Lab 049 How to Configure Extended Access List (ACL)

Configure and apply Extended ACLs to control traffic based on IP, protocols, and ports, ensuring network security in a router-on-a-stick topology


CCNA 200-301 Chapter 5 Security Fundamentals Lab 049 How to Configure Extended Access Lists ACL


Lab Objective:

Access Control Lists (ACLs) are essential for enforcing security policies and controlling traffic flow in a network. Extended ACLs provide more granular control by filtering traffic based on source and destination IP addresses, protocols, and ports. This lab will guide you through configuring both numbered and named extended ACLs to regulate network access for different devices and services. By completing this lab, you will gain hands-on experience configuring, applying, and verifying Extended ACLs in a router-on-a-stick topology, ensuring that specific security policies are enforced within the network.

Lab Topology:

CCNA 200-301 Lab Chapter 5 Security Fundamentals Lab 049 How to Configure Extended Access List ACL – Topology

Equipment Required:

  • 2 x Cisco Router (e.g., CISCO2811/K9)
  • 2 x Cisco switch (e.g., Cisco Catalyst series)
  • 3 x PC or laptop with NIC
  • 3 x Server with NIC
  • Console Cable
  • Ethernet Cable for connections between devices
  • Computer with Terminal emulation software e.g. PuTTY

IPv4 Address Table:

A. Router IP Address Table:

Device Name | Interface ID | IP Address | Subnet Mask
R1          | Gig0/0/0     | 10.10.1.1  | 255.255.255.252
R1          | Gig0/0/1.10  | 10.10.10.1 | 255.255.255.0
R1          | Gig0/0/1.20  | 10.10.20.1 | 255.255.255.0
R1          | Gig0/0/1.30  | 10.10.30.1 | 255.255.255.0
R2          | Gig0/0/0     | 10.10.1.2  | 255.255.255.252
R2          | Gig0/0/1.100 | 10.1.1.1   | 255.255.255.252
R2          | Gig0/0/1.100 | 10.2.2.1   | 255.255.255.252
R2          | Gig0/0/1.100 | 10.3.3.1   | 255.255.255.252

B. Hosts IP Address Table:

Device Name | Interface ID | IP Address  | Subnet Mask     | Gateway
PC1         | Fa0          | 10.10.10.10 | 255.255.255.0   | 10.10.10.1
PC2         | Fa0          | 10.10.20.10 | 255.255.255.0   | 10.10.20.1
PC3         | Fa0          | 10.10.30.10 | 255.255.255.0   | 10.10.30.1
Server_A    | Fa0          | 10.1.1.2    | 255.255.255.252 | 10.1.1.1
FTP_SERVER  | Fa0          | 10.2.2.2    | 255.255.255.252 | 10.2.2.1
WEB_SERVER  | Fa0          | 10.3.3.2    | 255.255.255.252 | 10.3.3.1

List of Command Summary:

Command: Command Description

  • enable: enters privileged EXEC mode.
  • configure terminal: enters global configuration mode from privileged EXEC mode.
  • hostname [hostname]: assigns a device name to the router.
  • ip access-list extended [<100-199>|name]: creates an Extended Access Control List (ACL) on a Cisco device. Extended ACLs allow filtering based on source and destination IP addresses, protocol types (TCP, UDP, ICMP, etc.), and specific port numbers. If a number in the range 100-199 is used, the ACL is referenced as a numbered ACL. If a name is provided instead, it creates a named ACL, which is easier to manage and modify. Extended ACLs are typically applied closer to the source of the traffic to be filtered, ensuring efficient network performance and security.
  • permit icmp [Source address] [Source wildcard] host [host address]: allows ICMP (Internet Control Message Protocol) traffic from a specified source IP range to a single destination host. ICMP is commonly used for network diagnostics, such as ping and traceroute. Source address: the starting IP address of the allowed traffic. Source wildcard: a wildcard mask defining a range of allowed source addresses. host [host address]: a single destination IP address that the source is allowed to reach.
  • permit tcp any host [Destination address] eq 80: allows TCP traffic from any source to a specific destination host, but only for traffic using destination port 80 (HTTP). It is typically used in extended ACLs to permit web traffic to a specific server while blocking other traffic. tcp: the rule applies to TCP traffic. any: traffic from any source IP address. host [Destination address]: a single destination IP address. eq 80: matches only destination port 80, which is used for HTTP web traffic.
  • permit tcp any host [Destination address] range 1024 65535: permits TCP traffic from any source to a specific destination host, but only for destination ports within the range 1024 to 65535. These are the dynamically assigned (ephemeral) ports; in this lab they are needed for the data connections of passive-mode FTP. tcp: the rule applies to TCP traffic. any: traffic from any source IP address. host [Destination address]: a specific destination IP address. range 1024 65535: matches only destination ports 1024 through 65535.
  • deny ip [Source address] [Source wildcard] [Destination address] [Destination wildcard]: blocks all IP traffic between a specified source and destination, regardless of the protocol (TCP, UDP, ICMP, etc.). It is commonly used in extended ACLs to restrict communication between networks or hosts. deny: the rule blocks matching traffic. ip: applies to all IP-based traffic (TCP, UDP, ICMP, etc.). [Source address] [Source wildcard]: the source IP address and wildcard mask, which can match multiple addresses if needed. [Destination address] [Destination wildcard]: the destination IP address and wildcard mask.
  • ip access-list standard [named or numbered ACL Definition]: creates and defines a Standard Access Control List (ACL) on a Cisco device. Standard ACLs filter traffic based only on source IP addresses and are typically used to permit or deny access from specific networks or hosts.
  • deny [IP Address] [Wildcard]: used within a standard ACL to block traffic from a specific source IP address or range. The wildcard mask determines which bits of the IP address must match (e.g., deny 192.168.1.0 0.0.0.255 blocks traffic from the entire 192.168.1.0/24 subnet).
  • permit any: allows all traffic that matches the ACL. It is often used as the final rule in an ACL to permit any traffic not explicitly denied by previous rules.
  • ip access-group [named or numbered ACL Definition] out: applies the specified ACL to outbound traffic on an interface. Example: ip access-group MY_ACL out applies the ACL named MY_ACL to traffic leaving the interface.
  • ip access-group [named or numbered ACL Definition] in: applies the specified ACL to inbound traffic on an interface. Example: ip access-group 10 in applies the numbered ACL 10 to traffic entering the interface.
  • copy running-config startup-config: saves the currently running configuration (stored in RAM) to the startup configuration (stored in NVRAM).
  • end: exits configuration mode.
  • exit: exits one level in the command hierarchy.

Lab Task:

  1. Check connectivity between all departments and ensure that each department can reach all servers.
  2. Restrict VLAN10 to access Server_A via ICMP: Allow only ICMP traffic from PC1/VLAN10 to Server_A while blocking all other types of traffic using a numbered ACL.
  3. Allow HTTP Access to the WEB_Server: Permit only HTTP (port 80) traffic from all PCs to the WEB_Server while denying all other protocols.
  4. Restrict FTP Access to FTP_Server: Allow only FTP (port 21, 20) traffic from all PCs to the FTP_Server while explicitly denying pings and other traffic. Please note if you are using a passive FTP then you will need to permit the following ports (1024–65535).
  5. Block communication between the Finance and the Engineering Departments.
  6. Verify ACL Configuration: Test ACLs using ICMP, FTP, HTTP, and show commands to ensure only the permitted traffic types are allowed while all other traffic is blocked.

Lab Solution:

1- Check connectivity between all departments and ensure that each department can reach all servers.

Ping from PC1:

Ping from PC2:

Ping from PC3:

2- Restrict VLAN10 to access Server_A via ICMP: Allow only ICMP traffic from PC1/VLAN10 to Server_A while blocking all other types of traffic using a numbered ACL.

We need to apply the ACL to the R1 interface that connects to R2 (GigabitEthernet0/0/0), since Server_A sits behind R2.

Applying the ACL in the outbound direction means that the filtering happens as traffic leaves the router towards R2 and Server_A. Every packet leaving GigabitEthernet0/0/0 is checked against the ACL before being forwarded.

We can issue the following commands:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.2
R1(config-ext-nacl)#exit
R1(config)#interface gigabitEthernet 0/0/0
R1(config-if)#ip access-group 101 out
R1(config-if)#end
R1#

The ACL is designed to allow only ICMP from VLAN10 (10.10.10.0/24) to Server_A (10.1.1.2); everything else leaving GigabitEthernet0/0/0 is dropped by the implicit deny at the end of the ACL.

3- Allow HTTP Access to the WEB_Server: Permit only HTTP (port 80) traffic from all PCs to the WEB_Server while denying all other protocols.

To achieve this task, we will need to update extended ACL 101 to permit HTTP traffic to the WEB_Server:

On R1:

R1#configure terminal
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#permit tcp any host 10.3.3.2 eq 80
R1(config-ext-nacl)#end
R1#

Now let’s test the traffic to the WEB_Server:

Initiate a ping from any PC – the ping should fail:

As you can see, ICMP traffic has been blocked by the ACL. Now let’s initiate some HTTP traffic:

From PC1:

From PC2:

From PC3:

We can see that we are able to access HTTP services on the WEB_Server.

4- Restrict FTP Access to FTP_Server: Allow only FTP (port 21, 20) traffic from all PCs to the FTP_Server while explicitly denying pings and other traffic. Please note if you are using a passive FTP then you will need to permit the following ports (1024–65535).

We will need to add a few entries to ACL 101 to permit FTP traffic only, from all PCs to the FTP_Server:

On R1:

R1#configure terminal
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#permit tcp any host 10.2.2.2 eq 20
R1(config-ext-nacl)#permit tcp any host 10.2.2.2 eq 21
R1(config-ext-nacl)#permit tcp any host 10.2.2.2 range 1024 65535
R1(config-ext-nacl)#end
R1#

Please note:
FTP uses a control connection on port 21 (for authentication and issuing commands) and a data connection on port 20 (for file transfers and directory listings in Active FTP mode).

If your FTP server is using Passive Mode, it dynamically assigns random ports for data transfer instead of using port 20. In this case, you must allow the range of ephemeral ports (e.g., 1024–65535) that the server uses.
Some FTP servers allow configuring the passive port range, which lets you narrow the ACL rule to just that range.

Now let’s test the ACL in question:

Let’s ping and try HTTP to the FTP_Server from any of the PCs. I will do this test on PC1:

Now let’s test FTP Services:

I will create a text file called iee.txt and type random data:

I will exit, save the file and name the file accordingly:

Now go to the CLI, verify the file exists, and issue the “dir” command to list all directories:

Now let’s FTP to the server by issuing the “ftp 10.2.2.2” command; use cisco/cisco as the default credentials:

You can see that we are able to FTP to the server. Now let’s issue “dir” to list all files:

Now we are going to push the file we just created from PC1 to the FTP server to finalize the test:

The transfer was successful and now we are going to verify the file has been created on the server:

5- Block communication between the Finance and the Engineering Departments.

First step we need to determine which interface is connected to SW1:

Based on the output above, we will create a named ACL that denies traffic between the Finance and Engineering department networks, and apply it to the GigabitEthernet0/0/1.20 and GigabitEthernet0/0/1.30 sub-interfaces in the inbound direction.

On R1:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended VLAN20_30_BLOCK
R1(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
R1(config-ext-nacl)#deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface GigabitEthernet0/0/1.20
R1(config-subif)#ip access-group VLAN20_30_BLOCK in
R1(config-subif)#interface GigabitEthernet0/0/1.30
R1(config-subif)#ip access-group VLAN20_30_BLOCK in
R1(config-subif)#end
R1#
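To check that the two ACLs built in tasks 2–5 (ACL 101 outbound on Gig0/0/0 and VLAN20_30_BLOCK inbound on the .20 and .30 sub-interfaces) actually express the intended policy before you test on real gear, the following Python script models Cisco extended-ACL semantics: wildcard-mask matching, first-match-wins ordering, and the implicit deny at the end of every list. It is an added example and not part of the lab or any Cisco tool; it parses the exact ACE lines shown above, and the routing model (`r1_forwards`, which decides which ACL a packet meets based on its source and destination subnet) and the sample packets are assumptions constructed for the lab topology.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the fields an extended ACL looks at (constructed test input)."""
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp", "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport_lo: Optional[int] = None
    dport_hi: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse the ACE forms used in this lab: host X, any, or 'addr wildcard',
    with an optional 'eq N' or 'range A B' destination-port qualifier."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def take_addr() -> Tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    lo = hi = None
    if pos < len(tok) and tok[pos] == "eq":
        lo = hi = int(tok[pos + 1])
    elif pos < len(tok) and tok[pos] == "range":
        lo, hi = int(tok[pos + 1]), int(tok[pos + 2])
    return Ace(action, proto, src, src_wc, dst, dst_wc, lo, hi)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dport_lo is not None:
        return pkt.dport is not None and ace.dport_lo <= pkt.dport <= ace.dport_hi
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The two ACLs exactly as configured on R1 in this lab.
ACL_101 = [parse_ace(l) for l in [
    "permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.2",
    "permit tcp any host 10.3.3.2 eq 80",
    "permit tcp any host 10.2.2.2 eq 20",
    "permit tcp any host 10.2.2.2 eq 21",
    "permit tcp any host 10.2.2.2 range 1024 65535",
]]
VLAN20_30_BLOCK = [parse_ace(l) for l in [
    "deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255",
    "deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "permit ip any any",
]]

VLAN_NETS = {"10": "10.10.10.0/24", "20": "10.10.20.0/24", "30": "10.10.30.0/24"}


def r1_forwards(pkt: Packet) -> bool:
    """Assumed model of R1: VLAN20_30_BLOCK is checked inbound on the .20/.30
    sub-interfaces; traffic routed toward R2 (anything not destined for a local
    VLAN) is then checked outbound on Gig0/0/0 against ACL 101."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    nets = {k: ipaddress.ip_network(v) for k, v in VLAN_NETS.items()}
    if src in nets["20"] or src in nets["30"]:
        if evaluate(VLAN20_30_BLOCK, pkt) == "deny":
            return False
    if not any(dst in n for n in nets.values()):
        if evaluate(ACL_101, pkt) == "deny":
            return False
    return True
```

Every policy statement in the lab tasks becomes one assertion against `r1_forwards`, so a reordered or mistyped ACE shows up as a failed check rather than as a silent hole; note that because of the implicit deny, anything not listed (for example SSH from a PC to the FTP server) is dropped without needing an explicit deny.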

Let’s perform in-flight checks:

Initiate a ping from PC1 to PC2 and PC3 (Ping should work):

Initiate a ping from PC2 to PC3 (Ping should not work):

Initiate a ping from PC3 to PC2 (ping should not work):

6- Verify ACL Configuration: Test ACLs using ICMP, FTP, HTTP, and show commands to ensure only the permitted traffic types are allowed while all other traffic is blocked.

We have already tested each step. Now we can look at the ACL statistics on R1 with show access-lists:
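The per-entry match counters in show access-lists are the quickest way to confirm that each test in this lab actually exercised the entry it was meant to. The script below is an added example, not part of the lab or of Cisco IOS: it parses a constructed copy of the output (formatted the way Packet Tracer prints it, with port 80 shown as www and ports 20/21 as ftp-data/ftp) and flags entries that recorded zero matches, which after a full test run means either that test was never sent or that an earlier entry already matches the same traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, not captured from the lab router.
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.2 (12 match(es))
    20 permit tcp any host 10.3.3.2 eq www (30 match(es))
    30 permit tcp any host 10.2.2.2 eq ftp-data
    40 permit tcp any host 10.2.2.2 eq ftp (4 match(es))
    50 permit tcp any host 10.2.2.2 range 1024 65535 (9 match(es))
Extended IP access list VLAN20_30_BLOCK
    10 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 (8 match(es))
    20 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 (4 match(es))
    30 permit ip any any (56 match(es))
"""


@dataclass
class AceStats:
    seq: int
    action: str
    rule: str      # remainder of the entry, e.g. "tcp any host 10.3.3.2 eq www"
    hits: int      # 0 when the router prints no counter for the entry


ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# Accepts "(1 match)", "(5 matches)" and Packet Tracer's "(5 match(es))".
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es|\(es\))?\))?$"
)


def parse_show_access_lists(text: str) -> Dict[str, List[AceStats]]:
    """Return {acl name: [entries in sequence order]} from show access-lists output."""
    acls: Dict[str, List[AceStats]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = []
            continue
        entry = ACE_LINE.match(line)
        if entry and current is not None:
            seq, action, rule, hits = entry.groups()
            acls[current].append(AceStats(int(seq), action, rule, int(hits or 0)))
    return acls


def unexercised_aces(acls: Dict[str, List[AceStats]]) -> List[Tuple[str, int]]:
    """Entries that never matched: a gap in the test plan, or shadowed by an earlier entry."""
    return [(name, a.seq) for name, aces in acls.items() for a in aces if a.hits == 0]


def hits_by_action(acls: Dict[str, List[AceStats]], name: str) -> Dict[str, int]:
    """Total permitted versus denied matches for one ACL."""
    totals = {"permit": 0, "deny": 0}
    for a in acls[name]:
        totals[a.action] += a.hits
    return totals


if __name__ == "__main__":
    parsed = parse_show_access_lists(SAMPLE_SHOW_ACCESS_LISTS)
    for name in parsed:
        print(name, hits_by_action(parsed, name))
    print("never matched:", unexercised_aces(parsed))
```

In the constructed sample the ftp-data entry (sequence 30) has no counter, which is what you would expect after a passive-mode transfer: the data connection used the 1024–65535 range instead of port 20, so entry 50 took the hits.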

Conclusion:

In this lab, we implemented and verified Extended ACLs to enforce network security policies by controlling traffic between departments and servers. We began by ensuring baseline connectivity, then applied a numbered ACL to restrict VLAN10, allowing only ICMP traffic to Server_A. We configured named ACLs to permit only HTTP access to the WEB_Server and FTP access to the FTP_Server while explicitly blocking unauthorized traffic. Additionally, we enforced security policies by preventing communication between the Finance and Engineering departments. Through testing with ICMP, FTP, HTTP, and show commands, we confirmed that the ACLs were correctly applied and functioning as expected. This lab reinforced the importance of Extended ACLs in securing network environments by providing granular control over traffic flow, a critical skill for both the CCNA certification and real-world network administration.

Packet Tracer Lab (Pre/Post configuration):

Download the file below and open the word document to access the Packet Tracer labs.

