Extended ACL Configuration

Overview

An extended ACL is one type of ACL used to filter traffic in a network by implementing it on routers, firewalls, multilayer switches and other network devices that support ACLs. Extended ACLs are a basic network security practice: home, small business, medium and enterprise networks all rely on ACLs, although many home and small-business users with SOHO products still do not know how to use them. Extended ACLs are also used effectively and efficiently in NAT and VPN configuration. Extended ACLs use the number ranges 100 to 199 and 2000 to 2699. An extended ACL can filter on both source and destination IP address and port, which makes it a powerful ACL. Learn4CCNA recommends that you do not miss this configuration.

Scenario

In this topology you should assign IP addresses as noted in the topology. After the IP addresses are configured successfully, configure a dynamic routing protocol (we suggest OSPFv2 for routing in this scenario). First, verify connectivity by pinging from one of the PCs to all PCs and the server to make sure the routing you configured is working properly. Second, configure this scenario by completing the following two tasks:

Task 1
  • Configure IP addresses on all end devices and routers as noted in the topology (we suggest assigning IP x.x.x.10 to all PCs)
  • Configure the HTTP, DNS and FTP server (the domain name should be www.cisco.com for the DNS mapping)
  • Configure a dynamic routing protocol (OSPFv2 is recommended)

Note: After you configure the HTTP, DNS and FTP server and routing successfully, you should access the web server from the Guest PC by browsing to www.cisco.com. Access should succeed.

Task 2
  • Create an extended ACL using number 100
  • Create statements that comply with the following:
    • The Guest network should not reach the Server host with HTTP requests
    • The Guest network should reach all other services and networks except the case above
  • Apply the ACL to the appropriate interface

Topology

(Topology diagram: Extended ACL Configuration)

R1

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip access-group 100 out
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 1/1
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 192.168.0.9 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.2.0 0.0.0.255 area 0
R1(config-router)#network 192.168.0.0 0.0.0.3 area 0
R1(config-router)#network 192.168.0.8 0.0.0.3 area 0
R1(config-router)#exit
R1(config)#access-list 100 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.10 eq www
R1(config)#access-list 100 permit ip any any

R2

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#interface fastEthernet 1/0
R2(config-if)#ip address 192.168.4.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.0.5 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 192.168.0.0 0.0.0.3 area 0
R2(config-router)#network 192.168.0.4 0.0.0.3 area 0
R2(config-router)#network 192.168.4.0 0.0.0.255 area 0
R2(config-router)#exit

R3

Router>enable
Router#configure terminal
Router(config)#hostname R3
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.0.6 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastEthernet 0/1
R3(config-if)#ip address 192.168.0.10 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastEthernet 1/0
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#router ospf 1
R3(config-router)#network 192.168.0.4 0.0.0.3 area 0
R3(config-router)#network 192.168.0.8 0.0.0.3 area 0
R3(config-router)#network 192.168.3.0 0.0.0.255 area 0
R3(config-router)#exit

Verify Connectivity

  • The Guest PC in the Guest network should not be able to reach the HTTP (web) server by accessing www.cisco.com in a web browser.
  • The Guest PC should reach all other networks and services except the HTTP server.
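As an added check (example code written for this edit, not part of the original Learn4CCNA page), the Python evaluator below parses the two ACL 100 statements from the R1 configuration above and applies Cisco's top-down, first-match logic with the implicit deny to constructed sample packets. It confirms that Guest HTTP to the server is dropped while FTP, DNS and HTTP from other networks still pass; it models only the syntax used on this page (any, host, wildcard masks, eq port).

```python
import ipaddress

# Constructed sample: the two ACL 100 statements from the R1 configuration.
ACL_100 = [
    "access-list 100 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.10 eq www",
    "access-list 100 permit ip any any",
]

# IOS port keywords that the page's statements may use (www = TCP 80).
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53}


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask is the inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0.
    # ip_network() raises for non-contiguous wildcards, which this model does not support.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one numbered extended ACE; only the 'eq <port>' destination operator is modelled."""
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny")
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """Top-down, first-match evaluation; packets matching no ACE hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):      # 'ip' matches every IP protocol
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    print(evaluate(ACL_100, "tcp", "192.168.3.10", "192.168.1.10", 80))  # deny
```

Dropping the final permit statement (ACL_100[:1]) shows why it is required: every other packet then falls through to the implicit deny, which is the most common mistake when a newly applied ACL breaks all traffic.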
