device.
Fig 2.12 ACL and Routing Processes in a Router

CHAPTER 3:
METHODOLOGY
3.1 NETWORK DEVICES
3.1.1 Router
A router is a networking device that forwards data packets between computer

networks. Routers perform the traffic directing functions on the Internet. A data packet
is typically forwarded from one router to another router through the networks that
constitute an internetwork until it reaches its destination node. A network device that
forwards data packets from one network to another. Based on the address of the
destination network in the incoming packet and an internal routing table, the router
determines which port (line) to send out the packet (ports typically connect to Ethernet
cables).
Fig 3.1 CISCO Router 2811
Fig 3.2 Back Panel of CISCO Router 2811
The Config tab offers four general levels of configuration: global, routing, switching
(Cisco 1841 and Cisco 2811 only), and interface. To perform a global configuration,
click the GLOBAL button to expand the Settings button (if it has not already been
expanded). To configure routing, click the ROUTING button, and then choose Static or
RIP. To configure switching, click the SWITCHING button to expand the VLAN
Database button. To configure an interface, click the INTERFACE button to expand
the list of interfaces, and then choose the interface. Note that the Config tab provides
an alternative to the Cisco IOS CLI only for some simple, common features; to access
the full set of router commands that have been modeled you must use the Cisco IOS
CLI. Throughout your configurations in the Config tab, the lower window will display
the equivalent Cisco IOS commands for all your actions.
3.1.2 Switch
Fig 3.3 A CISCO Switch 2960
A network switch (also called switching hub, bridging hub, officially MAC bridge) is a
computer networking device that connects devices together on a computer network by
using packet switching to receive, process, and forward data to the destination device.
3.1.3 EndDevices
The network devices that people are most familiar with are called end devices. These
devices form the interface between the human network and the underlying
communication network. Some examples of end devices are:
 Computers, laptops, file servers, webservers.

3.2 CISCO PACKET TRACER
A CISCO packet tracer contains following mail tools.
1 Menu Bar This bar provides the File, Edit, Options, View, Tools,
Extensions, and Help menus. You will find basic
commands suchas Open, Save, Save as Print, and
Settings and Preferences in these menus. You will also
be able to access the ActivityWizard from the
Extensions menu.
2 Main Tool Bar This bar provides shortcut icons to the File
and Edit menu commands. This bar also
provides buttonsfor Copy, Paste, Undo, Redo,
Zoom, the Drawing Palette, and the Custom
Devices Dialog. On the right, you will also
find the Network Information button, which
you can use to enter adescription for the
current network (or any text you wish to
include).
3 Common Tools This bar provides access to these commonly used
Bar workspace tools: Select, Move Layout, Place Note,
Delete, Inspect, ResizeShape, Add Simple PDU,
and Add Complex PDU.
4 Logical/Physical You can toggle between the Physical Workspace and the
Workspace and Logical Workspace with the tabs on this bar. In Logical
Navigation Bar Workspace, this bar also allows you to go back to a
previous level in a cluster, createa New Cluster, Move
Object, Set Tiled Background, and Viewport. In Physical
Workspace, this bar allows you to navigate through
physical locations, create a New City, create a New
Building, create a New Closet, Move Object, apply a

Grid to the background, Set Background, and go to the

Working Closet.
5 Workspace This area is where you will create your network, watch
simulations, and view many kinds of information and
statistics.
6 Real- You can toggle between Real-time Mode and Simulation
time/Simulation Mode with the tabs on this bar. This bar also provides
Bar buttons to Power Cycle Devices and Fast Forward Time
as well as the Play Control buttons and the Event List
toggle button in Simulation Mode. Also, it contains a
clock that displays the relative Time in Real-time Mode
and Simulation Mode.
7 Network This box is where you choose devices and
Component Box connections to put into the workspace. It contains the
Device-Type Selection Box and the Device-Specific
Selection Box. There's a searchable field that allows
you to enter a device name to look for that
specificdevicequickly.
8 Device- This box contains the type of devices and connections

Type available in Packet Tracer. The Device-Specific
Selectio Selection Box will change depending on which type of
n Box device you choose.
9 Device- This box is where you choose specifically which devices
Specific you want to put on your network and which connections
Selection to make. In this box, you'll find devices that may have
Box already been obsolete. You have an option to hide legacy
equipment in the Preferences windowunder Options.

10 User Created This window manages the packets you put in the
Packet network during simulation scenarios. See the
Window* "Simulation Mode" section for more details.
Table 3.1 Components
3.3NETWORK TOPOLOGY
Fig 3.4 Topology

3.4 CONFIGURATION
3.4.1 ROUTER
Global Settings
In global settings, you can change the display name of the router as it appears on the
workspaceandthehostnameasitappearsintheCiscoIOS.Youcanalsomanipulatetherouterco
nfigurations files in these various ways:
 Erase the NVRAM (where the startup configuration is stored).
 Save the current running configuration to the NVRAM.
 Export the startup and running configuration to an external text file.
 Load an existing configuration file (in .txt format) into the startup configuration.
 Merge the current running configuration with another configuration file.
Fig 3.5 Router Global Settings

Algorithm Settings
In the Algorithm Settings, you can override the global Algorithm Settings by removing
the check mark Global Settings and then set your own values for the Half-Open
Session Multiplier, Maximum Number of Connections, Maximum Number of
Opened Sessions, and Maximum Retransmission Timeout in Milliseconds. For the
Cisco 1841 and Cisco 2811, you can also set the Storm Control Multiplier.
Fig 3.6 Router Algorithm Settings

VLAN Database Configuration (Cisco 1841 and Cisco 2811 only)
The Cisco 1841 and 2811 routers support VLAN configuration. You can manage the
VLANs on the router from the VLAN Database sub-panel. You can add VLANs by
entering a name and a VLAN number and pressing the Add button. You can see all
existing VLAN entries in the list below the button. You can remove a VLAN by
selecting it from the list and then pressing the Remove button.
Fig 3.7 Router VLAN Configuration

Interface Configuration
A router can support a wide range of interfaces including serial, modem, copper
Ethernet, and fiber Ethernet. Each interface type may have different configuration
options, but in general, you can set the Port Status (on or off), IP Address, Subnet
Mask, and Tx Ring Limit. For Ethernet interfaces, you can also set the MAC Address,
Bandwidth, and Duplex setting. For serial interfaces, you can set the Clock Rate
setting.
Fig 3.8 Router Interface Configuration

3.4.2 SWITCH
Configuring Switches
The Config tab for the switch offers three general levels of configuration: global,
switching, and interface. The global level offers the same settings as a router. The
routing level also offers the same configuration parameters as a router. The switching
level, however, is where you can manage the VLAN database of the switch. The
interface level configurations also offer access to the VLAN settings of the switch.
Note that the Config tab provides an alternative to the Cisco IOS CLI only for some
simple, common features; to access the full set of switch commands that have been
modeled you must use the Cisco IOS CLI.
Throughout your configurations in the Config tab, the lower window will display the
equivalent Cisco IOS commands for all your actions.
Global Settings
In global settings, you can change the switch display name as it appears on the
workspace and the hostname as it appears in the Cisco IOS. You can also
manipulate the switch configuration files in these various ways:
 Erase the NVRAM (where the startup configuration is stored).

 Save the current running configuration to the NVRAM.
 Export the startup and running configuration to an external text file.
 Load an existing configuration file (in .txt format) into the startup configuration.
 Merge the current running configuration with another configuration file.

Fig 3.9 Switch Global Settings
Algorithm Settings
In the Algorithm Settings, you can override the global Algorithm Settings by removing
the check mark Global Settings and then set your own values for the Maximum
Number of Connections, Maximum Number of Opened Sessions, and Storm Control
Multiplier. For the Cisco Catalyst 3560-24PS, you can also set the Half-Open Session
Multiplier.

Fig 3.10 Switch Algorithm Settings
VLAN Database Configuration

You can manage the VLANs of the switch from the VLAN Database sub-panel.
You can add VLANs by entering a name and a VLAN number and pressing the Add
button. You can see all existing VLAN entries in the list below the button. You can
remove a VLAN by selecting it fromthe list and then pressing the Remove button.
To associate a particular interface with a VLAN, go to the configuration panel of that
interface.

Fig 3.11 Switch VLAN Configuration
Interface Configuration
Switches have only Ethernet-type interfaces. For each interface, you can set the
Port Status (on or off), Bandwidth, Duplex setting, VLAN Switch Mode, and
Tx Ring Limit. By default, an interface is a VLAN access port assigned to VLAN
1. You can use the drop-down menu on the right side of the screen to reassign the
port to another existing VLAN. You can also change an interface into a VLAN
trunk port, and then use the drop-down menu on the right to select the VLANs you
want that trunk to handle.

Fig 3.12 Switch Interface Configuration

CHAPTER 4
RESULTS AND DESCRIPTION
4.1 IP CONFIGURATION OF PCS
4.1.1 IP Configuration of PC0
Fig 4.1 IP Configuration of PC0




4.2 IP CONFIGURATION OF SERVERS
4.2.1 IP Configuration of Server0
Fig 4.9 IP Configuration of Server0


4.3 TOPOLOGY
Fig 4.12 Topology

4.4 SYSTEM DESIGN AND IMPLEMENTATION

4.4.1 TODO
Part 1: Design the Standard ACL Scheme
Part 2: Assign IP Addresses to Devices and Verify Connectivity Background In this

activity, you are given a /24 network address to use to design a Standard ACL scheme.
Based on a set of requirements, you will assign subnets and address, configure devices
and verify connectivity.
Part 1: Design the Standard ACL network Scheme
Step 1: Divide the network based on the number of routers.
 Use the first router to accommodate the switch.
 Use the second router to accommodate the second switch.
 Use the third router to accommodate the third switch.

 Use the first switch to accommodate the PC0 & PC1.
 Use the second switch to accommodate the PC2 & PC3.
 Use the third switch to accommodate the PC4 & PC5.
 Use the fourth switch to accommodate the PC6 & PC7.
 Use the fifth switch to accommodate the Server0, Server1 & Server2.
Step 2: Document the Standard ACL addresses. Complete the addressing table.
Step 3: Document the addressing scheme for Routers.
 Assign the first usable IP addresses to Router 1.
 Assign the second usable IP addresses to Router 2.
 Assign the Third usable IP addresses to Router 3.

Part 2: Assign IP Addresses to Devices and Verify Connectivity Most of the IP

addressing is already configured on this network. Implement the following steps to
complete the addressing configuration.
Step 1: Configure IP addresses on Router interfaces.
Step 2: Configure IP addressing on, including the default gateway.
Step 3: Verify connectivity. You can only verify connectivity from, and. However, you
should be able to ping every IP address listed in the Addressing Table.
Addressing Table
Device Interface IP Address Subnet Mask Default

Gateway
Router 0 S 0/0/0 192.168.1.1 255.255.255.0 NA
F 0/0 192.168.3.1 255.255.255.0 NA
Router 1 S 0/0/0 192.168.1.2 255.255.255.0 NA
S 0/1/0 192.168.2.1 255.255.255.0 NA
F 0/0 192.168.4.1 255.255.255.0 NA
F 0/1 192.168.5.1 255.255.255.0 NA
F 1/0 192.168.6.1 255.255.255.0 NA
Router 2 S 0/0 192.168.2.1 255.255.255.0 NA
F 0/0 192.168.7.1 255.255.255.0 NA
S0 VLAN1 192.168.3.11 255.255.255.0 192.168.3.1

S1 VLAN1 192.168.4.11 255.255.255.0 192.168.4.1
S2 VLAN1 192.168.5.11 255.255.255.0 192.168.5.1
S3 VLAN1 192.168.6.11 255.255.255.0 192.168.6.1
S4 VLAN1 192.168.7.11 255.255255.0 192.168.7.1
PC0 NIC 192.168.3.2 255.255.255.0 192.168.3.1
PC1 NIC 192.168.3.3 255.255.255.0 192.168.3.1
PC2 NIC 192.168.4.2 255.255.255.0 192.168.4.1
PC3 NIC 192.168.4.3 255.255.255.0 192.168.4.1
PC4 NIC 192.168.5.2 255.255.255.0 192.168.5.1
PC5 NIC 192.168.5.3 255.255.255.0 192.168.5.1
PC6 NIC 192.168.6.2 255.255.255.0 192.168.6.1
PC7 NIC 192.168.6.3 255.255.255.0 192.168.6.1
S0 NIC 192.168.7.2 255.255.255.0 192.168.7.1
S1 NIC 192.168.7.3 255.255.255.0 192.168.7.1
S2 NIC 192.168.7.4 255.255.255.0 192.168.7.1
Table 4.1 Addressing Table

4.5 PROGRAM
Router0
Router>enable
Router#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#in
Router(config)#interface fas
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip ad
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Router(config)#exit
Router#config
Router(config)#ip dh
Router(config)#ip dhcp po
Router(config)#ip dhcp pool college1
Router(dhcp-config)#net
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.1
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.3.1
Router(config)#interface serial 0/0/0


Router(config-if)#clo
Router(config-if)#clock rate 64000
Router(config)#exit
Router#
Router 1
Router>en
Router>enable
Router#confi
Router#configure
Router(config)#inter
Router(config)#interface s0/0/0
Router(config)#interface seria
Router(config-if)#ip add
Router(config-if)# exit
Router(config)#clock rat
Router(config)#int
Router(config)#interface .


Router(config-if)#clock ra
Router(config-if)#clock rate 64000
Router(config)#int
Router(config)#interface
% Incomplete command.
Router(config)#int
Router(config)#interface f
Router(config)#ip dhcp
Router(config)#ip dhcp po
Router(dhcp-config)#network 192.168.4.0 255.255./255.0
Router(dhcp-config)#def
Router(config)#ip dhcp
Router(config)#ip dhcp ex
Router(config)#exit

Router#
Router(config)#int
Router(config)#interface fast
% 192.168.6.0 overlaps with FastEthernet1/0
Router(config-if)#interface fastEthernet 0/1
Router(config)#ip dch
Router(config)#ip dhc
Router(config)#exit
Router#con
Router#conf
Router#configure t
Router(config)#in
Router(config)#interface f
Router(config)#interface fastEthernet

Router(config)#ip dh
Router(dhcp-config)#de
Router(dhcp-config)#ip dhc
Router(config)#exit
Router2
Router>en
Router>enable
Router#conf
Router#configure
Router(config)#interface fast

Router(config)#ip dhcp p
Router(config)#ip dhcp poo
Router(dhcp-config)#de
Router(dhcp-config)#ip dhcp ex
Router(config)#ip dhc
Router(config)#exit

4.6 SIMULATION
Fig 4.13 Simulation

4.7 Pinging the PCs

4.7.1 Pinging PC1 to PC4
After pinging the PC1 would not be able send data packets to PC4 but can send to all
other hosts
Fig 4.14 Pinging PC1 to PC4
4.7. 2 Pinging PC4 to PC1

After pinging the PC4 would not be able send data packets to PC1
4.15 Pinging PC4 to PC1

CHAPTER 5
CONCLUSIONS & FUTURE ENHANCEMENTS
5.1 ADVANTAGES OF ACL
 Improve network performance.

 Provides security as administrator can configure the access list according to the
needs and deny the unwanted packets from entering the network.
 Provides control over the traffic as it can permit or deny according to the need of
network.
5.2 APPLICATIONS AND FEATURES ACL

1. Standard Access-list is generally applied close to destination (but not always).
2. In standard access-list, whole network or sub-network is denied.
3. Standard access-list uses the range 1-99 and extended range 1300-1999.
4. Standard access-list is implemented using source IP address only.
5. If numbered with standard Access-list is used then remember rules can‟t be
deleted. If one of the rule is deleted then the whole access-list will be deleted.
6. If named with standard Access-list is used then you have the flexibility to delete a
rule from access-
5.3 CONCLUSION
 ACLs will check packets for certain conditions.
 Standard ACLs test simple conditions.
 Extended ACLs test complex conditions.
 Define ACL –apply to interface.
 Place ACLs sensibly.
 Be sure to order ACLs sensibly too!

REFERENCES
 https://www.netacad.com/
 https://static-course-assets.s3.amazonaws.com/RSE6/en/index.html#7.0.1.1
 https://www.youtube.com/watch?v=FabVhn_HprI
 https://www.youtube.com/watch?v=3cGVILu86GU
 https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v421/com
mand/reference/cmdref/std_acl.html


Final Document Changed

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Final Document Changed

Diunggah oleh

Hak Cipta:

Format Tersedia

Implementation of standard ACL

1.1 INTRODUCTION TO NETWORKING

NETWORKS SUPPORT THE WAY WE LEARN

NETWORKS SUPPORT THE WAY WE COMMUNICATE

Dept. of ECE, VJIT 1

Some forms of communication include:

● Texting – Texting enables instant real-time communication between two or more

● Collaboration Tools - Without the constraints of location or time zone, collaboration

● Podcasting - Podcasting allows people to deliver their audio recordings to a wide

Dept. of ECE, VJIT 2

NETWORKS SUPPORT THE WAY WE WORK

The use of networks to provide efficient and cost-effective employee training is

NETWORKS SUPPORT THE WAY WE PLAY

Whatever form of recreation we enjoy, networks are improving our experience.

Dept. of ECE, VJIT 3

NETWORKS OF MANY SIZES

Simple networks installed in homes enable sharing of resources, such as printers,

Fig 1.1 Small home network

Dept. of ECE, VJIT 4

Fig 1.2 Small office/Home office network

Fig 1.3 Medium to Large networks

Dept. of ECE, VJIT 5

Fig 1.4 World Wide network

CLIENTS AND SERVERS

Dept. of ECE, VJIT 6

Fig 1.5 Clients and Servers

Fig 1.6 Peer-to-Peer

Dept. of ECE, VJIT 7

The network infrastructure contains three categories of network components:

Fig 1.7 Components of a Network – Devices

Dept. of ECE, VJIT 8

● Metallic wires within cables - data is encoded into electrical impulses

● Wireless transmission - data is encoded using wavelengths from the electromagnetic

Fig 1.8 Network Media

Dept. of ECE, VJIT 9

● Size of the area covered

● Number of users connected

● Number and types of services available

Other types of networks include:

● Metropolitan Area Network (MAN) - A network infrastructure that spans a physical

● Storage Area Network (SAN) - A network infrastructure designed to support file

Dept. of ECE, VJIT 10

Fig 1.9 Types of Networks

Dept. of ECE, VJIT 11

Fig 1.10 Collection of interconnected LANs and WANs

INTRANETS AND EXTRANETS

● A company that is providing access to outside suppliers and contractors.

● A hospital that is providing a booking system to doctors so they can make

Dept. of ECE, VJIT 12

Fig 1.11 Overview of the Internet, Intranet, and Extranet

• Explain the purpose and operation of ACLs in small to medium-sized business

• Compare standard and extended IPv4 ACLs.

• Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business

• Configure IPv6 ACLs.

• Compare IPv4 and IPv6 ACL creation.

• Configure IPv6 ACLs to filter traffic according to networking requirements.

Dept. of ECE, VJIT 13

• Explain how a router processes packets when an ACL is applied.

• Troubleshoot common ACL errors using CLI commands.

Dept. of ECE, VJIT 14

Fig 2.1 Scenario of ACL

Dept. of ECE, VJIT 15

2.1ACCESS CONTROL LIST