Lab 11‐1 - Snowboundport37/champlain GitHub Wiki


Lab 11-1 – Cisco Access Control List (ACL) Assignment

🎯 Objective

Configure and verify Standard and Extended Access Control Lists (ACLs) on a simulated enterprise network.

  • Control traffic flow between internal subnets
  • Restrict specific hosts and networks from Internet access
  • Secure remote router access via VTY lines
  • Apply and test ACLs on the proper interfaces and directions

🖥️ Network Overview

  • Routers: R1, R2, R3
  • Key Networks:
    • 192.168.10.0/24 – Internal LAN 1
    • 192.168.11.0/24 – Internal LAN 2
    • 192.168.20.0/24 – DMZ servers (Mail, Web, File)
    • 200.200.200.0/24 – Simulated ISP Network

⚙️ Router Configurations

🔹 Router 3 – Standard ACL (STND-1)

Blocks network 192.168.11.0/24 from entering R3, preventing PC3 from reaching PC5.

enable
configure terminal
ip access-list standard STND-1
deny 192.168.11.0 0.0.0.255
permit any
exit
interface s0/0/0
ip access-group STND-1 in
end
write

✅ Test Results
PC3 (192.168.11.10) → PC5 (192.168.30.10): Fail
PC1 (192.168.10.10) → PC5 (192.168.30.10): Success


🔹 Router 2 – Extended ACL (EXTEND-1)

Blocks the 192.168.10.0/24 LAN from accessing the ISP (200.200.200.1).

enable
configure terminal
ip access-list extended EXTEND-1
deny ip 192.168.10.0 0.0.0.255 host 200.200.200.1
permit ip any any
exit
interface s0/0/0
ip access-group EXTEND-1 out
end
write

✅ Test Results
PC1 → 200.200.200.1 (ISP): Fail
PC1 → PC5 (192.168.30.10): Success


🔹 Router 1 – VTY ACL (Numbered ACL 2)

Allows only hosts from the 10.2.2.0/30 and 192.168.30.0/24 networks to access the router's VTY lines; all other sources are explicitly denied.

enable
configure terminal
access-list 2 permit 10.2.2.0 0.0.0.3
access-list 2 permit 192.168.30.0 0.0.0.255
access-list 2 deny any
line vty 0 4
access-class 2 in
login local
end
write

✅ Test Results
Telnet R2 → R1: Denied
Telnet R3 → R1: Allowed (Password Prompt)


⭐ Bonus Tasks (Optional)

1. Deny ISP Access to File Server

ip access-list extended BLOCK_FILE
deny ip host 200.200.200.1 host 192.168.20.210
permit ip any any
interface fa0/0
ip access-group BLOCK_FILE in

2. Allow Only Mail Access to Mail Server

ip access-list extended MAIL_ONLY
permit tcp any host 192.168.20.200 eq 25
deny ip any host 192.168.20.200
permit ip any any
interface fa0/0
ip access-group MAIL_ONLY in

3. Allow Only Web Access to Web Server

ip access-list extended WEB_ONLY
permit tcp any host 192.168.20.201 eq 80
deny ip any host 192.168.20.201
permit ip any any
interface fa0/0
ip access-group WEB_ONLY in
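As an added example (not part of the lab or of any Cisco tool), the following Python model reproduces the first-match and implicit-deny semantics behind the standard, extended and VTY ACLs above, using the lab's own addresses. The tuple encoding of each ACE and the client addresses used to exercise ACL 2 are constructed assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword: every bit is don't-care


def host(ip):
    """The 'host X' keyword: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for action, a_proto, (sb, sw), (db, dw), port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue  # a tcp ACE never matches, e.g., an ICMP echo
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit 'deny any' at the end of every Cisco ACL


# R3, STND-1 applied in on s0/0/0: a standard ACL matches source only, so dst is 'any'
STND_1 = [("deny", "ip", ("192.168.11.0", "0.0.0.255"), ANY, None),
          ("permit", "ip", ANY, ANY, None)]
# R2, EXTEND-1 applied out on s0/0/0
EXTEND_1 = [("deny", "ip", ("192.168.10.0", "0.0.0.255"), host("200.200.200.1"), None),
            ("permit", "ip", ANY, ANY, None)]
# R1, access-list 2 applied with 'access-class 2 in' on vty 0 4
ACL_2 = [("permit", "ip", ("10.2.2.0", "0.0.0.3"), ANY, None),
         ("permit", "ip", ("192.168.30.0", "0.0.0.255"), ANY, None),
         ("deny", "ip", ANY, ANY, None)]
# Bonus task 2, MAIL_ONLY: the SMTP permit must precede the deny for the same host
MAIL_ONLY = [("permit", "tcp", ANY, host("192.168.20.200"), 25),
             ("deny", "ip", ANY, host("192.168.20.200"), None),
             ("permit", "ip", ANY, ANY, None)]

if __name__ == "__main__":
    # Constructed packets mirroring the lab's test results
    print("PC3 -> PC5 via STND-1:", evaluate(STND_1, "192.168.11.10", "192.168.30.10"))
    print("PC1 -> ISP via EXTEND-1:", evaluate(EXTEND_1, "192.168.10.10", "200.200.200.1"))
    print("SMTP to mail server:", evaluate(MAIL_ONLY, "10.2.2.1", "192.168.20.200", "tcp", 25))
    print("HTTP to mail server:", evaluate(MAIL_ONLY, "10.2.2.1", "192.168.20.200", "tcp", 80))
```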

🧪 Verification Commands

show access-lists
show ip interface s0/0/0
show running-config | include access-group

Expected Output:

  • ACL 2 applied inbound on VTY lines
  • EXTEND-1 applied outbound on R2 S0/0/0
  • STND-1 applied inbound on R3 S0/0/0

🛠️ Troubleshooting Notes

The initial grading error occurred because the Packet Tracer .pka file expected a numbered ACL (2) instead of a named ACL STND-2. Replacing the named ACL with the numbered one resolved the issue and resulted in all routers being graded as Correct.


✅ Results

All ACL configurations verified and graded as Correct in Packet Tracer’s “Check Results.”
Lab Objectives Achieved:

  • Network segmentation
  • Access restriction
  • Remote management control

Author: Andrei Gorlitsky
Date: November 3, 2025
Course: SEC-350 – Network Security
