Objective
Create Access Control Lists (ACLs) to filter traffic for security and traffic management.
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 11
CCNA Discovery: Designing and Supporting Computer Networks

Expected Results and Success Criteria
Instructor note: This section helps the students realize why they are doing the tasks outlined in the lab. It also requires them to anticipate the end result of the lab. If possible, students should discuss the answers in this section with a partner before beginning the configuration steps.

Before starting this lab, read through the tasks that you are expected to perform. What do you expect the result of performing these tasks will be?
______________________________________________________________________________________

How is an understanding of ACLs useful in network administration?
______________________________________________________________________________________

How will a network administrator know if the ACL is working properly?
______________________________________________________________________________________
Background / Preparation
Instructor Notes: This lab reviews ACLs. Whereas ACLs were covered in detail in CCNA Discovery: Introducing Routing and Switching in the Enterprise, this lab focuses on security and ACL design. Its purpose is to emphasize data traffic control and filtering, initially at the design stage, and then to move to a representative implementation of these policies. This is a demonstration lab that uses wildcard masks. Students should review the use of wildcard masks in the Challenge Task. This lab also uses Discovery Server to provide representative application data traffic. See the CCNA Discovery Server FAQ on Academy Connection Tools. Alternatively, a local lab server can be set up to provide representative data traffic. If possible, this should include FTP and HTTP/Web traffic.

In this lab you will consider the need for data traffic control and filtering in a network, and design the policies to achieve this. The traffic security design will then be applied to an example network using ACLs. ACLs are typically applied at the Distribution Layer. This lab will use a router connected to a server that provides sample network applications to demonstrate ACL placement and operation.
b. Consider the two approaches to writing ACLs:
   Permit specific traffic first and then deny general traffic.
   Deny specific traffic first and then permit general traffic.
When would it be best to permit specific traffic first and then deny general traffic?
Perform the following tests on PC2:
a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed?
   Discovery Server Home Page
b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar. What web page was displayed?
   Discovery FTP Home Directory
c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
   Yes
d. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
   Prompt for Telnet password and login to router.
e. Exit the Telnet session.
   quit
Why was each of the above connections successful?
   There were no data access or filtering controls in place. Successful connection was expected.
If any of the above connections was not successful, troubleshoot the network and configurations and establish each type of connection from each host.
Step 9: Clean up
Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Challenge
Rewrite the Server-Access ACL used in this lab so that:
1) Administrator workstations are considered to be in the address range of 10.0.0.10 /24 to 10.0.0.15 /24 instead of a single host; and,
2) The general workstations have the address range of 10.0.0.16 /24 to 10.0.0.254 /24 instead of being a single host.
____________________________________________________________________________

ip access-list extended Server-Access
 remark Allow PC1 to access any IP traffic
 permit ip 10.0.0.0 0.0.0.15 host 172.17.1.1 log
 remark Allow PC2 to access web server
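As an added example (not part of the Cisco lab), the following Python helper computes the wildcard-mask entries needed for the Challenge ranges, reports which LAN hosts a draft entry would permit outside its intended range, and renders the rewritten Server-Access ACL in the permit-specific-then-deny-general style discussed above. The per-range policy (administrator hosts get any IP to the server with logging, general workstations get HTTP only) and the 10.0.0.0/24 scan scope are assumptions.

```python
import ipaddress

SERVER = "172.17.1.1"  # Discovery Server address used in the lab


def wildcard_entries(first, last):
    """Split an inclusive IPv4 range into the fewest (network, wildcard)
    pairs that one IOS ACL entry can each express exactly.  An entry
    matches a single power-of-two aligned block, so an unaligned range
    such as 10.0.0.10-10.0.0.15 needs more than one entry."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(lo, hi)]


def entry_matches(network, wildcard, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    net, wc, a = (int(ipaddress.IPv4Address(x)) for x in (network, wildcard, addr))
    care = ~wc & 0xFFFFFFFF
    return (a & care) == (net & care)


def overmatched(network, wildcard, first, last, scope="10.0.0.0/24"):
    """Addresses inside `scope` (assumed LAN) that the entry permits although the
    intended range excludes them: an over-permission check for a draft entry."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
    return [str(h) for h in ipaddress.IPv4Network(scope)
            if entry_matches(network, wildcard, str(h)) and not lo <= int(h) <= hi]


def server_access_acl(admin_range, user_range, server=SERVER):
    """Render the rewritten Server-Access ACL.  Assumed policy: administrator
    hosts get any IP to the server and are logged, general workstations get
    HTTP only, and everything else falls to the implicit deny at the end."""
    lines = ["ip access-list extended Server-Access",
             " remark Administrator workstations: any IP traffic to the server"]
    for net, wc in wildcard_entries(*admin_range):
        lines.append(f" permit ip {net} {wc} host {server} log")
    lines.append(" remark General workstations: web server only")
    for net, wc in wildcard_entries(*user_range):
        lines.append(f" permit tcp {net} {wc} host {server} eq www")
    lines.append(" remark everything else is dropped by the implicit deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(server_access_acl(("10.0.0.10", "10.0.0.15"),
                                      ("10.0.0.16", "10.0.0.254"))))
    # Which LAN hosts would the entry 10.0.0.0 0.0.0.15 permit beyond 10.0.0.10-15?
    print(overmatched("10.0.0.0", "0.0.0.15", "10.0.0.10", "10.0.0.15"))
```

Run it to see that the administrator range needs two entries and the general range ten, because neither range aligns to a single wildcard block.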
FC-CPE-1#show run
Building configuration...

Current configuration : 1309 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FC-CPE-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!