Lab 8.3.6 Configuring and Verifying VTY Restrictions
Step 1: Connect the equipment
- Connect the S0/0/0 interface of Router 1 to the S0/0/0 interface of Router 2 using a serial cable as shown in the diagram and addressing table.
- Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
- Connect Host 1 to the Fa0/2 port of Switch 1 using a straight-through cable, and connect Host 2 to the Fa0/3 port of Switch 1 using a straight-through cable.
- Connect Host 3 to the Fa0/2 port of Switch 2 using a straight-through cable, and connect Host 4 to the Fa0/3 port of Switch 2 using a straight-through cable.
Step 2: Perform basic configuration on Router 1
- Connect a PC to the console port of the router to perform configurations using a terminal emulation program.
- On Router 1, configure the hostname, interfaces, passwords and message-of-the-day banner and disable DNS lookups according to the addressing table and topology diagram. Save the configuration.
Step 3: Perform basic configuration on Router 2
Step 4: Perform basic configuration on Switch 1 and Switch 2
Step 5: Configure the hosts with IP address, subnet mask, and default gateway
- Configure the hosts IP address, subnet mask, and default gateway according to the table and the topology diagram.
- Each workstation should be able to ping its attached router. If a ping fails, check that the workstation has the correct IP address, subnet mask and default gateway from the addressing table, and troubleshoot as necessary.
Step 6: Configure dynamic routing on the routers
- Configure RIP routing on R1. Advertise the appropriate networks.
- Configure RIP routing on R2. Advertise the appropriate networks.
Step 7: Verify connectivity
- Once the network has converged, H1 should be able to ping every other device: R1, R2, H2, H3 and H4.
- Test connectivity by pinging all the destinations. If any pings fail, troubleshoot the configurations on the routers and host PCs.
- Check the routing table on R1.
- Verify that all routes appear in the routing table. If a route is missing, troubleshoot the router configuration.
- Telnet from the hosts to both routers. All hosts should be able to Telnet to both routers. If Telnet fails, troubleshoot the router and host configurations.
Step 8: Configure and test an ACL that will limit Telnet access
- Create a standard ACL that matches the LAN attached to R1 (192.168.15.0/24 in this lab):
  R1(config)#access-list 1 permit 192.168.15.0 0.0.0.255
- Now that the LAN traffic is defined, apply the ACL inbound on the vty lines with the access-class command. Hosts on this LAN can still Telnet to the router; hosts on any other network are refused, because a standard ACL ends with an implicit deny of everything not permitted.
- Test the restriction: Telnet to R1 from H1 (same LAN, should succeed) and from H3 (R2 LAN, should be refused).
Step 9: Create vty restrictions for R2
- Create a standard ACL that permits hosts on the R2 LAN to Telnet to R2 but refuses hosts on the R1 LAN, and apply it inbound on the R2 vty lines.
- Test from H3 (should succeed) and from H1 (should be refused). If the result is wrong, check the output of show running-config to verify that the ACL exists and is applied to the vty lines, and show access-lists to confirm that the permit entry is matching the expected traffic.
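The complete vty restriction for both routers (Steps 8 and 9), as an added example and not part of the lab text. The R1 LAN 192.168.15.0/24 is taken from Step 8; the R2 LAN address 192.168.16.0/24 is an assumption standing in for the lab's addressing table, which is not reproduced here.

```cisco
! Added example, not from the lab. 192.168.15.0/24 is the R1 LAN from Step 8;
! 192.168.16.0/24 is an ASSUMED address for the R2 LAN (check your addressing table).

! ----- R1: permit Telnet only from the R1 LAN (Step 8) -----
R1(config)# access-list 1 remark Telnet to R1 only from the R1 LAN
R1(config)# access-list 1 permit 192.168.15.0 0.0.0.255
! No deny statement is needed: a standard ACL ends with an implicit "deny any".
R1(config)# line vty 0 4
R1(config-line)# access-class 1 in
R1(config-line)# end
R1# copy running-config startup-config

! ----- R2: permit Telnet only from the R2 LAN (Step 9) -----
R2(config)# access-list 2 remark Telnet to R2 only from the R2 LAN
R2(config)# access-list 2 permit 192.168.16.0 0.0.0.255
R2(config)# line vty 0 4
R2(config-line)# access-class 2 in
R2(config-line)# end
R2# copy running-config startup-config

! ----- Verification on each router -----
R1# show access-lists 1
R1# show running-config | begin line vty
R1# show line
```

The access-class line is what ties the ACL to Telnet access; an ACL that exists but is not applied to the lines does nothing, which is the first thing to look for in show running-config when a test fails. A host outside the permitted LAN gets "% Connection refused by remote host", while the match counter on the permit entry in show access-lists increments for each successful connection from the permitted LAN. Check show line for the number of VTY lines the router actually has: if the image provides more than vty 0 4, the access-class must be applied to all of them (for example line vty 0 15), otherwise a connection that lands on an unrestricted line bypasses the filter.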
Step 10: Reflection
Why is the vty restriction ACL a good practice when configuring a router? Answer: if foreign hosts can Telnet into a router, they can view and modify its configuration, so Telnet access must be restricted. Because the ACL is applied to the vty lines rather than to a physical interface, it controls Telnet access to the router itself no matter which interface the connection arrives on. Note that the ACL only limits which sources may reach the lines; it does not protect the session, and Telnet sends passwords and commands in cleartext.