All rights reserved. This document is Cisco Public Information. Page 4 of 10
CCNA Exploration Accessing the WAN: Access Control Lists (ACLs) Lab 5.5.1 Basic Access Control Lists

needs to enforce both source and destination, an extended ACL is needed.

In this task, you are configuring an extended ACL on R1 that blocks traffic originating from any device on the 192.168.10.0/24 network to access the 209.165.200.255 host (the simulated ISP). This ACL will be applied outbound on the R1 Serial 0/0/0 interface. A typical best practice for applying extended ACLs is to place them as close to the source as possible.

Before beginning, verify that you can ping 209.165.200.225 from PC1.

Step 1: Configure a named extended ACL.

In global configuration mode, create a named extended ACL called EXTEND-1.

    R1(config)#ip access-list extended EXTEND-1

Notice that the router prompt changes to indicate that you are now in extended ACL configuration mode. From this prompt, add the necessary statements to block traffic from the 192.168.10.0/24 network to the host. Use the host keyword when defining the destination.

    R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225

Recall that the implicit deny all blocks all other traffic without the additional permit statement. Add the permit statement to ensure that other traffic is not blocked.

    R1(config-ext-nacl)#permit ip any any

Step 2: Apply the ACL.

With standard ACLs, the best practice is to place the ACL as close to the destination as possible. Extended ACLs are typically placed close to the source. The EXTEND-1 ACL will be placed on the Serial interface, and will filter outbound traffic.

    R1(config)#interface serial 0/0/0
    R1(config-if)#ip access-group EXTEND-1 out log
    R1(config-if)#end
    R1#copy run start

Step 3: Test the ACL.

From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the 192.168.10.0/24 network is filtered when the destination is 209.165.200.225. If the destination is any other address, the pings should succeed. Confirm this by pinging R3 from the 192.168.10.0/24 network device.

Note: The extended ping feature on R1 cannot be used to test this ACL, since the traffic will originate within R1 and will never be tested against the ACL applied to the R1 serial interface.

You can further verify this by issuing the show ip access-list command on R1 after pinging.

    R1#show ip access-list
    Extended IP access list EXTEND-1
        10 deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 (4 matches)
        20 permit ip any any

Task 5: Control Access to the VTY Lines with a Standard ACL

It is good practice to restrict access to the router VTY lines for remote administration. An ACL can be applied to the VTY lines, allowing you to restrict access to specific hosts or networks. In this task, you will configure a standard ACL to permit hosts from two networks to access the VTY lines. All other hosts are denied.

Verify that you can telnet to R2 from both R1 and R3.

Step 1: Configure the ACL.

Configure a named standard ACL on R2 that permits traffic from 10.2.2.0/30 and 192.168.30.0/24. Deny all other traffic. Call the ACL TASK-5.

    R2(config)#ip access-list standard TASK-5
    R2(config-std-nacl)#permit 10.2.2.0 0.0.0.3
    R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255

Step 2: Apply the ACL.

Enter line configuration mode for VTY lines 0 to 4.

    R2(config)#line vty 0 4

Use the access-class command to apply the ACL to the VTY lines in the inbound direction. Note that this differs from the command used to apply ACLs to other interfaces.

    R2(config-line)#access-class TASK-5 in
    R2(config-line)#end
    R2#copy run start

Step 3: Test the ACL.

Telnet to R2 from R1. Note that R1 does not have IP addresses in the address range listed in the ACL TASK-5 permit statements. Connection attempts should fail.

    R1# telnet 10.1.1.2
    Trying 10.1.1.2 ...
    % Connection refused by remote host

From R3, telnet to R2. You will be presented with a prompt for the VTY line password.

    R3# telnet 10.1.1.2
    Trying 10.1.1.2 ... Open
    Unauthorized access strictly prohibited, violators will be prosecuted
    to the full extent of the law.
    User Access Verification
    Password:

Why do connection attempts from other networks fail even though they are not specifically listed in the ACL?
____________________________________________________________________

Task 6: Troubleshooting ACLs

When an ACL is improperly configured or applied to the wrong interface or in the wrong direction, network traffic may be affected in an undesirable manner.

Step 1: Remove ACL STND-1 from S0/0/1 of R3.

In an earlier task, you created and applied a named standard ACL on R3. Use the show running-config command to view the ACL and its placement. You should see that an ACL named STND-1 was configured and applied inbound on Serial 0/0/1. Recall that this ACL was designed to block all network
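The matching rules exercised in Tasks 4 and 5 above (wildcard masks, the host and any keywords, top-down first-match evaluation, and the implicit deny all that answers the Task 5 question) can be checked outside the router. The following Python model is an added example, not part of the Cisco lab; the EXTEND-1 and TASK-5 entries are the ones from the lab, while the packet addresses fed to it (including 10.1.1.1 as R1's own address) are assumed.

```python
import ipaddress

# Constructed model of IOS ACL evaluation (added example, not from the lab).
# Wildcard bit 0 = "must match", 1 = "don't care"; entries are checked in
# order and the first match wins; an empty result means the implicit deny.

def wildcard_match(addr, base, wildcard):
    """Return True if addr equals base on every bit the wildcard sets to 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return ((base, wildcard), next)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":                     # host X == X 0.0.0.0
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line, extended):
    """Parse one access-list entry into (action, (src, wc), (dst, wc))."""
    tokens = line.split()
    action = tokens[0]
    i = 2 if extended else 1                    # extended entries name a protocol
    src, i = _addr_spec(tokens, i)
    if extended:
        dst, i = _addr_spec(tokens, i)
    else:
        dst = ("0.0.0.0", "255.255.255.255")    # standard ACLs test source only
    return action, src, dst

def evaluate(acl, src_ip, dst_ip, extended=True):
    """Walk the list top-down; return (action, sequence) or the implicit deny."""
    for n, line in enumerate(acl, start=1):
        action, (sb, sw), (db, dw) = parse_ace(line, extended)
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action, n * 10               # sequence numbers as show ip access-list prints them
    return "deny", None                         # implicit deny all: nothing matched

# ACL entries exactly as configured in the lab
EXTEND_1 = ["deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225", "permit ip any any"]
TASK_5 = ["permit 10.2.2.0 0.0.0.3", "permit 192.168.30.0 0.0.0.255"]

if __name__ == "__main__":
    print(evaluate(EXTEND_1, "192.168.10.10", "209.165.200.225"))   # PC1 to the ISP host: deny, 10
    print(evaluate(TASK_5, "10.1.1.1", "10.1.1.2", extended=False))  # assumed R1 address: implicit deny
```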