Lab Topology
The topology diagram below represents the NetMap in the Simulator.
Command Summary
Command
    Description
access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    defines an extended IP ACL for the traffic type specified by the protocol parameter
clock rate clock-rate
    sets the clock rate for a Data Communications Equipment (DCE) interface
configure terminal
    enters global configuration mode from privileged EXEC mode
description description-text
    assigns a description to an interface, a class map, or a policy map
enable
    enters privileged EXEC mode
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
hostname host-name
    sets the device name
The IP addresses and subnet masks used in this lab are shown in the tables below:
IP Addresses
Device    Interface          IP Address      Subnet Mask
Router1   Serial 0/0         192.168.2.1     255.255.255.0
Router1   FastEthernet 0/0   192.168.3.1     255.255.255.0
Router2   Serial 0/0         192.168.2.2     255.255.255.0
Router2   FastEthernet 0/0   192.168.1.129   255.255.255.128
Router2   FastEthernet 0/1   192.168.1.1     255.255.255.128
2. Configure Router2 with the appropriate host name, IP addresses, and subnet masks; refer to the IP
Addresses table. Enable the interfaces.
5. Verify the configuration by pinging from PC1 to PC2 (192.168.1.130) and from PC1 to PC4
(192.168.1.2). Both pings should be successful.
2. What is the number range that can be used as an ID with extended ACLs? ___________________
3. On what device and interface, and in which direction, should an extended ACL be created to allow
only traffic from the Administration network on the Corporate HQ network? ___________________
______________________________________________________________________________
4. On the appropriate device, create extended ACL 100 that will only allow traffic from the
Administration network on the Corporate HQ network; enable logging.
5. On the device you noted in step 3, apply ACL 100 to the correct interface and in the correct direction.
6. To verify the ACL, ping PC1 (192.168.3.2) from the four workstations on the Administration and
Network Users networks. The pings from PC2 and PC3 to PC1 should fail, but the pings from PC4
and PC5 to PC1 should succeed.
2. On the device you noted in step 1, create extended ACL 101 to block PC2 from accessing PC5;
enable logging.
3. On the device you noted in step 1, apply ACL 101 to the correct interface in the correct direction.
4. Verify the ACL by pinging from PC2 and PC3 to PC5 (192.168.1.3). The ping from PC2 to PC5
should fail, and the ping from PC3 to PC5 should succeed.
2. Verify that the ACLs are no longer applied to Router1’s FastEthernet 0/0 interface and Router2’s
FastEthernet 0/0 interface. What line of the output allows you to determine that an ACL is not applied
to the interfaces? ________________________________________________________________
2. On the device you noted in step 1, create extended ACL 102 to block all traffic originating from the
Network Users area; enable logging.
3. On the device you noted in step 1, apply ACL 102 to the correct interface in the correct direction.
4. Verify the ACL by pinging from PC2 and PC3 to PC1 (192.168.3.2). Both pings should fail.
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
Router(config)#hostname Router1
Router1(config)#interface serial 0/0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
Router1(config-if)#interface fastethernet 0/0
Router1(config-if)#ip address 192.168.3.1 255.255.255.0
Router1(config-if)#no shutdown
2. On Router2, issue the following commands to configure the appropriate host name, IP addresses,
and subnet masks and to enable the interfaces:
Router(config)#hostname Router2
Router2(config)#interface serial 0/0
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#interface fastethernet 0/0
Router2(config-if)#ip address 192.168.1.129 255.255.255.128
Router2(config-if)#no shutdown
Router2(config-if)#interface fastethernet 0/1
Router2(config-if)#ip address 192.168.1.1 255.255.255.128
Router2(config-if)#no shutdown
3. On Router1 and Router2, issue the following commands to configure RIPv2 to advertise each
configured interface:
Router1(config-if)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 192.168.2.0
Router1(config-router)#network 192.168.3.0
Router2(config-if)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 192.168.2.0
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route
Router2#show ip route
<output omitted>
5. Verify the configuration by pinging from PC1 to PC2 (192.168.1.130) and from PC1 to PC4
(192.168.1.2). Both pings should be successful.
C:>ping 192.168.1.130
C:>ping 192.168.1.2
2. A number range of 100 through 199 can be used as an ID with extended ACLs. Numbered access
lists ranging from 1 through 99 are standard access lists and can identify traffic based on only the
source IP address. Extended access lists can identify traffic based on source and destination IP
addresses as well as traffic type. This scenario requires that you identify traffic based on source and
destination IP addresses as well as the type of traffic; therefore, you should use an extended access
list in your configuration.
Adding an inbound ACL on Router2’s FastEthernet 0/1 interface permitting Administration traffic
destined for Corporate HQ does not meet the requirement of this task, because this location would
not block Network Users traffic destined for Corporate HQ.
Adding an inbound ACL on Router2’s FastEthernet 0/0 interface blocking Network Users traffic
destined for Corporate HQ does not meet the requirement of this task either, because traffic from the
192.168.2.0/24 network would still reach Corporate HQ. If you were required to block Network Users
from reaching Corporate HQ (instead of allowing only traffic from Administration on Corporate HQ),
this would be the best location, direction, and device.
Adding an outbound ACL on Router2’s Serial 0/0 interface or an inbound ACL on Router1’s Serial
0/0 interface also does not meet the requirement, because 192.168.2.0 traffic from Router1 would
still reach Corporate HQ.
4. On Router1, issue the following command to create an extended ACL that only allows traffic from the
Administration network on the Corporate HQ network:
5. On Router1, issue the following commands to apply ACL 100 to the correct interface and in the
correct direction:
6. To verify the ACL, ping PC1 (192.168.3.2) from the four workstations on the Administration and
Network Users networks. The pings from PC2 and PC3 to PC1 should fail, but the pings from PC4
and PC5 to PC1 should succeed.
C:>ping 192.168.3.2
4. To verify the ACL, ping PC5 (192.168.1.3) from PC2 and PC3. The ping from PC2 to PC5 should fail,
and the ping from PC3 to PC5 should succeed.
C:>ping 192.168.1.3
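The wildcard matching, first-match ordering and implicit deny behind the ACL 100 and ACL 101 verification steps above can be modelled offline. This is an added example, not part of the original lab or its answer key: the two ACLs are constructed entries that satisfy the stated requirements, and PC3's address (192.168.1.131) is an assumption because the page does not give it.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must match.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_addr(tokens):
    # Consume one address spec: "any", "host A.B.C.D" or "A.B.C.D wildcard".
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_entry(line):
    # Supports: access-list N {permit|deny} ip <source> <destination> [log]
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    number = int(tok[1])
    if not 100 <= number <= 199:  # extended ACL number range stated in the lab
        raise ValueError("not an extended ACL number: %d" % number)
    src, rest = parse_addr(tok[4:])
    dst, rest = parse_addr(rest)
    return {"acl": number, "action": tok[2], "src": src, "dst": dst,
            "log": rest == ["log"]}

def evaluate(entries, src, dst):
    # Entries are checked top-down and the first match decides.
    for entry in entries:
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["action"]
    return "deny"  # implicit deny at the end of every ACL

# Constructed entries (assumptions, not the lab's own commands).
ACL_100 = [parse_entry(
    "access-list 100 permit ip 192.168.1.0 0.0.0.127 192.168.3.0 0.0.0.255 log")]
ACL_101 = [
    parse_entry("access-list 101 deny ip host 192.168.1.130 host 192.168.1.3 log"),
    parse_entry("access-list 101 permit ip any any"),
]
```

ACL 101 needs the trailing permit entry: without it, the implicit deny would also drop PC3's traffic to PC5.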
2. On Router1 and Router2, issue the show ip interface command to verify that the ACLs are no
longer applied to Router1’s FastEthernet 0/0 interface and Router2’s FastEthernet 0/0 interface.
The lines Outgoing access list is not set and Inbound access list is not set on all
interfaces of both Router1 and Router2 indicate that an ACL is not applied to the interfaces. Below is
sample output:
Router1#show ip interface
<output omitted>
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.3.1/24
Broadcast address is 255.255.255.255
MTU 1500 bytes,
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP Is Enabled
Security Level Is Default
Split horizon Is Enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
<output omitted>
Router2#show ip interface
<output omitted>
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.129/25
Broadcast address is 255.255.255.128
MTU 1500 bytes,
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP Is Enabled
Security Level Is Default
Split horizon Is Enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
<output omitted>
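The same check can be scripted when many interfaces have to be reviewed. This is an added example, not part of the original lab: it reads the two access list lines per interface from show ip interface output, and the sample text is constructed (ACL 100 outbound on FastEthernet0/0 is an assumed state used only to show a positive match).

```python
import re

# An interface header looks like "FastEthernet0/0 is up, line protocol is up".
IFACE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
ACL = re.compile(r"^\s*(Outgoing|Inbound)\s+access list is (.+?)\s*$")

def applied_acls(output):
    """Map interface name -> {'in': ACL id or None, 'out': ACL id or None}."""
    result, current = {}, None
    for line in output.splitlines():
        header = IFACE.match(line)
        if header:
            current = header.group(1)
            result[current] = {"in": None, "out": None}
            continue
        acl = ACL.match(line)
        if acl and current:
            direction = "out" if acl.group(1) == "Outgoing" else "in"
            value = acl.group(2)
            # "not set" is the text that means no ACL is applied.
            result[current][direction] = None if value == "not set" else value
    return result

def unfiltered(output):
    """Interfaces with no ACL applied in either direction."""
    return sorted(name for name, acl in applied_acls(output).items()
                  if acl["in"] is None and acl["out"] is None)

# Constructed sample output, trimmed to the relevant lines.
SAMPLE = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.3.1/24
  Outgoing access list is 100
  Inbound  access list is not set
Serial0/0 is up, line protocol is up
  Internet address is 192.168.2.1/24
  Outgoing access list is not set
  Inbound  access list is not set
"""
```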
2. On Router2, issue the following commands to create and apply ACL 102:
3. On Router2, issue the following commands to apply ACL 102 to the correct interface and in the
correct direction:
4. To verify the ACL, ping from PC2 and PC3 to PC1 (192.168.3.2). Both pings should fail.
C:>ping 192.168.3.2
5. On Router2, issue the show access-lists 102 command to display the log file for ACL 102. Below is
sample output:
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.