Topic learning guide: ACLs
Preparation:
Watch the YouTube lecture "Standard ACLs - Part 1"
https://www.youtube.com/watch?v=a7ewUWSteBM
Watch the YouTube lecture "Standard ACLs - Part 2"
https://www.youtube.com/watch?v=JXHpuRDopl4
Download and read Cisco's document "Access Control Lists: Overview and Guidelines"
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1000939
Download and read the SANS document "Easy steps to Cisco Extended ACLs"
https://www.sans.org/reading-room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list-231
Watch the YouTube lecture "Extended ACL for Cisco CCNA - part 1"
https://www.youtube.com/watch?v=FIVJUx1k3xA
Watch the YouTube lecture "Extended ACL for Cisco CCNA - part 2"
https://www.youtube.com/watch?v=aSkv5-0S0ZM
Test your understanding
You should now be able to answer the following short answer questions.
1. What are the two main types of ACLs in Cisco?
2. Name two types of network devices that an ACL can be applied to.
3. What are the two main statements used to allow access or restrict access in an ACL?
4. What parameter(s) in the IP packet are used by standard ACLs to make decisions about what to do with the packet?
5. If I have multiple entries in an access control list, in what order are the individual ACEs (access control entries) processed?
6. How does an ACL wildcard relate to a subnet mask?
7. What is the ACL wildcard I would need to apply to packets from an IP address with a subnet mask of 255.255.255.0?
8. What parameters in an IP packet can be used by extended ACLs to make decisions about what to do with the packet?
9. After I have created an access list, what do I need to apply it to on the router?
10. What is the Cisco IOS command to view access lists?
Lab
For this lab, you need to complete labs 12.1 and 12.2 in the book Todd Lammle, CCNA Routing and Switching Study Guide, Sybex, 2013. (A copy of the pages describing this lab is provided for your convenience; see the Word files Lab12.1 and Lab12.2.)
Once you have completed your labs, save your files as Lab3.pkt
Written Lab 12
The answers to this lab can be found in Appendix A, "Answers to Written Labs". In this section, write the answers to the following questions:
1. What command would you use to configure a standard IP access list to prevent all machines on network 172.16.0.0/16 from accessing your Ethernet network?
2. What command would you use to apply the access list you created in question 1 to an Ethernet interface outbound?
3. What command(s) would you use to create an access list that denies host 192.168.253 access to an Ethernet network?
4. Which command verifies that you've entered the access list correctly?
5. What two tools can help notify and prevent DoS attacks?
6. What command(s) would you use to create an extended access list that stops host 172.16.10.1 from telnetting to host 172.16.30.5?
7. What command would you use to set an access list on a VTY line?
8. Write the same standard IP access list you wrote in question 1, but this time as a named access list.
9. Write the command to apply the named access list you created in question 8 to an Ethernet interface outbound.
10. Which command verifies the placement and direction of an access list?
Hands-on Labs
In this section, you will complete two labs. To complete these labs, you will need at least three routers. You can easily perform these labs with the Cisco Packet Tracer program. If you are studying to take your Cisco exam, you really need to do these labs!
Lab 12.1: Standard IP Access Lists
Lab 12.2: Extended IP Access Lists
Lab 2
At this point, you can add the eq telnet command to filter host 192.168.10.2 from telnetting to 172.16.10.6. The log command can also be used at the end of the command so that whenever the access-list line is hit, a log will be generated on the console.
SF(config)#access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 eq telnet log
It is important to add this line next to create a permit statement. (Remember that 0.0.0.0 255.255.255.255 is the same as the any command.)
SF(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
You must create a permit statement; if you just add a deny statement, nothing will be permitted at all. Please see the sections earlier in this chapter for more detailed information on the deny any command implied at the end of every ACL.
Apply the access list to the FastEthernet0/0 on SF to stop the Telnet traffic as soon as it hits the first router interface.
SF(config)#int f0/0
SF(config-if)#ip access-group 110 in
SF(config-if)#^Z
Try telnetting from host 192.168.10.2 to LA using the destination IP address of 172.16.10.6. This should fail, but the ping command should work.
On the console of SF, because of the log command, the output should appear as follows:
01:11:48: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 1 packet
01:13:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 3 packets
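As an added worked example (not from the lab or Lammle's book), the following Python models how IOS evaluates a numbered ACL: the wildcard derived from a subnet mask (question 7), top-down first-match processing of ACEs (question 5), and the implied deny any at the end that the lab's permit statement exists to override. The parser, the port table and the sample packets are constructed here for illustration.

```python
import ipaddress

PORTS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}   # small constructed name->port table

def wildcard_from_mask(mask):
    """Cisco wildcard is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def _match(addr, net, wildcard):
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits must equal the network."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def _take_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of token list t."""
    tok = t.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"   # 'any' == 0.0.0.0 255.255.255.255
    if tok == "host":
        return t.pop(0), "0.0.0.0"           # 'host X' == X 0.0.0.0
    return tok, t.pop(0)

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line; 1-99 is standard, 100-199 extended."""
    t = line.split()
    num, action, t = int(t[1]), t[2], t[3:]
    if num <= 99:                            # standard list: source address only
        return dict(action=action, proto="ip", src=_take_addr(t),
                    dst=("0.0.0.0", "255.255.255.255"), dport=None)
    proto = t.pop(0)
    src, dst = _take_addr(t), _take_addr(t)
    dport = None
    if t and t[0] == "eq":                   # destination port qualifier, e.g. 'eq telnet'
        dport = PORTS.get(t[1], int(t[1]) if t[1].isdigit() else None)
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """ACEs are checked top-down; the first match wins; no match hits the implied deny any."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match(src, *ace["src"]) and _match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"                            # implied 'deny any' at the end of every ACL

# Constructed sample: the extended list built in Lab 12.2 above.
ACL_110 = ["access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 eq telnet log",
           "access-list 110 permit ip any 0.0.0.0 255.255.255.255"]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                          # 0.0.0.255
    print(evaluate(ACL_110, "tcp", "192.168.10.2", "172.16.10.6", 23))  # deny (Telnet blocked)
    print(evaluate(ACL_110, "icmp", "192.168.10.2", "172.16.10.6"))     # permit (ping still works)
    print(evaluate(ACL_110[:1], "icmp", "192.168.10.2", "172.16.10.6")) # deny (no permit line)
```

The last call shows why the permit statement in the lab is mandatory: with only the deny line present, every packet falls through to the implied deny.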