Tabish Hussain 2019-CE-139
LAB#11
Objective: To implement security within the network using an extended ACL to filter packets by source or destination
Extended access lists create filters based on source address, destination address, protocol, port number and
other fields, and are used for packet-based filtering of traffic that traverses the network.
Exercise#01
Topology Diagram for Extended and Named ACL
Allow PC 0 (11.0.0.2) to only ping PC 2 (12.0.0.2)
First do the IP configuration listed in Exercise 1 of Lab 12 and delete all other ACLs.
An extended ACL is normally applied close to the source, so configure it on Router0.
As with standard ACLs, the first value (100-199 or 2000-2699 for extended ACLs) is the ACL number.
The next value specifies whether to permit or deny packets that match the criteria that follow.
The third value specifies the protocol type (IP, TCP, UDP, or another specific IP sub-protocol).
Verify
PC1 to PC3:
SSUET Page 2
PC0 to PC2:
Router1#show ip access-lists 100
Extended IP access list 100
permit icmp host 11.0.0.2 host 12.0.0.2 (4 match(es))
Note that the "matches" listed are the number of times the rule matched.
Exercise#02
Allow PC 1 (11.0.0.3) to only telnet to PC 2 (12.0.0.2)
An extended ACL is normally applied close to the source, so configure it on Router0.
This command checks every packet entering the router on that interface.
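The commands for Exercises 1 and 2 are shown in this report as screenshots. The following is an added example of the same configuration written out as Cisco IOS CLI (it is not the report's own capture); it assumes Router0's LAN-facing interface is FastEthernet0/0 with address 11.0.0.1/8, as in the running-config shown later in this report, and adds an explicit deny so that dropped packets also show up in the match counters.

```cisco
! Added example: numbered extended ACL 100 on Router0 for Exercises 1 and 2.
! Assumption: Router0's LAN-facing interface is FastEthernet0/0 (11.0.0.1/8).
Router0> enable
Router0# configure terminal
! Exercise 1: PC0 (11.0.0.2) may only ping PC2 (12.0.0.2)
Router0(config)# access-list 100 permit icmp host 11.0.0.2 host 12.0.0.2
! Exercise 2: PC1 (11.0.0.3) may only telnet to PC2 (12.0.0.2)
Router0(config)# access-list 100 permit tcp host 11.0.0.3 host 12.0.0.2 eq telnet
! Every ACL ends with an implicit "deny ip any any". Writing it explicitly
! changes nothing about what is dropped, but gives the denied packets their
! own line and match counter in "show access-lists".
Router0(config)# access-list 100 deny ip any any
! Apply the list inbound on the interface nearest the source, so unwanted
! traffic is dropped before it crosses the network.
Router0(config)# interface FastEthernet0/0
Router0(config-if)# ip access-group 100 in
Router0(config-if)# end
! Verify: each line's counter increases as packets match it.
Router0# show access-lists 100
```

Because the list is applied inbound on the LAN interface, only traffic leaving the 11.0.0.0/8 LAN is checked; the ICMP echo replies and telnet responses coming back from PC2 enter Router0 on its other interface and are not filtered by this list. Any other host on the LAN, and any other protocol from PC0 or PC1, hits the deny line.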
Verify
Router1#show access-lists 100
Extended IP access list 100
permit icmp host 11.0.0.2 host 12.0.0.2
permit tcp host 11.0.0.3 host 12.0.0.2 eq telnet
Named ACL (Access Control List)
Objective: To configure Extended Named ACL
You can also name your ACLs so that their purpose is easier to identify. Both standard and extended
ACLs can be named.
Exercise#03
Allow PC 0 (11.0.0.2) to only ping PC 2 (12.0.0.2) and PC 1 (11.0.0.3) to only telnet to PC 2 (12.0.0.2)
First do the IP configuration listed in Exercise 1 and delete all other ACLs.
An extended ACL is normally applied close to the source, so configure it on Router0.
Exercise#04
Verification
Router0# show ip access-list sajjad
Extended IP access list sajjad
permit icmp host 11.0.0.2 host 12.0.0.2 (4 match(es))
permit tcp host 11.0.0.3 host 12.0.0.2 eq telnet
Note that the "matches" listed are the number of times the rule matched.
Router1# show running-config
interface FastEthernet0/0
 ip address 11.0.0.1 255.0.0.0
 ip access-group sajjad in
 duplex auto
 speed auto
ip access-list extended sajjad
 permit icmp host 11.0.0.2 host 12.0.0.2
 permit tcp host 11.0.0.3 host 12.0.0.2 eq telnet
SHOW RUNNING-CONFIG:
EXERCISE QUESTIONS
1. How to delete ACLs?
Ans:
To completely remove an ACL, first remove it from the interface with the no ip access-group
access-list-number command on that interface, and then use the global configuration command
no access-list access-list-number to delete the entire ACL.
2. Discuss extended and named ACL.
Ans:
Extended ACLs: These ACLs permit or deny packets based on the source IPv4 address, destination
IPv4 address, protocol type, source and destination TCP or UDP ports, and more.
Named Access Control Lists (ACLs): allow standard and extended ACLs to be given names instead of
numbers. Unlike numbered ACLs, named ACLs can be edited in place. To create a named ACL, use the
following IOS command from global configuration mode.
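The following is an added example, not one of the report's own screenshots. It creates the named ACL "sajjad" from Exercise 3, then demonstrates the two points made in the answers above: editing a named ACL in place by sequence number (Question 2) and removing an ACL in the correct order (Question 1). It assumes Router0's LAN-facing interface is FastEthernet0/0 (11.0.0.1/8), as in the running-config shown in this report; the tightening of the ICMP entry to echo requests is a hypothetical change chosen only to illustrate editing and is not part of the lab.

```cisco
! Added example: named extended ACL "sajjad" on Router0 (Exercise 3).
! Assumption: Router0's LAN-facing interface is FastEthernet0/0 (11.0.0.1/8).
Router0# configure terminal
Router0(config)# ip access-list extended sajjad
Router0(config-ext-nacl)# permit icmp host 11.0.0.2 host 12.0.0.2
Router0(config-ext-nacl)# permit tcp host 11.0.0.3 host 12.0.0.2 eq telnet
Router0(config-ext-nacl)# exit
Router0(config)# interface FastEthernet0/0
Router0(config-if)# ip access-group sajjad in
Router0(config-if)# end
! IOS assigns sequence numbers 10, 20, ... to the entries; "show access-lists"
! displays them, which is what makes in-place editing possible.
Router0# show access-lists sajjad

! Editing in place (Question 2). A numbered ACL would have to be deleted and
! re-entered; a named ACL lets one entry be replaced by sequence number.
! Hypothetical refinement: restrict PC0's ICMP to echo requests only, which
! is all a ping from PC0 needs in the inbound direction.
Router0# configure terminal
Router0(config)# ip access-list extended sajjad
Router0(config-ext-nacl)# no 10
Router0(config-ext-nacl)# 10 permit icmp host 11.0.0.2 host 12.0.0.2 echo
Router0(config-ext-nacl)# end
Router0# show access-lists sajjad

! Removal (Question 1): unbind the list from the interface first, then delete
! it. Deleting first would leave "ip access-group sajjad in" pointing at a
! list that no longer exists, and on IOS an interface ACL that is not defined
! permits all traffic, so the filtering silently disappears.
Router0# configure terminal
Router0(config)# interface FastEthernet0/0
Router0(config-if)# no ip access-group sajjad in
Router0(config-if)# exit
Router0(config)# no ip access-list extended sajjad
! For the numbered list of Exercises 1 and 2 the equivalent pair is
! "no ip access-group 100 in" on the interface, then "no access-list 100".
Router0(config)# end
! Confirm nothing is left behind.
Router0# show access-lists
Router0# show running-config interface FastEthernet0/0
```

After the removal, the interface section of the running-config should no longer contain an ip access-group line, and show access-lists should print nothing for sajjad.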
3. Configure the following topology
ROUTER 0 :
ROUTER 1 :
Applying Extended ACL at Router 0: