——Now I will do a LAB—— Goal: the SALES LAN (10.10.10.0/24) must not be able to access the EGR LAN (30.30.30.0/24).
Pre-step 1) What kind of ACL?
Standard ACL, since the requirement only talks about the source. If instead it said that the SALES LAN cannot access the web server 30.30.30.200 (port 80), that would be an extended ACL. Why? Because then I am talking about both the source and the destination.
————-Step 1) I go to R1 and write my ACL—-
R1#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#acc
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 3 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 3 den
R1(config)#access-list 3 deny ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 3 deny 10.10.10.0 ?
A.B.C.D Wildcard bits
<cr>
R1(config)#access-list 3 deny 10.10.10.0 0.0.0.255
———–HINT: make sure you have a permit statement at the end of it. Why? Because there is an implicit deny at the end of every ACL; without the permit line, traffic from every other LAN would be dropped as well.
R1(config)#acc
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 3 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 3 per
R1(config)#access-list 3 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 3 permit any ?
<cr>
R1(config)#access-list 3 permit any
R1(config)#
——-Let’s look at the show run output—–
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 permit any
———-Now step 2) is to apply it outbound on interface s0/0
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int s0/0
R1(config-if)#ip acc
R1(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R1(config-if)#ip access-group 3 ?
in inbound packets
out outbound packets
R1(config-if)#ip access-group 3 out ?
<cr>
R1(config-if)#ip access-group 3 out
R1(config-if)#
——–Here is my show run so far—
R1#show run
!
interface Serial0/0
ip address 20.20.20.9 255.255.255.252
ip access-group 3 out
clock rate 64000
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 permit any
——-As we see, I cannot ping the other LAN—
PC>ping 30.30.30.4
Pinging 30.30.30.4 with 32 bytes of data:
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Ping statistics for 30.30.30.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
———————————————
Here I ping, see that it did not work, and check the result on R1: the match counter on the deny line goes up with every set of pings—
R1#show access-lists
Standard IP access list 3
deny 10.10.10.0 0.0.0.255 (4 match(es))
permit any
R1#show access-lists
Standard IP access list 3
deny 10.10.10.0 0.0.0.255 (8 match(es))
permit any
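To make the first-match and implicit-deny behaviour of this standard ACL concrete, here is a small simulator I added (it is not IOS code and not part of the lab itself). It parses the same access-list lines that appear in show run, applies Cisco wildcard-bit matching, counts matches the way show access-lists does, and shows what happens when the permit any line is forgotten. The host 10.10.20.7 is a constructed address standing in for some other LAN behind R1.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # 0 bit in wildcard = must match
    return (a & care) == (n & care)

def parse_entry(line):
    """Parse one 'access-list N ...' body, e.g. 'deny 10.10.10.0 0.0.0.255' or 'permit any'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":                      # any source host
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":                     # a single host address
        return action, parts[2], "0.0.0.0"
    if len(parts) == 2:                        # A.B.C.D followed by <cr>: IOS assumes a host
        return action, parts[1], "0.0.0.0"
    return action, parts[1], parts[2]          # A.B.C.D plus wildcard bits

class StandardACL:
    def __init__(self, number, lines):
        self.number = number
        self.entries = [parse_entry(line) for line in lines]  # order matters: first match wins
        self.matches = [0] * len(self.entries)                # counters as printed by show access-lists

    def evaluate(self, src):
        """Return 'permit' or 'deny' for a source address, as R1 would for traffic leaving s0/0."""
        for i, (action, network, wildcard) in enumerate(self.entries):
            if wildcard_match(src, network, wildcard):
                self.matches[i] += 1
                return action
        return "deny"  # implicit deny: never shown in show run, but always at the end

    def show(self):
        """Mimic the 'show access-lists' output, including match counters."""
        out = [f"Standard IP access list {self.number}"]
        for (action, network, wildcard), count in zip(self.entries, self.matches):
            target = "any" if wildcard == "255.255.255.255" else f"{network} {wildcard}"
            out.append(f"    {action} {target}" + (f" ({count} match(es))" if count else ""))
        return "\n".join(out)

if __name__ == "__main__":
    acl3 = StandardACL(3, ["deny 10.10.10.0 0.0.0.255", "permit any"])
    for _ in range(4):                     # the four echo requests from PC 10.10.10.100
        acl3.evaluate("10.10.10.100")
    print(acl3.show())
    forgotten = StandardACL(3, ["deny 10.10.10.0 0.0.0.255"])  # permit line left out
    print("10.10.20.7 without 'permit any':", forgotten.evaluate("10.10.20.7"))
```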