Cisco Training 200-125 CCNA v3.0. Day 27 Introduction to ACL. Part 2

Another thing I forgot to mention: an ACL does not only filter traffic on an allow/deny basis; it serves several other purposes. For example, an ACL is used to select which traffic a VPN tunnel encrypts, but to pass the CCNA exam it is enough to know how it is used to filter traffic. Let's go back to Task #1.

We found that all accounting and sales traffic can be blocked on R2's outgoing interface using the ACL above.

Don't worry about the format of this list; it is only here as an example to understand the essence of an ACL. We'll move on to the correct syntax once we get to Packet Tracer.

Task #2 is: the server room can communicate with any hosts except those of the management department. That is, the server room computers may access any computers of the sales and accounting departments, but must not have access to the computers of the management department. This means that the IT staff in the server room should not have remote access to the computer of the head of the management department; if there is a problem, they have to come to his office and fix it on the spot. Note that this task makes no practical sense, because I do not know why the server room could not talk to the management department over the network, so we are simply considering a case study.

To solve this task, you first need to determine the path the traffic takes. Data from the server room enters router R1 on the G0/1 input interface and leaves towards the management department through the G0/0 output interface.

If we applied the condition Deny 192.168.1.192/27 to the input interface G0/1, we would block all traffic from the server room, including traffic to the sales and accounting departments. Remember that a standard ACL matches only the source address, which is why it is placed as close to the destination as possible.

Since we only want to block traffic headed for the management department, we must apply the ACL to the G0/0 egress interface. This task can only be solved by placing the ACL closer to the destination. At the same time, traffic from the accounting and sales networks must reach the management department without hindrance, so the last line of the list will be Permit any, which allows any traffic except what the previous condition already denied.

Let's move on to Task #3: Laptop3 from the sales department must not be able to reach any devices other than those on the sales department's LAN. Let's assume an intern works at this computer and should not leave his LAN.
In this case you need to apply the ACL on the input interface G0/1 of router R2. If we give this computer the IP address 192.168.1.3 (in the 192.168.1.0/25 sales network), the list needs the condition Deny host 192.168.1.3, and traffic from any other IP address must not be blocked, so the last line of the list will be Permit any.

This ban will not affect Laptop2's traffic at all.

Next is Task #4: only PC0 from the finance department may access the server network, but not the management department.

If you remember, the ACL from Task #1 blocks all outgoing traffic on R2's S0/1/0 interface, but Task #4 says that only PC0's traffic must pass, so we need to make an exception.

All the tasks we are solving now should help you in a real situation when setting up an ACL for an office network. For convenience I used the classic notation, but I advise you to write all the lines by hand on paper or type them on a computer so you can correct your notes. In our case, a classic ACL was compiled according to the conditions of Task #1. If we want to add a Permit exception for PC0 to it, we can only place this line fourth in the list, after the Permit any line. However, since this computer's address falls within the range 192.168.1.128/26 checked by the Deny condition, its traffic is blocked as soon as that condition matches, and the router never reaches the fourth line that permits traffic from this IP address.
Therefore I will have to completely redo the ACL from Task #1: delete it and rebuild it starting with the line Permit host 192.168.1.130, which allows traffic from PC0, followed by the lines that deny all traffic from the accounting and sales departments.

Thus, the first line contains a command for a specific address, and the second a command for the whole network that address belongs to. If you use the modern ACL type, you can easily modify it by placing the line Permit host 192.168.1.130 as the first command. If you have a classic ACL, you will need to delete it completely and re-enter the commands in the correct order.

The solution to Task #4 is to place the line Permit host 192.168.1.130 at the top of the ACL from Task #1, because only then will PC0's traffic leave R2's output interface freely. PC1's traffic will be blocked completely, because its IP address falls under the deny in the second line of the list.

We will now move to Packet Tracer to make the necessary settings. I have already configured the IP addresses of all devices, because the simplified earlier diagrams were a little hard to follow. I also set up RIP between the two routers. In this topology, communication between the devices of all 4 subnets is possible without restrictions. But as soon as we apply the ACLs, the traffic will start being filtered.

I'll start on PC1 in the finance department and ping 192.168.1.194, the address of Server0 in the server room. As you can see, the ping succeeds without any problems. I also successfully ping Laptop0 in the management department. The first packet is lost while ARP resolves the next hop; the other 3 get through.

To set up traffic filtering, I go into the R2 router's settings, enter global configuration mode and create a modern-style (named) ACL. We also have the classic-style ACL 10. To create the first list, I enter a command specifying the same list name we wrote down on paper: ip access-list standard Secure_Ma_And_Se. After that, the system suggests the possible parameters: I can choose deny, exit, no, permit or remark, and I can also enter a sequence number from 1 to 2147483647. If I don't, the system assigns one automatically.

So I don't enter a number but go straight to the command permit host 192.168.1.130, since this permission applies to the specific device PC0. I could also express this with a wildcard (inverse) mask; I'll show how in a moment.

Next I enter the deny 192.168.1.128 command. Since this network is a /26, I use the wildcard mask and add it to the command: deny 192.168.1.128 0.0.0.63. This way I deny traffic from the network 192.168.1.128/26.

Similarly, I block traffic from the next network: deny 192.168.1.0 0.0.0.127. All other traffic is allowed, so I issue the permit any command. Next I have to apply this list to the interface, so I use the int s0/1/0 command. Then I type ip access-group Secure_Ma_And_Se and the system prompts for a direction: in for incoming packets and out for outgoing packets. We need to apply the ACL in the egress direction, so I use the ip access-group Secure_Ma_And_Se out command.

Let's go to the PC0 command line and ping 192.168.1.194, the address of Server0. The ping succeeds because we added a special ACL entry for PC0's traffic. If I do the same from PC1, the system reports "destination host unreachable", because traffic from the other accounting IP addresses is blocked from reaching the server network.

By entering the R2 router's CLI and typing show ip access-lists, you can see how the finance department's traffic was handled: the output shows how many times packets matched the permit entry and how many times they matched the deny entry.

We can always go into the router's settings and view the access list. Thus the conditions of Tasks #1 and #4 are met. Let me show you one more thing. If I want to fix something, I can enter global configuration mode on R2, enter the command ip access-list standard Secure_Ma_And_Se and then the command no permit host 192.168.1.130, i.e. "host 192.168.1.130 is no longer permitted".

If we look at the access list again, we see that line 10 has disappeared; only lines 20, 30 and 40 are left. So you can edit an ACL in the router's settings, but only if it is not in the classic form.

Now let's move on to the third ACL, because it also belongs on router R2. It says that no traffic from Laptop3 should leave the sales department network. At the same time, Laptop2 should communicate with the finance department's computers without problems. To check this, I ping 192.168.1.130 from that laptop and make sure everything works.

Now I'll go to the Laptop3 command line and ping 192.168.1.130. The ping succeeds, but that is not what we want: according to the task, Laptop3 may only communicate with Laptop2, which sits in the same sales department network. To achieve this, we need to create another ACL, this time using the classic method.

First I'll go back to the R2 settings and try to restore the deleted entry 10 with the permit host 192.168.1.130 command. You can see that this entry appeared at the end of the list as number 50. In this position the access still does not work, because the line permitting the specific host is at the end of the list while the line denying the whole network is above it. If we try to ping Laptop0 in the management department from PC0, we get "destination host unreachable", even though there is a permit entry for it in the ACL at number 50.

Therefore, if you want to edit an existing ACL, you need to enter the command no permit host 192.168.1.130 in R2's (config-std-nacl) mode, check that line 50 has disappeared from the list, and then enter the command 10 permit host 192.168.1.130. We see that the list has regained its original form, with this entry in the first line. Sequence numbers let you edit the list in any way, so the modern form of ACL is much more convenient than the classic one.

Now I'll show how the classic-form ACL 10 works. To use a classic list, you enter the access-list 10 ? command and, following the prompt, select the desired action: deny, permit or remark. I type access-list 10 deny, then the host address 192.168.1.3, and add the wildcard mask. Since this is a single host, the forward subnet mask is 255.255.255.255 and the wildcard is 0.0.0.0. As a result, to deny this host's traffic I must issue the command access-list 10 deny 192.168.1.3 0.0.0.0. After that you need to specify the permissions, for which I type access-list 10 permit any. This list must be applied to the G0/1 interface of router R2, so I enter the commands int g0/1 and ip access-group 10 in one after the other. Regardless of which list type is used, classic or modern, applying the list to an interface is done with the same commands.

To check that the settings are correct, I go to the Laptop3 command line and try to ping 192.168.1.130 - as you can see, the system reports that the destination host is unreachable.

Let me remind you that you can use either show ip access-lists or show access-lists to check the list. We have one more task to solve, which concerns router R1. To do this, I go to this router's CLI, enter global configuration mode and enter the ip access-list standard Secure_Ma_From_Se command. Since the network is 192.168.1.192/27, its subnet mask is 255.255.255.224, which means the wildcard mask is 0.0.0.31, and we need to enter deny 192.168.1.192 0.0.0.31. Since all other traffic is allowed, the list ends with permit any. To apply the ACL to the router's egress interface, I go to int g0/0 and use the ip access-group Secure_Ma_From_Se out command.

Now I'll go to Server0's command line and try to ping the management department's Laptop0 at 192.168.1.226. The attempt fails, but if I ping 192.168.1.130, the connection works without problems; that is, we have forbidden the server computer from communicating with the management department but allowed it to communicate with all other devices in the other departments. Thus we have successfully solved all 4 tasks.
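The rules behind all four tasks (first matching entry wins, an implicit deny at the end of every list, wildcard masks derived from the prefix length, and the sequence-number editing from the PC0 example) can be checked offline. The Python model below is an added example written for this article; it is not code from the original video or from Cisco. The three lists and the addresses 192.168.1.130 (PC0), 192.168.1.3 (Laptop3) and 192.168.1.194 (Server0) come from the text; the addresses used for PC1 (192.168.1.131) and Laptop2 (192.168.1.2) are assumptions, since the text does not state them.

```python
"""Model of an IOS standard ACL: first match wins, unmatched traffic hits the implicit deny."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask for a /prefix_len network, e.g. 26 -> '0.0.0.63'."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches(entry_addr: str, wildcard: str, src: str) -> bool:
    """A wildcard bit of 1 means 'do not care'; only the 0 bits must agree."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(entry_addr)) & care == int(ipaddress.IPv4Address(src)) & care


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    source: str      # IOS syntax: "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    hits: int = 0    # counter like the "(n match(es))" in 'show ip access-lists'

    def covers(self, src: str) -> bool:
        if self.source == "any":
            return True
        if self.source.startswith("host "):
            return matches(self.source[5:], "0.0.0.0", src)
        addr, wildcard = self.source.split()
        return matches(addr, wildcard, src)


class StandardAcl:
    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []

    def add(self, action: str, source: str, seq: int | None = None) -> None:
        """Without a sequence number IOS appends (next multiple of 10); with one it inserts in order."""
        if seq is None:
            seq = (self.entries[-1].seq // 10 + 1) * 10 if self.entries else 10
        self.entries.append(Entry(seq, action, source))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, action: str, source: str) -> None:
        self.entries = [e for e in self.entries if (e.action, e.source) != (action, source)]

    def evaluate(self, src: str) -> str:
        """First matching entry decides; a packet matching nothing is dropped (implicit deny)."""
        for entry in self.entries:
            if entry.covers(src):
                entry.hits += 1
                return entry.action
        return "deny"

    def show(self) -> str:
        lines = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            lines.append(f"    {e.seq} {e.action} {e.source}" + (f" ({e.hits} match(es))" if e.hits else ""))
        return "\n".join(lines)


def build_tasks() -> tuple[StandardAcl, StandardAcl, StandardAcl]:
    """The three lists from the article; the topology and non-listed host addresses are assumed."""
    secure_ma_and_se = StandardAcl("Secure_Ma_And_Se")                             # R2 s0/1/0 out: tasks 1 and 4
    secure_ma_and_se.add("permit", "host 192.168.1.130")                           # PC0 exception must come first
    secure_ma_and_se.add("deny", f"192.168.1.128 {wildcard_from_prefix(26)}")      # finance /26 -> 0.0.0.63
    secure_ma_and_se.add("deny", f"192.168.1.0 {wildcard_from_prefix(25)}")        # sales /25   -> 0.0.0.127
    secure_ma_and_se.add("permit", "any")
    acl10 = StandardAcl("10")                                                      # R2 g0/1 in: task 3
    acl10.add("deny", "host 192.168.1.3")                                          # Laptop3 (host == wildcard 0.0.0.0)
    acl10.add("permit", "any")
    secure_ma_from_se = StandardAcl("Secure_Ma_From_Se")                           # R1 g0/0 out: task 2
    secure_ma_from_se.add("deny", f"192.168.1.192 {wildcard_from_prefix(27)}")     # server room /27 -> 0.0.0.31
    secure_ma_from_se.add("permit", "any")
    return secure_ma_and_se, acl10, secure_ma_from_se


def ordering_mistake() -> tuple[str, str]:
    """Re-adding the PC0 permit without a sequence number lands it at 50, after the network deny."""
    acl, _, _ = build_tasks()
    acl.remove("permit", "host 192.168.1.130")
    acl.add("permit", "host 192.168.1.130")          # appended as seq 50
    appended = acl.evaluate("192.168.1.130")         # entry 20 matches first, so "deny"
    acl.remove("permit", "host 192.168.1.130")
    acl.add("permit", "host 192.168.1.130", seq=10)  # explicit sequence number puts it back on top
    return appended, acl.evaluate("192.168.1.130")


if __name__ == "__main__":
    ma_se, acl10, ma_from_se = build_tasks()
    for src in ("192.168.1.130", "192.168.1.131", "192.168.1.2", "192.168.1.194"):
        print("R2 s0/1/0 out", src, ma_se.evaluate(src))
    print(ma_se.show())
    print("PC0 after re-adding at 50, then at 10:", ordering_mistake())
```

Running the script prints the verdict for each source address and a show-style listing with hit counters; ordering_mistake() returns ("deny", "permit"), which is exactly the behaviour seen in Packet Tracer when entry 10 was restored at the end of the list and then moved back with an explicit sequence number.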

Let me show you one more thing. We go into the R2 router's settings, where we have 2 types of ACLs, classic and modern. Suppose I want to edit ACL 10, Standard IP access list 10, which in its classic form consists of two entries, 10 and 20. If you use the do show run command, you can see that first we have the modern access list of 4 entries without numbers under the common heading Secure_Ma_And_Se, and below it the two classic-form ACL 10 entries, each repeating the same access-list 10 prefix.

If I want to make changes, for example remove the deny host 192.168.1.3 entry and enter an entry for a device on a different network, I would want to delete only that entry: no access-list 10 deny host 192.168.1.3. But as soon as I enter this command, all entries of ACL 10 disappear completely. This is why the classic form of ACL is very inconvenient to edit. The modern notation is much more convenient to use, since it allows free editing.

To absorb the material of this video lesson, I advise you to watch it again and try to solve the tasks we considered yourself, without prompts. ACLs are an important topic in the CCNA course, and many people are confused by, for example, the procedure for building the inverse wildcard mask. I assure you, it is enough to understand the concept of mask conversion and everything becomes much easier. Remember that the most important thing for understanding CCNA topics is practical exercises, because only practice will help you understand this or that Cisco concept. Practice is not copy-pasting my commands, but solving tasks in your own way. Ask yourself questions: what needs to be done to block the flow of traffic from here to there, where to apply the conditions, and so on, and try to answer them.

Source: habr.com