Learn Cisco CLI – Part 12 – Standard Access Lists

In this blog, I’ll walk through configuring routers with IP addresses, enabling Routing Information Protocol version 2 (RIPv2), and setting up standard Access Control Lists (ACLs) to filter traffic. ACLs are crucial in network security because they control which packets are allowed or denied as they traverse network interfaces.

The configuration steps I’ll discuss include setting hostnames, assigning IP addresses, enabling interfaces, configuring RIPv2 for routing, and creating standard ACLs to block specific traffic.

EVE-NG LAB SETUP

IP ADDRESSES

Device    Interface   IP Address    Subnet Mask
Router1   Fa0/0       24.17.2.1     255.255.255.240
Router1   S0/0        24.17.2.17    255.255.255.240
Router2   Fa0/0       24.17.2.2     255.255.255.240
Router4   S0/0        24.17.2.18    255.255.255.240

VIRTUALIZED HARDWARE

Device     Image
Routers    Cisco C7200_ADVENTERPRISEK9-M
Switches   Cisco I86BI_LINUXL2-IPBASEK9-M

Command Breakdown

  • access-list access-list-number {deny | permit} source-address source-wildcard: Creates an ACL that denies or permits IP traffic from a specified source address or address range.
  • clock rate clock-rate: Sets the clock rate on a Data Communications Equipment (DCE) serial interface.
  • configure terminal: Enters global configuration mode from privileged EXEC mode.
  • enable: Enters privileged EXEC mode from user EXEC mode.
  • end: Exits configuration mode and returns to privileged EXEC mode.
  • hostname host-name: Sets the router’s hostname for identification.
  • interface type number: Enters interface configuration mode for a specified interface.
  • ip address ip-address subnet-mask: Assigns an IP address and subnet mask to an interface.
  • ip access-group {access-list-number | access-list-name} {in | out}: Applies an ACL to an interface to filter incoming or outgoing traffic.
  • network network-address: Enables a routing protocol on a specified network.
  • no shutdown: Activates an interface that is administratively down.
  • ping ip-address: Sends ICMP echo request packets to test connectivity to a specific IP address.
  • router rip: Enables the Routing Information Protocol (RIP).
  • show access-lists: Displays all configured access lists on the router.
  • version 2: Configures RIP to use version 2.

Standard Access Control Lists (ACLs) are essential tools in network management used to control the flow of IP traffic based on source IP addresses. They allow network administrators to permit or deny packets moving through the routers, enhancing security and traffic management. Unlike Extended ACLs, Standard ACLs focus solely on filtering traffic based on the source IP address.

Configuring Routers with IP Addresses and RIPv2

First, I configure Router1 with the appropriate hostname, IP addresses, and enable the interfaces. Since Router1 is the DCE end of the link to Router4, I set the clock rate on Serial 0/0.

Router>enable
Router#configure terminal
Router(config)#hostname Router1
Router1(config)#interface Fa0/0
Router1(config-if)#ip address 24.17.2.1 255.255.255.240
Router1(config-if)#no shutdown
Router1(config-if)#interface S0/0
Router1(config-if)#ip address 24.17.2.17 255.255.255.240
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown

The process for Router2 is similar to Router1, but without configuring a clock rate since it is not the DCE.

Router>enable
Router#configure terminal
Router(config)#hostname Router2
Router2(config)#interface Fa0/0
Router2(config-if)#ip address 24.17.2.2 255.255.255.240
Router2(config-if)#no shutdown

Configure Router4 with its own IP address and enable the serial interface.

Router>enable
Router#configure terminal
Router(config)#hostname Router4
Router4(config)#interface S0/0
Router4(config-if)#ip address 24.17.2.18 255.255.255.240
Router4(config-if)#no shutdown

To ensure the configurations are correct, I verify connectivity by pinging Router2 and Router4 from Router1. Both pings should succeed, indicating that the routers are correctly configured and can communicate.

Router1#ping 24.17.2.2
Router1#ping 24.17.2.18

I enable RIP version 2 on all three routers to advertise their connected networks dynamically.

Router1(config)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 24.0.0.0

Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 24.0.0.0

Router4(config)#router rip
Router4(config-router)#version 2
Router4(config-router)#network 24.0.0.0

After allowing time for the network to converge, verify that you can ping Router2’s FastEthernet 0/0 interface (24.17.2.2) from Router4. The ping should be successful.

Router4#ping 24.17.2.2

Configuring Standard ACLs

I need to block traffic from Router4 (source IP 24.17.2.18) to Router2. Since Standard ACLs filter based on source IP addresses, I create the ACL on Router2 and apply it as close to the destination as possible.

Creating ACL 1 on Router2:

Router2(config)#access-list 1 deny host 24.17.2.18

At this point, although the ACL is created, it is not yet applied to any interface, so it does not affect traffic.

I apply the ACL inbound on Router2’s Fa0/0 interface to filter incoming traffic.

Router2(config)#interface Fa0/0
Router2(config-if)#ip access-group 1 in

Attempting to ping Router2 from Router4 should now fail, as the ACL blocks traffic from Router4’s IP address.

Router4#ping 24.17.2.2

Understanding Implicit Deny Any

Now, I test connectivity from Router1 to Router2.

Router1#ping 24.17.2.2

The ping fails. This happens because of the implicit “deny any” at the end of every ACL. If a packet doesn’t match any permit or deny statements in the ACL, it is implicitly denied. In this case, since the ACL only contains a deny statement for Router4’s IP and no permit statements, all other traffic is also denied.

Explanation:

  • ACL Processing Order: Routers evaluate packets against ACL statements in sequential order.
  • Implicit Deny Any: Any traffic not explicitly permitted is denied by default.
  • Permit and Deny Keywords: These determine whether matching packets are forwarded or dropped.

Editing ACLs

To allow all other traffic to reach Router2, I add a permit any statement to the ACL.

Router2(config-if)#exit
Router2(config)#access-list 1 permit any

Note: When editing ACLs, be cautious. Each new access-list statement is appended to the end of a numbered ACL, and entries are processed sequentially, so to insert a statement earlier in the list you may need to remove and recreate the ACL in the correct order.

After modifying the ACL, I test connectivity from Router1 to Router2 again.

Router1#ping 24.17.2.2

The ping should now succeed, indicating that the ACL permits traffic from all sources except Router4.

I perform a final check to ensure that traffic from Router4 is still blocked. The ping should fail, confirming that the ACL continues to block traffic from Router4 while allowing other traffic.

Router4#ping 24.17.2.2
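To make the implicit deny and the sequential first-match behaviour concrete, here is an added Python simulation of standard ACL evaluation (my own example, not part of the original post or any Cisco code). It reproduces ACL 1 before and after the permit any statement, and generalises to address/wildcard entries; the wildcard-mask matching rule follows IOS, everything else (function names, the constructed ACL lists) is an assumption of this example.

```python
# Added example: simulate how a Cisco standard ACL evaluates a packet's
# source address. Entries are checked top to bottom, the first match wins,
# and a packet that matches nothing hits the implicit "deny any".
from ipaddress import IPv4Address


def matches(entry_addr: str, wildcard: str, src: str) -> bool:
    # Wildcard bit 0 = "must match", bit 1 = "don't care" (IOS semantics).
    a = int(IPv4Address(entry_addr))
    w = int(IPv4Address(wildcard))
    s = int(IPv4Address(src))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def parse_entry(line: str):
    # Accepts the forms used in the post: "deny host A", "permit any",
    # plus the general "permit A WILDCARD" form (hypothetical helper).
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"  # omitted = host
    return action, parts[1], wildcard


def evaluate(acl, src: str) -> str:
    """Return 'permit' or 'deny' for a packet with source address src."""
    for line in acl:
        action, addr, wildcard = parse_entry(line)
        if matches(addr, wildcard, src):
            return action  # first match wins; later lines are not consulted
    return "deny"  # implicit deny any at the end of every ACL


# Constructed ACLs mirroring the post: ACL 1 before and after the edit.
ACL_BEFORE = ["deny host 24.17.2.18"]
ACL_AFTER = ["deny host 24.17.2.18", "permit any"]

if __name__ == "__main__":
    for src in ("24.17.2.18", "24.17.2.1"):
        print(src, "before:", evaluate(ACL_BEFORE, src),
              "after:", evaluate(ACL_AFTER, src))
```

Reversing the two entries (permit any first) lets Router4's traffic through, which is why the note above about statement order matters.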
