Dis4 Lab 1.3.4.4 Answer

CCNA4 discovery 4.0
Published by: Adelaide-City South Australia on Apr 29, 2013
CCNA Discovery Designing and Supporting Computer Networks

Lab 1.3.4 Creating an ACL

Device             Host Name   Interface   Address        Subnet Mask
Discovery Server   Server      —           172.17.1.1     255.255.0.0
R1                 FC-CPE-1    Fa0/1       172.17.0.1     255.255.0.0
                               Fa0/0       10.0.0.1       255.255.255.0
S1                 FC-ASW-1    —           —              —
Host1              PC1         —           10.0.0.10      255.255.255.0
Host2              PC2         —           10.0.0.201     255.255.255.0

Objective
• Create Access Control Lists (ACLs) to filter traffic for security and traffic management.

640-802 CCNA Exam Objectives
This lab contains skills that relate to the following CCNA exam objectives:
• Configure and apply ACLs based on network filtering requirements (including CLI/SDM).
• Configure and apply ACLs to limit telnet and SSH access to the router (including SDM/CLI).
• Verify and monitor ACLs in a network environment.

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 11

Expected Results and Success Criteria

Instructor note: This section helps the students realize why they are doing the tasks outlined in the lab. It also requires them to anticipate the end result of the lab. If possible, students should discuss the answers in this section with a partner before beginning the configuration steps.

Before starting this lab, read through the tasks that you are expected to perform. What do you expect the result of performing these tasks will be?
______________________________________________________________________________________

How is an understanding of ACLs useful in network administration?
______________________________________________________________________________________

How will a network administrator know if the ACL is working properly?
______________________________________________________________________________________

Background / Preparation

Instructor Notes: This lab reviews ACLs. Whereas ACLs were covered in detail in CCNA Discovery: Introducing Routing and Switching in the Enterprise, this lab focuses on security and ACL design. This is a demonstration lab that uses wildcard masks. Students should review the use of wildcard masks in the Challenge Task. This lab also uses Discovery Server to provide representative application data traffic. See CCNA Discovery Server FAQ on Academy Connection Tools. Alternately, a local lab server can be set up to provide representative data traffic. If possible, this should include FTP and HTTP/Web traffic.

In this lab you will consider the need for data traffic control and filtering in a network. ACLs are typically applied at the Distribution Layer. This lab will use a router connected to a server that will provide sample network applications to demonstrate ACL placement and operation. Its purpose is to emphasize data traffic control and filtering, initially at the design stage and then moving to a representative implementation of these policies. The traffic security design will then be applied to an example network using ACLs.

Step 1: Analyze the traffic filtering requirements

a. Determine the access and filtering requirements, and design the policies to achieve this. For this lab:
1) PC1 is a network administrator's workstation. This host must be permitted FTP and HTTP access to the network server, and telnet access to the router FC-CPE-1.

2) PC2 is a general workstation that is to have HTTP access only. FTP services and Telnet access to the router are not permitted.

b. Having determined the specific requirements, decide if all other traffic is to be allowed or denied. List the benefits and potential problems of the following filtering scenarios:

Benefits of allowing all other traffic:
Future implemented services are not blocked.

Potential problems with allowing all other traffic:
Unwanted or malicious traffic is not blocked.

Benefits of denying all other traffic:
Unwanted or malicious traffic is automatically blocked.

Potential problems with denying all other traffic:
Future implemented services are automatically blocked.

Step 2: Design and create the ACL

a. Review ACL recommended practice:
• Always plan thoroughly before implementation.
• ACLs with many statements take longer to process, which may affect router performance.
• The sequence of the statements is important. Put the more specific statements at the beginning and the more general statements at the end. Statements are added to the end of the ACL as they are written.
• Although there is an implicit deny any statement at the end of every ACL, it is good practice to configure this explicitly. This ensures that you remember that the effect is in place and allows logging of matches to this statement to be used.
• Use Named ACLs wherever possible.
• Use comments (remark option) within the ACL to document the purpose of the statements.
• Create and edit ACLs with a text editor, save the file, and then apply.
• To take effect, ACLs must be applied to an interface. An interface can have one ACL per Network Layer protocol, per direction.
• Placement of ACLs:
  o Standard: closest to the destination (if you have administrative authority on that router)
  o Extended: closest to the source (if you have administrative authority on that router)

b. Consider the two approaches to writing ACLs:
• Permit specific traffic first and then deny general traffic.
• Deny specific traffic first and then permit general traffic.

When would it be best to permit specific traffic first and then deny general traffic?

When there is likely to be more traffic of the type to be permitted: these packets are matched early in the ACL without having to traverse many statements, minimizing router latency.

When would it be best to deny specific traffic first and then permit general traffic?
When there is likely to be more traffic of the type to be denied: these packets are matched early in the ACL without having to traverse many statements, minimizing packet latency.

c. Select one approach and write the ACL statements that will meet the requirements of this lab.
Answers vary. One example is:

Allow PC1 to access server http and ftp
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq www log
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp log
Allow PC2 to access web server
access-list 101 permit tcp host 10.0.0.201 host 172.17.1.1 eq www log
Allow PC1 telnet access to router Fa0/0
access-list 101 permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log
Deny all other traffic
access-list 101 deny ip any any log

After an ACL is written and applied to an interface, it is useful to know if the ACL statements are having the desired effect. The number of packets that meet the conditions of each ACL statement can be logged by adding the option log at the end of each statement.

Why is it important to know how many times packets that match an ACL statement are denied?
This potentially shows the number of attempts at unauthorized access to denied services, which may lead to further investigation of network usage.

Step 3: Cable and configure the given network

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

a. Referring to the topology diagram, connect and configure the devices in accordance with the given topology and configuration. Your instructor may substitute Discovery Server with an equivalent server for this lab.
b. Ping between PC1 and Discovery Server to confirm network connectivity. Troubleshoot and establish connectivity if the pings fail.
c. Connect the console (or rollover) cable to the console port on the router and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and router.
d. Establish a HyperTerminal, or other terminal emulation program, session from PC1 to Router R1.
e. From the global configuration mode issue the following commands:

Router(config)#hostname FC-CPE-1
FC-CPE-1(config)#interface FastEthernet0/0
FC-CPE-1(config-if)#ip address 10.0.0.1 255.255.255.0
FC-CPE-1(config-if)#no shutdown
FC-CPE-1(config-if)#exit
FC-CPE-1(config)#interface FastEthernet0/1
FC-CPE-1(config-if)#ip address 172.17.0.1 255.255.0.0
FC-CPE-1(config-if)#no shutdown
FC-CPE-1(config-if)#exit
FC-CPE-1(config)#line vty 0 4
FC-CPE-1(config-line)#password telnet
FC-CPE-1(config-line)#login
FC-CPE-1(config-line)#end

Step 4: Test the network services without ACLs

Perform the following tests on PC1:
a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed?
Discovery Server Home Page
b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar. What web page was displayed?
Discovery FTP Home Directory
c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Yes
d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Prompt for Telnet password and login to router
e. Exit the Telnet session.
quit

Perform the following tests on PC2:
a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed?
Discovery Server Home Page
b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar. What web page was displayed?
Discovery FTP Home Directory
c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Yes
d. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Prompt for Telnet password and login to router.
e. Exit the Telnet session.
quit

Why was each of the above connections successful?
There were no data access or filtering controls in place. Successful connection was expected.

If any of the above connections was not successful, troubleshoot the network and configurations and establish each type of connection from each host.

Step 5: Configure the network services ACL

From the global configuration mode issue the following commands:

a. Allow PC1 to access the server (HTTP and FTP, as required in Step 1).
FC-CPE-1(config)#ip access-list extended Server-Access
FC-CPE-1(config-ext-nacl)#remark Allow PC1 access to server
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www log

b. Allow PC2 to access the web server.
FC-CPE-1(config-ext-nacl)#remark Allow PC2 to access web server
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.201 host 172.17.1.1 eq www log

c. Allow PC1 telnet access to the router.
FC-CPE-1(config-ext-nacl)#remark Allow PC1 to telnet router
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log

d. Deny all other traffic.
FC-CPE-1(config-ext-nacl)#remark Deny all other traffic

FC-CPE-1(config-ext-nacl)#deny ip any any log
FC-CPE-1(config-ext-nacl)#exit

Step 6: Apply the ACLs

a. Apply the Extended ACL to the router interface closest to the source.
FC-CPE-1(config)#interface FastEthernet0/0
FC-CPE-1(config-if)#ip access-group Server-Access in
FC-CPE-1(config-if)#end

b. From the Privileged EXEC mode, issue the show running-config command and confirm that the ACLs have been configured and applied as required. Reconfigure if errors are noted.

Step 7: Test the network services with ACLs

Perform the following tests on PC1:
a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed?
Discovery Server Home Page
Why is this the outcome? This host is allowed web access.
b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar. What web page was displayed?
Discovery FTP Home Directory
c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Yes
Why is this the outcome? This host is allowed FTP access.
d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Prompt for Telnet password and login to router
Why is this the outcome? This host is allowed Telnet access.
e. Exit the Telnet session.

Perform the following tests on PC2:
a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed?
Discovery Server Home Page
Why is this the outcome? This host is allowed web access.
b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.

What web page was displayed?
Error: page cannot be displayed
Why is this the outcome? This host is not allowed FTP access.
c. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Telnet connection refused.
Why is this the outcome? This host is not allowed Telnet access.

If any of these transactions did not result in the expected outcome, troubleshoot the network and configurations and retest the ACLs from each host.

Step 8: Observe the number of statement matches

a. From the Privileged EXEC mode, issue the command:
FC-CPE-1#show access-list Server-Access
List the number of matches logged against each ACL statement.
Answers will vary (1383 matches)

Step 9: Clean up

Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Challenge

Rewrite the Server-Access ACL used in this lab so that:
1) Administrator workstations are considered to be in the address range of 10.0.0.10 /24 to 10.0.0.15 /24 instead of a single host, and,
2) The general workstations have the address range of 10.0.0.16 /24 to 10.0.0.254 /24 instead of being a single host.

ip access-list extended Server-Access
 remark Allow PC1 to access any IP traffic
 permit ip 10.0.0.0 0.0.0.15 host 172.17.1.1 log
 remark Allow PC2 to access web server
 permit tcp 10.0.0.0 0.0.0.255 host 172.17.1.1 eq www log
 remark Deny all other traffic
 deny ip any any log
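To check the Step 7 outcomes, the Step 8 match counters and the Challenge wildcard masks without a router, here is an added Python model (not Cisco's or the lab's code) that evaluates an extended ACL top down with IOS-style wildcard masks. The sample flows are constructed, and the port numbers assume the standard ftp, telnet and www ports (21, 23, 80).

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco's code: first-match evaluation of this lab's extended
# ACLs with IOS-style wildcard masks and per-statement match counters.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def host(ip):                               # "host 10.0.0.10"
    return (ip, "0.0.0.0")
ANY = ("0.0.0.0", "255.255.255.255")        # "any"

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol, otherwise e.g. "tcp"
    src: tuple          # (network, wildcard)
    dst: tuple
    dports: tuple = ()  # "eq ftp www" -> (21, 80); () means any port
    remark: str = ""
    matches: int = 0

    def hits(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)
                and (not self.dports or dport in self.dports))

def evaluate(acl, proto, src, dst, dport):
    """Top down; first match wins and is counted. Leftovers hit the implicit deny,
    which IOS does not count (one reason the lab writes the deny explicitly)."""
    for ace in acl:
        if ace.hits(proto, src, dst, dport):
            ace.matches += 1
            return ace.action
    return "deny"

def server_access_acl():
    """Server-Access as in the final running config (PC1 entry: eq ftp www)."""
    srv, rtr = host("172.17.1.1"), host("10.0.0.1")
    return [Ace("permit", "tcp", host("10.0.0.10"), srv, (21, 80), "PC1 to server"),
            Ace("permit", "tcp", host("10.0.0.201"), srv, (80,), "PC2 web"),
            Ace("permit", "tcp", host("10.0.0.10"), rtr, (23,), "PC1 telnet"),
            Ace("deny", "ip", ANY, ANY, (), "Deny all other traffic")]

def challenge_acl():
    """Challenge answer; note 10.0.0.0 0.0.0.15 covers .0-.15, not only .10-.15."""
    srv = host("172.17.1.1")
    return [Ace("permit", "ip", ("10.0.0.0", "0.0.0.15"), srv, (), "admin range"),
            Ace("permit", "tcp", ("10.0.0.0", "0.0.0.255"), srv, (80,), "general web"),
            Ace("deny", "ip", ANY, ANY, (), "Deny all other traffic")]

def step7_flows():
    """Constructed sample traffic entering Fa0/0 inbound: (proto, src, dst, dport)."""
    return {f"{pc} {svc}": ("tcp", ip, dst, port)
            for pc, ip in (("PC1", "10.0.0.10"), ("PC2", "10.0.0.201"))
            for svc, dst, port in (("http", "172.17.1.1", 80),
                                   ("ftp", "172.17.1.1", 21), ("telnet", "10.0.0.1", 23))}

def run_flows(acl, flows):                  # returns {flow name: action}
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}
def show_access_list(acl):                  # Step 8: matches per statement
    return [(ace.remark, ace.matches) for ace in acl]
```

Running run_flows(server_access_acl(), step7_flows()) and then show_access_list(acl) shows PC2's FTP and Telnet flows landing on the explicit deny entry, which is where the Step 8 counter for denied attempts comes from. challenge_acl() also permits 10.0.0.3, because the wildcard 0.0.0.15 cannot express the .10 to .15 range exactly.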

255 172.0. All rights reserved. This document is Cisco Public Information. Inc.0 0.0.0.17. Current configuration : 1309 bytes ! version 12. Page 9 of 11 .CCNA Discovery Designing and Supporting Computer Networks permit ip host 10.1 eq www log remark Deny all other traffic deny ip any any log Running config of router after lab completion: FC-CPE-1#show run Building configuration.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname FC-CPE-1 ! boot-start-marker boot-end-marker ! ! no aaa new-model ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip cef ! ! ! ! All contents are Copyright © 1992–2007 Cisco Systems..1.0..

Page 10 of 11 .CCNA Discovery Designing and Supporting Computer Networks ! ! ! ! ! interface FastEthernet0/0 ip address 10.1 255.0.0.0. This document is Cisco Public Information.255.17. Inc.0 ip access-group Server-Access in duplex auto speed auto ! interface FastEthernet0/1 ip address 172. All rights reserved.0.0 duplex auto speed auto ! interface FastEthernet0/0/0 ! interface FastEthernet0/0/1 ! interface FastEthernet0/0/2 ! interface FastEthernet0/0/3 ! interface Serial0/1/0 no ip address shutdown clock rate 125000 ! interface Serial0/1/1 no ip address shutdown clock rate 125000 ! interface Vlan1 no ip address ! All contents are Copyright © 1992–2007 Cisco Systems.255.255.1 255.

0.1.17.1 eq ftp www remark Allow PC2 to access web server permit tcp host 10. Inc.10 host 172.201 host 172. Page 11 of 11 .CCNA Discovery Designing and Supporting Computer Networks ip classless ! ip http server ! ip access-list extended Server-Access remark Allow PC1 access to server permit tcp host 10.0.1 eq www remark Allow PC1 to telnet router permit tcp host 10.0. This document is Cisco Public Information. All rights reserved.1 eq telnet remark Deny all other traffic deny ip any any ! ! control-plane ! ! line con 0 line aux 0 line vty 0 4 password telnet login ! end FC-CPE-1# All contents are Copyright © 1992–2007 Cisco Systems.1.17.0.10 host 10.0.0.0.0.
