ACL lab

NetwurkNetwurk Posts: 1,155Member ■■■■□□□□□□
Here's a simple ACL lab I came up with using two routers. Hopefully it will be helpful to someone.


In this lab, we have two routers directly connected via ethernet. Router 1 has an IP address of 172.27.193.201 and Router 2 has an IP address of 172.27.193.214. As a first step, we'll run the "ip http server" command on Router1.

Router1#configure terminal
Router1(config)#ip http server
Router1(config)#exit

This is normally done to allow web access to a router, but we're just going to use it to test an ACL.

At Router 2, we'll telnet to Router 1 using port 80. (Not that anyone ever telnets via port 80 - it's just a way of testing access to the port)

Router2#telnet 172.27.193.201 80
Trying 172.27.193.201, 80 ... Open
.HTTP/1.0 400 Bad Request
Date: Wed, 29 Nov 2006 11:24:14 EST
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>400 Bad Request</H1>

You'll get the output shown above by simply typing a period after you log in. This is just to verify you can access port 80.

Back at Router 1, we'll set up an access list to deny all access via port 80.

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 120 deny tcp any any eq 80
Router1(config)#access-list 120 permit ip any any
Router1(config)#interface ethernet 0
Router1(config-if)#ip access
Router1(config-if)#ip access-group 120 in
Router1(config-if)#exit

Back at Router 2, we'll try our telnet to the web trick again.

Router2#telnet 172.27.193.201 80
Trying 172.27.193.201, 80 ...
% Destination unreachable; gateway or host down

This message tells us our access list is working.

End of lab.

:)

Comments

Sign In or Register to comment.