ACL Task 1

Stop PC0 from accessing the webserver in Chatham

This means we must block port 80 (HTTP) traffic from PC0 to that server.

What is PC0’s IP address? 172.16.1.2

What is the webserver’s address? 172.17.2.100

What protocol is carrying the port 80 (www) traffic? TCP


We need these three answers to create the ACL.

Extended access control lists need 4 parameters from the network and a decision to either permit or deny the traffic.

Required parameters:

1. The transport protocol (here TCP)

2. The source IP address, with its wildcard mask

3. The destination IP address, with its wildcard mask

4. The port that identifies the traffic we want to match (here 80)

Putting these together, an extended ACL line has the form:

access-list <number> {permit | deny} <protocol> <source IP> <source wildcard> <destination IP> <destination wildcard> eq <port>

Filling in our values gives the command below, which matches exactly the traffic we need to block.

access-list 100 deny tcp 172.16.1.2  0.0.0.0  172.17.2.100  0.0.0.0 eq 80

Now we need a second line to allow all other traffic through. This is essential: every ACL ends with an implicit "deny everything", so without a permit line all other traffic from PC0's side would be dropped as well. Either of the following achieves this:

access-list 100 permit ip 0.0.0.0 255.255.255.255  0.0.0.0 255.255.255.255 

OR

access-list 100 permit ip any any

This ACL is entered on the router closest to PC0, which is the London router.

Enter global configuration mode (configure terminal) and add the two lines. Numbered ACLs are typed at the global configuration prompt:

Router(config)#access-list 100 deny tcp 172.16.1.2  0.0.0.0  172.17.2.100  0.0.0.0 eq 80

Router(config)#access-list 100 permit ip any any

Now we need to apply the ACL to a particular interface, in a particular direction. Here an outbound ACL is the more efficient choice. Look back at the network diagram and you can see that the most suitable interface is s0/0/1.

Imagine you are standing INSIDE the London router: PC0's traffic to Chatham leaves through s0/0/1, so the ACL needs to be applied in the outbound direction. Apply it as shown below.


Router(config)#int s0/0/1

Router(config-if)#ip access-group 100 out

To check that the ACL has worked, use the browser on PC0 to try to access 172.17.2.100 (the webserver).

The page should not load, but you ought to still be able to ping 172.17.2.100 from PC0: ICMP is not TCP port 80, so it does not match the deny line and falls through to the permit line.

To verify that the ACL is actually being hit, display it on the router. The output shows a match counter for each line, i.e. how many packets have matched that line so far.


Router#show ip access-list 100

Extended IP access list 100

    deny tcp host 172.16.1.2 host 172.17.2.100 eq www (48 match(es))

    permit ip any any (7 match(es))


You can see from the output above that the deny line has matched 48 packets and the permit line 7. Note that the router displays a 0.0.0.0 wildcard entry as "host" and port 80 as "www"; the meaning of the lines is unchanged.

You can generate more matches by using the browser again or by pinging the webserver again, then re-run the show command and watch the counters climb. Try this.
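To see why the browser is blocked but the ping still works, here is a small Python model of how the router evaluates ACL 100 (an added example written for this page, not Cisco code or output). It applies wildcard-mask matching and top-down first-match evaluation to constructed sample packets and keeps the same per-line match counters that show ip access-list reports; the packets, the host 172.16.1.3 and the port 443 case are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: str           # source address and its wildcard mask
    src_wild: str
    dst: str           # destination address and its wildcard mask
    dst_wild: str
    dst_port: int = 0  # "eq <port>" on the destination; 0 means any port
    matches: int = 0   # the per-line counter that "show ip access-list" prints

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard mask: a 0 bit must match exactly, a 1 bit is ignored, so
    # 0.0.0.0 means "this one host" and 255.255.255.255 means "any".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def entry_matches(e: AclEntry, pkt: dict) -> bool:
    return ((e.proto == "ip" or e.proto == pkt["proto"])
            and wildcard_match(pkt["src"], e.src, e.src_wild)
            and wildcard_match(pkt["dst"], e.dst, e.dst_wild)
            and (e.dst_port == 0 or pkt.get("dport") == e.dst_port))
def evaluate(acl: list, pkt: dict) -> str:
    # Top-down, first match wins and bumps that line's counter; a packet that
    # matches no line falls through to the implicit "deny ip any any".
    for e in acl:
        if entry_matches(e, pkt):
            e.matches += 1
            return e.action
    return "deny"
def build_acl_100() -> list:
    return [
        AclEntry("deny", "tcp", "172.16.1.2", "0.0.0.0", "172.17.2.100", "0.0.0.0", 80),
        AclEntry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ]
# Constructed traffic leaving London s0/0/1: PC0 HTTP, PC0 ping, another host's HTTP,
# and PC0 on port 443 (not blocked, because the ACL names only port 80).
SAMPLE_TRAFFIC = [
    {"proto": "tcp", "src": "172.16.1.2", "dst": "172.17.2.100", "dport": 80},
    {"proto": "icmp", "src": "172.16.1.2", "dst": "172.17.2.100"},
    {"proto": "tcp", "src": "172.16.1.3", "dst": "172.17.2.100", "dport": 80},
    {"proto": "tcp", "src": "172.16.1.2", "dst": "172.17.2.100", "dport": 443},
]
def run_sample():
    acl = build_acl_100()
    decisions = [evaluate(acl, p) for p in SAMPLE_TRAFFIC]
    return decisions, [(e.action, e.matches) for e in acl]
```

Running run_sample() returns the decisions ["deny", "permit", "permit", "permit"] and the counters [("deny", 1), ("permit", 3)], the same two numbers the router's match(es) column would show for this traffic.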