Lab 8.3.4 Planning, Configuring and Verifying Extended ACLs
Step 1: Connect the equipment
- Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable.
- Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
- Connect a console cable to each PC to perform configurations on the routers and switch.
- Connect Host 1 to the Fa0/3 port of Switch 1 using a straight-through cable.
- Connect Host 2 to the Fa0/2 port of Switch 1 using a straight-through cable.
- Connect a crossover cable between Host 3 and the Fa0/0 interface of Router 2.
Step 2: Perform basic configuration on Router 1
- Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
- On Router 1, configure the hostname, interfaces, passwords, and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.
Step 3: Perform basic configuration on Router 2
Perform basic configuration on Router 2 and save the configuration.
Step 4: Perform basic configuration on Switch 1
Configure Switch 1 with a hostname, console, Telnet, and privileged passwords according to the addressing table and topology diagram.
Step 5: Configure the hosts with IP address, subnet mask, and default gateway
- Configure the hosts with IP address, subnet mask, and default gateway according to the addressing table and the topology diagram.
- Each workstation should be able to ping the attached router. If the pings are not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.
Step 6: Configure RIP routing and verify end-to-end connectivity in the network
- On R1, enable the RIP routing protocol and configure it to advertise both connected networks.
- On R2, enable the RIP routing protocol and configure it to advertise both connected networks.
- Ping from each host to the other two hosts.
Were the pings successful? __________ yes
If the answer is no, troubleshoot the router and host configurations to find the error. Ping again until they are all successful.
Step 7: Configure Extended ACLs to control traffic
Host 3 in this network contains proprietary information. Security requirements for this network dictate that only certain devices should be allowed access to this machine. Host 1 is the only host that will be allowed to access this computer. All other hosts on this network are used for guest access and should not be allowed access to Host 3.
Step 8: Test the ACL
- Ping Host 3 from both Hosts 1 and 2.
Can Host 1 ping Host 3? __________ yes
Can Host 2 ping Host 3? __________ no
- To verify that other addresses can ping Host 3, ping Host 3 from R1.
Is the ping successful? __________ yes
- Display the access control list again with the show access-lists command.
Step 9: Configure and test the ACL for the next requirement
- Host 3 is the only host that should be allowed to connect to R1 for remote management.
- Because the source traffic could come from any direction, this ACL needs to be applied to both interfaces on R1. The traffic to be controlled would be inbound to the router.
- Now attempt to telnet to R1 from all hosts and R2. Attempt to telnet to both R1 addresses.
Can you telnet to R1 from any of these devices? If yes, which one(s)? Answer: Yes, from Host 3 only.
- View the output of the show access-lists command on R1.
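A sample R1 configuration that meets the requirements of Step 7 and Step 9 together, added here as an illustration and not part of the lab's answer key. All addresses are assumed placeholders, since the lab's addressing table is not reproduced on this page, and must be replaced with the values from that table. It also covers a point the lab does not spell out: an interface accepts only one ACL per direction, so the Step 9 Telnet filter is merged into the ACL already applied inbound on Fa0/0 and a second ACL carries it on S0/0/0.

```cisco
! Added example (not the lab's answer key). Addresses are ASSUMED placeholders:
!   Host 1 = 192.168.1.10, Host 2 = 192.168.1.20 (R1 Fa0/0 LAN, gateway 192.168.1.1)
!   Host 3 = 192.168.3.10 (R2 Fa0/0 LAN), R1 S0/0/0 = 192.168.2.1
! Replace them with the values from the lab's addressing table.
!
! Step 7: only Host 1 may reach Host 3. Extended ACLs are placed close to the
! source, so this is applied inbound on R1 Fa0/0, where Hosts 1 and 2 enter.
! The Step 9 Telnet rule is merged in, because Fa0/0 takes one inbound ACL.
R1(config)# access-list 101 remark Host1-to-Host3 only, no Telnet to R1 from LAN
R1(config)# access-list 101 permit ip host 192.168.1.10 host 192.168.3.10
R1(config)# access-list 101 deny   ip any host 192.168.3.10
R1(config)# access-list 101 deny   tcp any any eq telnet
R1(config)# access-list 101 permit ip any any
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 101 in
R1(config-if)# exit
!
! Step 9: only Host 3 may Telnet to R1. On S0/0/0 (where Host 3 and R2 arrive)
! permit Host 3 to any R1 address on TCP 23, deny all other Telnet, pass the rest.
R1(config)# access-list 102 remark Telnet to R1 from Host3 only
R1(config)# access-list 102 permit tcp host 192.168.3.10 any eq telnet
R1(config)# access-list 102 deny   tcp any any eq telnet
R1(config)# access-list 102 permit ip any any
R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group 102 in
R1(config-if)# end
!
! Verification for Steps 8 and 9: the match counter on the first permit line of
! 101 grows after a Host 1 ping, the deny line after a Host 2 ping; a ping from
! R1 itself is router-generated and is not checked by an inbound ACL.
R1# show access-lists
R1# show ip interface FastEthernet0/0 | include access list
```

Entries are evaluated top down and the first match wins, so the order of the permit and deny lines above is what produces the yes/no results recorded in Steps 8 and 9.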
Step 11: Reflection
- Why are careful planning and testing of access control lists required? Answer: To verify that the intended traffic, and ONLY the intended traffic, is permitted.
- What is an advantage of using Extended ACLs over Standard ACLs? Answer: Extended ACLs allow you to filter based on more information than just the source address.