SEC 450 DeVry Week 3 iLab 3 of 7 Latest


Lab 3 of 7: Database Security Demands

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)


ACL Tutorial

This document highlights the most important concepts of Access Control Lists (ACLs) that you need to learn in order to configure an ACL in the CLI. This tutorial does not intend by any means to cover all ACL applications, but only those scenarios used in the SEC450 iLabs.

Introduction to Access Control List

•           A host-based firewall essentially works by closing and/or opening ports on a computer. The engine behind firewalls is built with Access Control Lists (ACLs).

•           Network-based firewalls are implemented in dedicated appliances and routers. Basically, firewalls in routers filter packets passing through interfaces, permitting or denying them.

•           Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify networking processes running on clients and servers.

•           ACLs are configured using shell-specific commands. In Cisco IOS, the CLI commands access-list and access-group are used to create an ACL and apply it on an interface.

•           An ACL can be identified by a number ID or a name. Naming an ACL is useful to identify the ACL’s purpose.

•           ACLs are classified as Standard ACLs and Extended ACLs.

•           Standard ACL’s number IDs are assigned from 1 to 99. Extended ACL’s number IDs are from 100 to 199.

•           A Standard ACL only uses the source IP address of an IP packet to filter through an interface. Hence, a standard ACL denies or permits all IP packets with the same source IP regardless of upper-layer protocol, destination IP address, etc. Example 1: Router (config)#access-list 8 deny host

•           An Extended ACL filters packets based on protocol, source IP address, source port number, destination IP address, and destination port number. Example 2: Router (config) #access-list 102 deny tcp host host (denies tcp packets with source IP address and destination IP address )

•           Since Standard ACLs only match on the source IP address, the rule is to apply them on an interface as close as possible to the destination IP address.

•           Conversely, the rule for Extended ACLs is to apply them on an interface as close as possible to the source IP address.

•           Use Extended ACLs in all iLabs, as they are more granular in packet filtering.

Create Extended ACL in global configuration

•           You can use the access-list command options lt, gt, eq, neq, and range (less than, greater than, equal, not equal, range of ports) to match on port numbers.

Example 3: access-list 102 deny tcp any host gt 20 denies all packets from any source IP address to destination IP address with a destination tcp port greater than 20.

Example 4: access-list 107 permit udp any any permits all udp packets from any source IP address to any destination IP address.

•           An Extended ACL can filter packets based on the source port number and the destination port number.

•           The Extended ACL syntax can be as follows.

access-list <#,name> host host

where:

<#,name> is a number between 100 and 199 or a one-word name

is any protocol in the TCP/IP suite

and are the source and destination IP addresses

is optional, and can be eq, gt, lt, neq, or range; and follow it to specify the port number(s)

and can be replaced by the application protocol name, e.g., http instead of eq 80

•           Creation of an ACL follows the three Ps rule: one ACL per protocol, per interface, per traffic direction. Per protocol means one protocol such as IP, TCP, IPX, UDP, or ICMP can be specified. Per interface means the ACL is applied to an interface to make it active. Per direction means the ACL needs to specify in which direction at the interface, packets in or out, filtering applies.

•           The steps for configuring a new ACL are: First, create the ACL in CLI global configuration using access-list command(s). Then, apply the ACL using the access-group command in CLI interface configuration. The ACL is not activated unless it is applied to an interface.

•           An ACL consists of one or more access-list commands. Routers process the ACL commands in order, top first to bottom last, like a script or computer program. That is why the order of access-list commands makes a difference.

•           The effect of an access-list command depends upon the previous access-list commands. Therefore, always write the commands in this order: more-specific-traffic commands first, and more-generic-traffic commands last. Example 5: It makes sense to write an ACL as

Router (config) #access-list 101 deny tcp host any

Router (config) #access-list 101 permit tcp any any

But never follow the order below: the second command is more specific, so its “deny” is worthless because the first command already lets the packets pass through.

Router (config) #access-list 101 permit tcp any any

Router (config)#access-list 101 deny tcp host any

•           All ACLs have a hidden access-list command at the end that denies all packets (i.e., deny ip any any). Hence, packets that are not specifically permitted by a command will always be denied by the ACL. Example 6: Use the command Router(config)#access-list 105 permit ip any any at the end of the ACL if it is required to permit all other traffic after denying packets with Router(config)#access-list 105 deny icmp any host

•           The wildcard option is used in access-list commands to filter packets from a subnet of source and/or destination IP addresses instead of single hosts. The IP addresses in each of those subnets must be contiguous. Filtering on port numbers is also applicable, but it has been omitted for the sake of simplicity. Here is the syntax. access-list <#,name> < where:

<#,name> is a number between 100 and 199 or a one-word name

is any protocol in the TCP/IP suite

and are the source and destination IP addresses

and specify the subnet ranges of source and destination IP addresses

•           A wildcard in an ACL has the same meaning as in routing protocols such as EIGRP and OSPF. Wildcard bit 0 means the bit in the packet’s IP address must be the same as the corresponding bit in the subnet IP address. Wildcard bit 1 means the bit in the packet’s IP address can be any value (0 or 1).

Example 7: access-list 105 deny udp any means to deny all udp packets with source IP addresses from to to any destination IP address. Note that .3 is .00000011 in binary and the wildcard is .000000xx, where x means any (0 or 1).

Example 8: access-list 109 permit tcp host eq 80 means to permit all tcp packets from source IP address and source tcp port 80 (e.g., an http server) to destination IP addresses in the range to The fact that would not qualify as a host IP in classful networks is irrelevant to the ACL.

•           Using a wildcard of all 0s is the same as using the host option in access-list commands. Example 9: access-list 110 permit ip host host and access-list 110 permit ip are equivalent commands. Both permit packets with source IP address and destination IP address

•           Only use a wildcard in access-list commands when the ACL requires filtering packets on a subnet of IP addresses, either at the source, the destination, or both.
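The following added example (not part of the tutorial) models how a router evaluates an extended ACL: top-to-bottom first match, the hidden final deny (Example 6), wildcard bit semantics with host being equivalent to a 0.0.0.0 wildcard (Examples 7 and 9), the gt port operator (Example 3), and why the reversed order in Example 5 makes the deny useless. All addresses and port numbers in it are constructed for illustration; the tutorial's own addresses did not survive extraction.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One access-list entry of an extended ACL (sample values are constructed)."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every L4 protocol; otherwise "tcp"/"udp"/"icmp"
    src: str             # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str
    op: str = ""         # "", "eq", "gt", "lt", "neq", or "range" on the destination port
    ports: tuple = ()    # operands for op

def wildcard_match(spec: str, ip: str) -> bool:
    """Wildcard bit 0 = packet bit must equal the ACL bit; wildcard bit 1 = don't care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        spec = spec[5:] + " 0.0.0.0"          # host X is the same as X 0.0.0.0 (Example 9)
    base, wild = (int(ipaddress.IPv4Address(s)) for s in spec.split())
    care = ~wild & 0xFFFFFFFF                 # bits the router compares
    return (base & care) == (int(ipaddress.IPv4Address(ip)) & care)

def port_match(op: str, ports: tuple, port: int) -> bool:
    checks = {"": lambda p: True, "eq": lambda p: p == ports[0],
              "gt": lambda p: p > ports[0], "lt": lambda p: p < ports[0],
              "neq": lambda p: p != ports[0],
              "range": lambda p: ports[0] <= p <= ports[1]}
    return checks[op](port)

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int = 0) -> str:
    """Top-to-bottom, first matching entry wins; the hidden final entry denies everything."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.proto != "ip" and not port_match(ace.op, ace.ports, dport):
            continue
        return ace.action
    return "deny"   # implicit "deny ip any any" (Example 6)

# Constructed sample ACLs (addresses are illustrative, not from the tutorial).
# Example 5: specific deny first (GOOD) vs. reversed order where the deny never fires (BAD)
GOOD = [Ace("deny", "tcp", "host 10.1.1.5", "any"), Ace("permit", "tcp", "any", "any")]
BAD = [Ace("permit", "tcp", "any", "any"), Ace("deny", "tcp", "host 10.1.1.5", "any")]
# Example 7 style wildcard (0.0.0.3 covers .0 to .3) and Example 3 style "gt" port operator
WILD = [Ace("deny", "udp", "192.168.1.0 0.0.0.3", "any"), Ace("permit", "ip", "any", "any")]
PORTS = [Ace("deny", "tcp", "any", "host 10.0.0.9", "gt", (20,)), Ace("permit", "ip", "any", "any")]
```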

Applying an ACL to an Interface to Activate It

•           Example 10: Assume you need to create an ACL in a router that permits any traffic except udp packets with source IP address and destination IP address as shown in the network diagram below.

•           First, you need to create an extended ACL in CLI global configuration.

Router# config t

Router(config)#access-list 103 deny udp host host

Router(config)#access-list 103 permit ip any any

•           Second, you need to apply ACL 103 on the interface closer to the source (the extended ACL rule of thumb). The closer interface is S0/1 in the Router for traffic coming from IP Thus, you go to interface configuration in the CLI to activate the ACL.

Router (config)#interface s0/1

Router(config-if)#ip access-group 103 in

•           If you need to make any correction after creating an ACL, then first erase the ACL from the interface and global configurations. To erase ACL 103 from the previous example, execute the following commands.

Router (config)#interface s0/1

Router(config-if)#no ip access-group 103

Router(config-if)#exit

Router(config)#no access-list 103

Now you can start over creating ACL 103. If you do not erase the ACL, the new access-list commands will accumulate in the configuration file, producing unexpected behavior. Use the command show run to verify the ACL is erased and created again correctly.

Verify ACL Configuration

•           Example 11: Let’s say you have been asked to create an ACL in a router R to deny TCP traffic coming through interface Serial 0/2 from source IP address to destination IP address 172.16.5.3 with a destination port number greater than 200. Also, the ACL should permit any other traffic.

•           There are two configuration tasks you need to do in the CLI. First, create the ACL. Second, apply the ACL to interface Serial 0/2.

•           So, in CLI,

R> enable

R# config t

R(config)# access-list 101 deny tcp host host gt 200

R(config)# access-list 101 permit ip any any

(This command is needed to permit any other traffic after denying the selected packets with the first command.)

R(config)# interface serial0/2

R(config-if)# ip access-group 101 in

(This command applies the ACL to serial0/2 for traffic coming in.)

R(config-if)# end

R# show run

(This verifies that the ACL configuration is correct in the running-config file.)

R#show running-config

version 12.3


hostname R


interface FastEthernet0/0

ip address


interface FastEthernet0/1

ip address



interface Serial0/0

ip address


interface Serial0/1

ip address



interface Serial0/2

ip address

ip access-group 101 in


router rip




ip default-network

ip route serial0/0



access-list 101 permit tcp host host gt 200

access-list 101 permit ip any any



line con 0

line aux 0

line vty 0 4

password cisco

line vty 5 15

password cisco



•           If the ACL is not correct, then delete it with the commands below and start over again.

R# config t

R(config)# no access-list 101

R(config)# interface serial0/2

R(config-if)#no ip access-group 101
