5.2.7 Packet Tracer - Configure and Modify Standard IPv4 ACLs

Captions
Hi friends, welcome. In this video we are going to solve this Packet Tracer activity, Configure and Modify Standard IPv4 ACLs. Before coming to this activity, friends, if you would like to get any CCNA version 7 online classes or any technical support, you can contact our team using our website link, which you will get from the description below. Also, if you would like to get this type of technical video in future, consider subscribing, and don't forget to enable the bell icon so that you will get a notification message whenever we upload a new video.

Now we are back to this activity. Here we can see our addressing table. Coming to the objectives: Part 1, verify connectivity; Part 2, configure and verify standard numbered and named ACLs; then Part 3, modify a standard ACL. We will go through the scenario. Network security and traffic flow control are important issues when designing and managing IP networks. The ability to configure proper rules to filter packets, based on established security policies, is a valuable skill. In this lab we will set up filtering rules for two business locations that are represented by R1 and R3. Management has established some access policies between the LANs located at R1 and R3, which you must implement. The Edge router sitting between R1 and R3, which has been provided by the ISP, will not have any ACLs placed on it. You would not be allowed any administrative access to the Edge router, because you can only control and manage your own equipment.

We will go to the instructions. Part 1, verify connectivity. In Part 1 we will verify connectivity between devices. The note given: it is very important to test whether connectivity is working before you configure and apply access lists. You want to be sure that your network is properly functioning before you start to filter traffic. Yes, that is very important.

We will verify the connectivity. From PC-A, ping PC-C and PC-D. Were your pings successful? We will do that. We will get the IP address for PC-C, then we will go to the PC-A command prompt: Desktop, then Command Prompt. I will give the ping command, then the IP address, and we are waiting for the replies. You may get one or two "request timed out". Yeah, here we can see we get the replies. Now we will ping PC-D. Okay, here we get the replies. Pings succeeded from PC-A to PC-C and PC-D.

Now from R1, ping PC-C and PC-D. Were your pings successful? Okay, we will get the IP address of PC-C. We'll go to the R1 CLI, enable, and we will give a ping command, then the address. We can see the success rate is 100 percent. We will get the IP address of PC-D, coming to R1, ping PC-D. The success rate is 100 percent, so this succeeded.

Now from PC-C, ping PC-A and PC-B. Were your pings successful? We will go to PC-C. We will get the IP of PC-A, coming to PC-C, Desktop, Command Prompt, ping, and here we get the replies. Now we'll ping PC-B. We may get one "request timed out"; here we get the replies.

Then from R3, ping PC-A and PC-B. Were your pings successful? We will get the IP address of PC-A, coming to the R3 CLI, enable, then we will ping PC-A. Here we can see the success rate is 100 percent. Also we'll get the IP address of PC-B. We have to go to R3. Okay, it's working.

Then: can all of the PCs ping the server at 209.165.20.? We will test that. I will copy this IP address, coming to PC-A. Okay, we are waiting for the replies, so PC-A can communicate. Then we will go to PC-B. We are pinging from all these PCs to this server. We'll try from PC-B, ping the server; okay, we get the replies. We'll go to PC-C, ping the server; we get the replies. We'll go to PC-D, ping the server; perfect.

Coming to Part 2, configure and verify standard numbered and named ACLs. Step 1, configure a numbered standard ACL. Standard ACLs filter traffic based on the source IP address only. A typical best practice for standard ACLs is to configure and apply the ACLs as close to the destination as possible. For the first access list in this activity, create a standard numbered ACL that allows traffic from all hosts on the 192.168.10.0/24 network and all hosts on the 192.168.20.0/24 network to access all hosts on the 192.168.30.0/24 network. The security policy also states that an explicit deny any access control entry (ACE), also referred to as an ACL statement, should be present at the end of all ACLs.

Okay, here we will allow only the hosts from these networks, 10.0/24 and 20.0/24, to access this network, that is 30.0. So we will identify these networks in this topology. We will go to this router R1, enable. Here I will give a show ip interface brief command, and here we can see 192.168.10.1 and 20.1. Even we can see this in the routing table: show ip route connected. Here we can see those networks, 10.0 and 20.0, which are directly connected to G0/0/0 and G0/0/1. Coming to our topology, here we can see those networks: here is G0/0/0, then here we can see G0/0/1. Next we will identify this 192.168.30.0/24 network. Coming to R3, enable, show ip route connected, and here we can see 192.168.30.0/24 is directly connected to G0/0/0. Coming to our topology, here we can see that interface, G0/0/0. Now our ACL policy is clear: that means this network and this network are only allowed to access this network, and all other networks are not allowed to access this network.

What wildcard mask would you use to allow all hosts on the 192.168.10.0/24 network to access the 192.168.30.0/24 network? Here the prefix they have given is /24, that means the wildcard mask will be 0.0.0.255. Following Cisco's recommended best practices, on which router would you place this ACL? Here we read that a typical best practice for a standard access control list is to configure and apply the ACL as close to the destination as possible. Here our destination is 192.168.30.0, so we can implement this ACL on this router, R3. On which interface would you place this ACL, and in what direction would you apply it? Here we can see our destination network is here, and it is connected to this interface, G0/0/0, on this router R3, and we have to apply this ACL in the out direction.

Configure the ACL on R3. Use 1 for the access list number. Here they have given the command access-list 1 and set this remark first, Allow R1 LANs Access. Then access-list 1 permit; here they have given the source addresses 192.168.10.0 and 192.168.20.0, and finally they have given access-list 1 deny any. That means only these two networks are allowed to access this 30.0 network. Okay, we will give these commands here in this router R3. We will go to global configuration mode, conf t, and here we will give access-list 1, and we have to give the remark, Allow R1 LANs Access. Then we will create access-list 1, and we will permit 192.168.10.0, then we have to specify the wildcard mask 0.0.0.255. Also we will give access-list 1 permit 192.168.20.0, wildcard mask 0.0.0.255, and we have to give access-list 1 deny any.

Then apply the ACL to the appropriate interface in the proper direction. Yeah, already we discussed we have to apply this ACL to this interface, G0/0/0, connecting to this network; that is ip access-group 1 in the out direction. We will do that. We have to go to that interface, that is G0/0/0, and here we will give ip access-group 1, direction out.

Now we will verify the numbered ACL. The use of various show commands can help you to verify both the syntax and placement of your ACLs in your router. To see access list 1 in its entirety with all ACEs, which command would you use? Obviously we can use the show access-lists command. What command would you use to see where the access list was applied and in what direction? We can use show ip interface, then the interface name, that is G0/0/0, where we applied our access control list, or even we can see this using the show ip interface command. On R3, issue the show access-lists 1 command. Okay, we will give that: end, show access-lists 1, and here we can see Standard IP access list 1. Here we can see the commands we have given: permit this network and a wildcard mask, then permit 192.168.20.0, then deny any. Then on R3, issue the show ip interface g0/0/0 command, so that we can see the direction. We will give show ip interface G0/0/0, and here we can see the direction; here is the command, and here we can see outgoing access list is 1. Perfect.

Next is to test the ACL to see if it allows the traffic from the 192.168.10.0/24 network to access the 192.168.30.0/24 network. For that, from the PC-A command prompt, ping the PC-C IP address. Was the ping successful? We will test that. We will get the IP of PC-C, then we will go to the PC-A command prompt, then we will ping PC-C. Perfect, we get the replies. Then test the ACL to see if it allows traffic from the 192.168.20.0/24 network access to the 192.168.30.0/24 network. From the PC-B command prompt, ping the PC-C IP address. Was the ping successful? It should succeed. We will test it: we'll ping PC-C, and here we get the replies; that means it is pinging. Should pings from PC-D to PC-C be successful? Ping from PC-D to PC-C to verify your answer. So we'll ping from PC-D; ping PC-C, and it will not succeed. Here we can see "destination host unreachable", because only these two networks are allowed to communicate with this network.

Next is, from the R1 prompt, ping the PC-C IP address again. Okay, we will ping from R1, and it will not succeed. Okay, we will see that: ping PC-C, and here we can see the success rate is zero percent. Yes, why did it fail? When we ping from this R1 to this network, R1 uses the IP address of this interface, Serial 0/1/0, which is near to this destination, and this network is not allowed to access this network; only these two networks are allowed to access this network. Now issue the show access-lists 1 command again. Note that the command output displays information for the number of times each ACE was matched by traffic that reached interface GigabitEthernet 0/0/0. We will go to R3 and we will give that show command, show access-lists 1, and here we can see the matches; here we can see in deny any we got nine matches.

Now we will go to Step 2, configure a named standard ACL. Create a named standard ACL that conforms to the following policy: allow traffic from all hosts on the 192.168.40.0/24 network access to all hosts on the 192.168.10.0/24 network. Also, only allow host PC-C access to the 192.168.10.0/24 network. The name of the access list should be BRANCH-OFFICE-POLICY. Here this policy says all the hosts in this network, and only this PC-C from this network, are allowed to access this network, that is the 192.168.10.0 network. Following Cisco's recommended best practices, on which router would you place this ACL? Obviously we have to implement this ACL near to the destination, that is on R1. On which interface would you place this ACL, and in what direction would you apply it? Obviously we have to apply it to this interface, G0/0/0, in the out direction.

Now we will create the standard named ACL BRANCH-OFFICE-POLICY on R1. I will just copy this name. Here we can see the command ip access-list standard, then we have to specify the name of the ACL. Then we have to permit only this host, so we have to specify host, then the IP address of that host, the IP address of this PC-C. Then we have to permit all the hosts in this network, that is the 192.168.40.0 network. And here they did not give that deny any command; okay, anyway we will see that. We will go to R1 and we will give these commands: conf t, and here we will give ip access-list; here we can see it starts with ip, ip access-list standard, then we will give its name, I already copied it, okay, then press Enter. Then we will permit host 192.168.30.3, this is the IP address of our PC-C, then press Enter. Also we will permit the network, that is 192.168.40.0, then wildcard mask 0.0.0.255.

Look at the first ACE in the access list. What is another way to write this? This is the first command we have given, permit host, then its address. We'll go to R1 and we will check that: permit, we have host, then we have given 192.168., then we'll put a space and a question mark. Here it only shows Enter, but even we can give this 0.0.0.0. Let me try with this; anyway here we are not going to give it, because it will be added to the access list. So we can use this command: permit 192.168.30.3, then we can give a space and 0.0.0.0.

Now we have to apply the ACL to the appropriate interface in the proper direction. Yes, we have to apply it to this interface, G0/0/0, in the out direction. Okay, we will go to R1 and we will do that: exit, because we have to go to interface G0/0/0, and here we have to give ip access-group, then we have to specify the name (I think we already copied it, BRANCH-OFFICE-POLICY), and we have to give the direction, it's out.

Next we will verify the named ACL. On R1, issue the show access-lists command. We'll go to R1 and here we will give that command: give end, then give show access-lists, and here we can see Standard IP access list BRANCH-OFFICE-POLICY. This is what we created, and here we can see lines 10 and 20, and here we cannot see that line number 30, that is deny any. There is a question: is there any difference between this ACL on R1 and the ACL on R3? If so, what is it? Yeah, we have seen. Let me show in R3: we have three lines, show access-lists; here we can see the third line, 30 deny any, and we did not give this line here, and here we can see only 10 and 20, two lines. Okay, now on R1 issue the show ip interface g0/0/0 command to verify that the ACL is configured on the interface. Okay, coming to R1, show ip interface G0/0/0, and here we can see outgoing access list is BRANCH-OFFICE-POLICY.

Now we are going to test the ACL. From the command prompt on PC-C, ping the IP address of PC-A. Was the ping successful? Okay, we are going to ping from PC-C to this PC-A. We will get the IP address of PC-A, then we will go to the PC-C command prompt, ping PC-A, and here we get the replies, because this host PC-C is allowed to access PC-A. Now test the ACL to ensure that only the PC-C host is allowed access to the 192.168.10.0/24 network. You must do an extended ping and use the G0/0/0 address on R3 as your source. Yes, we can do that: ping PC-A's IP address, so we have to give ping and then press Enter from R3. We'll go to R3 and here we will give ping, then press Enter. Here we can see Protocol [ip]; we gave 192.168.10.3, this is the IP address of our PC-A, okay, but here we can see we get the error message. The reason is we gave the IP address here for this protocol prompt, so here we have to give either ip or simply press Enter, so that it will accept the default protocol, that is ip. That's fine, so we will give ping again, then press Enter, so here again we will press Enter so that it will take the protocol ip. Now we can see Target IP address: the IP address of this PC-A, it's 192.168.10.3. That's fine. Repeat count, by default it's 5; okay, just leave the value as it is, press Enter. Datagram size 100, that's fine, just press Enter. Then timeout in seconds, by default it's 2, that's fine. Then Extended commands: we will give yes, we need extended commands. Then Source address or interface: here we are going to give the IP address 192.168.30.1, that means the IP address of this interface G0/0/0. We will give that, 192.168.30.1, then press Enter. Type of service 0, okay, press Enter; here again no, press Enter; again press Enter; again, okay, Enter, Enter, and we can see the success rate is zero percent, because we pinged from this interface, that is 192.168.30.1, but this address is not allowed to access this network; only this PC-C is allowed to access this network. Were the pings successful? No, it did not succeed.

Next, test the ACL to see if it allows the traffic from the 192.168.40.0/24 network access to the 192.168.10.0/24 network. From the PC-D command prompt, ping the PC-A IP address. Were the pings successful? It should succeed, because we allowed this network to access this network. So we will get the IP address of PC-A, then we will go to the PC-D command prompt and ping PC-A. Perfect, we get the replies.

Next we will go to Part 3, modify a standard access control list. It is common in business for security policies to change. For this reason, ACLs may need to be modified. In Part 3 we will change one of the ACLs you configured previously to match a new management policy that is being put in place. Now attempt to ping the server at 209.165.200.254 from PC-A. Notice that the ping is not successful. The ACL on R1 is blocking Internet traffic from returning to PC-A. This is because the source address in the packets that are returned is not in the range of permitted addresses. Okay, we will attempt to ping the server using this address from this PC-A. Ping our server, and we are waiting for the replies: request timed out. No, it's not working. Packets: sent 4, received 0, lost 4, 100 percent loss. Why has this communication failed? Because here only this network and this PC-C are allowed to communicate with PC-A. But here PC-A can communicate to the server; yes, it can communicate, but when the acknowledgement comes back, this server cannot communicate to PC-A.

I think I will show it in simulation mode so that it will be more clear. We will go to Simulation, let me maximize this, and here I will click on Show All/None, then Edit Filters; here we will choose only ICMP. Now we will see why it's not pinging. I will go to the PC-A command prompt again, we will ping our server, and here we can see our ICMP packet, yes. So we'll click on Capture/Forward: it goes to S1, and it goes to R1, then goes to Edge, then to the Internet, then it goes to the server. We can see that packet has reached this server. Now the server is going to send the acknowledgement back to this PC-A, so it comes to the Internet, then it goes to Edge, and then we can see it will go to R1, but we can see this R1 will drop this packet. Why does this R1 drop this packet? Because this network is not allowed to access this network; that's why it dropped this packet here.

Now management has decided that traffic that is returning from the 209.165.200.224/27 network, okay, from this network, should be allowed full access to the 192.168.10.0/24 network. Management also wants ACLs on all routers to follow consistent rules. A deny any ACE should be placed at the end of all ACLs. You must modify the BRANCH-OFFICE-POLICY ACL. Yes, actually we did not set this deny any command; even though there will be an implicit deny, as per the Cisco rules we have to set this deny any command. You will add two additional lines to this ACL. There are two ways you could do this. Okay, that's great. Here we can see Option 1: issue a no ip access-list standard BRANCH-OFFICE-POLICY command in global configuration mode. This would remove the ACL from the router. Depending upon the router IOS, one of the following scenarios would occur: all filtering of packets would be cancelled and all packets would be allowed through the router; or, because you did not remove the ip access-group command from the G0/1 interface, filtering is still in place. Regardless, when the ACL is gone, you could retype the whole ACL, or cut and paste it in from a text editor. Here we can see Option 2, and this is the best: you can modify ACLs in place by adding or deleting specific lines within the ACL itself. This can come in handy, especially with ACLs that are long. The retyping of the whole ACL, or cutting and pasting, can easily lead to errors. So we can go with this second option. Modifying specific lines within the ACL is easily accomplished. For this activity, use Option 2. That's fine.

Step 1, modify a named standard ACL. From R1, issue the show access-lists command. Here in R1 we will give that command: enable, show access-lists, and here we can see line number 10 and line number 20. Now we are going to add two additional lines at the end of the ACL. From global configuration mode, modify the ACL BRANCH-OFFICE-POLICY. We have to give this command, then we have to add these lines: 30, then permit 209.165.200.224, then wildcard mask 0.0.0.31; also we will specify deny any with the line number 40. I will just copy this ACL name, coming to R1, and here we can give that: conf t, in global configuration mode we have to do that, ip access-list standard, and here is the name, okay. And here we are going to add those lines, that is 30, and here we are going to permit 209.165.200.224, then we have to give the wildcard mask 0.0.0.31. Also we will add line number 40, and we have to give deny any, end.

Now we will verify the access control list. On R1, issue the show access-lists command. Show access-lists, and we can see these lines 30 and 40 will be added; show access-lists, and here are those lines. Do you have to apply the BRANCH-OFFICE-POLICY to the G0/1 interface on R1? Not G0/1, it's G0/0/0, and no need to do that again, because it's already been given and it will be there in this router R1. We can verify that: show ip interface G0/0/0, and here we can see that outgoing access list is BRANCH-OFFICE-POLICY. Or even we can verify using show running-config for G0/0/0; here we can see that ip access-group, then the ACL name, and direction out. Hence no need to give that command again.

Test the ACL to see if it allows the traffic from the 209.165.200.224/27 network access to return to the 192.168.10.0/24 network. From PC-A, ping the server at this address. We'll go to PC-A and we will ping again; here is the address, you can press the up arrow on the keyboard. Yes, and we get the replies. Were the pings successful? Yes, it succeeded.

Okay, that's all in this activity, that is Configure and Modify Standard IPv4 ACLs. Here we can see our completion status, it's 100 percent. Dear friends, if you have any doubts or any suggestions regarding this Packet Tracer activity, please comment below, or you can contact our team using our website link, which you will get from the description below. And if you like the video, give a thumbs up and share it with all your friends. Stay tuned and we will meet again with the next video. Thank you.
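As an added example (not from the video or the Packet Tracer activity itself), here is a small Python model of how the two standard ACLs built above evaluate a packet's source address: wildcard-mask matching, top-down first match, and the implicit deny that BRANCH-OFFICE-POLICY silently relies on before lines 30 and 40 are added. The ACEs and host addresses come from the page; the R1 S0/1/0 address 10.1.1.1 is an assumption.

```python
# Added example: model a Cisco standard ACL (source-address filtering only).
# ACEs and PC addresses are taken from the activity; 10.1.1.1 (R1 S0/1/0) is
# an assumed address used to show why R1's own ping to PC-C fails.
from collections import Counter
from ipaddress import IPv4Address

# An ACE is (sequence, action, network, wildcard_mask).
ACL_1 = [                                   # R3, applied out on G0/0/0
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "deny",   "0.0.0.0",      "255.255.255.255"),   # deny any
]
BRANCH_OFFICE_POLICY_BEFORE = [             # R1, out on G0/0/0, after Part 2
    (10, "permit", "192.168.30.3", "0.0.0.0"),           # same as "host"
    (20, "permit", "192.168.40.0", "0.0.0.255"),
]
BRANCH_OFFICE_POLICY_AFTER = BRANCH_OFFICE_POLICY_BEFORE + [   # after Part 3
    (30, "permit", "209.165.200.224", "0.0.0.31"),       # the /27 server block
    (40, "deny",   "0.0.0.0",         "255.255.255.255"),
]

def wildcard_match(src: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'must match', bit 1 = 'don't care'.
    0.0.0.0 therefore means one exact host, 255.255.255.255 means any."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(src)) & care) == (int(IPv4Address(network)) & care)

def evaluate(acl, src: str):
    """Top-down, first match wins; returns (action, sequence).
    A source that matches no ACE hits the implicit deny (sequence None)."""
    for seq, action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None

def show_access_list(name: str, acl, sources) -> list[str]:
    """Run source addresses through the ACL and render the result in the
    style of 'show access-lists', including the per-ACE match counters the
    video points out after the test pings."""
    hits = Counter(evaluate(acl, s)[1] for s in sources)
    lines = [f"Standard IP access list {name}"]
    for seq, action, network, wildcard in acl:
        if wildcard == "0.0.0.0":
            target = f"host {network}"
        elif wildcard == "255.255.255.255":
            target = "any"
        else:
            target = f"{network}, wildcard bits {wildcard}"
        count = f" ({hits[seq]} match(es))" if hits[seq] else ""
        lines.append(f"    {seq} {action} {target}{count}")
    return lines

if __name__ == "__main__":
    # Part 2 pings toward 192.168.30.0/24: PC-A, PC-B, PC-D and R1 (assumed
    # to source from S0/1/0 = 10.1.1.1); the last two land on "deny any".
    print("\n".join(show_access_list(
        "1", ACL_1, ["192.168.10.3", "192.168.20.3", "192.168.40.3", "10.1.1.1"])))
    # Part 3: the server's return traffic is dropped by R1 until line 30 exists.
    print(evaluate(BRANCH_OFFICE_POLICY_BEFORE, "209.165.200.254"))  # ('deny', None)
    print(evaluate(BRANCH_OFFICE_POLICY_AFTER, "209.165.200.254"))   # ('permit', 30)
```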
Info
Channel: Tech Acad
Views: 6,691
Keywords: CISCO, CISCO Certification, CCNA, CCNAv7, ACL, Access Control List, ENSA, Packet Tracer
Id: KOaVDRiPFUs
Length: 39min 12sec (2352 seconds)
Published: Mon Sep 14 2020