Scribd Logo
Upload

Welcome to Scribd!

  • 65 views

    IP Access Lists: Objective Lab Topology

    Uploaded by

    Tomas Rodriguez Ramirez
    lab 6

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    IP Access Lists: Objective Lab Topology

    Uploaded by

    Tomas Rodriguez Ramirez
    65 views5 pages
    lab 6

    Original Title

    lab 6

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    lab 6

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    65 views5 pages

    IP Access Lists: Objective Lab Topology

    Uploaded by

    Tomas Rodriguez Ramirez
    lab 6

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 5

    Lab ID: 9.9K1116A087.DHI2.

    IP Access Lists
    Objective
    Build standard and extended IP access lists to filter inbound traffic on Router1’s Serial 0/0 interface.

    Lab Topology
    The topology diagram below represents the portion of the network you will configure in this lab.

    Fa0/0 Router1
    S0/0

    Fa0/0
    Router2

    S0/0
    S0/1 S0/0

    Router3 Router4
    180.10.1.0/24

    Command Summary
    Command Description
    access-list access-list-number {deny | creates an access list that denies or permits IP traffic from the
    permit} source-address source- specified address or address range
    wildcard
    access-list access-list-number {deny | defines an extended IP access control list (ACL) for the traffic
    permit} protocol source source- type specified by the protocol parameter
    wildcard [operator [port]] destination
    destination-wildcard [operator [port]]
    configure terminal enters global configuration mode from privileged EXEC mode
    enable enters privileged EXEC mode
    end ends and exits configuration mode
    exit exits one level in the menu structure
    interface type number changes from global configuration mode to interface
    configuration mode

    1 Boson NetSim Lab Manual


    Command Description
    ip access-group {access-list-number | controls access to an interface
    access-list-name} {in | out}
    ping ip-address sends an Internet Control Message Protocol (ICMP) echo
    request to the specified address
    show running-config displays the active configuration file
    telnet ip-address starts the terminal emulation program from a PC, router, or
    switch that permits you to access devices remotely over the
    network

    Lab Tasks
    Passwords in this lab have been configured as cisco.
    1. Ensure that you can ping Router2’s FastEthernet 0/0 interface (160.10.1.2) from both Router3 and
    Router4. If you cannot ping successfully, what troubleshooting methods could you use to help you
    solve the problem? _______________________________________________________________
    ______________________________________________________________________________

    2. On Router1, build a standard IP access list, numbered 1, that permits traffic from subnet 175.10.1.0
    but blocks traffic from all other devices. Apply this access list to Router1’s Serial 0/0 interface for
    inbound traffic. Is a deny any statement required in the access list? ________________________
    What type of mask should you use in the access list? ____________________________________
    What are the number ranges for a standard IP access list? _______________________________

    3. Test access list 1 by pinging from Router3 and Router4 to Router2 (160.10.1.2). What is the result of
    the pings? ______________________________________________________________________

    4. On Router1, build an extended IP access list, numbered 100, that will deny Telnet traffic from
    Router4 (180.10.1.2), deny ICMP traffic from Router3 (175.10.1.2), and allow all other traffic. Apply
    the new, extended, access list to Router1’s Serial 0/0 interface. What are two ways you can specify
    a host address in an extended IP access list? __________________________________________
    ______________________________________________________________________________
    What are the number ranges for extended IP access lists? ________________________________

    5. Test access list 100 by pinging and telnetting from Router3 and Router4 to Router2’s FastEthernet
    0/0 interface (160.10.1.2). What are the results of the ping and telnet attempts? _______________

    Once you have completed this lab, be sure to check your work by using the grading function.
    You can do so by clicking the Grade Lab icon ( ) in the toolbar or by pressing Ctrl+G.

    2 Boson NetSim Lab Manual


    Lab Solutions
    Passwords in this lab have been configured as cisco.
    1. Pings from Router3 and Router4 to Router2’s FastEthernet 0/0 interface (160.10.1.2) should
    succeed. If you cannot successfully ping Router2, ensure that IP addresses have been assigned,
    that all interfaces are up, and that a dynamic routing protocol, such as Routing Information Protocol
    (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol
    (EIGRP), or Open Shortest Path First (OSPF) is running on all routers.

    Router3#ping 160.10.1.2

    Router4#ping 160.10.1.2

    2. On Router1, issue the following commands to configure standard ACL 1:

    Router1(config)#access-list 1 permit 175.10.1.0 0.0.0.255


    Router1(config)#interface serial 0/0
    Router1(config-if)#ip access-group 1 in

    A deny any statement is not required in the access list. An implicit deny any statement is at the
    end of every access list. The mask 0.0.0.255 in the access list is a wildcard, or reverse, mask; any
    device whose source address starts with 175.10.1 in the first three octets is permitted. Standard IP
    access lists are in the range from 1 through 99 or from 1300 through 1999; other numbers cannot be
    assigned to a standard IP access list.

    3. The ping from Router3 (in subnet 175.10.1.0) to Router2 (160.10.1.2) should succeed, whereas the
    ping from Router4 (in subnet 180.10.1.0) should fail.

    Router3#ping 160.10.1.2

    Router4#ping 160.10.1.2

    4. On Router1, issue the following commands to configure extended ACL 100:

    Router1(config)#access-list 100 deny tcp host 180.10.1.2 any eq telnet


    Router1(config)#access-list 100 deny icmp host 175.10.1.2 any
    Router1(config)#access-list 100 permit ip any any
    Router1(config)#interface serial 0/0
    Router1(config-if)#ip access-group 100 in

    You can specify host 172.16.1.1 or 172.16.1.1 0.0.0.0 as a host address in an extended IP access
    list. The number range for extended IP access lists is from 100 through 199 or from 2000 through
    2699.

    3 Boson NetSim Lab Manual


    5. Router3 (175.10.1.2) should be able to telnet to Router2 but not ping it. Router4 (180.10.1.2) should
    be able to ping Router2 but not telnet to it.

    Router3#ping 160.10.1.2 (fails)

    Router3#telnet 160.10.1.2
    Password:cisco
    Router2>exit
    Router3#

    Router4#ping 160.10.1.2 (succeeds)

    Router4#telnet 160.10.1.2
    Trying 160.10.1.2 ...
    % Destination unreachable; gateway or host down

    Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.

    4 Boson NetSim Lab Manual


    Sample Configuration Script
    Router1 Router1 (continued)
    Router1#show running-config cdp holdtime 20
    Building configuration... cdp timer 50
    Current configuration : 1369 bytes !
    ! banner motd ^C
    Version 15.b Unauthorized Access Prohibited^C
    service timestamps debug uptime line con 0
    service timestamps log uptime login
    no service password-encryption password cisco
    ! line aux 0
    hostname Router1 line vty 0 4
    enable secret 5 $1$lYSY$Ai2eZ8KpUCL9ptJCN1c41w login
    enable password boson !
    ! no scheduler allocate
    ip subnet-zero end
    !
    ip cef
    no ip domain-lookup
    ip host Router2 160.10.1.2
    !
    interface Loopback0
    ip address 160.10.2.1 255.255.255.0
    no ip directed broadcast
    !
    interface Serial0/0
    description Serial Link to Router3
    ip address 175.10.1.1 255.255.255.0
    no ip directed-broadcast
    clock rate 64000
    bandwidth 64
    ip access-group 100 in
    !
    interface Serial0/1
    no ip address
    no ip directed-broadcast
    shutdown
    !
    interface FastEthernet0/0
    ip address 160.10.1.1 255.255.255.0
    no ip directed-broadcast
    !
    interface FastEthernet0/1
    no ip address
    no ip directed-broadcast
    shutdown
    !
    router eigrp 100
    network 160.10.0.0
    network 175.10.0.0
    auto-summary
    !
    ip classless
    no ip http server
    !
    access-list 1 permit 175.10.1.0 0.0.0.255
    access-list 100 deny tcp host 180.10.1.2 any eq telnet
    access-list 100 deny icmp host 175.10.1.2 any
    access-list 100 permit ip any any
    !

    5 Boson NetSim Lab Manual

    You might also like