Lab 8.3.5 Configuring and Verifying Extended Named ACLs
Step 1: Connect the equipment
- Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable as shown in the diagram and addressing table.
- Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
- Connect Host 1 to the Fa0/2 port of Switch 1 using a straight-through cable.
- Connect Host 2 to the Fa0/3 port of Switch 1 using a straight-through cable.
Step 2: Perform basic configuration on Router 1
- Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
- On Router 1, configure the hostname, interfaces, passwords, and message-of-the-day banner, and disable DNS lookups, according to the addressing table and topology diagram. Save the configuration.
Step 3: Perform basic configuration on Router 2
Step 4: Perform basic configuration on Switch 1
Step 5: Configure the hosts with IP address, subnet mask, and default gateway
- Configure each host's IP address, subnet mask, and default gateway according to the addressing table and the topology diagram.
- Each workstation should be able to ping R1 and each other. If the pings are not successful, troubleshoot as necessary. Check and verify that the workstation has been assigned a specific IP address and default gateway.
Step 6: Verify that the network is functioning
- From the attached hosts, ping the FastEthernet interface of the default gateway router.
- Use the command show ip interface brief and check the status of each interface.
- Ping from the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2.
Was the ping successful? Answer: Yes
If the answer is no, troubleshoot the router configurations to find the error. Ping again until successful.
Step 7: Configure static and default routing on the routers
a. Configure a default route on R1. Use the next hop interface on R2 as the path.
R1(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2
b. From one of the host PCs on R1, ping R2.
Why is the ping unsuccessful? Answer: There is no return route configured on R2 to reach the 192.168.15.0 network.
c. Configure a static route on R2 to the R1 192.168.15.0 network. Use the next hop interface on R1 as the path.
Step 8: Configure and test a simple Named Standard ACL
a. Create a Named ACL that allows H2 to reach other hosts on the local network but does not allow H2 to access remote networks. At the configuration prompt, use this command sequence:
Why do you need the third statement? Answer: To allow other IP traffic not covered by the ACL.
b. Apply the ACL to the interface.
Describe how you should test this ACL: Answer: Ping from H2 to H1 to verify that H2 can reach hosts on the local network; ping from H2 to R1 and R2. Those pings should fail. Pings from H1 to R1 or R2 should succeed.
c. Conduct the tests to verify that this ACL achieves its goals. If it does not, troubleshoot by viewing the output of a show running-config command to verify that the ACL is present and applied to the correct interface.
Step 9: Create and test a Named Extended ACL
a. Create a Named ACL that does not allow H1 to ping R2 but allows H1 to reach the local network and R1. Describe how you would test this ACL:
Answer: Ping successfully from H1 to H2; ping unsuccessfully to R2, but ping successfully to R1.
b. Conduct the tests to verify that this ACL achieves its goals. If it does not, troubleshoot by viewing the output of a show running-config command to verify that the ACL is present and applied to the correct interface.
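To see why the Step 8 and Step 9 ACLs behave as the answers describe, here is an added example (not part of the lab) that evaluates packets against the Step 9 extended ACL the way IOS does: first-match, wildcard-mask comparison, and an implicit deny at the end of every list. The host addresses are assumptions, since the addressing table is not on this page; only the 192.168.15.0/24 network and R2's 209.165.201.2 are given.

```python
# Added example, not part of the lab: first-match ACL evaluator with IOS
# wildcard-mask semantics and the implicit "deny ip any any".
import ipaddress

H1, H2, R1_FA = "192.168.15.2", "192.168.15.3", "192.168.15.1"   # assumed
R2_S0 = "209.165.201.2"                                         # from the lab
NEW_PC = "192.168.15.4"                                         # from Step 10

def wildcard_match(addr, network, wildcard):
    """IOS semantics: a wildcard bit of 1 means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def host(ip):
    return (ip, "0.0.0.0")                      # the 'host X' keyword
ANY = ("0.0.0.0", "255.255.255.255")            # the 'any' keyword

# (action, protocol, source, destination), in the order they were entered.
STEP9_ACL = [
    ("deny",   "icmp", host(H1), host(R2_S0)),   # H1 may not ping R2
    ("permit", "ip",   ANY,      ANY),           # everything else is allowed
]

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, p, (sn, sw), (dn, dw) in acl:
        if p not in ("ip", proto):              # 'ip' entries match any protocol
            continue
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"                               # implicit deny ip any any

def step9_results():
    """Verdicts for the tests the lab asks for, plus two instructive extras."""
    return {
        "H1 ping R2": evaluate(STEP9_ACL, "icmp", H1, R2_S0),
        "H1 ping R1": evaluate(STEP9_ACL, "icmp", H1, R1_FA),
        "H1 telnet R2": evaluate(STEP9_ACL, "tcp", H1, R2_S0),   # only ICMP is denied
        "H2 ping R2": evaluate(STEP9_ACL, "icmp", H2, R2_S0),
        # Drop the trailing permit: the implicit deny now blocks H2 as well,
        # which is why Step 8's final 'permit' statement is needed.
        "H2 ping R2 (no permit any)": evaluate(STEP9_ACL[:1], "icmp", H2, R2_S0),
        "new PC in 192.168.15.0/24": wildcard_match(NEW_PC, "192.168.15.0", "0.0.0.255"),
    }

if __name__ == "__main__":
    for test, verdict in step9_results().items():
        print(f"{test:28s} -> {verdict}")
```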
Step 10: Edit a Named Standard ACL
- You have decided to edit the Named Standard ACL. In privileged EXEC mode, view the access list statements.
- Add a line to this Named Standard ACL to block H1 from reaching R1, but still permit H1 and H2 to reach each other. Enter configuration commands, one per line. End with CNTL/Z.
If you added a new PC to the topology, attached it to S1, and gave it the IP address 192.168.15.4/24, would it be able to reach R1? Answer: Yes
Step 11: Reflection
a. Why is it good practice to perform basic configurations and verify connectivity before adding ACLs to routers? Answer: ACLs add many possible “error points”, or places where a mistake results in traffic being disrupted. It is easier to troubleshoot if you can verify that the basic configuration is working before you add ACLs. If the basic configuration fails after adding an ACL, troubleshoot the ACL.
b. What advantages do Named ACLs offer? Answer: The ability to give ACLs logical, easy-to-remember names, and an unlimited number of ACLs rather than being limited to a specific range of numbers.