CCNA Exploration
Accessing the WAN: ACLs
Lab 5.5.2: Access Control Lists Challenge

Topology Diagram

(The diagram image is not reproduced here. It shows R1 and R2 joined by a serial link between their S0/0/0 interfaces, R2 and R3 joined by a serial link between their S0/0/1 interfaces, a loopback interface on R2, and PC1 and PC3 on the Fa0/1 LANs of R1 and R3, as listed in the Addressing Table.)

Addressing Table

Device   Interface   IP Address    Subnet Mask     Default Gateway
R1       S0/0/0      10.1.0.1      255.255.255.0   N/A
R1       Fa0/1       10.1.1.254    255.255.255.0   N/A
R2       S0/0/0      10.1.0.2      255.255.255.0   N/A
R2       S0/0/1      10.3.0.1      255.255.255.0   N/A
R2       Lo0         10.13.205.1   255.255.0.0     N/A
R3       S0/0/1      10.3.0.2      255.255.255.0   N/A
R3       Fa0/1       10.3.1.254    255.255.255.0   N/A
PC1      NIC         10.1.1.1      255.255.255.0   10.1.1.254
PC3      NIC         10.3.1.1      255.255.255.0   10.3.1.254

All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 9

Learning Objectives

To complete this lab:
- Design named standard and named extended ACLs.
- Apply named standard and named extended ACLs.
- Test named standard and named extended ACLs.
- Troubleshoot named standard and named extended ACLs.

Task 1: Prepare the Network

Step 1: Cable a network that is similar to the one in the Topology Diagram.
You can use any current router in your lab as long as it has the required interfaces shown in the topology diagram.
Note: If you use a 1700, 2500, or 2600 router, the router outputs and interface descriptions may appear different.

Step 2: Clear any existing configurations on the routers.

Task 2: Perform Basic Router Configurations

Configure the R1, R2, and R3 routers according to the following guidelines:
- Configure the router hostname.
- Disable DNS lookup.
- Configure an EXEC mode password.
- Configure a message-of-the-day banner.
- Configure a password for console connections.
- Configure a password for VTY connections.
- Configure IP addresses on all devices.
- Create a loopback interface on R2.
- Enable OSPF area 0 on all routers for all networks.
- Verify full IP connectivity using the ping command.

R1
hostname R1
no ip domain-lookup
enable secret class
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
interface serial 0/0/0
 ip address 10.1.0.1 255.255.255.0
 clock rate 125000
 no shutdown
!
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 logging synchronous
 password cisco
 login
!
line vty 0 4
 password cisco
 login
!

R2
hostname R2
enable secret class
no ip domain lookup
!
interface Loopback0
 ip address 10.13.205.1 255.255.0.0
!
interface Serial0/0/0
 ip address 10.1.0.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.0.1 255.255.255.0
 clockrate 125000
 no shutdown
!
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.3.0.0 0.0.0.255 area 0
 network 10.13.0.0 0.0.255.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 password cisco
 login
!

R3
hostname R3
!
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
 ip address 10.3.1.254 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.0.2 255.255.255.0
 no shutdown
!
router ospf 1
 network 10.3.0.0 0.0.0.255 area 0
 network 10.3.1.0 0.0.0.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 password cisco
 login
!

Task 3: Configuring Standard ACLs

Configure standard named ACLs on the R1 and R3 VTY lines,
permitting hosts connected directly to their FastEthernet subnets to gain Telnet access. Deny and log all other connection attempts. Document your testing procedures.

The explicit deny any log entry exists only for the log message: every ACL already ends in an implicit deny, but packets dropped by the implicit deny are not logged. A standard list matches on source address only, so access-class restricts which addresses may open a session to the VTY lines; it does not replace the line password.

R1
ip access-list standard VTY_LOCAL
 permit 10.1.1.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class VTY_LOCAL in
!

R3
ip access-list standard VTY_LOCAL
 permit 10.3.1.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class VTY_LOCAL in

Testing procedure:
- Attempt to telnet to R3 from PC1, R1, and R2. These tests should fail.
- Attempt to telnet to R1 from PC3, R2, and R3. These tests should fail.
- Attempt to telnet to R1 from PC1. This test should pass.
- Attempt to telnet to R3 from PC3. This test should pass.

Task 4: Configuring Extended ACLs

Using extended ACLs on R2, complete the following requirements:
- The LANs connected to R1 and R3 are used for student computer labs. The network administrator has noticed that students in these labs are playing games across the WAN with the remote students. Make sure that your ACL prevents the LAN attached to R1 from reaching the LAN at R3 and that the LAN on R3 cannot reach the LAN on R1. Be specific in your statements so that any new LANs added to either R1 or R3 are not affected.
- Permit all OSPF traffic.
- Permit ICMP traffic to the R2 local interfaces.
- All network traffic destined to TCP port 80 should be allowed and logged.
- Any traffic not specified above should be denied.
Note: This may require multiple access lists.
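Before the lists go onto real hardware it is worth checking, off the router, that a candidate list meets every requirement above and that the test procedure in Task 3 behaves as expected. The following Python script is an added example and is not part of the Cisco lab: it models how IOS evaluates a named ACL (entries checked top-down, first match wins, implicit deny at the end, wildcard masks) over constructed packets, encodes the standard VTY_LOCAL list from Task 3 and an extended list for R2's Serial0/0/0 that meets the requirements of this task, and compares that list with a copy whose port 80 entry has been moved to the top. The names Packet, Entry, parse_acl, wildcard_match, evaluate, task3_results and task5_results and the probe labels are this example's own; the addresses are the ones in the lab's addressing table, with the three R2 interfaces (10.1.0.2, 10.3.0.1, 10.13.205.1) as the permitted ICMP destinations.

```python
"""Model of Cisco IOS named-ACL evaluation (added example, not Cisco code).
Entries are checked top-down, the first match wins, and a packet matching no
entry hits the implicit deny at the end.  A wildcard mask is the inverse of a
netmask: a 1 bit means "don't care"."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                    # (address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")

@dataclass(frozen=True)
class Packet:
    proto: str                            # "icmp", "tcp", "udp", "ospf", ...
    src: str
    dst: str
    dport: Optional[int] = None           # destination port (TCP/UDP only)

@dataclass(frozen=True)
class Entry:
    seq: int                              # IOS default sequence numbers: 10, 20, ...
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every protocol
    src: Addr
    dst: Addr                             # ANY for a standard list
    dport: Optional[int]
    log: bool
    text: str                             # the IOS line as written

def _addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_acl(text: str, extended: bool) -> List[Entry]:
    """Parse the body of 'ip access-list standard|extended NAME'; only the
    subset of IOS syntax this lab uses (optional 'eq PORT' and 'log')."""
    entries = []
    for n, line in enumerate(l.strip() for l in text.splitlines() if l.strip()):
        t = line.split()
        action, proto, i = t[0], "ip", 1
        assert action in ("permit", "deny"), line
        if extended:
            proto, i = t[1], 2
        src, i = _addr(t, i)
        dst, dport = ANY, None
        if extended:
            dst, i = _addr(t, i)
            if i < len(t) and t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
        log = i < len(t) and t[i] == "log"
        entries.append(Entry(10 * (n + 1), action, proto, src, dst, dport, log, line))
    return entries

def wildcard_match(addr: str, operand: Addr) -> bool:
    """True when addr agrees with the base on every bit that is 0 in the wildcard."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, *operand))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, sequence number or None for the implicit deny, logged)."""
    for e in acl:
        if e.proto not in ("ip", p.proto) or (e.dport is not None and e.dport != p.dport):
            continue
        if wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst):
            return e.action, e.seq, e.log  # first match wins; nothing below is consulted
    return "deny", None, False             # implicit deny: silent, never logged

# The lab's lists: VTY_LOCAL as applied on R3, and the list R2 needs on Serial0/0/0.
VTY_LOCAL_R3 = parse_acl("permit 10.3.1.0 0.0.0.255\ndeny any log", extended=False)
BLOCK_R1 = parse_acl("""
    deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
    permit ospf any any
    permit icmp any host 10.1.0.2
    permit icmp any host 10.3.0.1
    permit icmp any host 10.13.205.1
    permit tcp any any eq 80 log
""", extended=True)
# The same six entries with the port-80 permit moved to the top.
BLOCK_R1_MISORDERED = parse_acl("\n".join(e.text for e in BLOCK_R1[-1:] + BLOCK_R1[:-1]), True)

# Addresses from the lab's addressing table.
PC1, PC3, R1_S0, R2_S0, R2_LO, R3_S1 = ("10.1.1.1", "10.3.1.1", "10.1.0.1",
                                        "10.1.0.2", "10.13.205.1", "10.3.0.2")

def task5_results(acl: List[Entry] = BLOCK_R1) -> dict:
    """Constructed Task 5 probes, evaluated as R2 does inbound on Serial0/0/0."""
    probes = {
        "ping PC1->PC3": Packet("icmp", PC1, PC3),
        "http PC1->PC3": Packet("tcp", PC1, PC3, 80),
        "http PC1->R2 S0/0/0": Packet("tcp", PC1, R2_S0, 80),
        "ping PC1->R2 Lo0": Packet("icmp", PC1, R2_LO),
        "ospf R1->R2": Packet("ospf", R1_S0, "224.0.0.5"),
        "telnet PC1->R3 S0/0/1": Packet("tcp", PC1, R3_S1, 23),
        "ping PC1->R3 S0/0/1": Packet("icmp", PC1, R3_S1),
    }
    return {name: evaluate(acl, p) for name, p in probes.items()}

def task3_results() -> dict:
    """Constructed Task 3 probes: Telnet to R3, filtered by access-class VTY_LOCAL."""
    sources = {"PC3": PC3, "PC1": PC1, "R2 S0/0/1": "10.3.0.1", "R1 S0/0/0": R1_S0}
    return {n: evaluate(VTY_LOCAL_R3, Packet("tcp", s, "10.3.1.254", 23))
            for n, s in sources.items()}
```

Calling task5_results() reproduces the Task 5 outcomes: the PC1 to PC3 ping and HTTP probes are dropped by entry 10, OSPF and ICMP to R2's interfaces are permitted, HTTP to R2's serial address is permitted and logged, and Telnet or ping from PC1 towards R3's serial interface falls through to the implicit deny. task5_results(BLOCK_R1_MISORDERED) shows the failure mode behind the order question: with the port 80 permit first, HTTP between the two labs is permitted and logged instead of dropped. task3_results() shows VTY_LOCAL admitting PC3 and logging every other source.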
Verify your configuration and document your testing procedure.

Why is the order of access list statements so important?

Access lists are processed from the top down. The first entry that matches a packet decides what happens to it; the remaining entries are never evaluated, and a packet that matches no entry is dropped by the implicit deny at the end of every list. In the lists below the lab-to-lab deny therefore has to come before the permit for TCP port 80: placed after it, web traffic between the two labs would be permitted and logged instead of dropped.

R2's local interfaces are Serial0/0/0 (10.1.0.2), Serial0/0/1 (10.3.0.1), and Loopback0 (10.13.205.1), so these are the three ICMP destinations that each list permits.

R2
ip access-list extended BLOCK_R1
 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
 permit ospf any any
 permit icmp any host 10.1.0.2
 permit icmp any host 10.3.0.1
 permit icmp any host 10.13.205.1
 permit tcp any any eq 80 log
ip access-list extended BLOCK_R3
 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ospf any any
 permit icmp any host 10.1.0.2
 permit icmp any host 10.3.0.1
 permit icmp any host 10.13.205.1
 permit tcp any any eq 80 log
!
interface serial 0/0/0
 ip access-group BLOCK_R1 in
!
interface serial 0/0/1
 ip access-group BLOCK_R3 in

Task 5: Verifying an ACL

Test each protocol that you are trying to block, and make sure that permitted traffic is allowed. This requires testing ping, HTTP, Telnet, and OSPF.

Step 1: Test R1 to R3 traffic and R3 to R1 traffic.
Ping from PC1 to PC3. Ping from PC3 to PC1. Both should fail.

Step 2: Test port 80 access.
To test port 80 functionality, enable the HTTP server on R2:
R2(config)#ip http server
From PC1, open a web browser to the R2 Serial 0/0/0 interface (10.1.0.2). This should be successful, and R2 logs the match because the port 80 entry carries the log keyword. The HTTP server is a management interface; disable it again with no ip http server once the test is complete.

Step 3: Verify OSPF routes.
No routes should be lost. Confirm with show ip route.

Step 4: Test ping to R2.
Ping to R2 from R1 and PC1. Ping to R2 from R3 and PC3. Both should succeed.

Step 5: Perform other ping tests to confirm that all other traffic is denied.

Task 6: Document the Router Configurations

Configurations

R1
hostname R1
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 10.1.0.1 255.255.255.0
 clockrate 125000
 no shutdown
!
router ospf 1
 no auto-cost
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
ip access-list standard VTY_LOCAL
 permit 10.1.1.0 0.0.0.255
 deny any log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 access-class VTY_LOCAL in
 password cisco
 login
!

R2
hostname R2
enable secret class
no ip domain lookup
!
interface Loopback0
 ip address 10.13.205.1 255.255.0.0
!
interface Serial0/0/0
 ip address 10.1.0.2 255.255.255.0
 ip access-group BLOCK_R1 in
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.0.1 255.255.255.0
 ip access-group BLOCK_R3 in
 clockrate 125000
 no shutdown
!
router ospf 1
 no auto-cost
 network 10.1.0.0 0.0.0.255 area 0
 network 10.3.0.0 0.0.0.255 area 0
 network 10.13.0.0 0.0.255.255 area 0
!
ip access-list extended BLOCK_R1
 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
 permit ospf any any
 permit icmp any host 10.1.0.2
 permit icmp any host 10.3.0.1
 permit icmp any host 10.13.205.1
 permit tcp any any eq 80 log
ip access-list extended BLOCK_R3
 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ospf any any
 permit icmp any host 10.1.0.2
 permit icmp any host 10.3.0.1
 permit icmp any host 10.13.205.1
 permit tcp any any eq 80 log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 password cisco
 login
!

R3
hostname R3
!
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
 ip address 10.3.1.254 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.0.2 255.255.255.0
 no shutdown
!
router ospf 1
 no auto-cost
 network 10.3.0.0 0.0.0.255 area 0
 network 10.3.1.0 0.0.0.255 area 0
!
ip access-list standard VTY_LOCAL
 permit 10.3.1.0 0.0.0.255
 deny any log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 access-class VTY_LOCAL in
 password cisco
 login
!

Task 7: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.