Channel: Chris – Wendell's CCNA Skills Blog

Extended Named ACLs 1


Are you comfortable matching packets with extended ACLs? How about with TCP and UDP ports in those ACLs? Here’s a 10-minute lab exercise to practice; all you need is the time and a piece of paper or a place to type!

Requirements

Configure an extended access list that controls traffic as detailed in the following rules:

  • Create an extended named ACL, with name “ThisACL”, which performs the following functions:
    • Permit all traffic coming from the telnet, SSH and SNMP server at address 10.0.3.100, going to the 20.0.2.0/24 subnet displayed in the figure
    • Block all other traffic coming from telnet, SSH, and SNMP servers in the 10.0.3.0/24 subnet, going to the 20.0.2.0/24 subnet
    • Permit all other traffic
  • Apply the ACL on the appropriate device per the figure
  • Assume all router interfaces shown in the lab are up, working and have correct IP addresses assigned
  • Assume routing between all devices is configured and operational


Figure 1: Two Router ROAS Topology


Initial Configuration

Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, SW1 and SW2.

Example 1: R1 Config

hostname R1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.1
 encapsulation dot1q 10
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 encapsulation dot1q 20
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
 encapsulation dot1q 30
 ip address 10.0.3.1 255.255.255.0
!
router eigrp 10
 network 0.0.0.0


Example 2: R2 Config

hostname R2
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.1
 encapsulation dot1q 10
 ip address 20.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 encapsulation dot1q 20
 ip address 20.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
 encapsulation dot1q 30
 ip address 20.0.3.1 255.255.255.0
!
router eigrp 10
 network 0.0.0.0


Example 3: SW1 Config

hostname SW1
!
vlan 10,20,30
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0
 switchport access vlan 30


Example 4: SW2 Config

hostname SW2
!
vlan 10,20,30
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0
 switchport access vlan 30


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or, if you have some real gear or other tools, configure the lab with those tools.

To test your solution, if you happen to try it with VIRL or real gear, verify it with the show ip access-lists command (which also shows the match counter for each entry) and the show ip interface command (which shows where the ACL is applied and in which direction). If possible, you could also add hosts to the topology and generate the traffic each rule describes to ensure the access list is working as expected.
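If you have no gear handy, here is an added way to check a paper answer with a little more rigor. This script is an editor's addition and is not part of Wendell's lab or of the .VIRL file. It parses the entries of a named extended ACL as you would type them on the router, evaluates constructed packets against them with first-match and implicit-deny semantics, and keeps a per-entry match counter like the one show ip access-lists prints. The packets in LAB_CASES are built from the requirements above; they assume telnet is TCP 23, SSH is TCP 22 and SNMP is UDP 161, and the ephemeral client ports are made up. The CANDIDATE entries are one possible reading of the requirements, included only so the script runs: write your own answer first, then paste it in place of CANDIDATE. Which device and interface the ACL belongs on is not modeled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port names IOS accepts in place of numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161, "www": 80, "domain": 53}

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]        # (address, wildcard) as integers
    sport: Optional[int]        # source port from "eq", if any
    dst: Tuple[int, int]
    dport: Optional[int]
    hits: int = 0               # the "(n matches)" counter of show ip access-lists

def _addr(tokens, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _port(tokens, i):  # optional 'eq <number|name>' at tokens[i]
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text: str) -> List[Ace]:
    """Parse a named extended ACL; the header line, remarks and '!' are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.lstrip(" 0123456789").split()   # drop a leading sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces

def _match_addr(spec: Tuple[int, int], ip: str) -> bool:
    addr, wild = spec                       # a 1 bit in the wildcard means "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl: List[Ace], pkt: Packet):
    """Return (action, index of the matching ACE); index None is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if (ace.sport is not None and ace.sport != pkt.sport) or \
           (ace.dport is not None and ace.dport != pkt.dport):
            continue
        ace.hits += 1
        return ace.action, idx
    return "deny", None                     # implicit deny at the end of every ACL

# Packets constructed from the lab requirements (the ephemeral client ports are made up).
LAB_CASES = [
    ("telnet server 10.0.3.100 replying to 20.0.2.11", Packet("tcp", "10.0.3.100", "20.0.2.11", 23, 50123), "permit"),
    ("SNMP agent 10.0.3.100 answering 20.0.2.11", Packet("udp", "10.0.3.100", "20.0.2.11", 161, 5001), "permit"),
    ("telnet server 10.0.3.11 replying to 20.0.2.11", Packet("tcp", "10.0.3.11", "20.0.2.11", 23, 50124), "deny"),
    ("SSH server 10.0.3.11 replying to 20.0.2.11", Packet("tcp", "10.0.3.11", "20.0.2.11", 22, 50125), "deny"),
    ("SNMP agent 10.0.3.11 answering 20.0.2.11", Packet("udp", "10.0.3.11", "20.0.2.11", 161, 5002), "deny"),
    ("telnet server 10.0.3.11 replying to 20.0.1.11 (other subnet)", Packet("tcp", "10.0.3.11", "20.0.1.11", 23, 50126), "permit"),
    ("web server 10.0.3.11 replying to 20.0.2.11 (port not in scope)", Packet("tcp", "10.0.3.11", "20.0.2.11", 80, 50127), "permit"),
    ("client 10.0.3.11 opening telnet TO 20.0.2.11 (ephemeral source port)", Packet("tcp", "10.0.3.11", "20.0.2.11", 50128, 23), "permit"),
]

def check_lab(acl: List[Ace]) -> List[str]:
    """Names of the cases whose result differs from what the requirements call for."""
    return [desc for desc, pkt, want in LAB_CASES if evaluate(acl, pkt)[0] != want]

# One possible rendering of the requirements, an assumption included so the script runs.
ENTRIES = [
    "permit ip host 10.0.3.100 20.0.2.0 0.0.0.255",
    "deny tcp 10.0.3.0 0.0.0.255 eq telnet 20.0.2.0 0.0.0.255",
    "deny tcp 10.0.3.0 0.0.0.255 eq 22 20.0.2.0 0.0.0.255",
    "deny udp 10.0.3.0 0.0.0.255 eq snmp 20.0.2.0 0.0.0.255",
    "permit ip any any",
]
CANDIDATE = "ip access-list extended ThisACL\n " + "\n ".join(ENTRIES)
# Same entries with the host permit moved below the subnet denies; first match wins.
MISORDERED = "ip access-list extended ThisACL\n " + "\n ".join(ENTRIES[1:4] + [ENTRIES[0], ENTRIES[4]])
```

Calling check_lab(parse_acl(CANDIDATE)) returns an empty list, while check_lab(parse_acl(MISORDERED)) returns the two cases for 10.0.3.100: once the subnet deny entries sit ahead of the host permit, the first matching entry wins and the server you meant to exempt is blocked. The last case is worth a second look as well. "Traffic coming from the telnet server" means matching the server's source port, so these entries stop replies from 10.0.3.0/24 servers to clients in 20.0.2.0/24 (sessions opened from 20.0.2.0/24 toward those servers), while a client in 10.0.3.0/24 opening telnet to a host in 20.0.2.0/24 uses an ephemeral source port and passes untouched.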


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here, when loaded in VIRL, builds a lab topology similar to this lab's topology, with the initial configuration shown in the lab. This section lists any differences between the lab exercise and the .VIRL file's topology and configuration.

Download this lab’s VIRL file!

The VIRL topology matches this lab topology exactly. The host info does as well.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device    IP Address    User/password
PC1       10.0.1.11     cisco/cisco
PC2       10.0.2.11     cisco/cisco
PC3       10.0.3.11     cisco/cisco
PC4       20.0.1.11     cisco/cisco
PC5       20.0.2.11     cisco/cisco
PC6       20.0.3.11     cisco/cisco

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: telnet 10.1.1.1
