Professional Documents
Culture Documents
AlexLeguízamo - 4.2.2.11 Packet Tracer - Configuring Extended ACLs Scenario 2 - ILM
AlexLeguízamo - 4.2.2.11 Packet Tracer - Configuring Extended ACLs Scenario 2 - ILM
Estudiante:
Alexander Leguízamo
Tutora:
Nancy Amparo Guaca
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of
Packet Tracer - Configuring Extended ACLs - Scenario 2
(Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Reflection Questions
Background / Scenario
In this scenario, devices on one LAN are allowed to remotely access devices in another LAN using the Telnet
protocol. Besides ICMP, all traffic from other networks is denied.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of
Packet Tracer - Configuring Extended ACLs - Scenario 2
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of
Packet Tracer - Configuring Extended ACLs - Scenario 2
Step 2: Apply the extended ACL.
The general rule is to place extended ACLs close to the source. However, since access list 199 affects traffic
originating from both networks 10.101.117.48/29 and 10.101.117.32/28, the best placement for this ACL
might be on interface Gigabit Ethernet 0/2 in the outbound direction. What is the command to apply ACL 199
to the Gigabit Ethernet 0/2 interface?
ip access-group 199 out
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of
Packet Tracer - Configuring Extended ACLs - Scenario 2
d. Ping from PCA to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP
addresses before continuing.
e. Telnet from PCA to SWC. The access list causes the router to reject the connection.
f. Telnet from PCA to SWB. The access list is placed on G0/2 and does not affect this connection.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of
Packet Tracer - Configuring Extended ACLs - Scenario 2
Solucionada la puerta de enlace en SWB, se procede nuevamente a realizar Telnet desde PCA a SWB.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of
Part 2: Reflection Questions
1. How was PCA able to bypass access list 199 and Telnet to SWC? Two steps were used: First, PCA used
Telnet to access SWB. From SWB, Telnet was allowed to SWC.
Se realizaron dos pasos: PCA hizo Telnet al SWB, y una vez allí, se hizo Telnet al SWC
2. What could have been done to prevent PCA from accessing SWC indirectly, while allowing PCB Telnet
access to SWC? Access list 199 should have been written to deny Telnet traffic from the 10.101.117.48 /29
network while permitting ICMP. It should have been placed on G0/0 of RTA.
Se ha debido configuar una lista de acceso que deniegue el paso de Telnet desde PCA red
10.101.11.48/29, mientras que sí se permite el paso ICMP (ping). Esa lista de acceso estaría ubicada en
el G0/0 del RTA.
Conclusiones:
Las ACL nos ayuda a mejorar el rendimiento en la red, y nos permite controlar el flujo de
tráfico, con lo que podemos en caso de no necesitar actualizaciones de enrutamiento, poder
restringirlas, con lo cual se preservaría el ancho de banda.
Con las ACL se proporciona un nivel básico de seguridad para el acceso a la red; es decir
que se puede configuar una red para que un host pueda acceder a parte de la red y evitar que
otros accedan a la misma.
Una ACL extendida de IPV4 se usar para tener un control más preciso del filtrado de tráfico
en una red. Estas ACL denominadas extendidas se númeran del 100 al 199 y del 200 al
2699; tambíen se pueden identifcar con un nombre.
Las Acl nos permite filtrar por protocolos y número de puertos; por tal motivo facilita
administrar una red de manera muy escpecífica; es decir que por ejemplo podemos filtrar
paquetes permitiendo o denegando su tráfico a los usuarios para acceder a determinados
archivos (FTP o HTTP).