Topology
Addressing Table
Device
|
Interface
|
IP Address
|
Subnet Mask
|
Default Gateway
|
R1
|
G0/1
|
192.168.10.1
|
255.255.255.0
|
N/A
|
|
Lo0
|
192.168.20.1
|
255.255.255.0
|
N/A
|
|
S0/0/0 (DCE)
|
10.1.1.1
|
255.255.255.252
|
N/A
|
ISP
|
S0/0/0
|
10.1.1.2
|
255.255.255.252
|
N/A
|
|
S0/0/1 (DCE)
|
10.2.2.2
|
255.255.255.252
|
N/A
|
|
Lo0
|
209.165.200.225
|
255.255.255.224
|
N/A
|
|
Lo1
|
209.165.201.1
|
255.255.255.224
|
N/A
|
R3
|
G0/1
|
192.168.30.1
|
255.255.255.0
|
N/A
|
|
Lo0
|
192.168.40.1
|
255.255.255.0
|
N/A
|
|
S0/0/1
|
10.2.2.1
|
255.255.255.252
|
N/A
|
S1
|
VLAN 1
|
192.168.10.11
|
255.255.255.0
|
192.168.10.1
|
S3
|
VLAN 1
|
192.168.30.11
|
255.255.255.0
|
192.168.30.1
|
PC-A
|
NIC
|
192.168.10.3
|
255.255.255.0
|
192.168.10.1
|
PC-C
|
NIC
|
192.168.30.3
|
255.255.255.0
|
192.168.30.1
|
Objectives
Part 1: Set Up the Topology and
Initialize Devices
Part 2: Configure Devices and Verify
Connectivity
·
Configure basic settings on PCs,
routers, and switches.
·
Configure OSPF routing on R1,
ISP, and R3.
Part 3: Configure and Verify Extended
Numbered and Named ACLs
·
Configure, apply, and verify a
numbered extended ACL.
·
Configure, apply, and verify a
named extended ACL.
Part 4: Modify and Verify Extended
ACLs
Background / Scenario
Extended access control lists (ACLs) are
extremely powerful. They offer a much greater degree of control than standard
ACLs as to the types of traffic that can be filtered, as well as where the
traffic originated and where it is going.
In this lab, you will set up filtering
rules for two offices represented by R1 and R3. Management has established some
access policies between the LANs located at R1 and R3, which you must
implement. The ISP router between R1 and R3 does not have any ACLs placed on
it. You would not be allowed any administrative access to an ISP router as you
can only control and manage your own equipment.
Note: The routers used with CCNA hands-on labs
are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.2(4)M3
(universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release
15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can
be used. Depending on the model and Cisco IOS version, the commands available
and output produced might vary from what is shown in the labs. Refer to the
Router Interface Summary Table at the end of the lab for the correct interface
identifiers.
Note: Make sure that the routers and switches have been erased and have
no startup configurations. If you are unsure, contact your instructor.
Required Resources
·
3 Routers (Cisco 1941 with
Cisco IOS Release 15.2(4)M3 universal image or comparable)
·
2 Switches (Cisco 2960 with
Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
·
2 PCs (Windows 7, Vista, or XP
with terminal emulation program, such as Tera Term)
·
Console cables to configure the
Cisco IOS devices via the console ports
·
Ethernet and serial cables as
shown in the topology
Part 1: Set Up the Topology and Initialize Devices
In Part 1, you will set up the network
topology and clear any configurations if necessary.
Step 1:
Cable the network as shown in
the topology.
Step 2:
Initialize and reload the
routers and switches.
Part 2: Configure Devices and Verify Connectivity
In Part 2, you will configure basic
settings on the routers, switches, and PCs. Refer to the Topology and
Addressing Table for device names and address information.
Step 1:
Configure IP addresses on PC-A
and PC-C.
Step 2:
Configure basic settings on R1.
a.
Disable DNS lookup.
b.
Configure the device name as
shown in the topology.
c.
Create a loopback interface on
R1.
d.
Configure interface IP
addresses as shown in the Topology and Addressing Table.
e.
Configure a privileged EXEC
mode password of class.
f.
Assign a clock rate of 128000 to the S0/0/0 interface.
g.
Assign cisco as the console and vty password and enable Telnet access.
Configure logging synchronous for
both the console and vty lines.
h.
Enable web access on R1 to
simulate a web server with local authentication for user admin.
R1(config)# ip
http server
R1(config)# ip
http authentication local
R1(config)# username
admin privilege 15 secret class
Step 3:
Configure basic settings on
ISP.
a.
Configure the device name as
shown in the topology.
b.
Create the loopback interfaces
on ISP.
c.
Configure interface IP
addresses as shown in the Topology and Addressing Table.
d.
Disable DNS lookup.
e.
Assign class as the privileged EXEC mode password.
f.
Assign a clock rate of 128000 to the S0/0/1 interface.
g.
Assign cisco as the console and vty password and enable Telnet access.
Configure logging synchronous for
both console and vty lines.
h.
Enable web access on the ISP.
Use the same parameters as in Step 2h.
Step 4:
Configure basic settings on R3.
a.
Configure the device name as
shown in the topology.
b.
Create a loopback interface on
R3.
c.
Configure interface IP
addresses as shown in the Topology and Addressing Table.
d.
Disable DNS lookup.
e.
Assign class as the privileged EXEC mode password.
f.
Assign cisco as the console password and configure logging synchronous on the console line.
g.
Enable SSH on R3.
R3(config)# ip
domain-name cisco.com
R3(config)# crypto
key generate rsa modulus 1024
R3(config)# line
vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
h.
Enable web access on R3. Use the
same parameters as in Step 2h.
Step 5:
(Optional) Configure basic
settings on S1 and S3.
a.
Configure the hostnames as
shown in the topology.
b.
Configure the management
interface IP addresses as shown in the Topology and Addressing Table.
c.
Disable DNS lookup.
d.
Configure a privileged EXEC
mode password of class.
e.
Configure a default gateway
address.
Step 6:
Configure OSPF routing on R1,
ISP, and R3.
a.
Assign 1 as the OSPF process ID
and advertise all networks on R1, ISP, and R3. The OSPF configuration for R1 is
included for reference.
R1(config)# router
ospf 1
R1(config-router)# network 192.168.10.0 0.0.0.255 area 0
R1(config-router)# network 192.168.20.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0
b.
After configuring OSPF on R1,
ISP, and R3, verify that all routers have complete routing tables listing all
networks. Troubleshoot if this is not the case.
Step 7:
Verify connectivity between
devices.
Note: It is very important to verify connectivity before you configure and apply ACLs! Ensure that your network is
properly functioning before you start to filter out traffic.
a.
From PC-A, ping PC-C and the loopback
and serial interfaces on R3.
Were your pings successful? ________
b.
From R1, ping PC-C and the loopback and serial interface on R3.
Were your pings
successful? ________
c.
From PC-C, ping PC-A and the loopback and serial interface on R1.
Were your pings
successful? ________
d.
From R3, ping PC-A and the
loopback and serial interface on R1.
Were your pings successful? ________
e.
From PC-A, ping the loopback interfaces on the ISP router.
Were your pings
successful? ________
f.
From PC-C, ping the loopback interfaces on the ISP router.
Were your pings
successful? ________
g.
Open a web browser on PC-A and go to http://209.165.200.225 on ISP. You will be prompted for a
username and password. Use admin for the username and class for the password. If you are prompted to accept a signature, accept it. The router will load the Cisco Configuration
Professional (CCP) Express
in a separate window. You may be prompted for a
username and password. Use admin for the username and class for the password.
h.
Open a web browser on PC-C and go to http://10.1.1.1 on R1. You will be prompted for
a username and password. Use admin for username and class for the password. If you are prompted to accept a signature, accept it. The router will load CCP
Express in a separate window. You may be prompted for
a username and password. Use admin for the username and class for the password.
Part 3: Configure and Verify Extended Numbered and Named ACLs
Extended ACLs can filter traffic in many
different ways. Extended ACLs can filter on source IP addresses, source ports,
destination IP addresses, destination ports, as well as various protocols and
services.
Security policies are as follows:
1.
Allow web traffic originating
from the 192.168.10.0/24 network to go to any network.
2.
Allow an SSH connection to the R3
serial interface from PC-A.
3.
Allow users on 192.168.10.0.24
network access to 192.168.20.0/24 network.
4.
Allow web traffic originating
from the 192.168.30.0/24 network to access R1 via the web interface and the
209.165.200.224/27 network on ISP. The 192.168.30.0/24 network should NOT be
allowed to access any other network via the web.
In looking at the security policies
listed above, you will need at least two ACLs to fulfill the security policies.
A best practice is to place extended ACLs as close to the source as possible.
We will follow this practice for these policies.
Step 1:
Configure a numbered extended
ACL on R1 for security policy numbers 1 and 2.
You will use a numbered extended ACL on
R1. What are the ranges for extended ACLs?
_______________________________________________________________________________________
a.
Configure the ACL on R1. Use
100 for the ACL number.
R1(config)# access-list
100 remark Allow Web & SSH Access
R1(config)# access-list
100 permit tcp host 192.168.10.3 host 10.2.2.1 eq 22
R1(config)# access-list
100 permit tcp any any eq 80
What does the 80 signify in the command
output listed above?
____________________________________________________________________________________
To what interface should ACL 100 be
applied?
____________________________________________________________________________________
____________________________________________________________________________________
In what direction should ACL 100 be
applied?
____________________________________________________________________________________
____________________________________________________________________________________
b.
Apply ACL 100 to the S0/0/0
interface.
R1(config)# interface
s0/0/0
R1(config-if)# ip access-group 100 out
c.
Verify ACL 100.
1)
Open up a web browser on PC-A,
and access http://209.165.200.225 (the ISP
router). It should be successful; troubleshoot, if not.
2)
Establish an SSH connection
from PC-A to R3 using 10.2.2.1 for the IP address. Log in with admin and class for your credentials. It should be successful; troubleshoot, if
not.
3)
From privileged EXEC mode
prompt on R1, issue the show access-lists
command.
R1# show
access-lists
Extended IP access list 100
10
permit tcp host 192.168.10.3 host 10.2.2.1 eq 22 (22 matches)
20
permit tcp any any eq www (111 matches)
4)
From the PC-A command prompt,
issue a ping to 10.2.2.1. Explain your results.
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
Step 2:
Configure a named extended ACL
on R3 for security policy number 3.
a.
Configure the policy on R3.
Name the ACL WEB-POLICY.
R3(config)# ip
access-list extended WEB-POLICY
R3(config-ext-nacl)# permit tcp 192.168.30.0 0.0.0.255 host 10.1.1.1 eq 80
R3(config-ext-nacl)# permit tcp 192.168.30.0 0.0.0.255 209.165.200.224 0.0.0.31 eq 80
b.
Apply ACL WEB-POLICY to the S0/0/1
interface.
R3(config-ext-nacl)# interface S0/0/1
R3(config-if)# ip access-group WEB-POLICY out
c.
Verify the ACL WEB-POLICY.
1)
From R3 privileged EXEC mode
command prompt, issue the show ip
interface s0/0/1 command.
What, if any, is the name of the ACL? ______________________________________
In what direction is the ACL applied? _______________________________________
2)
Open up a web browser on PC-C
and access http://209.165.200.225 (the ISP
router). It should be successful; troubleshoot, if not.
3)
From PC-C, open a web session
to http://10.1.1.1 (R1). It should be successful;
troubleshoot, if not.
4)
From PC-C, open a web session
to http://209.165.201.1 (ISP router). It
should fail; troubleshoot, if not.
5)
From a PC-C command prompt,
ping PC-A. What was your result and why?
________________________________________________________________________________
Part 4: Modify and Verify Extended ACLs
Because of the ACLs applied on R1 and R3,
no pings or any other kind of traffic is allowed between the LAN networks on R1
and R3. Management has decided that all traffic between the 192.168.10.0/24 and
192.168.30.0/24 networks should be allowed. You must modify both ACLs on R1 and
R3.
Step 1:
Modify ACL 100 on R1.
a.
From R1 privileged EXEC mode,
issue the show access-lists command.
How many lines are there in this access list?
_____________________
b.
Enter global configuration mode
and modify the ACL on R1.
R1(config)# ip
access-list extended 100
R1(config-ext-nacl)# 30 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config-ext-nacl)# end
c.
Issue the show access-lists command.
Where did the new line that you just
added appear in ACL 100?
____________________________________________________________________________________
Step 2:
Modify ACL WEB-POLICY on R3.
a.
From R3 privileged EXEC mode,
issue the show access-lists command.
How many lines are there in this access list?
________________________
Enter global configuration mode and
modify the ACL on R3.
R3(config)# ip
access-list extended WEB-POLICY
R3(config-ext-nacl)# 30 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)# end
b.
Issue the show access-lists command to verify that the new line was added at
the end of the ACL.
Step 3:
Verify modified ACLs.
a.
From PC-A, ping the IP address
of PC-C. Were the pings successful? ______________
b.
From PC-C, ping the IP address
of PC-A. Were the pings successful? ______________
Why did the ACLs work immediately for the
pings after you changed them?
____________________________________________________________________________________
Reflection
1.
Why is careful planning and
testing of ACLs required?
_______________________________________________________________________________________
_______________________________________________________________________________________
2.
Which type of ACL is better:
standard or extended?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
3.
Why are OSPF hello packets and
routing updates not blocked by the implicit deny any access control entry (ACE) or ACL statement of the ACLs
applied to R1 and R3?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Router Interface Summary Table
Router Interface Summary
|
||||
Router Model
|
Ethernet Interface #1
|
Ethernet Interface #2
|
Serial Interface #1
|
Serial Interface #2
|
1800
|
Fast Ethernet 0/0 (F0/0)
|
Fast Ethernet 0/1 (F0/1)
|
Serial 0/0/0 (S0/0/0)
|
Serial 0/0/1 (S0/0/1)
|
1900
|
Gigabit Ethernet 0/0 (G0/0)
|
Gigabit Ethernet 0/1 (G0/1)
|
Serial 0/0/0 (S0/0/0)
|
Serial 0/0/1 (S0/0/1)
|
2801
|
Fast Ethernet 0/0 (F0/0)
|
Fast Ethernet 0/1 (F0/1)
|
Serial 0/1/0 (S0/1/0)
|
Serial 0/1/1 (S0/1/1)
|
2811
|
Fast Ethernet 0/0 (F0/0)
|
Fast Ethernet 0/1 (F0/1)
|
Serial 0/0/0 (S0/0/0)
|
Serial 0/0/1 (S0/0/1)
|
2900
|
Gigabit Ethernet 0/0 (G0/0)
|
Gigabit Ethernet 0/1 (G0/1)
|
Serial 0/0/0 (S0/0/0)
|
Serial 0/0/1 (S0/0/1)
|
Note: To find out how the router is configured, look at the interfaces
to identify the type of router and how many interfaces the router has. There
is no way to effectively list all the combinations of configurations for each
router class. This table includes identifiers for the possible combinations
of Ethernet and Serial interfaces in the device. The table does not include
any other type of interface, even though a specific router may contain one.
An example of this might be an ISDN BRI interface. The string in parenthesis
is the legal abbreviation that can be used in Cisco IOS commands to represent
the interface.
|
No comments:
Post a Comment