Lab Topology
The topology diagram below represents the NetMap in the Simulator.
Command Summary

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    defines an extended IP ACL for the traffic type specified by the protocol parameter
configure terminal
    enters global configuration mode from privileged EXEC mode
enable
    enters privileged EXEC mode
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
interface type number
    changes from global configuration mode to interface configuration mode
ip access-group {access-list-number | access-list-name} {in | out}
    controls access to an interface
The IP addresses and subnet masks used in this lab are shown in the tables below:
IP Addresses

Device   Interface         IP Address   Subnet Mask
Router1  Serial 0/0        192.168.1.1  255.255.255.252
Router1  FastEthernet 0/0  10.10.1.1    255.255.255.0
Router2  Serial 0/0        192.168.1.2  255.255.255.252
Router2  FastEthernet 0/0  10.10.2.1    255.255.255.0
Router2  FastEthernet 0/1  192.168.1.5  255.255.255.252
Router3  FastEthernet 0/0  192.168.1.6  255.255.255.252
Router3  FastEthernet 0/1  10.10.3.1    255.255.255.0
2. Allow time for the network to converge. On PC1, issue a ping to verify connectivity with PC3
(10.10.2.3) and PC6 (10.10.3.5). All pings should be successful.
3. What is an acceptable value for the access-list-number parameter in an extended ACL? ________
2. Create ACL 101, and apply it to the appropriate device and interface and in the appropriate direction;
ACL 101 should permit only Telnet traffic from the LAN A subnets to the WAN subnets on Router2
and Router3 (192.168.1.x).
3. Add statements to ACL 101 that will prevent Telnet traffic from the LAN A subnet to the LAN C
subnet and will allow all other traffic.
3. On Router3, apply the ACL to the appropriate interface and in the appropriate direction.
4. On Router3, add a rule to ACL 102 to permit ICMP traffic from the LAN connected to Router3 to any
other network.
3. Issue pings from LAN A PCs to all IP addresses configured in the topology. Attempt to telnet to all
IP addresses configured on the routers; the Telnet password is set to B0$0n. Which attempts are
successful, and which fail? _________________________________________________________
4. On Router3, verify that ACL 102 has been applied to the correct interface.
6. Issue pings from LAN C PCs to all IP addresses configured in the topology. Attempt to telnet to all
IP addresses configured on the routers; the Telnet password is set to B0$0n. Which attempts are
successful, and which fail? _________________________________________________________
7. On Router1 and Router3, display the ACLs configured on the router. How many times has each ACL
statement been implemented? ______________________________________________________
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
2. Allow time for the network to converge. On PC1, issue a ping to verify connectivity with PC3
(10.10.2.3) and PC6 (10.10.3.5). All pings should be successful.
C:>ping 10.10.2.3
C:>ping 10.10.3.5
2. You should apply extended ACLs to the interface that is as close to the source as possible. This
prevents unnecessary traffic from traversing the network and consuming bandwidth and router
resources.
Extended ACLs can identify traffic based on source and destination IP addresses as well as traffic
type, as is required in this lab. Multiple ACLs are not required to accomplish multiple tasks on the
same interface. ACLs can consist of multiple access list statements. Packets are compared to each
statement in sequence until a match is found. The permit and deny keywords are used to indicate
whether matching packets should be forwarded or dropped, respectively. If the packet does not
match any of the access list statements, the packet is dropped. This is called the implicit deny rule;
all traffic is dropped unless it matches one of the access list statements that is configured with the
permit keyword.
3. You can use any number from 100 through 199 or from 2000 through 2699 as the access-list-number
parameter in an extended ACL.
3. On Router1, issue the following commands to prevent Telnet traffic from the LAN A subnet to the
LAN C subnet and to allow all other traffic:
2. Extended ACLs should be applied as close to the source of the traffic as possible. Because the LAN
whose traffic you want to regulate is connected to Router3’s FastEthernet 0/1 interface, you should
apply ACL 102 to that interface.
3. On Router3, issue the following commands to assign ACL 102 to the appropriate interface and in the
appropriate direction:
4. On Router3, issue the following commands to create ACL 102 statements that will prevent ICMP
traffic from LAN C to any IP address on Router WAN (192.168.1.x) interfaces and that will allow all
other traffic:
Router1#show access-lists
Extended IP access list 101
10 permit tcp 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.7 eq telnet (0 matches)
20 deny tcp any 10.10.3.0 0.0.0.255 eq telnet (0 matches)
30 permit ip any any (0 matches)
3. You should be able to ping from the LAN A PCs to all IP addresses configured in the simulated
network. You should test Telnet connectivity between LAN A PCs and the routers; the Telnet
password is set to B0$0n. The Telnet connectivity to the WAN and LAN interfaces on the routers
should be successful, with the exception of a Telnet session to Router3’s LAN interface, which
should fail. The following is sample output from PC1 to Router1:
C:>ping 10.10.1.1
C:>telnet 10.10.1.1
Password:B0$0n
Router1>exit
[Connection to 10.10.1.1 closed by foreign host]
C:>telnet 10.10.3.1
Trying 10.10.3.1 ...
% Destination unreachable; gateway or host down
C:>telnet 192.168.1.1
Password:B0$0n
Router1>exit
[Connection to 192.168.1.1 closed by foreign host]
4. On Rout
Router3#show access-lists
Extended IP access list 102
10 permit tcp 10.10.3.0 0.0.0.255 any eq telnet (0 matches)
20 deny icmp 10.10.3.0 0.0.0.255 192.168.1.0 0.0.0.7 (0 matches)
30 permit ip any any (4 matches)
6. From LAN C PCs, you should be able to telnet to any of the router interfaces and ping any IP
address in any LAN subnet; the Telnet password is set to B0$0n. However, you should not be able
to ping any WAN IP address configured on the routers. The following is sample output from PC6:
C:>telnet 10.10.1.1
Password:B0$0n
Router1>exit
[Connection to 10.10.1.1 closed by foreign host]
7. By issuing the following command on Router1 and Router3, you can determine the number of times
each statement has been applied:
Router1#show access-lists
Extended IP access list 101
10 permit tcp 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.7 eq telnet (1 matches)
20 deny tcp any 10.10.3.0 0.0.0.255 eq telnet (1 matches)
30 permit ip any any (2 matches)
Router3#show access-lists
Extended IP access list 102
10 permit tcp 10.10.3.0 0.0.0.255 any eq telnet (1 matches)
20 deny icmp 10.10.3.0 0.0.0.255 192.168.1.0 0.0.0.7 (5 matches)
30 permit ip any any (1 matches)
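The matching rules described in the answer key (top-down comparison, first match wins, wildcard masks, the implicit deny at the end of every list, and the per-entry hit counter that show access-lists reports) can be replayed offline. The following Python simulation is an added example; it is not part of the Boson lab and is not NetSim or IOS code. It parses ACL 101 and ACL 102 exactly as the lab's show access-lists output prints them and then evaluates the lab's connectivity tests against them. PC1's address 10.10.1.2 is a constructed value (the lab only gives PC3 and PC6 addresses), and because the simulation sends one packet per test, its hit counts are not expected to equal the counts shown in the lab output above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # names IOS accepts after "eq"

@dataclass
class Ace:
    """One access control entry as printed by 'show access-lists'."""
    seq: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every IP protocol; "tcp"/"icmp" only that one
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int]
    matches: int = 0       # per-entry hit counter, like the "(N matches)" in IOS output

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask compare: a 0 bit must match the network, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    """Parse one show access-lists line; a trailing '(N matches)' is ignored."""
    t = line.split("(")[0].split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, src_wild, i = _parse_addr(t, 3)
    dst, dst_wild, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(seq, action, proto, src, src_wild, dst, dst_wild, port)

def load_acl(text: str):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def evaluate(acl, pkt: Packet):
    """Top down, first match wins; reaching the end is the implicit deny."""
    for ace in acl:
        if ace.protocol not in ("ip", pkt.protocol):
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        ace.matches += 1
        return ace.action, ace.seq
    return "deny", None

# Entries copied from the lab's show access-lists output, counters stripped
ACL_101 = """10 permit tcp 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.7 eq telnet
20 deny tcp any 10.10.3.0 0.0.0.255 eq telnet
30 permit ip any any"""
ACL_102 = """10 permit tcp 10.10.3.0 0.0.0.255 any eq telnet
20 deny icmp 10.10.3.0 0.0.0.255 192.168.1.0 0.0.0.7
30 permit ip any any"""

def lab_results():
    """Replay the lab's tests; return verdicts and per-entry hit counts."""
    acl101, acl102 = load_acl(ACL_101), load_acl(ACL_102)
    pc1 = "10.10.1.2"   # constructed LAN A host; the lab does not give PC1's address
    pc6 = "10.10.3.5"   # PC6 address as listed in the lab
    verdicts = {
        "pc1_telnet_router1_wan": evaluate(acl101, Packet("tcp", pc1, "192.168.1.1", 23)),
        "pc1_telnet_router3_lan": evaluate(acl101, Packet("tcp", pc1, "10.10.3.1", 23)),
        "pc1_ping_pc6": evaluate(acl101, Packet("icmp", pc1, pc6)),
        "pc6_ping_router1_wan": evaluate(acl102, Packet("icmp", pc6, "192.168.1.1")),
        "pc6_telnet_router1_lan": evaluate(acl102, Packet("tcp", pc6, "10.10.1.1", 23)),
    }
    counters = {101: {a.seq: a.matches for a in acl101},
                102: {a.seq: a.matches for a in acl102}}
    return verdicts, counters

def implicit_deny_demo():
    """ACL 101 with only its first entry: a ping matches nothing and is dropped."""
    acl = load_acl(ACL_101.splitlines()[0])
    return evaluate(acl, Packet("icmp", "10.10.1.2", "10.10.2.3"))
```

Calling lab_results() reproduces the answer key: PC1's Telnet to a WAN address is permitted by line 10 of ACL 101, its Telnet to Router3's LAN interface is denied by line 20, and its ping falls through to line 30; PC6's ping to a WAN address is denied by line 20 of ACL 102 while its Telnet is permitted by line 10. implicit_deny_demo() shows why the trailing permit ip any any matters: with only the first entry loaded, the same ping is dropped without matching any line, which is the implicit deny rule the answer key describes.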
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.