
Aim : Create Standard Access Control List (ACL) and apply on interface

Cables : 1 Cross over, 4 Straight through cable

Devices :

Name                  Quantity
Switch ( 2960 )       1
Router ( 2621XM )     1
Server (Server PT)    1
PC                    3

Test : Deny access for PC 2 to Server.

Configuration :

1) First create the basic physical connection of 1 switch, 1 Router, 1 Server & 3 PC using cables.

Figure 1 : Physical Connection

2) Assign an IP address to each PC. Use IP addresses from the same network only, e.g. 192.168.1.1, 192.168.1.2, 192.168.1.50

3) Double click on PC 1

Figure 2 : Assigning IP address to PC

In the same window, click on the Desktop tab, select IP Configuration and assign the IP address to that PC. When the IP address is complete, press the Tab key; the default subnet mask for that IP address will appear automatically, as shown below.

Figure 3: IP address & Subnet mask

4) After assigning IP addresses to all PCs, the scenario will be:

Figure 4 : Assigning IP address

5) Assign an IP address to the router interface ( FastEthernet 0/0 ) which is connected to the switch using a straight through cable.

(a) Click on the router; in the same window select the CLI tab.

Figure 5: Selecting CLI tab

(b) Follow sequence of command.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#interface fastEthernet 0/0
    Router(config-if)#ip address <IP ADDRESS> <SUBNET MASK>
    Router(config-if)#ip address 192.168.10.10 255.255.255.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    Router(config-if)#

6) Assigning Default Gateway to every PC. The default gateway is the same for all PCs: the IP address of router interface Fa 0/0.

(a) Click on PC --> Desktop tab --> Default Gateway

Figure 6: Assigning Default gateway

(b) Assign the Default Gateway to all PCs using the same method.

(c) The link between Router & Switch comes up & turns green.

7) A router is used to connect different networks, so the other interface of the router needs a different network address. Choose any network address other than the 192.168.10.0 Class C network, e.g. the Class B network 172.16.0.0

(a) Click on the router; in the same window select the CLI tab.

(b) Follow sequence of command.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#interface fastethernet 0/1
    Router(config-if)#ip address <IP ADDRESS> <SUBNET MASK>
    Router(config-if)#ip address 172.16.99.100 255.255.0.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    Router(config-if)#

8) Assigning IP address to server. The server is connected to router interface FastEthernet 0/1, so it takes an IP address from the same Class B network, i.e. network 172.16.0.0. Let's give the server the IP address 172.16.99.99

(a) Click on Server --> Desktop --> IP configuration

(b) Assign IP address 172.16.99.99

(c) Subnet Mask 255.255.0.0

(d) Default Gateway 172.16.99.100 ( IP address of connecting router interface )

Figure 3 : Server configuration

9) Verify that each PC can ping the Server.

(a) Click on PC1 --> Desktop --> Command Prompt

(b) Type command ping <Server IP Address>

    PC>ping 172.16.99.99

    Pinging 172.16.99.99 with 32 bytes of data:

    Reply from 172.16.99.99: bytes=32 time=94ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=78ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=94ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=80ms TTL=127

    Ping statistics for 172.16.99.99:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 78ms, Maximum = 94ms, Average = 86ms

(c) Follow the above procedure for each PC.

10) Creating Standard Access List.

(a) Click Router --> CLI

(b) Follow sequence of command.

    Router>
    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#ip access-list <access-list type> <ACL No>
    Router(config)#ip access-list standard 1
    Router(config-std-nacl)#deny host 192.168.10.2
    Router(config-std-nacl)#permit host 192.168.10.1
    Router(config-std-nacl)#permit host 192.168.10.3
    Router(config-std-nacl)#exit
    Router(config)#

11) Applying Access List on interface of router. A standard access list is applied close to the destination. The destination is the Server & the closest interface is FastEthernet 0/1.

(a) Click on Router --> CLI tab

(b) Follow sequence of command.

    Router>
    Router>
    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#interface fastethernet 0/1
    Router(config-if)#ip access-group <access-list number> <in or out direction of packet>
    Router(config-if)#ip access-group 1 out
    Router(config-if)#

(c) Access list number 1 is applied on FastEthernet 0/1 in the out direction.

12) Verify the access list by using the command show access-lists

    Router#show access-lists
    Standard IP access list 1
        deny host 192.168.10.2
        permit host 192.168.10.1
        permit host 192.168.10.3
    Router#

13) Ping from host 192.168.10.2 to server 172.16.99.99 is not possible.

    Packet Tracer PC Command Line 1.0
    PC>ping 172.16.99.99

    Pinging 172.16.99.99 with 32 bytes of data:

    Reply from 192.168.10.10: Destination host unreachable.
    Reply from 192.168.10.10: Destination host unreachable.
    Reply from 192.168.10.10: Destination host unreachable.
    Reply from 192.168.10.10: Destination host unreachable.

    Ping statistics for 172.16.99.99:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    PC>

14) Ping from host 192.168.10.1 to server is possible.

    PC>ping 172.16.99.99

    Pinging 172.16.99.99 with 32 bytes of data:

    Reply from 172.16.99.99: bytes=32 time=81ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=94ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=93ms TTL=127
    Reply from 172.16.99.99: bytes=32 time=94ms TTL=127

    Ping statistics for 172.16.99.99:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 81ms, Maximum = 94ms, Average = 90ms

    PC>

15) Ping from host 192.168.10.3 to server is possible.

Mayur M.Jadhav SAOE (BEIT) jadhavmayurm@gmail.com 2010-11
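
Added example (not part of the original lab sheet): a small Python model of how the router evaluates ACL 1 from steps 10 to 15, where the first matching entry wins and anything unmatched falls to the implicit deny. The function names are hypothetical helpers, not Cisco tooling, and 192.168.10.50 is a constructed host that is not in the lab topology.

```python
import ipaddress

# ACL 1 from step 10 of this lab, with the third entry written as
# 192.168.10.3 (the host that step 15 pings from). Standard ACL: source only.
ACL_1 = """\
deny host 192.168.10.2
permit host 192.168.10.1
permit host 192.168.10.3
"""

def parse_standard_acl(text):
    """Turn 'permit|deny host A', '... A WILDCARD' or '... any' lines into rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, spec = parts[0], parts[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {line!r}")
        if spec == ["any"]:
            addr, wildcard = 0, 0xFFFFFFFF
        elif len(spec) == 2 and spec[0] == "host":
            addr, wildcard = int(ipaddress.IPv4Address(spec[1])), 0
        elif len(spec) == 2:
            addr = int(ipaddress.IPv4Address(spec[0]))
            wildcard = int(ipaddress.IPv4Address(spec[1]))
        else:
            raise ValueError(f"bad entry: {line!r}")
        rules.append((action, addr, wildcard))
    return rules

def evaluate(rules, source):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for index, (action, addr, wildcard) in enumerate(rules, start=1):
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        if (src | wildcard) == (addr | wildcard):
            return action, f"entry {index}"
    return "deny", "implicit deny"

def check_sources(acl_text, sources):
    rules = parse_standard_acl(acl_text)
    return {s: evaluate(rules, s) for s in sources}

if __name__ == "__main__":
    hosts = ["192.168.10.1", "192.168.10.2", "192.168.10.3", "192.168.10.50"]
    for src, verdict in check_sources(ACL_1, hosts).items():
        print(src, *verdict)
```

Because a standard ACL matches on source address only, ACL 1 applied outbound on FastEthernet 0/1 blocks PC 2 from every destination behind that interface, not just the server. A mistyped address in a permit entry leaves the intended host unmatched, so it is dropped by the implicit deny.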
