Standard and Extended ACL Configuration
Overview
This lab simulates the configuration and application of standard and extended access control lists (ACLs) on a Cisco router to enforce specific network communication policies. The scenario includes multiple subnets and services across two routers and several end devices. Key tasks included blocking DNS access to a specific server and preventing direct communication between subnets. ACLs were crafted to match protocols (TCP, UDP), port 53, and IP addresses using wildcard masks. ACLs were applied inbound and outbound on the appropriate interfaces, with a focus on placing filters close to the source (for extended ACLs) and close to the destination (for standard ACLs). The lab demonstrates the flexibility of standard and extended ACLs, how they affect device communication in real time, and concludes with successful verification using ping and browser tests.
Skills Demonstrated
- Creating extended ACLs based on protocol, source/destination IP, and ports
- Blocking DNS using both TCP and UDP port 53
- Applying ACLs inbound on router interfaces
- Combining multiple policy rules into a single ACL
- Using wildcard masks to specify source and destination subnets
- Testing ACL effectiveness with ping and browser utilities
- Verifying ACL hit counts using show access-lists
Tools Used
- Cisco Packet Tracer
- Router CLI
- Command Prompt
- Web Browser
1. Network Topology
For this lab, the topology consists of two PC LAN segments on the left side and two server LAN segments on the right side, all interconnected via two routers (R1 and R2) joined by a serial point-to-point link.

The goal of this lab will be to set up standard and extended ACLs so the following occurs:
- Hosts in 172.16.2.0/24 can't communicate with PC1 (standard numbered ACL)
- Hosts in 172.16.1.0/24 can't access the DNS service on SRV1 (extended named ACL)
2. Configuring Standard Numbered ACL on R1
First I configure a standard numbered ACL to prevent hosts in 172.16.2.0/24 from communicating with PC1, and I apply it outbound on interface G0/0 so that it sits closest to the destination.
I run the following commands:
R1> en
R1# conf t
R1(config)# access-list 1 deny 172.16.2.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# int g0/0
R1(config-if)# ip access-group 1 out
Now when running show ip access-lists we see the ACL has been configured:
Standard IP access list 1
10 deny 172.16.2.0 0.0.0.255
20 permit any
And when I run show ip int g0/0 we can see the ACL has been applied outbound:
GigabitEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.1.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 1
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
And when pinging from PC3, which is in 172.16.2.0/24, PC1 cannot be reached:
C:\>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Ping statistics for 172.16.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
3. Configuring Extended Named ACL on R1
Now I'm going to add an extended named ACL on R1, this time inbound on interface G0/0 (closest to the source), to prevent hosts in 172.16.1.0/24 from accessing the DNS service on SRV1.
SRV1 has been configured to act as a DNS server:

And on PC1 and PC2, I have set the DNS server to SRV1's IP address:

So to prevent hosts in 172.16.1.0/24 from accessing the DNS service on SRV1, I run the following commands:
R1> en
R1# conf t
R1(config)# ip access-list extended DENY_DNS
R1(config-ext-nacl)# deny tcp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq 53
R1(config-ext-nacl)# deny udp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq 53
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# int g0/0
R1(config-if)# ip access-group DENY_DNS in
Now when running show ip access-lists we see the extended ACL has been added:
Standard IP access list 1
10 deny 172.16.2.0 0.0.0.255 (4 match(es))
20 permit any
Extended IP access list DENY_DNS
10 deny udp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq domain (4 match(es))
20 deny tcp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq domain
30 permit ip any any (4 match(es))
Also, when running show ip int g0/0 we see both the outbound and the inbound ACL applied successfully:
GigabitEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.1.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 1
Inbound access list is DENY_DNS
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
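To make the matching logic concrete, the following is an added Python model of IOS first-match ACL evaluation with Cisco wildcard masks; it is my own illustration, not code from the lab or Packet Tracer. It encodes access-list 1 and DENY_DNS exactly as configured above, and the Ace and Packet types and the evaluate function are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added model of Cisco IOS ACL evaluation: ACEs are checked top to bottom,
# the first match decides, and an unmatched packet hits the implicit deny.
# Sequence numbers are assigned 10, 20, 30 ... as IOS does.

class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str                     # "A.B.C.D wildcard", "host A.B.C.D" or "any"
    dst: str                     # same syntax; standard ACLs ignore the destination
    dport: Optional[int] = None  # destination port for tcp/udp, None = any

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def wildcard_match(spec: str, ip: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the address, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, sequence number) of the first matching ACE, or ("deny", None)."""
    for seq, ace in enumerate(acl, start=1):
        if (ace.proto in ("ip", pkt.proto)
                and (ace.dport is None or ace.dport == pkt.dport)
                and wildcard_match(ace.src, pkt.src)
                and wildcard_match(ace.dst, pkt.dst)):
            return ace.action, seq * 10
    return "deny", None   # implicit "deny any" at the end of every IOS ACL

# access-list 1 (standard): only the source address is examined
ACL_1 = [Ace("deny", "ip", "172.16.2.0 0.0.0.255", "any"),
         Ace("permit", "ip", "any", "any")]

# ip access-list extended DENY_DNS, in the order the commands were entered
DENY_DNS = [Ace("deny", "tcp", "172.16.1.0 0.0.0.255", "host 192.168.1.100", 53),
            Ace("deny", "udp", "172.16.1.0 0.0.0.255", "host 192.168.1.100", 53),
            Ace("permit", "ip", "any", "any")]
```

Because a standard ACL inspects only the source address, access-list 1 applied outbound on G0/0 blocks 172.16.2.0/24 from every host on 172.16.1.0/24, not only PC1. The extended ACL, by contrast, leaves all non-DNS traffic from PC1 permitted, which is exactly what the hostname-versus-IP ping test confirms.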
Now, to test whether the DNS deny rule is working, from PC1 I ping SRV2 by hostname and receive a name-resolution error, but pinging its IP address succeeds. This tells me the ACL is blocking only DNS, not IP connectivity:
C:\>ping srv2
Ping request could not find host srv2. Please check the name and try again.
C:\>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.2.100: bytes=32 time=14ms TTL=126
Reply from 192.168.2.100: bytes=32 time=12ms TTL=126
Reply from 192.168.2.100: bytes=32 time=12ms TTL=126
Reply from 192.168.2.100: bytes=32 time=12ms TTL=126
Ping statistics for 192.168.2.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 14ms, Average = 12ms