4 Cisco access control list examples

In these four examples we configure four access control lists, covering both standard and extended access lists, each blocking a different type of traffic.

Example 1

Standard access list example

Blocking PC2 from accessing network 192.168.3.0

Only PC2 must be blocked; PC0 must still be able to reach the network.

To configure the access list, we will use the following commands

Router(config)#access-list 1 deny 192.168.2.5

Router(config)#access-list 1 permit any

Now the access list is applied to FA 1/0 in the inbound direction (ip access-group 1 in under that interface). Because a standard access list matches only the source address, applying it inbound on the interface that faces PC2 blocks PC2 from every network behind the router, not just 192.168.3.0. In a larger topology, apply a standard list outbound on the interface that faces 192.168.3.0 instead, as close to the destination as possible.

After the configuration, PC2 should be blocked from network 192.168.3.0, but it must still be able to ping PC0.

Download this lab to test the configuration.

Example 2

Standard access list for blocking PC2 from establishing the telnet connection with the router

VTY lines are configured on the router and the password is Cisco.

The other two PCs should be able to connect with the router using telnet protocol.

We can reuse the commands from the previous example, since the list again denies only PC2's address and permits everything else. To block Telnet access, create the standard access list (this lab names it ping) and bind it to the VTY lines with access-class instead of ip access-group; the command under line vty 0 4 is

Router(config-line)#access-class ping in

Unlike ip access-group, which filters traffic crossing one interface, access-class applies to the router's own VTY lines, so it covers Telnet (and SSH) sessions to the router no matter which interface they arrive on. Both numbered and named standard access lists can be used with access-class. The list must end with a permit entry; otherwise the implicit deny at the end of the list locks every address, including the administrator's, out of the VTY lines. Note also that Telnet carries the password Cisco in cleartext: the access list limits who may connect, but SSH should be preferred on a real network.

Download this lab to test the configuration: PC2 cannot telnet to the router, while the other computers still can.
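The behaviour that Examples 1 and 2 rely on (source-only matching, top-down first-match evaluation, and the implicit deny at the end of every list) is easy to get wrong. The following model of a Cisco standard access list is an added example, not code from the original lab or from Cisco IOS; it reproduces the evaluation rules so the reader can see why entry order and the trailing permit matter. PC0's address 192.168.2.4, the subnet list ACL_SUBNET and the sequence numbering 10, 20, 30 are assumptions made for the example.

```python
# Added example, not from the original article: a small model of how IOS
# evaluates a STANDARD access list.  Standard ACLs match on the source address
# only, entries are checked top-down, the first match wins, and a list that
# matches nothing ends in an implicit "deny any".
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def parse_standard_entry(line):
    """Turn 'deny 192.168.2.5', 'deny host 10.0.0.1', 'permit 10.0.0.0 0.0.0.255'
    or 'permit any' into (action, base, wildcard)."""
    action, *rest = line.split()
    if rest == ["any"]:
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    if len(rest) == 2:
        return action, rest[0], rest[1]
    # A bare address without a wildcard is a host entry (wildcard 0.0.0.0),
    # which is why "access-list 1 deny 192.168.2.5" matches only PC2.
    return action, rest[0], "0.0.0.0"


def evaluate_standard(acl, src):
    """Return (action, sequence number) of the first matching entry.
    (deny, None) means the packet fell off the end and hit the implicit deny."""
    for seq, line in enumerate(acl, start=1):
        action, base, wc = parse_standard_entry(line)
        if wildcard_match(src, base, wc):
            return action, seq * 10   # assumed numbering: IOS assigns 10, 20, 30...
    return "deny", None


# Example 1 from the article: deny PC2 (192.168.2.5), permit everyone else.
ACL_1 = ["deny 192.168.2.5", "permit any"]

# The same two entries in the wrong order: "permit any" matches first,
# so PC2 is never denied.
ACL_1_WRONG_ORDER = ["permit any", "deny 192.168.2.5"]

# Example 2 without the trailing "permit any": bound to the VTY lines with
# access-class this locks every address, the administrator's included, out.
ACL_NO_PERMIT = ["deny 192.168.2.5"]

# A subnet entry with a real wildcard mask (constructed for this example).
ACL_SUBNET = ["deny 192.168.2.0 0.0.0.255", "permit any"]

# PC0's address is not given in the article; 192.168.2.4 is assumed here.
PC0, PC2 = "192.168.2.4", "192.168.2.5"

if __name__ == "__main__":
    for name, acl, src in [
        ("ACL 1, PC2", ACL_1, PC2),
        ("ACL 1, PC0", ACL_1, PC0),
        ("wrong order, PC2", ACL_1_WRONG_ORDER, PC2),
        ("no permit any, PC0", ACL_NO_PERMIT, PC0),
        ("subnet deny, PC2", ACL_SUBNET, PC2),
        ("subnet deny, 192.168.3.7", ACL_SUBNET, "192.168.3.7"),
    ]:
        print(f"{name:26s} -> {evaluate_standard(acl, src)}")
```

On a real router the equivalent check is show access-lists after sending traffic: the match counters show which entry each packet hit, and a counter that never moves on the deny entry is the usual sign that an earlier permit is shadowing it.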

Example 3

Extended access list to block internet access

An extended access list can permit or deny traffic based on protocol and port number as well as address, so we can create an access list that blocks web traffic specifically.

A plain web request is a TCP connection to the HTTP server on port 80, so to block it we deny traffic from PC3 destined for TCP port 80. Note that this entry matches only HTTP: HTTPS (TCP port 443) and web servers on non-standard ports are not covered and would need entries of their own.

PC3 must be blocked from reaching web servers on the internet and on the internal network; all other traffic from PC3 is still permitted.

Command to configure the extended access list

Router(config)#ip access-list extended 100

Router(config-ext-nacl)#deny tcp host 192.168.5.5 any eq www

Router(config-ext-nacl)#permit ip any any

After creating the access list and applying it to the router's interface with ip access-group 100 in, we can test it by generating HTTP traffic.

We can use the traffic generation tool available on the PC to generate the traffic.

After generating the traffic, we verify with show access-lists that the list is matching and blocking the web traffic; the match counters show which entry each packet hit.

As the show access-lists output below shows, the access list has blocked the HTTP traffic from PC3, while the rest of the traffic hit the permit entry:

Extended IP access list 100

10 deny tcp host 192.168.5.5 any eq www (20 match(es))

20 permit ip any any (19 match(es))

Example 4

Named extended access list to block only ICMP traffic

A standard access list matches on the source address only, so it blocks all traffic from a source regardless of protocol or destination. An extended access list lets us choose exactly which traffic to block: in this lab PC3 will not be able to ping the server (ICMP from 192.168.5.5 to 192.168.4.1 is denied) but will still be able to use the server's web service.

Command to use

Router(config)#ip access-list extended Block-ICMP

Router(config-ext-nacl)#deny icmp host 192.168.5.5 host 192.168.4.1

Router(config-ext-nacl)#permit ip any any

Once the access list is enabled on the interface, it will block the ICMP packets sent from the PC3 while all other traffic will be allowed.

Extended IP access list Block-ICMP

10 deny icmp host 192.168.5.5 host 192.168.4.1 (8 match(es))

20 permit ip any any (2 match(es))

Download this lab and try pinging the server: the ping fails with a destination host unreachable error (the router answers the denied packets with an ICMP unreachable message), but the other services provided by the server still work.

Try using the web service; it works fine.
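Examples 3 and 4 both depend on extended matching: protocol, source, destination and, for TCP, the port. The model below is an added example, not code from the original lab or from Cisco IOS; it parses the article's two extended lists and evaluates constructed packets against them, which makes the HTTPS gap in access list 100 visible and shows why Block-ICMP leaves the web service alone. The internet web server 203.0.113.10, the second PC 192.168.5.6, the ephemeral source ports, the extra port-443 entry in ACL_100_WITH_HTTPS and the sequence numbering are assumptions made for the example.

```python
# Added example, not from the original article: a model of how IOS evaluates an
# EXTENDED access list.  Each entry names a protocol, a source, a destination and
# (for tcp/udp) optional ports, so one host can be cut off from one service while
# keeping everything else.  First match wins and the list ends in an implicit deny.
import ipaddress

# IOS port keywords this model understands (www is the one the article uses).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21, "domain": 53, "smtp": 25}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _take_addr(tokens):
    """Consume one address spec ('any', 'host X' or 'X wildcard'); return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _take_port(tokens):
    """Consume an optional 'eq <port|keyword>' and return the port number, or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_extended_entry(line):
    """Parse e.g. 'deny tcp host 192.168.5.5 any eq www' or 'permit ip any any'."""
    action, proto, *rest = line.split()
    src = _take_addr(rest)
    sport = _take_port(rest)
    dst = _take_addr(rest)
    dport = _take_port(rest)
    return action, proto, src, sport, dst, dport


def evaluate_extended(acl, pkt):
    """pkt is a dict with proto, src, dst and, for tcp/udp, sport and dport.
    Returns (action, sequence number); (deny, None) is the implicit deny."""
    for seq, line in enumerate(acl, start=1):
        action, proto, src, sport, dst, dport = parse_extended_entry(line)
        if proto != "ip" and proto != pkt["proto"]:   # 'ip' matches every protocol
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action, seq * 10   # assumed numbering: IOS assigns 10, 20, 30...
    return "deny", None


# Example 3 from the article.
ACL_100 = ["deny tcp host 192.168.5.5 any eq www", "permit ip any any"]
# The same list with HTTPS denied as well (extra entry assumed for this example).
ACL_100_WITH_HTTPS = ["deny tcp host 192.168.5.5 any eq www",
                      "deny tcp host 192.168.5.5 any eq 443",
                      "permit ip any any"]
# Example 4 from the article.
BLOCK_ICMP = ["deny icmp host 192.168.5.5 host 192.168.4.1", "permit ip any any"]

# Constructed packets: 203.0.113.10 is a made-up internet web server and
# 192.168.5.6 an assumed second PC on PC3's LAN.
PC3_HTTP = {"proto": "tcp", "src": "192.168.5.5", "dst": "203.0.113.10", "sport": 49152, "dport": 80}
PC3_HTTPS = {"proto": "tcp", "src": "192.168.5.5", "dst": "203.0.113.10", "sport": 49153, "dport": 443}
PC3_PING_SERVER = {"proto": "icmp", "src": "192.168.5.5", "dst": "192.168.4.1"}
PC3_WEB_SERVER = {"proto": "tcp", "src": "192.168.5.5", "dst": "192.168.4.1", "sport": 49154, "dport": 80}
OTHER_PING_SERVER = {"proto": "icmp", "src": "192.168.5.6", "dst": "192.168.4.1"}

if __name__ == "__main__":
    print("ACL 100, PC3 http     ->", evaluate_extended(ACL_100, PC3_HTTP))
    print("ACL 100, PC3 https    ->", evaluate_extended(ACL_100, PC3_HTTPS))   # not blocked
    print("with 443, PC3 https   ->", evaluate_extended(ACL_100_WITH_HTTPS, PC3_HTTPS))
    print("Block-ICMP, PC3 ping  ->", evaluate_extended(BLOCK_ICMP, PC3_PING_SERVER))
    print("Block-ICMP, PC3 http  ->", evaluate_extended(BLOCK_ICMP, PC3_WEB_SERVER))
    print("Block-ICMP, other ping->", evaluate_extended(BLOCK_ICMP, OTHER_PING_SERVER))
```

The HTTPS case is the one to take away: the article's access list 100 stops only port 80, so a browser that redirects to HTTPS still reaches the site. The same model also reproduces the counters in the article's show access-lists output, where web traffic from PC3 increments entry 10 and everything else lands on the permit at entry 20.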