Monavathia's Blog

CCNA 3 Labskill Chapter 8

Posted on: December 24, 2010

Lab 8.3.6 Configuring and Verifying VTY Restrictions

Step 1: Connect the equipment

  1. Connect the S0/0/0 interface of Router 1 to the S0/0/0 interface of Router 2 using a serial cable as shown in the diagram and addressing table.
  2. Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
  3. Connect Host 1 to the Fa0/2 port of Switch 1 using a straight-through cable, and connect Host 2 to the Fa0/3 port of Switch 1 using a straight-through cable.
  4. Connect Host 3 to the Fa0/2 port of Switch 2 using a straight-through cable, and connect Host 4 to the Fa0/3 port of Switch 2 using a straight-through cable.

Step 2: Perform basic configuration on Router 1

  1. Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
  2. On Router 1, configure the hostname, interfaces, passwords and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.

Step 3: Perform basic configuration on Router 2

Step 4: Perform basic configuration on Switch 1 and Switch 2

Step 5: Configure the hosts with IP address, subnet mask, and default gateway

  1. Configure the hosts' IP address, subnet mask, and default gateway according to the table and the topology diagram.
  2. Each workstation should be able to ping the attached router. If the pings were not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.

Step 6: Configure dynamic routing on the routers

  1. Configure RIP routing on R1. Advertise the appropriate networks.
  2. Configure RIP routing on R2. Advertise the appropriate networks.

Step 7: Verify connectivity

  1. If the network has converged, list four destinations that H1 should be able to ping: R1, R2, H2, H3, H4
  2. Test connectivity by pinging all the destinations. If any pings fail, troubleshoot the configurations on the routers and host PCs.
  3. Check the routing table on R1.
  4. Verify that all routes appear in the routing table. If a route is missing, troubleshoot the router configuration.
  5. Telnet from the hosts to both routers. All hosts should be able to Telnet to both routers. If Telnet fails, troubleshoot the router and host configurations.


Step 8: Configure and test an ACL that will limit Telnet access

  1. Create a standard ACL that represents the LAN attached to R1.

R1(config)#access-list 1 permit 192.168.15.0 0.0.0.255

  2. Now that you have defined the LAN traffic, you must apply it to the vty lines. This allows users from this LAN to Telnet to this router, but will block users from other LANs from accessing Telnet on this router.
  3. Test the restriction.

Step 9: Create vty restrictions for R2

  1. Create a Standard ACL that will not allow hosts on the R1 LAN to Telnet to R2 but will allow hosts on the R2 LAN to Telnet to their attached router.
  2. Conduct the tests to verify that this ACL achieves its goals. If it does not, troubleshoot by viewing the output of a show running-config command to verify that the ACL is present and applied correctly.

Step 10: Reflection

Why is the vty restriction ACL a good practice when configuring a router? Answer: If foreign hosts can Telnet into a router, they have the ability to view and modify the configuration. Security demands that Telnet be restricted. Because vty ACLs are applied to the vty lines and not to physical interfaces, this controls Telnet access to the router regardless of where on the network the host(s) attempt to connect from.

Lab 8.3.5 Configuring and Verifying Extended Named ACLs

Step 1: Connect the equipment

  1. Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable as shown in the diagram and addressing table.
  2. Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
  3. Connect Host 1 to the Fa0/2 port of Switch 1 using a straight-through cable.
  4. Connect Host 2 to the Fa0/3 port of Switch 1 using a straight-through cable.

Step 2: Perform basic configuration on Router 1

  1. Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
  2. On Router 1 configure the hostname, interfaces, passwords, and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.

Step 3: Perform basic configuration on Router 2

Step 4: Perform basic configuration on Switch 1

Step 5: Configure the hosts with IP address, subnet mask, and default gateway

  1. Configure the hosts' IP address, subnet mask, and default gateway according to the addressing table and the topology diagram.
  2. Each workstation should be able to ping R1 and each other. If the pings are not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.

Step 6: Verify that the network is functioning

  1. From the attached hosts, ping the FastEthernet interface of the default gateway router.
  2. Use the command show ip interface brief and check the status of each interface.
  3. Ping from the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2.

Was the ping successful? Answer: Yes

If the answer is no, troubleshoot the router configurations to find the error. Ping again until successful.

Step 7: Configure static and default routing on the routers.

  1. Configure a default route on R1. Use the next hop interface on R2 as the path.

R1(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2

  2. From one of the host PCs on R1, ping R2.

Why is the ping unsuccessful? Answer: There is no return route configured on R2 to reach the 192.168.15.0 network.

  3. Configure a static route on R2 to the R1 192.168.15.0 network. Use the next hop interface on R1 as the path.

Step 8: Configure and test a simple Named Standard ACL

  1. Create a Named ACL that allows H2 to reach other hosts on the local network but does not allow H2 to access remote networks. At the configuration prompt, use this command sequence:

Why do you need the third statement? Answer: To allow other IP traffic not covered by the ACL.

  2. Apply the ACL to the interface.

Describe how you should test this ACL: Answer: Ping from H2 to H1 to verify that H2 can reach hosts on the local network; ping from H2 to R1 and R2. Those pings should fail. Pings from H1 to R1 or R2 should succeed.

  3. Conduct the tests to verify that this ACL achieves its goals. If it does not, troubleshoot by viewing the output of a show running-config command to verify that the ACL is present and applied to the correct interface.

Step 9: Create and test a Named Extended ACL

  1. Create a Named ACL that does not allow H1 to ping R2 but allows H1 to reach the local network and R1. Describe how you would test this ACL:

Answer: Ping successfully from H1 to H2; ping unsuccessfully to R2, but ping successfully to R1.

  2. Conduct the tests to verify that this ACL achieves its goals. If it does not, troubleshoot by viewing the output of a show running-config command to verify that the ACL is present and applied to the correct interface.

Step 10: Edit a Named Standard ACL

  1. You have decided to edit the Named Standard ACL. In privileged EXEC mode, view the access list statements.
  2. Add a line to this Named Standard ACL to block H1 from reaching R1, but still permit H1 and H2 to reach each other. Enter configuration commands, one per line. End with CNTL/Z.

If you added a new PC to the topology, attached it to S1, and gave it the IP address 192.168.15.4/24, would it be able to reach R1? Answer: Yes

Step 11: Reflection

  1. Why is it good practice to perform basic configurations and verify connectivity before adding ACLs to routers? Answer: ACLs add many possible “error points”, places where a mistake results in traffic being disrupted. It is easier to troubleshoot if you can verify that the basic configuration is working before you add ACLs. If the basic configuration fails after adding an ACL, troubleshoot the ACL.
  2. What advantages do Named ACLs offer? Answer: The ability to give ACLs logical, easy-to-remember names, and unlimited numbers of them, rather than being limited to a specific range of numbers.
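The following model is an added example, not code from the original labs or from Cisco. It reproduces how IOS evaluates a standard access list, whether it is bound to the vty lines with `access-class <n> in` (Lab 8.3.6, Steps 8 and 9) or to an interface with `ip access-group <name> in` (Lab 8.3.5, Steps 8 and 10): entries are tried top-down, the first match decides and its counter (the one `show access-lists` reports) increments, and anything that matches no entry hits the implicit `deny any`. The R1 LAN 192.168.15.0/24, the new PC 192.168.15.4 and the R2 serial address 209.165.201.2 come from the page; the R2 LAN 192.168.16.0/24, the individual host addresses, the R2 list wording and the name LOCAL_ONLY are assumptions, since the addressing table is not reproduced here.

```python
"""Standard ACL evaluation model (added example, not part of the original labs)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w) == 0


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    network: str
    wildcard: str = "0.0.0.0"   # default wildcard = the `host` keyword
    matches: int = 0            # counter displayed by `show access-lists`


ANY = ("0.0.0.0", "255.255.255.255")   # the `any` keyword


class StandardAcl:
    def __init__(self, name, aces):
        self.name = name
        self.aces = list(aces)

    def evaluate(self, src: str) -> bool:
        """Standard ACLs look at the source address only; first match wins."""
        for ace in self.aces:
            if wildcard_match(src, ace.network, ace.wildcard):
                ace.matches += 1
                return ace.action == "permit"
        return False  # implicit deny any; IOS keeps no counter for it

    def show(self):
        """Lines in the spirit of `show access-lists` output."""
        return [f"{a.action} {a.network}, wildcard bits {a.wildcard} ({a.matches} matches)"
                for a in self.aces]


# Assumed host addresses (the addressing table is not on the page)
H1, H2, H3, H4 = "192.168.15.2", "192.168.15.3", "192.168.16.2", "192.168.16.3"
R2_SERIAL = "209.165.201.2"


def vty_restrictions():
    """Lab 8.3.6: who may Telnet to R1 and to R2 once the access-class lists are applied."""
    # R1 (from the lab): access-list 1 permit 192.168.15.0 0.0.0.255
    r1_vty = StandardAcl(1, [Ace("permit", "192.168.15.0", "0.0.0.255")])
    # R2 (Step 9, wording assumed): deny the R1 LAN, permit the R2 LAN
    r2_vty = StandardAcl(2, [Ace("deny", "192.168.15.0", "0.0.0.255"),
                             Ace("permit", "192.168.16.0", "0.0.0.255")])
    sources = {"H1": H1, "H2": H2, "H3": H3, "H4": H4, "R2 serial": R2_SERIAL}
    # (allowed on R1, allowed on R2) per source
    verdicts = {name: (r1_vty.evaluate(ip), r2_vty.evaluate(ip)) for name, ip in sources.items()}
    return verdicts, r1_vty, r2_vty


def named_acl_on_fa00():
    """Lab 8.3.5 Step 8 then Step 10: a named standard ACL inbound on R1 Fa0/0."""
    # ip access-list standard LOCAL_ONLY (name assumed) / deny host H2 / permit any
    acl = StandardAcl("LOCAL_ONLY", [Ace("deny", H2), Ace("permit", *ANY)])
    before = {"H1": acl.evaluate(H1), "H2": acl.evaluate(H2)}
    # Step 10: the new deny must go before `permit any`, otherwise it is never reached
    acl.aces.insert(1, Ace("deny", H1))
    after = {"H1": acl.evaluate(H1), "H2": acl.evaluate(H2),
             "new PC": acl.evaluate("192.168.15.4")}
    # H1 <-> H2 traffic stays on Switch 1 and never enters Fa0/0, so this list never sees it
    return before, after, acl


if __name__ == "__main__":
    verdicts, r1, r2 = vty_restrictions()
    print(verdicts, r1.show(), r2.show(), sep="\n")
    print(*named_acl_on_fa00()[:2], sep="\n")
```

The match counters make the ordering point visible: every H1/H2 attempt against R2 is absorbed by the `deny` entry before the R2 LAN `permit` is ever consulted, which is exactly what `show access-lists` shows in the lab and the first place to look when an ACL behaves unexpectedly.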

Lab 8.3.4 Planning, Configuring and Verifying Extended ACLs

Step 1: Connect the equipment

  1. Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable.
  2. Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
  3. Connect a console cable to each PC to perform configurations on the routers and switch.
  4. Connect Host 1 to the Fa0/3 port of Switch 1 using a straight-through cable.
  5. Connect Host 2 to the Fa0/2 port of Switch 1 using a straight-through cable.
  6. Connect a crossover cable between Host 3 and the Fa0/0 interface of Router 2.

Step 2: Perform basic configuration on Router 1

  1. Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
  2. On Router 1, configure the hostname, interfaces, passwords, and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.

Step 3: Perform basic configuration on Router 2

Perform basic configuration on Router 2 and save the configuration.

Step 4: Perform basic configuration on Switch 1

Configure Switch 1 with a hostname, console, Telnet, and privileged passwords according to the addressing table and topology diagram.

Step 5: Configure the hosts with IP address, subnet mask, and default gateway

  1. Configure the hosts' IP address, subnet mask, and default gateway according to the addressing table and the topology diagram.
  2. Each workstation should be able to ping the attached router. If the pings are not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.

Step 6: Configure RIP routing and verify end to end connectivity in the network

  1. On R1, enable the RIP routing protocol and configure it to advertise both connected networks.
  2. On R2, enable the RIP routing protocol and configure it to advertise both connected networks.
  3. Ping from each host to the other two hosts.

Were the pings successful? Answer: Yes

If the answer is no, troubleshoot the router and host configurations to find the error. Ping again until they are all successful.

Step 7: Configure Extended ACLs to control traffic

Host 3 in this network contains proprietary information. Security requirements for this network dictate that only certain devices should be allowed access to this machine. Host 1 is the only host that will be allowed to access this computer. All other hosts on this network are used for guest access and should not be allowed access to Host 3.

Step 8: Test the ACL

  1. Ping Host 3 from both Hosts 1 and 2.

Can Host 1 ping Host 3? Answer: Yes

Can Host 2 ping Host 3? Answer: No

  2. To verify that other addresses can ping Host 3, ping Host 3 from R1.

Is the ping successful? Answer: Yes

  3. Display the access control list again with the show access-lists command.

Step 9: Configure and test the ACL for the next requirement

  1. Host 3 is the only host that should be allowed to connect to R1 for remote management.
  2. Because the source traffic could come from any direction, this ACL needs to be applied to both interfaces on R1. The traffic to be controlled would be inbound to the router.
  3. Now attempt to telnet to R1 from all hosts and R2. Attempt to telnet to both R1 addresses.

Can you telnet to R1 from any of these devices? If yes, which one(s)? Answer: Yes, from Host 3 only.

  4. View the output of the show access-lists command on R1.
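The two requirements of Steps 7 and 9 are easier to reason about with a small model of extended ACL evaluation. This is an added example, not code from the original lab or from Cisco: an extended entry is matched on protocol, source, destination and (for TCP) destination port, top-down, first match wins, implicit deny at the end, and each list is bound to an interface and direction the way `ip access-group <n> in|out` does. Addresses are assumptions because the page does not reproduce the addressing table (R1 Fa0/0 192.168.15.1/24 with H1 .2 and H2 .3, the serial link 209.165.201.1 (R1) / 209.165.201.2 (R2), R2 Fa0/0 192.168.16.1/24 with H3 192.168.16.2); the list numbers 101 and 102 and the placement of list 101 are assumptions too.

```python
"""Extended ACL evaluation model for Lab 8.3.4 Steps 7-9 (added example, not the lab's own code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w) == 0


def HOST(ip):                                  # the `host <ip>` keyword
    return (ip, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")           # the `any` keyword
R1_LAN = ("192.168.15.0", "0.0.0.255")
# Assumed addresses (not on the page)
H1, H2, H3 = "192.168.15.2", "192.168.15.3", "192.168.16.2"
R1_FA, R1_S, R2_S = "192.168.15.1", "209.165.201.1", "209.165.201.2"


@dataclass
class Packet:
    proto: str                  # "icmp" or "tcp"
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass
class ExtAce:
    action: str
    proto: str                  # "ip" matches every protocol
    src: tuple                  # (network, wildcard)
    dst: tuple
    eq: Optional[int] = None    # `eq <port>` after the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        return self.eq is None or self.eq == p.dst_port


def evaluate(acl, p: Packet) -> bool:
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False  # implicit `deny ip any any`


class Router:
    """One list per (interface, direction), which is all IOS accepts per protocol."""
    def __init__(self):
        self.bindings = {}

    def apply(self, iface: str, direction: str, acl):
        self.bindings[(iface, direction)] = acl

    def forward(self, in_if: Optional[str], out_if: str, p: Packet) -> bool:
        """Transit traffic: inbound list on the entry interface, then outbound list on the exit.
        in_if=None models a packet the router generates itself, which no inbound list sees."""
        for key in ((in_if, "in"), (out_if, "out")):
            acl = self.bindings.get(key)
            if acl is not None and not evaluate(acl, p):
                return False
        return True

    def receive(self, in_if: str, p: Packet) -> bool:
        """Traffic addressed to the router itself (Telnet) is checked by the inbound list only."""
        acl = self.bindings.get((in_if, "in"))
        return acl is None or evaluate(acl, p)


def step7_only_h1_reaches_h3():
    # access-list 101 permit ip host 192.168.15.2 host 192.168.16.2
    # access-list 101 deny   ip 192.168.15.0 0.0.0.255 host 192.168.16.2
    # access-list 101 permit ip any any
    # interface Fa0/0 / ip access-group 101 in      (placement close to the source, assumed)
    acl101 = [ExtAce("permit", "ip", HOST(H1), HOST(H3)),
              ExtAce("deny", "ip", R1_LAN, HOST(H3)),
              ExtAce("permit", "ip", ANY, ANY)]
    r1 = Router()
    r1.apply("Fa0/0", "in", acl101)
    ping = lambda src: Packet("icmp", src, H3)
    return {"H1->H3": r1.forward("Fa0/0", "S0/0/0", ping(H1)),
            "H2->H3": r1.forward("Fa0/0", "S0/0/0", ping(H2)),
            # Step 8: a ping sourced by R1 leaves on S0/0/0 and never enters Fa0/0
            "R1->H3": r1.forward(None, "S0/0/0", ping(R1_S))}


def step9_only_h3_manages_r1():
    # access-list 102 permit tcp host 192.168.16.2 any eq 23
    # access-list 102 deny   tcp any any eq 23
    # access-list 102 permit ip any any
    # `ip access-group 102 in` on both Fa0/0 and S0/0/0 (Step 9, item 2). IOS takes one
    # inbound list per interface, so on Fa0/0 this replaces list 101; keeping both
    # requirements at once means merging the Step 7 statements into the same list.
    acl102 = [ExtAce("permit", "tcp", HOST(H3), ANY, eq=23),
              ExtAce("deny", "tcp", ANY, ANY, eq=23),
              ExtAce("permit", "ip", ANY, ANY)]
    r1 = Router()
    r1.apply("Fa0/0", "in", acl102)
    r1.apply("S0/0/0", "in", acl102)
    telnet = lambda src, dst: Packet("tcp", src, dst, 23)
    return {"H3->R1 serial": r1.receive("S0/0/0", telnet(H3, R1_S)),
            "H3->R1 Fa0/0": r1.receive("S0/0/0", telnet(H3, R1_FA)),
            "H1->R1": r1.receive("Fa0/0", telnet(H1, R1_FA)),
            "H2->R1": r1.receive("Fa0/0", telnet(H2, R1_FA)),
            "R2->R1": r1.receive("S0/0/0", telnet(R2_S, R1_S)),
            # non-Telnet traffic still passes through `permit ip any any`
            "H1->H3 ping": r1.forward("Fa0/0", "S0/0/0", Packet("icmp", H1, H3))}
```

Two points the model makes explicit: a router's own pings are never subject to its inbound lists (which is why the Step 8 check from R1 succeeds), and the Step 9 list must sit inbound on every interface because the Telnet request can arrive from either side, while Telnet from R2 is caught by the `deny tcp any any eq 23` line even though R2 is a trusted device.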

Step 11: Reflection

  1. Why is careful planning and testing of access control lists required? Answer: To verify that the intended traffic – and ONLY the intended traffic – is permitted.
  2. What is an advantage of using Extended ACLs over Standard ACLs? Answer: Extended ACLs allow you to filter based on more information than just the source address.

Lab 8.3.3 Configuring and Verifying Standard ACLs

Step 1: Connect the equipment

  1. Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable.
  2. Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
  3. Connect a console cable to the PC to perform configurations on the routers and switch.
  4. Connect H1 to the Fa0/2 port of Switch 1 using a straight-through cable.

Step 2: Perform basic configuration on Router 1

  1. Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
  2. On Router 1, configure the hostname, interfaces, passwords, and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.

Step 3: Perform basic configuration on Router 2

Perform basic configuration on Router 2 and save the configuration.

Step 4: Perform basic configuration on Switch 1

Configure Switch 1 with a hostname and passwords according to the addressing table and topology diagram.

Step 5: Configure the host with IP address, subnet mask, and default gateway

  1. Configure the host with the proper IP address, subnet mask, and default gateway. The host should be assigned the address 192.168.200.10/24 and the default gateway of 192.168.200.1.
  2. The workstation should be able to ping the attached router. If the ping is not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.

Step 6: Configure RIP routing and verify end-to-end connectivity in the network

  1. On Router 1, enable the RIP routing protocol and configure it to advertise both connected networks.
  2. On Router 2, enable the RIP routing protocol and configure it to advertise all three connected networks.
  3. Ping from Host 1 to the two loopback interfaces on Router 2.

Were the pings from Host 1 successful? Answer: Yes

If the answer is no, troubleshoot the router and host configurations to find the error. Ping again until they are both successful.

Step 7: Configure and test a standard ACL

Step 8: Test the ACL

  1. From Host 1, ping the 192.168.1.1 loopback address.

Is the ping successful? Answer: No

  2. From Host 1, ping the 192.168.2.1 loopback address.

Is the ping successful? Answer: No

  3. Issue the show access-list command again.

How many matches are there for the first ACL statement (permit)? Answer: Answers will vary, but there should be at least 8-16 matches if the pings to the loopbacks were done.

Step 9: Reflection

  1. Why is careful planning and testing of access control lists required? Answer: To verify that the intended traffic – and ONLY the intended traffic – is permitted.
  2. What is the main limitation of standard ACLs? Answer: They can only filter based on source address.
