Lab – Configuring and Verifying Standard ACLs

Cisco Packet Tracer

Topology

Addressing Table

Device

Interface

IP Address

Subnet Mask

Default Gateway

fa0/0

192.168.10.1

255.255.255.0

N/A

lo 0

192.168.20.1

255.255.255.0

N/A

s0/0/0

10.1.1.1

255.255.255.252

N/A

ISP

s0/0/0

10.1.1.2

255.255.255.252

N/A

s0/1/0

10.2.2.2

255.255.255.252

N/A

lo 0

209.165.200.225

255.255.255.224

N/A

fa0/0

192.168.30.1

255.255.255.0

N/A

lo 0

192.168.40.1

255.255.255.0

N/A

s0/1/0

10.2.2.1

255.255.255.252

N/A

PC-A

NIC

192.168.10.3

255.255.255.0

192.168.10.1

PC-B

NIC

192.168.30.3

255.255.255.0

192.168.30.1

Step 1: Configure basic settings for the routers.

R1>enable
R1#configure terminal 
R1(config)#int fa0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#int s0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252 
RR1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#int lo 0
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#

R2>enable 
R2#configure terminal 
R2(config)#int fa0/0
R2(config-if)#ip address 192.168.30.1 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#int s0/1/0
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#int lo 0
R2(config-if)#ip address 192.168.40.1 255.255.255.0
R2(config-if)#

ISP>enable 
ISP#configure terminal 
ISP(config)#int s0/0/0
ISP(config-if)#ip address 10.1.1.2 255.255.255.252
ISP(config-if)#clock rate 64000
ISP(config-if)#no shutdown 
ISP(config-if)#exit
ISP(config)#int s0/1/0
ISP(config-if)#ip address 10.2.2.2 255.255.255.252 
ISP(config-if)#clock rate 64000
ISP(config-if)#no shutdown 
ISP(config-if)#exit
ISP(config)#int lo 0
ISP(config-if)#ip address 209.165.200.225 255.255.255.224
ISP(config-if)#

Step 2: Configure IP addresses on PC-A and PC-B.

PC-A

PC-A>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::2E0:F7FF:FE58:11D5
   IP Address......................: 192.168.10.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.10.1

PC-A>

PC-B

PC-B>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::209:7CFF:FE86:C255
   IP Address......................: 192.168.30.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.30.1

PC-B>

Step 3: Configure EIGRP routing on R1, ISP, and R3.

Configure autonomous system (AS) number 10 and advertise all networks on R1, ISP, and R3. Disable automatic summarization.

R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.20.0
R1(config-router)#network 10.1.1.0 
R1(config-router)#no auto-summary

R2(config)#router eigrp 10
R2(config-router)#network 10.2.2.0
R2(config-router)#network 192.168.30.0
R2(config-router)#network 192.168.40.0
R2(config-router)#no auto-summary

ISP(config)#router eigrp 10
ISP(config-router)#network 10.1.1.0
ISP(config-router)#network 10.2.2.0
ISP(config-router)#network 209.165.200.224
ISP(config-router)#no auto-summary

After configuring EIGRP on R1, ISP, and R3, verify that all routers have complete routing tables listing all networks. Troubleshoot if this is not the case.

R1#show ip route 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0/0
D       10.2.2.0 [90/21024000] via 10.1.1.2, 00:05:04, Serial0/0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
C    192.168.20.0/24 is directly connected, Loopback0
D    192.168.30.0/24 [90/21026560] via 10.1.1.2, 00:02:52, Serial0/0/0
D    192.168.40.0/24 [90/21152000] via 10.1.1.2, 00:02:52, Serial0/0/0
     209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
D       209.165.200.0/24 [90/21664000] via 10.1.1.2, 00:02:52, Serial0/0/0
D       209.165.200.224/27 [90/20640000] via 10.1.1.2, 00:05:04, Serial0/0/0
R1#

R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
D       10.1.1.0 [90/21024000] via 10.2.2.2, 00:02:25, Serial0/1/0
C       10.2.2.0 is directly connected, Serial0/1/0
D    192.168.10.0/24 [90/21026560] via 10.2.2.2, 00:03:12, Serial0/1/0
D    192.168.20.0/24 [90/21152000] via 10.2.2.2, 00:03:12, Serial0/1/0
C    192.168.30.0/24 is directly connected, FastEthernet0/0
C    192.168.40.0/24 is directly connected, Loopback0
     209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
D       209.165.200.0/24 is a summary, 00:03:27, Null0
D       209.165.200.224/27 [90/20640000] via 10.2.2.2, 00:03:12, Serial0/1/0
R2#

ISP#show ip route 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0/0
C       10.2.2.0 is directly connected, Serial0/1/0
D    192.168.10.0/24 [90/20514560] via 10.1.1.1, 00:05:41, Serial0/0/0
D    192.168.20.0/24 [90/20640000] via 10.1.1.1, 00:05:41, Serial0/0/0
D    192.168.30.0/24 [90/20514560] via 10.2.2.1, 00:03:29, Serial0/1/0
D    192.168.40.0/24 [90/20640000] via 10.2.2.1, 00:03:29, Serial0/1/0
     209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
D       209.165.200.0/24 [90/21152000] via 10.2.2.1, 00:03:29, Serial0/1/0
C       209.165.200.224/27 is directly connected, Loopback0
ISP#

Step 4: Verify connectivity between devices.

From PC-A, ping PC-B and the loopback interface on R2. Were your pings successful? yes

PC-A>ping 192.168.30.3

Pinging 192.168.30.3 with 32 bytes of data:

Reply from 192.168.30.3: bytes=32 time=2ms TTL=125
Reply from 192.168.30.3: bytes=32 time=2ms TTL=125
Reply from 192.168.30.3: bytes=32 time=2ms TTL=125
Reply from 192.168.30.3: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.30.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms

PC-A>ping 192.168.40.1

Pinging 192.168.40.1 with 32 bytes of data:

Reply from 192.168.40.1: bytes=32 time=2ms TTL=253
Reply from 192.168.40.1: bytes=32 time=2ms TTL=253
Reply from 192.168.40.1: bytes=32 time=2ms TTL=253
Reply from 192.168.40.1: bytes=32 time=13ms TTL=253

Ping statistics for 192.168.40.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 13ms, Average = 4ms

PC-A>

From R1, ping PC-B and the loopback interface on R2. Were your pings successful?

R1>ping 192.168.30.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/8/22 ms

R1>ping 192.168.40.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/9/23 ms

R1>

Step 5: Configure a numbered standard ACL.

Standard ACLs filter traffic based on the source IP address only.

A typical best practice for standard ACLs is to configure and apply it as close to the destination as possible.

Q1: What wildcard mask would you use to allow all hosts on the 192.168.10.0/24 network to access the 192.168.30.0/24 network? 0.0.0.255
Q2: Following Cisco’s recommended best practices, on which router would you place this ACL? R2
Configure the ACL on R1. Use 1 for the access list number.

R2(config)#access-list 1 remark ALLOW_R1_LANs_ACCESS
R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R2(config)#access-list 1 permit 192.168.20.0 0.0.0.255
R2(config)#access-list 1 deny an
R2(config)#access-list 1 deny any 
R2(config)#int fa0/0
R2(config-if)#ip access-group 1 out

Verify a numbered ACL.

R2#show access-lists 
Standard IP access list 1
    10 permit 192.168.10.0 0.0.0.255
    20 permit 192.168.20.0 0.0.0.255
    30 deny any
R2#

What command would you use to see where the access list was applied and in what direction?

R2#show ip int fa0/0

[ ... ]
  Outgoing access list is 1
  Inbound  access list is not set
[ ... ]

R2#

From the PC-A command prompt, ping the PC-B IP address. Were the pings successful? yes

PC-A>ping 192.168.30.3

Pinging 192.168.30.3 with 32 bytes of data:

Reply from 192.168.30.3: bytes=32 time=3ms TTL=125
Reply from 192.168.30.3: bytes=32 time=3ms TTL=125
Reply from 192.168.30.3: bytes=32 time=2ms TTL=125
Reply from 192.168.30.3: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.30.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

PC-A>

From the R1 prompt, ping PC-B’s IP address again.Was the ping successful? Why or why not? No, the pings failed. When you ping from the router, it uses the closest interface to the destination as its source address. The pings had a source address of 10.1.1.1. The access list on R3 only allows the 192.168.10.0/24 and the 192.168.20.0/24 networks access.

R1#ping 192.168.30.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R1#

Step 6: Configure a named standard ACL.

Create a named standard ACL that conforms to the following policy:
- allow traffic from all hosts on the 192.168.40.0/24 network access to all hosts on the 192.168.10.0/24 network.
- Also, only allow host PC-B access to the 192.168.10.0/24 network.
- The name of this access list should be called BRANCH-OFFICEPOLICY.
Q1: Following Cisco’s recommended best practices, on which router would you place this ACL? R1
Q2: On which interface would you place this ACL? In what direction would you apply it? fa0/0
Create the standard named ACL BRANCH-OFFICE-POLICY on R1.

R1(config)#ip access-list standard BRANCH-OFFICE-POLICY
R1(config-std-nacl)#permit host 192.168.30.3
R1(config-std-nacl)#permit 192.168.40.0 0.0.0.255
R1(config-std-nacl)#end
R1#

Apply the ACL to the appropriate interface in the proper direction.

R1(config)#int fa0/0
R1(config-if)#ip access-group BRANCH-OFFICE-POLICY out
R1(config-if)#

Verify a named ACL. On R1, issue the show access-lists command.

R1#show access-lists 
Standard IP access list BRANCH-OFFICE-POLICY
    10 permit host 192.168.30.3
    20 permit 192.168.40.0 0.0.0.255
R1#

Is there any difference between this ACL on R1 with the ACL on R2? If so, what is it? Although there is no line 30 with a deny any on R1, it is implied.

On R1, issue the show ip interface fa0/0 command.

R1#show ip int fa0/0

[ ... ]
  Outgoing access list is BRANCH-OFFICE-POLICY
  Inbound  access list is not set
[ ... ]

R1#

From the command prompt on PC-B, ping PC-A’s IP address. Were the pings successful? yes

PC-B>ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:

Reply from 192.168.10.3: bytes=32 time=2ms TTL=125
Reply from 192.168.10.3: bytes=32 time=2ms TTL=125
Reply from 192.168.10.3: bytes=32 time=2ms TTL=125
Reply from 192.168.10.3: bytes=32 time=3ms TTL=125

Ping statistics for 192.168.10.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

PC-B>

Test the ACL to see if it allows traffic from the 192.168.40.0/24 network access to the 192.168.10.0/24 network. no

R2#ping 192.168.10.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R2#

Part 7: Modify a Standard ACL

Management has decided that users from the 209.165.200.224/27 network should be allowed full access to the 192.168.10.0/24 network.
Management also wants ACLs on all of their routers to follow consistent rules.
A deny any ACE should be placed at the end of all ACLs.
You must modify the BRANCH-OFFICE-POLICY ACL.

From R1 privilege EXEC mode, issue a show access-lists command.

R1#show access-lists
Standard IP access list BRANCH-OFFICE-POLICY
    10 permit host 192.168.30.3 (4 match(es))
    20 permit 192.168.40.0 0.0.0.255
R1#

Add two additional lines at the end of the ACL. From global config mode, modify the ACL, BRANCHOFFICE-POLICY.

R1(config)#ip access-list standard BRANCH-OFFICE-POLICY
R1(config-std-nacl)#30 permit 209.165.200.224 0.0.0.31
R1(config-std-nacl)#40 deny any
R1(config-std-nacl)#end
R1#

Verify the ACL.On R1, issue the show access-lists command.

R1#show access-lists 
Standard IP access list BRANCH-OFFICE-POLICY
    10 permit host 192.168.30.3 (4 match(es))
    20 permit 192.168.40.0 0.0.0.255
    30 permit 209.165.200.224 0.0.0.31
    40 deny any
R1#

Q1: Do you have to apply the BRANCH-OFFICE-POLICY to the fa0/0 interface on R1? No, the ip access-group BRANCH-OFFICE-POLICY out command is still in place on fa0/0.

Keywords

Standard ACLs , yaser rahmati , یاسر رحمتی , cisco , isp , router , IP address , EIGRP , routing , loopback , standard ACL , ping , access-list , Configure a named standard ACL , permit , deny , deny any , show access-lists , implicit deny , CCNA

Last updated 4 years ago

Was this helpful?

R1>enable R1#configure terminal R1(config)#int fa0/0 R1(config-if)#ip address 192.168.10.1 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#int s0/0/0 R1(config-if)#ip address 10.1.1.1 255.255.255.252 RR1(config-if)#no shutdown R1(config-if)#exit R1(config)#int lo 0 R1(config-if)#ip address 192.168.20.1 255.255.255.0 R1(config-if)#

R2>enable R2#configure terminal R2(config)#int fa0/0 R2(config-if)#ip address 192.168.30.1 255.255.255.0 R2(config-if)#no shutdown R2(config-if)#exit R2(config)#int s0/1/0 R2(config-if)#ip address 10.2.2.1 255.255.255.252 R2(config-if)#no shutdown R2(config-if)#exit R2(config)#int lo 0 R2(config-if)#ip address 192.168.40.1 255.255.255.0 R2(config-if)#

ISP>enable ISP#configure terminal ISP(config)#int s0/0/0 ISP(config-if)#ip address 10.1.1.2 255.255.255.252 ISP(config-if)#clock rate 64000 ISP(config-if)#no shutdown ISP(config-if)#exit ISP(config)#int s0/1/0 ISP(config-if)#ip address 10.2.2.2 255.255.255.252 ISP(config-if)#clock rate 64000 ISP(config-if)#no shutdown ISP(config-if)#exit ISP(config)#int lo 0 ISP(config-if)#ip address 209.165.200.225 255.255.255.224 ISP(config-if)#

PC-A>ipconfig FastEthernet0 Connection:(default port) Link-local IPv6 Address.........: FE80::2E0:F7FF:FE58:11D5 IP Address......................: 192.168.10.3 Subnet Mask.....................: 255.255.255.0 Default Gateway.................: 192.168.10.1 PC-A>

PC-B>ipconfig FastEthernet0 Connection:(default port) Link-local IPv6 Address.........: FE80::209:7CFF:FE86:C255 IP Address......................: 192.168.30.3 Subnet Mask.....................: 255.255.255.0 Default Gateway.................: 192.168.30.1 PC-B>

R1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/30 is subnetted, 2 subnets C 10.1.1.0 is directly connected, Serial0/0/0 D 10.2.2.0 [90/21024000] via 10.1.1.2, 00:05:04, Serial0/0/0 C 192.168.10.0/24 is directly connected, FastEthernet0/0 C 192.168.20.0/24 is directly connected, Loopback0 D 192.168.30.0/24 [90/21026560] via 10.1.1.2, 00:02:52, Serial0/0/0 D 192.168.40.0/24 [90/21152000] via 10.1.1.2, 00:02:52, Serial0/0/0 209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks D 209.165.200.0/24 [90/21664000] via 10.1.1.2, 00:02:52, Serial0/0/0 D 209.165.200.224/27 [90/20640000] via 10.1.1.2, 00:05:04, Serial0/0/0 R1#

R2#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/30 is subnetted, 2 subnets D 10.1.1.0 [90/21024000] via 10.2.2.2, 00:02:25, Serial0/1/0 C 10.2.2.0 is directly connected, Serial0/1/0 D 192.168.10.0/24 [90/21026560] via 10.2.2.2, 00:03:12, Serial0/1/0 D 192.168.20.0/24 [90/21152000] via 10.2.2.2, 00:03:12, Serial0/1/0 C 192.168.30.0/24 is directly connected, FastEthernet0/0 C 192.168.40.0/24 is directly connected, Loopback0 209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks D 209.165.200.0/24 is a summary, 00:03:27, Null0 D 209.165.200.224/27 [90/20640000] via 10.2.2.2, 00:03:12, Serial0/1/0 R2#

ISP#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/30 is subnetted, 2 subnets C 10.1.1.0 is directly connected, Serial0/0/0 C 10.2.2.0 is directly connected, Serial0/1/0 D 192.168.10.0/24 [90/20514560] via 10.1.1.1, 00:05:41, Serial0/0/0 D 192.168.20.0/24 [90/20640000] via 10.1.1.1, 00:05:41, Serial0/0/0 D 192.168.30.0/24 [90/20514560] via 10.2.2.1, 00:03:29, Serial0/1/0 D 192.168.40.0/24 [90/20640000] via 10.2.2.1, 00:03:29, Serial0/1/0 209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks D 209.165.200.0/24 [90/21152000] via 10.2.2.1, 00:03:29, Serial0/1/0 C 209.165.200.224/27 is directly connected, Loopback0 ISP#

PC-A>ping 192.168.30.3 Pinging 192.168.30.3 with 32 bytes of data: Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Ping statistics for 192.168.30.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 2ms, Average = 2ms PC-A>ping 192.168.40.1 Pinging 192.168.40.1 with 32 bytes of data: Reply from 192.168.40.1: bytes=32 time=2ms TTL=253 Reply from 192.168.40.1: bytes=32 time=2ms TTL=253 Reply from 192.168.40.1: bytes=32 time=2ms TTL=253 Reply from 192.168.40.1: bytes=32 time=13ms TTL=253 Ping statistics for 192.168.40.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 13ms, Average = 4ms PC-A>

R1>ping 192.168.30.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/8/22 ms R1>ping 192.168.40.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/9/23 ms R1>

R2(config)#access-list 1 remark ALLOW_R1_LANs_ACCESS R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255 R2(config)#access-list 1 permit 192.168.20.0 0.0.0.255 R2(config)#access-list 1 deny an R2(config)#access-list 1 deny any R2(config)#int fa0/0 R2(config-if)#ip access-group 1 out

PC-A>ping 192.168.30.3 Pinging 192.168.30.3 with 32 bytes of data: Reply from 192.168.30.3: bytes=32 time=3ms TTL=125 Reply from 192.168.30.3: bytes=32 time=3ms TTL=125 Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Reply from 192.168.30.3: bytes=32 time=2ms TTL=125 Ping statistics for 192.168.30.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 3ms, Average = 2ms PC-A>

PC-B>ping 192.168.10.3 Pinging 192.168.10.3 with 32 bytes of data: Reply from 192.168.10.3: bytes=32 time=2ms TTL=125 Reply from 192.168.10.3: bytes=32 time=2ms TTL=125 Reply from 192.168.10.3: bytes=32 time=2ms TTL=125 Reply from 192.168.10.3: bytes=32 time=3ms TTL=125 Ping statistics for 192.168.10.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 3ms, Average = 2ms PC-B>

R1#show access-lists Standard IP access list BRANCH-OFFICE-POLICY 10 permit host 192.168.30.3 (4 match(es)) 20 permit 192.168.40.0 0.0.0.255 30 permit 209.165.200.224 0.0.0.31 40 deny any R1#