CCNA And CCENT Lab: Testing Access Lists With Extended Ping
Here’s our network!
In our extended ACL lab, we applied an ACL to R1 that should block traffic sourced from 220.127.116.11 /24 if the destination is 18.104.22.168 /24. Here’s that ACL:
R1#show ip access-list
Extended IP access list 111
    10 deny ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255
    20 permit ip any any
Here’s the verification of that ACL being successfully applied to R1’s Serial 0/1/0 interface.
R1#show ip interface serial 0/1/0
Serial0/1/0 is up, line protocol is up
  Internet address is 188.8.131.52/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 101
(output truncated for clarity)
It’s not enough to verify that the ACL is applied. We have to make sure it’s doing what we want it to do — in this case, stop traffic sourced from 184.108.40.206 /24 and destined for 220.127.116.11 /24 while allowing all other traffic.
I want to go the extra mile for you and show you the traffic flow before the ACL was applied. With that in mind, I’m going to remove the ACL from R1’s Serial interface. I’ve also added a default static route to R3 pointing to R1, and a default static route to R1 pointing to R3 to allow us to ping the loopbacks without adding a dynamic routing protocol. A quick reminder of the network:
R1(config)#int serial 0/1/0
R1(config-if)#no ip access-group 111 in
R1(config)#ip route 0.0.0.0 0.0.0.0 18.104.22.168
R3(config)#ip route 0.0.0.0 0.0.0.0 22.214.171.124
The ACL requirements revolve around packets from 126.96.36.199 /24, but if we send packets from R3 via a regular ping, the source of those packets will be 188.8.131.52, the interface closest to the destination being pinged. Pings have the source IP address of their exit interface by default, as I’ll verify with debug ip packet and ping 184.108.40.206.
R3#debug ip packet
IP packet debugging is on
R3#ping 220.127.116.11
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
IP: s=22.214.171.124 (local), d=126.96.36.199 (Serial0/1/0), len 100, sending
Now we’ll put the ACL back on R1 and test it from R3, this time with an extended ping that sets the source address to the loopback so the packets actually fall into the source subnet the ACL is written for.
R1(config)#int serial 0/1/0
R1(config-if)#ip access-group 111 in
R3#ping 188.8.131.52 source 184.108.40.206
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
Packet sent with a source address of 18.104.22.168
U.U.U
Success rate is 0 percent (0/5)
The packets are now denied, which indicates the ACL on R1 is working correctly. Let’s ping another loopback on R1 with that same source to be sure.
R3#ping 22.214.171.124 source 126.96.36.199
Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
Packet sent with a source address of 184.108.40.206
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
Success indeed! These packets go through because they don’t match both the source and destination IP of the first ACL line. The second line permits everything, so the packets zoom right through.
The requirements mentioned allowing packets to “all other subnets, including those added in the future,” so let’s go the extra mile, add a new subnet to R1, and ping it from 220.127.116.11.
R1(config)#int loopback111
R1(config-if)#ip address 18.104.22.168 255.255.255.0
R3#ping 22.214.171.124 source 126.96.36.199
Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
Packet sent with a source address of 184.108.40.206
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
Our tests prove pings from 220.127.116.11 to 18.104.22.168 are blocked, but pings from 22.214.171.124 to other subnets are allowed. Just what we wanted!
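To make the matching logic behind these results explicit (the wildcard masks in list 111, first-match processing, and the implicit deny that would catch everything if line 20 were missing), here is an added Python simulation of how an extended IP access list evaluates a packet. It is not part of the original lab and not Cisco code; the list below mirrors the structure of list 111 (one deny for a specific source/destination subnet pair, then permit any) but uses constructed RFC 5737 documentation addresses in place of the lab's own, and the three pings are likewise constructed to match the three tests above.

```python
"""Simulate Cisco-style extended IP access list evaluation (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str        # "permit" or "deny"
    src: str           # source address
    src_wildcard: str  # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str           # destination address
    dst_wildcard: str


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a bit is compared only where the wildcard bit is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def _take_address(tokens: list[str]) -> tuple[str, str, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line: str) -> AclEntry:
    """Parse one line in the 'show ip access-list' form, e.g.
    '10 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255' or '20 permit ip any any'.
    Only protocol 'ip' is handled here; ports and other protocols are out of scope."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if proto != "ip":
        raise ValueError(f"unsupported protocol {proto!r}")
    src, src_wc, rest = _take_address(tokens[3:])
    dst, dst_wc, _ = _take_address(rest)
    return AclEntry(seq, action, src, src_wc, dst, dst_wc)


def evaluate(acl: list[AclEntry], src: str, dst: str) -> tuple[str, Optional[int]]:
    """First matching entry wins. A packet matching nothing hits the implicit
    deny at the end of every ACL, which has no sequence number (hence None)."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wildcard) and \
           wildcard_match(dst, entry.dst, entry.dst_wildcard):
            return entry.action, entry.seq
    return "deny", None


# Constructed stand-in for list 111: deny one subnet pair, then permit any any.
ACL_111 = [parse_entry(line) for line in (
    "10 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255",
    "20 permit ip any any",
)]


def run_lab_pings() -> dict[str, tuple[str, Optional[int]]]:
    """Constructed pings mirroring the lab's three tests against the stand-in ACL."""
    cases = {
        "ACL source -> blocked destination": ("192.0.2.3", "198.51.100.3"),
        "ACL source -> other loopback": ("192.0.2.3", "203.0.113.3"),
        "ACL source -> newly added subnet": ("192.0.2.3", "203.0.113.111"),
    }
    return {name: evaluate(ACL_111, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for name, (action, seq) in run_lab_pings().items():
        print(f"{name}: {action} (line {seq})")
```

The `evaluate` function also shows why the order of lines matters: swap the two entries and every packet matches `permit ip any any` first, so the deny is never reached. Removing line 20 entirely demonstrates the implicit deny, which `show ip access-list` never displays.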
Two ACL terms you’ll see all over your Cisco certification exams and in your real-world networking career are host and any. We’ll have a look at those two ACL options in the next CCNA tutorial, coming up on July 26, 2018. In the meantime, have a look or three at these, and thanks for making my work a part of your success. — Chris B.