CCNP-ACCESS LIST


Page 1: CCNP-ACCESS LIST

IP NETWORKS

Assignment 6

Access List

1. The network of a company is shown in Figure 1. The company has two PCs on the 201.205.84.0 network. That network connects, through router 1, to router 2, which is located on the 192.168.1.0 network. In the present setup no ACL is configured, and traffic can travel unrestricted between the PCs and the routers.

a. Configure the network and the routers so that PC1 and PC2 can ping router 2. Then configure router 2 so that PC1 and PC2 can telnet to it with username telnet and password Troy.

b. Configure the ACL on router 1 so that PC1 can ping router 2, while only PC2 is allowed to telnet to router 2 (Joker). We achieve this with three entries in one ACL. The first permits PC1 to ping router 2 by allowing ICMP packets from FE1 to FE0. The second permits PC2 to telnet to router 2 by allowing TCP Telnet packets from FE1 to FE0. The third denies all other traffic from FE1 to FE0. You may wonder how the first two entries can work if the third denies everything. It is simple: when a packet is filtered through an ACL, the router checks the entries in the order they were entered, one by one; at the first entry that matches, that entry's action (permit or deny) is applied and no further entries are checked. The deny-all entry therefore only comes into play for packets that matched neither of the two permits. Every IOS ACL also ends with an implicit deny, so unmatched traffic would be dropped even without the third entry; writing it explicitly makes the dropped packets visible in the match counters of show access-lists.

c. Configure the ACL on router 1 so that PC1 and PC2 can ping the web server, but only PC1 can open the server's webpage.

2. The test-bed is built as shown in Figure 2. Complete the following tasks.

Asignment 6 Page 1


a. Configure the hostname Sw1 on your lab switch, and the hostname R1 on the router, as illustrated in the topology.

b. Create VLAN 10 on switch Sw1 and assign port FastEthernet0/2 to this VLAN as an access port.

c. Configure IP address 10.0.0.1/30 on router R1's FastEthernet0/0 interface, and IP address 10.0.0.2/30 on switch Sw1's VLAN 10 interface. Verify that R1 can ping Sw1 and vice versa.

d. Configure port security on port FastEthernet0/2 of switch Sw1 so that only 1 MAC address is allowed to be learned on that interface. In the event of a port security violation, where more than 1 MAC address is observed on that interface, the switch should shut the interface down. Verify your configuration with the port security commands in Cisco IOS.

Exercise 1

a. Network configuration

Router 1

Router1> enable
Router1# configure terminal
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 201.205.84.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# exit

Router1(config)# router rip
Router1(config-router)# version 2
Router1(config-router)# network 192.168.1.0
Router1(config-router)# network 201.205.84.0
Router1(config-router)# no auto-summary
Router1(config-router)# exit

Router 2

Router2> enable
Router2# configure terminal
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# no shutdown
Router2(config-if)# exit

Router2(config)# router rip
Router2(config-router)# version 2
Router2(config-router)# network 192.168.1.0
Router2(config-router)# no auto-summary
Router2(config-router)# exit

After this configuration, pings from PC1 and PC2 (with 201.205.84.1 as their default gateway) to router 2 succeed.

Configuration on Router 2 so that it accepts Telnet logins with username telnet and password Troy:

Router2(config)# username telnet password Troy
Router2(config)# line vty 0 4
Router2(config-line)# login local
Router2(config-line)# exit

Passwords are case sensitive, so the username entry must use Troy exactly as required. Note that username ... password keeps the password in the configuration in clear text (or in the reversible type 7 form with service password-encryption); username telnet secret Troy stores a hash instead and is the form to prefer. Telnet itself sends the credentials unencrypted, which is acceptable only inside an isolated lab.

b. Access list

Configure ACLs on R1 so that:

PC1 can ping R2 but cannot telnet to it; PC2 can telnet to R2 but cannot ping it.

R1 configuration

Router1(config)# ip access-list extended 1b
Router1(config-ext-nacl)# permit icmp host 201.205.84.15 host 192.168.1.3
Router1(config-ext-nacl)# permit tcp host 201.205.84.12 host 192.168.1.3 eq telnet
Router1(config-ext-nacl)# deny ip 201.205.84.0 0.0.0.255 host 192.168.1.3
Router1(config-ext-nacl)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip access-group 1b in

The second entry must be the Telnet permit for PC2 (201.205.84.12, TCP port 23); repeating the ICMP permit for PC1 there would leave PC2 unable to ping or telnet. Entry order matters: the two specific permits (one host, one protocol each) come first, the deny covering the whole 201.205.84.0/24 network comes last, and the implicit deny follows it. The list is applied inbound on FastEthernet0/0, the interface facing the PCs, so it is evaluated as packets from PC1 and PC2 enter R1; applied inbound on FastEthernet0/1 or outbound on FastEthernet0/0 it would never see packets sourced from 201.205.84.0/24 and would have no effect. Check the counters with show access-lists 1b after testing from both PCs.

Results for [PC1] (and correspondingly for [PC2]).

c. Configure ACLs on R1 so that [PC1] can ping the web server and open its webpage, while [PC2] can ping the web server but cannot open the webpage.

The entries needed, as reported by show access-lists after the test (match counts from the lab run):

permit icmp host 201.205.84.15 host 192.168.1.4 (16 match(es))
permit icmp host 201.205.84.12 host 192.168.1.4 (8 match(es))
permit tcp host 201.205.84.15 host 192.168.1.4 (12 match(es))
deny ip 201.205.84.0 0.0.0.255 host 192.168.1.4 (12 match(es))

R1 configuration

Router1(config)# interface FastEthernet0/0
Router1(config-if)# no ip access-group 1b in
Router1(config-if)# exit
Router1(config)# ip access-list extended 1c
Router1(config-ext-nacl)# permit icmp host 201.205.84.15 host 192.168.1.4
Router1(config-ext-nacl)# permit icmp host 201.205.84.12 host 192.168.1.4
Router1(config-ext-nacl)# permit tcp host 201.205.84.15 host 192.168.1.4
Router1(config-ext-nacl)# deny ip 201.205.84.0 0.0.0.255 host 192.168.1.4
Router1(config-ext-nacl)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip access-group 1c in

Remove 1b from every interface it was applied to before applying 1c: only one IPv4 ACL can be bound per interface and direction, and with 1b still in place packets to 192.168.1.4 match none of its entries and are dropped by the implicit deny. The fourth entry of 1c must be the deny for the whole 201.205.84.0/24 network; PC2's TCP connections to port 80 fall through to it, so PC2's ping succeeds while its browser times out. The third entry permits every TCP port from PC1 to the server; permit tcp host 201.205.84.15 host 192.168.1.4 eq www would limit it to HTTP, which is the least-privilege form of the requirement.
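To make the first-match rule concrete, here is an added example (this example's own code, not part of the lab handout and not Cisco IOS) that parses the entries of lists 1b and 1c in IOS syntax and evaluates constructed sample packets from PC1 (201.205.84.15) and PC2 (201.205.84.12) against them. It reports the decision for each packet and per-entry match counters in the style of show access-lists, and also runs 1b with the deny moved to the top to show how a misplaced deny shadows the permits. Assumed simplifications: contiguous wildcard masks only, and only a destination-port eq qualifier, which is all these lists use.

```python
"""First-match evaluation of Cisco IOS extended ACLs, modelled in Python.
Added example, not from the lab handout: parses IOS-syntax entries, stops at
the first matching entry, applies the implicit deny, and counts matches like
'show access-lists'. Assumes contiguous wildcards and only 'eq <dport>'."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80}
PC1, PC2, R2, WEB = "201.205.84.15", "201.205.84.12", "192.168.1.3", "192.168.1.4"


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    text: str
    matches: int = 0


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Wildcard bits are the inverse of netmask bits: 0.0.0.0 = one host, 0.0.0.255 = /24
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'permit tcp host 201.205.84.12 host 192.168.1.3 eq telnet'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net = _parse_addr(rest)
    dst_net = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(action, proto, src_net, dst_net, dport, line.strip())


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Action of the first matching entry; 'deny' if nothing matches."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if src not in entry.src_net or dst not in entry.dst_net:
            continue
        if entry.dport is not None and pkt.dport != entry.dport:
            continue
        entry.matches += 1          # the counter 'show access-lists' prints
        return entry.action         # first match wins; later entries are never seen
    return "deny"                   # implicit 'deny ip any any', not counted anywhere


def run(lines: List[str], packets: Dict[str, Packet]) -> Tuple[Dict[str, str], List[str]]:
    """Build the list, classify each named packet, render the match counters."""
    acl = [parse_entry(line) for line in lines]
    decisions = {name: evaluate(acl, pkt) for name, pkt in packets.items()}
    return decisions, [f"{e.text} ({e.matches} match(es))" for e in acl]


ACL_1B = [f"permit icmp host {PC1} host {R2}",
          f"permit tcp host {PC2} host {R2} eq telnet",
          f"deny ip 201.205.84.0 0.0.0.255 host {R2}"]
ACL_1C = [f"permit icmp host {PC1} host {WEB}", f"permit icmp host {PC2} host {WEB}",
          f"permit tcp host {PC1} host {WEB}", f"deny ip 201.205.84.0 0.0.0.255 host {WEB}"]
PACKETS_1B = {                  # constructed test traffic toward router 2
    "pc1_ping": Packet("icmp", PC1, R2), "pc1_telnet": Packet("tcp", PC1, R2, 23),
    "pc2_ping": Packet("icmp", PC2, R2), "pc2_telnet": Packet("tcp", PC2, R2, 23),
    "pc2_ssh": Packet("tcp", PC2, R2, 22),
    "pc2_other_host": Packet("icmp", PC2, "192.168.1.9"),  # hits only the implicit deny
}
PACKETS_1C = {                  # constructed test traffic toward the web server
    "pc1_ping": Packet("icmp", PC1, WEB), "pc1_http": Packet("tcp", PC1, WEB, 80),
    "pc2_ping": Packet("icmp", PC2, WEB), "pc2_http": Packet("tcp", PC2, WEB, 80),
}

if __name__ == "__main__":
    print("1b:", run(ACL_1B, PACKETS_1B))
    print("1c:", run(ACL_1C, PACKETS_1C))
    print("1b with the deny first:", run(ACL_1B[2:] + ACL_1B[:2], PACKETS_1B)[0])
```

Running the file prints the decisions and counters for both lists. The last 1b packet, addressed to a host that no entry mentions, is dropped by the implicit deny and counted on no entry, which is why show access-lists never reveals traffic dropped that way unless the list ends with an explicit deny ip any any log.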

Results

[PC1]


[PC2]


Exercise 2

a. Rename the switch to SW1 and the router to R1.

Router1>enable

Router1#configure terminal

Router1(config)#hostname R1

R1(config)#

Switch1>enable

Switch1#configure terminal

Switch1(config)#hostname SW1

SW1(config)#

b. Create VLAN 10 on SW1 with FastEthernet0/2 as an access port.

SW1(config)#vlan 10

SW1(config-vlan)#name Sales

SW1(config-vlan)#exit

SW1(config)#interface fa0/2

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 10

SW1(config-if)# no shutdown


SW1(config-if)#exit

Verify with

SW1# show vlan brief (lists the VLANs on SW1 and the ports assigned to each; Fa0/2 should appear under VLAN 10)

c. Assign 10.0.0.1/30 to Fa0/0 on R1 and 10.0.0.2/30 to the VLAN 10 interface on SW1. A /30 corresponds to the mask 255.255.255.252.

R1(config)#interface fa0/0

R1(config-if)#no shutdown

R1(config-if)#ip address 10.0.0.1 255.255.255.252

R1(config-if)#exit

SW1(config)#interface vlan 10

SW1(config-if)#ip address 10.0.0.2 255.255.255.252

SW1(config-if)#no shutdown

SW1(config-if)#exit


Verify that R1 can ping the VLAN 10 interface and vice versa.

R1>ping 10.0.0.2

SW1#ping 10.0.0.1

Result

d. Configure port security on Fa0/2 of SW1: allow only a single MAC address on Fa0/2, and shut the port down immediately if a different MAC address appears.

SW1(config)#int fa0/2

SW1(config-if)# switchport port-security

SW1(config-if)# switchport port-security violation shutdown

SW1(config-if)# switchport port-security maximum 1

SW1(config-if)# switchport port-security mac-address sticky

SW1(config-if)#exit


Verification

Disconnect the cable between R1 and SW1 and connect a PC to port Fa0/2 of SW1.

When the [PC] pings VLAN 10, the port is shut down (err-disabled) immediately, because the sticky address learned on Fa0/2 is R1's and the PC's MAC is a second address.

To recover, enter interface Fa0/2 and issue shutdown followed by no shutdown; the port comes back up, but the port-security configuration is retained, meaning SW1 still accepts only the sticky MAC address it learned, and the PC triggers the violation again as long as that entry exists. Check with show port-security interface fa0/2 (Port Status, Violation Mode, Security Violation Count) and show port-security address; the sticky entry stays in the running-config until it is removed with clear port-security sticky interface fa0/2. Automatic recovery can be enabled with errdisable recovery cause psecure-violation, but the port simply err-disables again if the unknown MAC is still attached.
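The verification above can be traced frame by frame with the following added example (this example's own Python model, not lab code and not IOS): a class that mimics the port-security settings on Fa0/2 (maximum 1, sticky learning, violation shutdown) and a replay of the test in which R1's MAC is learned first and a PC is then plugged into the same port. The MAC addresses are constructed; the IOS commands named in the comments are the real ones, while the class and method names are this example's own.

```python
"""Port security on SW1 Fa0/2 (maximum 1, sticky, violation shutdown) as a state machine.
Added example, not from the lab handout or IOS: the MAC addresses are constructed,
the IOS commands quoted in comments are real, the class and its methods are ours.
Sticky learning is assumed, so learned addresses persist until explicitly cleared."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum 1
    violation: str = "shutdown"      # switchport port-security violation shutdown
    secure_macs: List[str] = field(default_factory=list)
    state: str = "up"                # "up" or "err-disabled"
    violation_count: int = 0

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame by its source MAC; return what the port did."""
        src_mac = src_mac.lower()
        if self.state == "err-disabled":
            return "dropped (err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Sticky learning writes the address into the running-config as
            # 'switchport port-security mac-address sticky <mac>'.
            self.secure_macs.append(src_mac)
            return "learned"
        self.violation_count += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"   # %PM-4-ERR_DISABLE: psecure-violation
            return "violation: port err-disabled"
        if self.violation == "restrict":
            return "violation: frame dropped, counter incremented"
        return "violation: frame dropped"  # protect mode drops silently

    def shut_no_shut(self) -> None:
        """'shutdown' then 'no shutdown' clears err-disable; sticky addresses survive."""
        self.state = "up"

    def clear_sticky(self) -> None:
        """'clear port-security sticky interface fa0/2' forgets the learned addresses."""
        self.secure_macs.clear()

    def show(self) -> Dict[str, object]:
        """Subset of what 'show port-security interface fa0/2' prints."""
        return {
            "Port Status": "Secure-up" if self.state == "up" else "Secure-shutdown",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Security Violation Count": self.violation_count,
        }


R1_MAC = "00:1a:2b:3c:4d:01"   # constructed: R1 Fa0/0
PC_MAC = "00:1a:2b:3c:4d:99"   # constructed: the PC plugged in for the test


def lab_verification() -> Tuple[List[str], Dict[str, object]]:
    """Replay the test: R1 is learned first, then a PC is plugged into the same port."""
    port = SecurePort()
    log = [port.receive(R1_MAC),      # learned: R1 becomes the sticky address
           port.receive(R1_MAC)]      # forwarded
    log.append(port.receive(PC_MAC))  # PC's ping: violation, port err-disabled
    status = port.show()              # what the switch reports at this point
    log.append(port.receive(PC_MAC))  # nothing passes while err-disabled
    port.shut_no_shut()               # the recovery step described above
    log.append(port.receive(PC_MAC))  # violates again: R1's MAC is still sticky
    port.shut_no_shut()
    port.clear_sticky()               # only after this can the PC be learned
    log.append(port.receive(PC_MAC))  # learned
    return log, status


if __name__ == "__main__":
    log, status = lab_verification()
    print("\n".join(log))
    print(status)
```

The replay shows the two points the lab's test depends on: a violation in shutdown mode stops all traffic on the port, not just the offending frame, and shut/no shut restores the port without touching the sticky entry, so the PC is admitted only after the stored address is cleared. Constructing a SecurePort(violation="restrict") instead shows the alternative mode, which drops the offending frames and counts them but leaves the port up.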
