
Technological Institute of the Philippines

Computer Engineering Department

Network Security Design using ACL

In partial fulfillment of the requirements in


Computer Networks Design (CPE501)

Submitted by:

Nardo, Timothy Amiel F.


Senia, Carl Jamesy O.

Submitted to:

Engr. Alonica R. Villanueva

September 27, 2019


I. Background / Scenario

CjTim Corporation is a startup company that has built a network for its business. The network is small,
consisting of four (4) departments, Management, Sales, Engineering and Guest, arranged in two (2)
clusters. Each department has its own permissions and restrictions for reaching or contacting the other
departments on the network.

I.1 Management
• configured to have access to all, i.e. the connection to every department and service is permitted

I.2 Sales
• configured with an extended ACL
• this department must not be able to access the Web Services.
• permits all other traffic

I.3 Engineering
• configured with a standard ACL
• this department must not be able to access the Guest PCs.
• can receive email but cannot send it
• permits all other traffic.

I.4 Guest
• configured with both a standard ACL and an extended ACL
• this department may ONLY receive email; sending email to other departments such as SALES and
ENGINEERING is denied.
• cannot access FTP.
• this department also cannot ping the SALES and ENGINEERING departments.
• permits all other traffic

II. Objectives
- to design a simple network
- to apply standard ACLs and extended ACLs

III. Topology

Figure 3.1 Network Topology


Figure 3.2 Management and Sales Network

Figure 3.3 Engineering & Guest


IV. Addressing Table
Table 4-1 IP Addressing for the network topology

Device         Interface  IP address     Subnet Mask      Default Gateway
R1             G0/0.10    192.168.0.110  255.255.255.240  N/A
               G0/1.20    192.168.0.94   255.255.255.224  N/A
               S0/0/0     10.10.10.1     255.255.255.0    N/A
ISP            S0/0/0     10.10.10.2     255.255.255.0    N/A
               S0/0/1     10.10.11.2     255.255.255.0    N/A
               G0/0       192.168.3.62   255.255.255.192  N/A
               G0/1       192.168.4.30   255.255.255.224  N/A
R2             G0/0.30    192.168.0.62   255.255.255.224  N/A
               G0/1.40    192.168.0.30   255.255.255.224  N/A
               S0/0/1     10.10.11.1     255.255.255.0    N/A
Management_1   Fa0        192.168.0.97   255.255.255.240  192.168.0.110
Management_2   Fa0        192.168.0.98   255.255.255.240  192.168.0.110
Sales_1        Fa0        192.168.0.65   255.255.255.224  192.168.0.94
Sales_2        Fa0        192.168.0.66   255.255.255.224  192.168.0.94
Engineering_1  Fa0        192.168.0.33   255.255.255.224  192.168.0.62
Engineering_2  Fa0        192.168.0.34   255.255.255.224  192.168.0.62
Guest_1        Fa0        192.168.0.1    255.255.255.224  192.168.0.30
Guest_2        Fa0        192.168.0.2    255.255.255.224  192.168.0.30
DNS Server     Fa0        192.168.3.1    255.255.255.192  192.168.3.62
Email Server   Fa0        192.168.4.1    255.255.255.224  192.168.4.30

V. Resources

- Cisco Packet Tracer 7.2
- Laptop / Computer

VI. Network Configuration

Figure 6.1 Network Configuration for router R1.
Figure 6.2 Network Configuration for router ISP.
Figure 6.3 Network Configuration for router R2.

VII. Test and Simulations

Management has access to all departments and servers.

Figure 7.1 Test connection of Management_1 to the other departments and servers.

Sales is unable to access the Web Service and unable to communicate with the Guest PCs.

Figure 7.2 Access-list configuration for the Sales department.

Engineering should not be able to access the Guest PCs.

Figure 7.3 Configuration of the access-list for the Engineering department.

Guest receives email but cannot send it, and can ONLY communicate with the Management department.

Figure 7.4 Overall access-list configuration for the Guest department: no sending of email, no access to
other departments except Management, and no access to FTP.

Test of the Web service for Management_1
Test of the Web service for Engineering_1
Test of FTP in Management_1
Test of the Web service for Guest_1
Test of FTP in Engineering_1
Test of FTP in Sales_1

VIII. Conclusion
Working with access control lists, we concluded that they can be used on network devices such as routers
to act as a filter for network traffic, packet storms, services and host access. A standard access list
provides basic packet filtering based only on the source IP address of a packet, while an extended access
list can filter not only on source addresses but also on destination addresses, protocols and even
applications, identified by their port numbers. Every field of an entry must match for that entry to permit
or deny the packet, and if no entry in the ACL matches, the router rejects the packet because of the
implicit deny-all clause at the end of the list. Taken as a whole, an access control list provides control
over which packets are permitted and denied within the network.
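The policies of Section I and the matching rules described in this conclusion (first match wins, implicit deny, standard entries match source only) can be modelled as a small filter. This is an added example, not a configuration from the report or from Packet Tracer; it uses the subnets of Table 4-1 and assumes web = TCP/80, SMTP = TCP/25, FTP control = TCP/21, and that email is sent through the Email Server (192.168.4.1).

```python
import ipaddress

# Subnets from Table 4-1 of the report; the Email Server (192.168.4.1) sits in "mail".
NET = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "mgmt": "192.168.0.96/28", "sales": "192.168.0.64/27", "eng": "192.168.0.32/27",
    "guest": "192.168.0.0/27", "mail": "192.168.4.0/27", "any": "0.0.0.0/0"}.items()}

def ace(action, src, dst="any", proto="ip", dport=None):
    """One access-list entry. A standard ACL entry only ever sets src;
    matching on dst, protocol or port needs an extended entry."""
    return (action, NET[src], NET[dst], proto, dport)

def pkt(src, dst, proto, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

def matches(entry, p):
    _, src, dst, proto, dport = entry
    return (p["src"] in src and p["dst"] in dst
            and proto in ("ip", p["proto"])
            and (dport is None or dport == p["dport"]))

def evaluate(acl, p):
    """Entries are checked top to bottom; the first match decides. A packet that
    matches nothing falls through to the implicit 'deny any' at the end."""
    for entry in acl:
        if matches(entry, p):
            return entry[0]
    return "deny"

# Section I policies, one ACL per source department (assumptions: web = TCP/80,
# SMTP = TCP/25, FTP control = TCP/21; mail is sent through the Email Server).
ACL = {
    "mgmt": [ace("permit", "any")],
    "sales": [ace("deny", "sales", "any", "tcp", 80), ace("permit", "any")],
    # "cannot access Guest PCs" as a standard (source-only) entry means
    # "deny 192.168.0.32 0.0.0.31" applied outbound on the Guest subinterface G0/1.40;
    # "cannot send email" needs an extended entry because it matches a port.
    "eng": [ace("deny", "eng", "guest"), ace("deny", "eng", "mail", "tcp", 25),
            ace("permit", "any")],
    "guest": [ace("deny", "guest", "mail", "tcp", 25), ace("deny", "guest", "any", "tcp", 21),
              ace("deny", "guest", "sales", "icmp"), ace("deny", "guest", "eng", "icmp"),
              ace("permit", "any")],
}

def decide(p):
    """Filter a packet with the ACL of the department it comes from."""
    for name in ("mgmt", "sales", "eng", "guest"):
        if p["src"] in NET[name]:
            return evaluate(ACL[name], p)
    return "permit"  # an interface with no ACL applied forwards everything
```

Note that a department's "permit other traffic" entry is what keeps the implicit deny from dropping DNS, POP3 and the like; remove it and every unlisted flow is silently rejected.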
IX. Reflection
CJ: In doing the case study I was able to understand how standard and extended ACLs work within
a network. I have also learned that implementing ACLs in a network helps you to be more secure.

Timothy: Doing the case study was a big help in understanding how ACLs work within a certain
network. Having good access management for each department of a network is much better than having
none.
