Config Lab: Extended Numbered ACL 1
Ready to review how to match subnets with extended ACLs? And how to match well-known ports? Today’s lab lets you do just that. Along the way, you get to think about where to place the ACL to most efficiently filter packets. Jump in and create your own config.
The Lab Exercise
Requirements
Configure an extended access list to control that traffic as detailed in the following rules:
- Create an extended numbered (101) ACL which performs the following functions:
- Block all traffic from the 20.0.1.0/24 subnet to the http, ftp (data and control) and tftp ports of the 10.0.3.0/24 subnet displayed in the figure
- Permit all other traffic
- Apply the ACL on the appropriate device
- Assume all router interfaces shown in the lab are up, working and have correct IP addresses assigned
- Assume routing between all devices is configured and operational
Figure 1: Topology Used in Extended ACL Lab
Initial Configuration
Examples 1, 2, 3, and 4 show the beginning configuration state of R1, R2, SW1, and SW2.
hostname R1
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 10.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 20.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 20.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 20.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 2: R2 Config
hostname SW1
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 3: SW1 Config
hostname SW2
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 4: SW2 Config
Host device info:
Although not required for this lab, the .pkt file includes one PC per subnet, preconfigured as per the following table, for easier testing.
| Device | IP Address |
|---|---|
| PC1 | 10.0.1.11 |
| PC2 | 10.0.2.12 |
| PC3 | 10.0.3.13 |
| PC4 | 20.0.1.14 |
| PC5 | 20.0.2.15 |
| PC6 | 20.0.3.16 |
Answer Options
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
| Device | Lab Port | CML Port |
|---|---|---|
| SW1 | G1/0/1 | G0/1 |
| SW1 | G1/0/2 | G0/2 |
| SW1 | G1/0/3 | G0/3 |
| SW1 | G1/0/4 | G1/0 |
| SW2 | G1/0/1 | G0/1 |
| SW2 | G1/0/2 | G0/2 |
| SW2 | G1/0/3 | G0/3 |
| SW2 | G1/0/4 | G1/0 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
| Device | IP Address | User/password |
|---|---|---|
| S1 | 10.0.1.11 | cisco/cisco |
| S2 | 10.0.2.12 | cisco/cisco |
| S3 | 10.0.3.13 | cisco/cisco |
| S4 | 20.0.1.14 | cisco/cisco |
| S5 | 20.0.2.15 | cisco/cisco |
| S6 | 20.0.3.16 | cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration
Answers
interface GigabitEthernet0/2.1
ip access-group 101 in
!
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq www
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp-data
access-list 101 deny udp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq tftp
access-list 101 permit ip any any
Example 1: R2 Config
Commentary, Issues, and Verification Tips
Commentary
The primary use of access-lists is to control which traffic is allowed to come in and go out of the interfaces of a device. On Cisco devices, you can use either standard or extended ACLs. Standard ACLs use simple matching logic based solely on the source IP address of the packet. Extended ACLs use more complex matching based on multiple header fields, including the source and destination host or network, and matching based on the protocol in use. However, it is important to note that ACLs are not limited to the blocking or permitting of specific traffic. They are also used in several features, from Network Address Translation (NAT) to route maps.
With this lab, you were tasked with configuring an extended ACL to block specific traffic from one subnet to another. The requirements used two subnets: a source subnet of 20.0.1.0/24 and a destination subnet of 10.0.3.0/24. To match each of those subnets, you use the same wildcard mask, 0.0.0.255. You can calculate the wildcard mask that matches a subnet by taking the subnet's DDN mask (255.255.255.0 in each case) and subtracting it from 255.255.255.255, which leaves 0.0.0.255.
The matching requirements also listed several well-known ports, all of which can be matched with keywords rather than the actual port numbers. In particular, to match packets from subnet 20.0.1.0/24 to subnet 10.0.3.0/24 that are destined for the HTTP port (TCP port 80), use this command:
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq www
Similarly, to match FTP control traffic, FTP data (which uses a different port), and TFTP traffic, use these additional commands:
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp-data
access-list 101 deny udp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq tftp
The final requirement was to permit all other traffic. Remember that without such a statement, all remaining traffic would be blocked by the implicit deny at the end of every ACL. To permit all remaining traffic explicitly, configure the access-list 101 permit ip any any command as the final statement of the ACL.
The last step is to apply the ACL to the appropriate interface. Generally, Cisco suggests applying standard ACLs on the interface closest to the destination and extended ACLs on the interface closest to the source. In this case, R2 connects to the source subnet (20.0.1.0/24) on its G0/2.1 subinterface, so apply the ACL inbound there using the ip access-group 101 in command.
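To see the matching logic described above at work, here is a small Python model of ACL 101 (added for this post; it is not part of the lab, Packet Tracer, or Cisco IOS, and the function names are my own). It derives the wildcard mask from the DDN mask, parses the five statements exactly as written in the answer, and evaluates sample packets first-match-wins, falling through to the implicit deny when no statement matches.

```python
import ipaddress

# Keywords IOS accepts for the well-known ports in this lab (IOS also accepts
# the numeric port, e.g. "eq 20" instead of ftp-data, as the Known Issues note).
PORT_KEYWORDS = {"www": 80, "ftp": 21, "ftp-data": 20, "tftp": 69}

# The five statements from the lab answer, used here as constructed test input.
ACL_101 = """
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq www
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp
access-list 101 deny tcp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq ftp-data
access-list 101 deny udp 20.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 eq tftp
access-list 101 permit ip any any
"""
def wildcard_from_mask(ddn_mask):
    """Wildcard mask = 255.255.255.255 minus the dotted-decimal subnet mask."""
    return ".".join(str(255 - int(o)) for o in ddn_mask.split("."))

def matches_wildcard(addr, base, wildcard):
    """Bits that are 0 in the wildcard must equal the base; 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_address(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), remaining)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = parse_address(t[4:])
        dst, rest = parse_address(rest)
        # "eq" followed by a keyword or a number; only destination ports are modelled
        port = (PORT_KEYWORDS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, src_ip, dst_ip, proto, dst_port=None):
    """First matching statement wins; no match means the implicit deny at the end."""
    for action, p, (sb, sw), (db, dw), port in entries:
        proto_ok = p == "ip" or p == proto
        addrs_ok = matches_wildcard(src_ip, sb, sw) and matches_wildcard(dst_ip, db, dw)
        port_ok = port is None or port == dst_port
        if proto_ok and addrs_ok and port_ok:
            return action
    return "deny"
```

Evaluating PC4 (20.0.1.14) to PC3 (10.0.3.13) on TCP 80 returns deny, the same packet on TCP 22 returns permit, and dropping the final permit statement turns that second result into deny.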
Known Issues in this Lab
This section of each Config Lab Answers post lists any known issues with Packet Tracer related to this lab. In this case, the issue is:
| # | Summary | Detail |
|---|---|---|
| 1 | Limited port number keywords in CPT | Real Cisco IOS supports a larger number of text keywords that identify well-known TCP and UDP port numbers. In this lab, you may need to configure port numbers rather than names, for example, port 20 instead of ftp-data, as shown in the solution. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration, without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface, the Command Line Interface (CLI), without owning real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps:
- Issue the show ip access-lists and show access-lists commands to display the access-lists.
- Issue the show ip interfaces commands and look for the lines on each interface that identify if any ACLs are enabled, and if so, which ACLs and in what direction.
- Add some hosts to the topology and use some ping and traceroute commands to generate traffic and test the ACLs. Because all the requirements mention IP packets only and not specific applications, you can use any command to drive traffic to test the ACL.
Just a quick question, I am still stumbling through ACLs in the book – why is there “any any” at the end of the final solution command? Wouldn’t just one “any” work?
Hi Trenton,
On the extended ACL command (access-list 101 permit…) there are three required parameters: the protocol (e.g., ip, tcp, udp), the source IP address range (e.g. 10.1.1.0 0.0.0.255), and the destination IP address range (e.g. 10.1.2.0 0.0.0.255). So in the examples that end with “access-list 101 permit ip any any”, that command has the minimum number of parameters after the “permit”. The “any” means “any address” aka “match all addresses”. So, “ip any any” matches every IP packet.
Because “source and destination” must be specified, the sentence is access-list 101 permit tcp “source” “destination”,
from “any” source to “any” destination
Shouldn’t we just use SW2 to put the ACL on? It’s a layer 3 device, and it’s closer to the source.
Hi JP,
Catching up on the blog after some unexpected travel. Anyway, on this one…
SW1 and SW2, as configured here, are layer 2 only. They have no VLAN interfaces (aka SVIs), which is one way to configure layer 3 interfaces on switches. They also have no layer 3 ports (physical interfaces with the “no switchport” subcommand configured.) So, those switches wouldn’t support layer 3 ACLs as currently configured. Hope this helps.
Hi Mr. Wendell,
I’ve configured the ACL in the R2’s Gi0/1 interface outbound. Is it a valid solution?
Hi Cristian,
Sure! As long as you can give your reasoning, and it works, I’m good with it. And I believe it would work. As to reasoning, why there, and not inbound on R2’s LAN interface? That’s what I’d ask if we were in a live class.
Wendell