Free CCNA 200-301 Course 28-06: Numbered ACLs Lab Demo
Summary
TLDR: In this lecture the presenter walks through configuring Cisco IOS access control lists (ACLs) in a CCNA lab built in GNS3. The session covers a standard numbered ACL that blocks traffic from one subnet to the router R2 while still permitting it from another, and an extended numbered ACL that permits telnet to R2 from a single administrator host only. The demonstration includes choosing the interface and direction for each ACL (a standard ACL can match only the source address, so it is placed outbound on the interface towards the destination; the extended ACL is placed inbound, close to the source) and then testing with ping and telnet that the intended traffic is permitted or denied.
Takeaways
- 📚 The lesson focuses on configuring Access Control Lists (ACLs) in a CCNA course, with lab exercises available for download.
- 🔗 The link to download the hands-on lab exercises is provided in the description of the lecture.
- 📌 The lab has routers R1 and R2. PC1 (10.0.1.10) and PC2 are in the 10.0.1.0/24 subnet, PC3 is in 10.0.2.0/24, and R2 is reached at 10.0.0.2 across the link on R1's FastEthernet 0/0.
- 🛠️ Routing has been pre-configured; every PC can ping R2 before the ACLs are added, and the demo confirms this with ping tests.
- 🚫 The first security task is to prevent PCs in 10.0.2.0/24 from reaching R2 at 10.0.0.2 while keeping connectivity from 10.0.1.0/24 to R2 and from 10.0.2.0/24 to 10.0.1.0/24, using a standard numbered ACL on R1.
- 🌐 Standard ACLs can filter only on the source IP address; extended ACLs can match source and destination addresses, the protocol (TCP, UDP, ICMP or all IP) and port numbers.
- 🔄 Because a standard ACL cannot name a destination, applying it inbound on R1's FastEthernet 2/0 would also cut PC3 off from the 10.0.1 subnet. It is instead applied outbound on R1's FastEthernet 0/0, the interface towards R2, so only traffic heading to R2 is filtered.
- 🔒 ACL 1 denies 10.0.2.0 0.0.0.255 and permits 10.0.1.0 0.0.0.255; the implicit deny at the end of the list drops any other source on its way to R2, so the permit for 10.0.1.0/24 is required.
- 📈 The ACL is tested by pinging R2 from PC1 (succeeds), from PC3 (fails), and by pinging PC1 from PC3 (succeeds, confirming the path between the two PC subnets is intact).
- 🔐 The second task is a numbered extended ACL that allows telnet to R2 only from PC1, the administrator workstation, and denies it from every other PC.
- 🔍 ACL 100 permits TCP from host 10.0.1.10 to host 10.0.0.2 eq telnet (port 23), then denies TCP from 10.0.1.0 0.0.0.255 to host 10.0.0.2 eq telnet, then permits ip any any so non-telnet traffic is unaffected. Entry order matters: the host permit must precede the subnet deny or PC1 is blocked as well.
- 🎯 The extended ACL is applied inbound on R1's FastEthernet 1/0, the interface facing the 10.0.1 PCs, which filters as close to the source as possible and avoids FastEthernet 0/0, where ACL 1 already occupies the outbound direction (one ACL per interface per direction).
Q & A
What is the main topic of the lecture?
-The main topic of the lecture is configuring access control lists (ACLs) with a lab demo as part of a complete CCNA course.
How can you access the hands-on lab exercises?
-You can access the hands-on lab exercises by downloading them from the link provided in the description of the lecture.
What are the two routers and the three PCs named in the lab scenario?
-The two routers are R1 and R2, and the PCs are PC1, PC2 and PC3.
What is the IP subnet for PC1 and PC2?
-PC1 and PC2 are in the 10.0.1.0/24 subnet; PC1 is 10.0.1.10.
Which subnet does PC3 belong to?
-PC3 is in the 10.0.2.0/24 subnet.
What is the first security task given to the network administrator in the scenario?
-PCs in the 10.0.2.0/24 network must have no connectivity to R2 at 10.0.0.2, while PCs in 10.0.1.0/24 keep their connectivity to R2 and PC3 keeps its connectivity to the 10.0.1 subnet. The task must be done with a standard numbered ACL on R1.
What type of ACL is used to block traffic from the 10.0.2 subnet to R2 while allowing traffic from the 10.0.1 subnet?
-A standard numbered ACL (ACL 1), which can match only the source address: it denies 10.0.2.0 0.0.0.255 and permits 10.0.1.0 0.0.0.255.
Where is the standard numbered ACL applied in the router to achieve the security task?
-Outbound on the FastEthernet 0/0 interface of R1, the interface towards R2. Applying it inbound on R1's FastEthernet 2/0 would also stop PC3 reaching the 10.0.1 subnet, because a standard ACL cannot distinguish destinations.
What is the second scenario's security task in the lecture?
-The second scenario's security task is to permit telnet access from pc1 to r2, allowing only the administrator workstation to access the router remotely, while denying telnet access from any other PC or subnet.
What type of ACL is used for the second security task, and what are its characteristics?
-An extended numbered ACL (ACL 100) is used. It can specify the protocol (here TCP), the source and destination addresses and the destination port (eq telnet, i.e. 23), and it ends with permit ip any any so that only telnet is restricted.
How is the extended numbered ACL applied in the router for the second scenario?
-The extended numbered ACL is applied inbound on the FastEthernet 1/0 interface of R1, the interface connected to the 10.0.1 PCs. This filters close to the source and avoids FastEthernet 0/0, whose outbound direction is already taken by the standard ACL.
What is the result of applying the ACLs in the lab scenario?
-After applying the ACLs, PC1 can still ping R2 and gets a telnet password prompt from it, PC2 cannot telnet to R2 but can still ping it, and PC3 remains unable to reach R2 because of the standard ACL applied earlier.
Outlines
📚 Introduction to CCNA Lesson and Lab Exercises
The video begins with a reminder to download the lab exercises for the complete CCNA course and to subscribe for updates. The lecture covers configuring access control lists (ACLs) with a lab demonstration. The lab has routers R1 and R2, PC1 and PC2 in the 10.0.1.0/24 subnet and PC3 in 10.0.2.0/24, with routing pre-configured so that every PC can ping R2 at 10.0.0.2. The first task is to stop the 10.0.2 network reaching R2 while keeping the 10.0.1 subnet's connectivity to R2 and PC3's connectivity to 10.0.1. Because a standard ACL matches only the source address, the lesson shows that it cannot go inbound on R1's FastEthernet 2/0 and must instead be applied outbound on R1's FastEthernet 0/0, the interface towards R2.
🔒 Configuring a Standard Numbered Access List
This part configures the standard numbered ACL. A standard ACL can specify only the source address, and every ACL ends with an implicit deny, so the task is to deny 10.0.2.0/24 and explicitly permit 10.0.1.0/24. The demo creates ACL 1 with access-list 1 deny 10.0.2.0 0.0.0.255 followed by access-list 1 permit 10.0.1.0 0.0.0.255 (both lines use a wildcard mask, where 0.0.0.255 covers a /24), then applies it with ip access-group 1 out on R1's FastEthernet 0/0 so that only traffic leaving towards R2 is filtered. Pings from PC1 to R2 (succeeds), from PC3 to R2 (fails) and from PC3 to PC1 (succeeds) confirm the behaviour.
🌐 Implementing a Numbered Extended Access List
This section uses a numbered extended ACL to restrict one specific type of traffic: only PC1 (the administrator workstation, 10.0.1.10) may telnet to R2. ACL 100 is built as access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet, then access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet, then access-list 100 permit ip any any so that the implicit deny at the end of the list does not drop other traffic. Order matters: the more specific host permit must come before the subnet deny, or PC1 is blocked too. The ACL is applied inbound on R1's FastEthernet 1/0, close to the source; FastEthernet 0/0 outbound is already occupied by ACL 1, and an interface accepts only one ACL per direction. Testing: PC1 gets a telnet password prompt, PC2's telnet is refused, PC2 can still ping R2, and PC3 remains blocked by ACL 1.
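As an added example (not part of the lecture or its lab files), the following Python script replays both scenarios offline. It parses the five IOS access-list lines from the demo, matches addresses with Cisco wildcard masks, walks each list top-down with first-match-wins semantics and the implicit deny at the end, and shows the ordering trap from the extended-ACL section by evaluating ACL 100 with its first two entries swapped. The lecture gives only PC1 (10.0.1.10) and R2 (10.0.0.2); the addresses used for PC2 (10.0.1.11), PC3 (10.0.2.10) and an outside host (192.168.1.1) are constructed for the test.

```python
"""Evaluator for Cisco-style numbered ACLs (added example, not lab code).

Implements the semantics the lecture relies on: wildcard-mask matching,
first-match-wins ordering and the implicit deny at the end of every list.
IOS syntax is parsed only as far as the lab needs: standard lists, and
extended lists with a protocol, 'host'/'any'/wildcard addresses and an
optional 'eq <port>' on the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21, "domain": 53}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches every protocol
    src: tuple             # (network, wildcard)
    dst: tuple
    dport: Optional[int]   # None: any destination port
    text: str              # original IOS line, for reporting


def _addr(tokens: list) -> tuple:
    """Consume one address spec ('any', 'host X', or 'X W') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_acl(config: str, number: int) -> list:
    """Collect the 'access-list <number> ...' lines for one ACL, in order."""
    entries = []
    for raw in config.strip().splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or not t[1].isdigit():
            continue
        if int(t[1]) != number or t[2] not in ("permit", "deny"):
            continue
        action, rest = t[2], t[3:]
        if number <= 99 or 1300 <= number <= 1999:     # standard: source only
            if rest[0] not in ("any", "host") and len(rest) == 1:
                rest.append("0.0.0.0")                 # bare address = single host
            entries.append(Entry(action, "ip", _addr(rest),
                                 ("0.0.0.0", "255.255.255.255"), None, raw.strip()))
        else:                                          # extended
            proto = rest.pop(0)
            src, dst = _addr(rest), _addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            entries.append(Entry(action, proto, src, dst, dport, raw.strip()))
    return entries


def evaluate(acl: list, src: str, dst: str, proto: str, dport: Optional[int] = None) -> tuple:
    """Walk the list top-down; first match wins, no match is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny any"


# The lecture's R1 configuration. (ACL 1 is applied outbound on Fa0/0 and
# ACL 100 inbound on Fa1/0; interface placement is not modelled here.)
R1_CONFIG = """
access-list 1 deny 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
access-list 100 permit ip any any
"""
ACL1 = parse_acl(R1_CONFIG, 1)
ACL100 = parse_acl(R1_CONFIG, 100)

# PC1 and R2 come from the lecture; PC2, PC3 and OUTSIDE are constructed test addresses.
PC1, PC2, PC3, R2, OUTSIDE = "10.0.1.10", "10.0.1.11", "10.0.2.10", "10.0.0.2", "192.168.1.1"


def standard_acl_results() -> dict:
    """Scenario 1: who gets through ACL 1 towards R2 (ICMP echo)."""
    return {
        "pc1->r2": evaluate(ACL1, PC1, R2, "icmp")[0],
        "pc3->r2": evaluate(ACL1, PC3, R2, "icmp")[0],
        "outside->r2": evaluate(ACL1, OUTSIDE, R2, "icmp")[0],  # hits the implicit deny
    }


def extended_acl_results(acl=None) -> dict:
    """Scenario 2: telnet allowed only from PC1, everything else untouched."""
    acl = ACL100 if acl is None else acl
    return {
        "pc1 telnet": evaluate(acl, PC1, R2, "tcp", 23)[0],
        "pc2 telnet": evaluate(acl, PC2, R2, "tcp", 23)[0],
        "pc2 ssh": evaluate(acl, PC2, R2, "tcp", 22)[0],
        "pc2 ping": evaluate(acl, PC2, R2, "icmp")[0],
    }


# The ordering trap from the lecture: the subnet deny placed first shadows the host permit.
ACL100_SWAPPED = [ACL100[1], ACL100[0], ACL100[2]]

if __name__ == "__main__":
    print("ACL 1      :", standard_acl_results())
    print("ACL 100    :", extended_acl_results())
    print("swapped 100:", extended_acl_results(ACL100_SWAPPED))
```

The script models the lists, not where they hang: ACL 1 only sees packets leaving R1's FastEthernet 0/0, which is why its implicit deny of the outside source is harmless to PC3's traffic towards 10.0.1, and why ACL 100 must sit on FastEthernet 1/0 rather than share FastEthernet 0/0 outbound.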
Keywords
💡CCNA
💡Access Control Lists (ACLs)
💡GNS3
💡Routing
💡Subnetting
💡Standard ACLs
💡Extended ACLs
💡Wildcard Mask
💡Implicit Deny
💡Inbound and Outbound
💡Telnet
Highlights
The lesson focuses on configuring Access Control Lists (ACLs) in a CCNA course.
Hands-on lab exercises accompany the course, with a link provided in the description for download.
The lab demo involves configuring routers and PCs in a network setup within GNS3.
The network setup includes routers R1 and R2, and PCs in the 10.0.1 and 10.0.2 subnets.
Routing has been pre-configured for successful connectivity between the devices.
The lecture demonstrates how to apply a standard numbered ACL for network security.
The scenario involves securing the network by restricting access from the 10.0.2 network to R2.
The standard ACL is applied outbound on R1's FastEthernet 0/0, the interface towards R2, so traffic from 10.0.2.0/24 is dropped only on its way to R2 and not on its way to the 10.0.1 subnet.
The lecture explains the difference between standard and extended ACLs, emphasizing the need for extended ACLs for more complex rules.
A standard ACL is limited to specifying source addresses only.
The lecture provides a step-by-step guide on configuring and applying the ACLs.
Testing the ACL configuration is done by pinging and attempting to establish Telnet connections.
The lecture also covers the use of implicit deny statements at the end of ACLs.
A numbered extended ACL is introduced to allow Telnet access from a specific PC to the router.
The extended ACL configuration involves specifying source and destination addresses and the protocol (Telnet).
The standard ACL is applied outbound on R1 FastEthernet 0/0 and the extended ACL inbound on R1 FastEthernet 1/0; an interface accepts only one ACL per direction.
The lecture concludes with a summary of the tasks completed using numbered standard and extended ACLs.
Transcripts
Just a quick reminder before we get into the lesson: download the hands-on lab exercises that accompany this complete CCNA course. I'll include the link in the description. Also remember to subscribe and hit the notifications bell so you don't miss any of the lessons in the course. Okay, let's get into it. In this lecture you'll learn how to configure access control lists with a lab demo.
So here's the lab I've got open in GNS3 here. I've got a couple of routers, R1 and R2. I've got PC1 and PC2 in the 10.0.1 subnet, and PC3 is in 10.0.2.0/24. I've already configured the routing, so if I console onto PC1 and try pinging R2 at 10.0.0.2, the ping to 10.0.0.2 from PC1 works okay. I know for sure it's going to work from PC2 as well because it's in the same subnet, but let's just do it anyway, so ping 10.0.0.2 from here as well. And let's check that everything's okay from our 10.0.2 subnet as well, so I'll ping 10.0.0.2, which is R2, from there as well. Okay, so connectivity is all working just fine.

Actually, let's have a look at the routing table on R1. I'll jump on there and do a show ip route, and try to do it without a typo. I've just got my connected and local routes on there, and because R2 is also on the 10.0.0 network at 10.0.0.2, that's why I've got connectivity everywhere. Okay, looking back at the topology diagram,
the scenario is that we're the network administrator and we've been given some security tasks to secure the network. The first scenario is that PCs in the 10.0.2 network should not have any connectivity to R2 at 10.0.0.2, but the PCs in the 10.0.1 subnet should have connectivity to R2, and also PC3 in 10.0.2 should still have connectivity to 10.0.1 as well.

Usually when we configure an ACL to do security we'll secure it as close to the source as possible, so the traffic isn't going over any part of the network that it doesn't need to. But if we look at the scenario here, let's say that we've been given a task that we have to configure a standard numbered access list to do that, and it has to be on R1. So we could do it inbound on FastEthernet 2/0 at the bottom here. With a standard ACL you can only specify the source address; to be able to specify the source and the destination that it's going to, that needs to be an extended or a named extended ACL. So what we want to do is block traffic from 10.0.2 to R2, but we need to allow traffic from 10.0.2 to 10.0.1. So we can't put the ACL inbound on that Fast 2/0 interface on R1, because if we blocked traffic from 10.0.2 we would be blocking it going to R2, but we'd be blocking it to the 10.0.1 subnet as well. So the only way that we can do this task using a numbered standard ACL is by putting it on that outside Fast 0/0 interface on R2. If that's not clear yet, let's do it and then you'll see what I mean. So we want to block traffic from 10.0.2 and allow traffic from 10.0.1.
So let's go onto the command line on R1. I'll go to global config and I'll make this access list 1, and I'm going to deny traffic from the 10.0.2.0 subnet. The wildcard mask is 0.0.0.0 because it's a slash 24, and it's a standard ACL, I can tell because it's number 1, so I can only specify the source address, so that's all that I need to put in here. Now in all of your access lists there's always an implicit deny any any at the bottom of the list, but I need to allow traffic from the 10.0.1 network. So for that I'm going to do access-list, this is also on list 1, and I'm going to permit 10.0.1.0 and 0.0.0.255 again, and that's all that I need to do. Well, apart from actually applying the access list, of course.

So to do that let's look at the topology diagram again, and I'm going to do it on the outside interface, Fast 0/0. So back on the command line I go to interface Fast 0/0, and the command now is ip access-group, it's group 1, and I'm doing it in the direction towards R2, so that is in the outbound direction. Looking at the topology diagram again, if I wanted to control traffic going from the 10.0.2 network to R2, I could either do it inbound on Fast 2/0 as it comes into R1, or I can do it outbound on Fast 0/0 as it goes out of R1 on its way to R2. But like we said earlier, you can't do that in this particular scenario, because if I blocked traffic coming from 10.0.2.0 coming in on Fast 2/0 it wouldn't just stop it getting to R2, it would stop it getting to the 10.0.1 network as well, and I need to allow that. So that's my whole config. Let's just have a look at it again: I denied traffic from 10.0.2, I permitted traffic from 10.0.1, and applied that outbound on the Fast 0/0 interface. So let's check that it is working.
So let's go onto PC1 first and check that PC1 still has connectivity to the router. I'll ping 10.0.0.2 and that is all good. PC1 has connectivity, so I know that PC2 does as well. PC3 should not have connectivity to 10.0.0.2, so let's check that: ping 10.0.0.2, and there we go, the ping fails, so my access list is working. But it should have connectivity to the PCs in the other subnet, so I'll ping PC1, 10.0.1.10, and that is successful. So that is the first task completed. We used a numbered standard ACL to block traffic from the 10.0.2 subnet to R2 at 10.0.0.2 but allow all of our other traffic everywhere else. Okay, so that was a numbered standard ACL.
Next up let's have a look at a numbered extended ACL. If I go back to the topology again, the scenario this time is going to be that we're going to permit telnet from PC1 to R2. Let's say that PC1 is our administrator workstation, and telnet is a way that you can remotely get onto the command line on a router; we'll cover it in more detail in a later section. So we're going to allow it from PC1, but PC1 is the only administrator workstation, so no other PC, no other subnet, is allowed to telnet onto R2.

So let's configure that. I'll go onto the command line on R1 again, and in my ACL I'm going to do an extended ACL which allows traffic from 10.0.1.10 to 10.0.0.2 when it's telnet traffic, but denies it from everywhere else, and is going to allow all other traffic. So let's go into R1 to configure this. Let's go down a few lines. I'll say access-list, and it's an extended ACL this time, so that starts with 100; I'll use that for my number. And I'm going to permit traffic from host 10.0.1.10, but I'm going to specify it's telnet traffic, so I need to say that this is TCP. So I permit tcp, and I'm going to say from host 10.0.1.10, and it's going to host R2 at 10.0.0.2, and then equals (eq), the port is telnet. I could also have said eq 23; the router would take that command as well. So I'm allowing it from PC1. I don't want to allow it from any other PC in that subnet, so I'll say access-list 100 and I'm going to deny tcp from the 10.0.1.0 0.0.0.255 subnet going to host 10.0.0.2 eq telnet. And you can see it's important I get these in the right way: if I put that second command in first I'd be blocking traffic from all hosts on the 10.0.1 subnet, including PC1, so I need to put my more specific commands up at the top of the ACL. And then I want to allow all other traffic; I'm just controlling telnet here. So I need to also say access-list 100 permit ip any any to allow all other traffic, and that overrides the implicit deny any any at the bottom of the ACL. The implicit deny any any is still down there at the bottom, but the router reads the permit ip any any first, so this is going to allow all traffic apart from what I explicitly denied.
Okay, so that's my ACL configured, and importantly we need to remember to apply it at the interface; it's really easy to forget to do this. So looking at the topology diagram, it's always best practice to secure as close to the source as you can. So here we could put the ACL inbound on this interface on the outside here, which is Fast 0/1... Fast 1/0, sorry, on the router. Actually, let me make a note just to make that clear, so I'll say this is Fast 1/0, and that is the interface that we're going to put this on. Let me try to clear that up a bit. Okay, that's right. So we're going to put it on Fast 1/0. Let me just clear that up a bit, making a mess of my topology diagram here. Okay, so it's going to go inbound there. I could also have put it outbound on Fast 0/0, but I've already got an ACL configured on there, the ACL that I did earlier, my standard numbered. You can only have one ACL per interface per direction, so I'm going to put it on Fast 1/0. So back on R1 I go interface Fast 1/0, and it's ip access-group 100, and it's in this time because it's coming in Fast 1/0 and going out Fast 0/0. Okay, so that is my ACL configured.
Let's test it next. So if I go onto PC1 I should be able to telnet to 10.0.0.2. Telnet's already been configured, and there you go, I can see it's working because I'm getting the password prompt, so I'm able to telnet onto R2 from PC1. I should not be able to get on there from PC2, so let's check that. I'm going to PC2 and I'll telnet to 10.0.0.2, and there we go, destination unreachable. That's good, it's because my ACL is blocking the traffic. But it should just be telnet traffic; I should be able to ping 10.0.0.2, and that's working, so that is all good. Actually, looking back at the topology diagram again, I didn't need to specify anything about PC3 because I already had my first ACL blocking traffic going out to R2 from it, so it was getting blocked already.

Okay, so that was a numbered standard and a numbered extended. I'll do a named ACL in the next lecture because I feel like this one's gone on for a little while now. So go get yourself a cup of coffee if you want to; I'll see you back here for named ACLs. Thanks for watching.
If you'd like to get the complete course ad-free right now, then you can enroll in my CCNA Gold Bootcamp by clicking the link above my head or in the description. It also includes full study notes, quizzes, and 150 pages of additional troubleshooting labs you can't find anywhere else.