5.5.2 Packet Tracer – Configure and Verify Extended IPv4 ACLs – Physical Mode Answers
Topology
Addressing Table
| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/0/1 | N/A | N/A | N/A |
| G0/0/1.20 | 10.20.0.1 | 255.255.255.0 | ||
| G0/0/1.30 | 10.30.0.1 | 255.255.255.0 | ||
| G0/0/1.40 | 10.40.0.1 | 255.255.255.0 | ||
| G0/0/1.1000 | N/A | N/A | ||
| G0/0/0 | 172.16.1.1 | 255.255.255.0 | ||
| R2 | G0/0/1 | 10.20.0.4 | 255.255.255.0 | N/A |
| S1 | VLAN 20 | 10.20.0.2 | 255.255.255.0 | 10.20.0.1 |
| S2 | VLAN 20 | 10.20.0.3 | 255.255.255.0 | 10.20.0.1 |
| PC-A | NIC | 10.30.0.10 | 255.255.255.0 | 10.30.0.1 |
| PC-B | NIC | 10.40.0.10 | 255.255.255.0 | 10.40.0.1 |
| Server-A | NIC | 172.16.1.2 | 255.255.255.0 | 172.16.1.1 |
VLAN Table
| VLAN | Name | Interface Assigned |
|---|---|---|
| 20 | Management | S2: F0/5 |
| 30 | Operations | S1: F0/6 |
| 40 | Sales | S2: F0/18 |
| 999 | ParkingLot | S1: F0/2-4, F0/7-24, G0/1-2 S2: F0/2-4, F0/6-17, F0/19-24, G0/1-2 |
| 1000 | Native | N/A |
Objectives
- Part 1: Build the Network and Configure Basic Device Settings
- Part 2: Configure VLANs on the Switches
- Part 3: Configure Trunking
- Part 4: Configure Routing
- Part 5: Configure Remote Access
- Part 6: Verify Connectivity
- Part 7: Configure and Verify Extended Access Control Lists
Background / Scenario
In this Packet Tracer Physical Mode (PTPM) activity, you have been tasked with configuring access control lists (ACLs) on a small company’s network. ACLs are one of the simplest and most direct means of controlling Layer 3 traffic. R1 will be hosting an internet connection and sharing the default route information to R2. After initial configuration is complete, the company has some specific traffic security requirements that you will be responsible for implementing.
Note: There are over 100 items scored in this activity. Therefore, Packet Tracer will display the number of items currently correct instead of the percentage score.
Instructions
Part 1: Build the Network and Configure Basic Device Settings
Step 1: Cable the network as shown in the topology.
a. Cable and power on the devices as shown in the topology diagram. Use a console cable to connect a PC to each switch or router as you configure them. To access a switch or router, you must connect a console cable between the PCs and the device you wish to configure. We recommend connecting PC-A to R1 and PC-B to R2.
b. Then, when configuring the switches, connect PC-A to S1 and PC-B to S2. After you have connected the console cable, click the PC > Desktop tab > Terminal, and then click OK, to access the command line.
When changing a console cable to a new device, such as between a router and a switch, it is easier to click the end of the console cable and drag it back to the Cable Pegboard than it is to try to connect the cable directly to another device. After attaching a console cable to a different device, you must close and reopen the Terminal window to establish a new connection.
Step 2: Configure basic settings for each router.
a. Assign a device name to the router.
Router(config)# hostname R1
b. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names.
R1(config)# no ip domain lookup
c. Assign class as the privileged EXEC encrypted password.
R1(config)# enable secret class
d. Assign cisco as the console password and enable login.
R1(config)# line console 0 R1(config-line)# password cisco R1(config-line)# login
e. Assign cisco as the vty password. You will enable login later in this activity.
R1(config)# line vty 0 4 R1(config-line)# password cisco
f. Encrypt the plaintext passwords.
R1(config)# service password-encryption
g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
R1(config)# banner motd $ Authorized Users Only! $
h. Save the running configuration to the startup configuration file.
R1# copy running-config startup-config
Step 3: Configure basic settings for each switch.
a. Assign a device name to the switch.
Switch(config)# hostname S1
b. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names.
S1(config)# no ip domain-lookup
c. Assign class as the privileged EXEC encrypted password.
S1(config)# enable secret class
d. Assign cisco as the console password and enable login.
S1(config)# line console 0 S1(config-line)# password cisco S1(config-line)# login
e. Assign cisco as the vty password. You will enable login later in this activity.
S1(config)# line vty 0 15 S1(config-line)# password cisco
f. Encrypt the plaintext passwords.
S1(config)# service password-encryption
g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
S1(config)# banner motd $ Authorized Users Only! $
h. Save the running configuration to the startup configuration file.
S1(config)# exit S1# copy running-config startup-config
Part 2: Configure VLANs on the Switches
Step 1: Create VLANs on both switches.
a. Create and name the required VLANs on each switch from the VLAN table.
S1(config)# vlan 20 S1(config-vlan)# name Management S1(config-vlan)# vlan 30 S1(config-vlan)# name Operations S1(config-vlan)# vlan 40 S1(config-vlan)# name Sales S1(config-vlan)# vlan 999 S1(config-vlan)# name ParkingLot S1(config-vlan)# vlan 1000 S1(config-vlan)# name Native S1(config-vlan)# exit S2(config)# vlan 20 S2(config-vlan)# name Management S2(config-vlan)# vlan 30 S2(config-vlan)# name Operations S2(config-vlan)# vlan 40 S2(config-vlan)# name Sales S2(config-vlan)# vlan 999 S2(config-vlan)# name ParkingLot S2(config-vlan)# vlan 1000 S2(config-vlan)# name Native S2(config-vlan)# exit
b. Configure the management interface and default gateway on each switch using the IP address information in the Addressing Table.
S1(config)# interface vlan 20 S1(config-if)# ip address 10.20.0.2 255.255.255.0 S1(config-if)# no shutdown S1(config-if)# exit S1(config)# ip default-gateway 10.20.0.1 S1(config)# end S2(config)# interface vlan 20 S2(config-if)# ip address 10.20.0.3 255.255.255.0 S2(config-if)# no shutdown S2(config-if)# exit S2(config)# ip default-gateway 10.20.0.1 S2(config)# end
c. Assign all unused ports on the switch to the Parking Lot VLAN. Configure them for static access mode, and administratively deactivate them.
Note: The interface range command helps to accomplish this task with as few commands as necessary.
S1(config)# interface range f0/2 – 4, f0/7 – 24, g0/1 – 2 S1(config-if-range)# switchport mode access S1(config-if-range)# switchport access vlan 999 S1(config-if-range)# shutdown S1(config-if-range)# end S2(config)# interface range f0/2 – 4, f0/6 – 17, f0/19 – 24, g0/1 – 2 S2(config-if-range)# switchport mode access S2(config-if-range)# switchport access vlan 999 S2(config-if-range)# shutdown S2(config-if-range)# end
Step 2: Assign VLANs to the correct switch interfaces.
a. Assign used ports to the appropriate VLAN (specified in the VLAN table) and configure them for static access mode.
S1(config)# interface f0/6 S1(config-if)# switchport mode access S1(config-if)# switchport access vlan 30 S2(config)# interface f0/5 S2(config-if)# switchport mode access S2(config-if)# switchport access vlan 20 S2(config-if)# interface f0/18 S2(config-if)# switchport mode access S2(config-if)# switchport access vlan 40
b. Issue the show vlan brief command and verify that the VLANs are assigned to the correct interfaces.
S1# show vlan brief VLAN NameStatusPorts —- ——————————– ——— ——————————- 1defaultactiveFa0/1, Fa0/5 20Managementactive 30OperationsactiveFa0/6 40Salesactive 999ParkingLotactiveFa0/2, Fa0/3, Fa0/4, Fa0/7 Fa0/8, Fa0/9, Fa0/10, Fa0/11 Fa0/12, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Fa0/24, Gig0/1, Gig0/2 1000 Nativeactive 1002 fddi-defaultactive 1003 token-ring-defaultactive 1004 fddinet-defaultactive 1005 trnet-defaultactive S2# show vlan brief VLAN NameStatusPorts —- ——————————– ——— ——————————- 1defaultactiveFa0/1 20Managementactive 30Operationsactive 40SalesactiveFa0/18 999ParkingLotactiveFa0/2, Fa0/3, Fa0/4, Fa0/5 Fa0/6, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/19, Fa0/20, Fa0/21, Fa0/22 Fa0/23, Fa0/24, Gig0/1, Gig0/2 1000 Nativeactive 1002 fddi-defaultactive 1003 token-ring-defaultactive 1004 fddinet-defaultactive 1005 trnet-defaultactive
Part 3: Configure Trunking
Step 1: Manually configure trunk interface F0/1.
a. Change the switchport mode on interface F0/1 to force trunking. Make sure to do this on both switches.
S1(config)# interface f0/1 S1(config-if)# switchport mode trunk S2(config)# interface f0/1 S2(config-if)# switchport mode trunk
b. As a part of the trunk configuration, set the native vlan to 1000 on both switches. You may see error messages temporarily while the two interfaces are configured for different Native VLANs.
S1(config-if)# switchport trunk native vlan 1000 S2(config-if)# switchport trunk native vlan 1000
c. As another part of trunk configuration, specify that VLANs 10, 20, 30, and 1000 are allowed to cross the trunk.
S1(config-if)# switchport trunk allowed vlan 20,30,40,1000 S2(config-if)# switchport trunk allowed vlan 20,30,40,1000
d. Issue the show interfaces trunk command to verify trunking ports, the Native VLAN and allowed VLANs across the trunk.
S1# show interfaces trunk PortModeEncapsulationStatusNative vlan Fa0/1on802.1qtrunking1000 PortVlans allowed on trunk Fa0/120,30,40,1000 PortVlans allowed and active in management domain Fa0/120,30,40,1000 PortVlans in spanning tree forwarding state and not pruned Fa0/120,30,40,1000 S2# show interface trunk PortModeEncapsulationStatusNative vlan Fa0/1on802.1qtrunking1000 PortVlans allowed on trunk Fa0/120,30,40,1000 PortVlans allowed and active in management domain Fa0/130,40,1000 PortVlans in spanning tree forwarding state and not pruned Fa0/130,40
Step 2: Manually configure S1’s trunk interface F0/5.
a. Configure S1’s interface F0/5 with the same trunk parameters as F0/1. This is the trunk to R1.
S1(config)# interface f0/5 S1(config-if)# switchport mode trunk S1(config-if)# switchport trunk native vlan 1000 S1(config-if)# switchport trunk allowed vlan 20,30,40,1000
b. Save the running configuration to the startup configuration file.
S1# copy running-config startup-config
Part 4: Configure Routing
Step 1: Configure Inter-VLAN Routing on R1.
a. Activate interface G0/0/1 on the router.
R1(config)# interface g0/0/1 R1(config-if)# no shutdown
b. Configure sub-interfaces for each VLAN as specified in the Addressing Table. All sub-interfaces use 802.1Q encapsulation. Ensure the sub-interface for the Native VLAN does not have an IP address assigned. Include a description for each sub-interface.
R1(config)# interface g0/0/1.20 R1(config-subif)# description Management Network R1(config-subif)# encapsulation dot1q 20 R1(config-subif)# ip address 10.20.0.1 255.255.255.0 R1(config-subif)# interface g0/0/1.30 R1(config-subif)# encapsulation dot1q 30 R1(config-subif)# description Operations Network R1(config-subif)# ip address 10.30.0.1 255.255.255.0 R1(config-subif)# interface g0/0/1.40 R1(config-subif)# encapsulation dot1q 40 R1(config-subif)# description Sales Network R1(config-subif)# ip address 10.40.0.1 255.255.255.0 R1(config-subif)# interface g0/0/1.1000 R1(config-subif)# encapsulation dot1q 1000 native R1(config-subif)# description Native VLAN
c. Configure interface G0/0/1 on R1 with addressing from the Addressing Table.
R1(config)# interface g0/0/0 R1(config-if)# ip address 172.16.1.1 255.255.255.0 R1(config-if)# no shutdown
d. Use the show ip interface brief command to verify that the sub-interfaces are operational.
R1# show ip interface brief InterfaceIP-AddressOK? Method StatusProtocol GigabitEthernet0/0/0172.16.1.1YES manual upup GigabitEthernet0/0/1unassignedYES unsetupup GigabitEthernet0/0/1.2010.20.0.1YES manual upup GigabitEthernet0/0/1.3010.30.0.1YES manual upup GigabitEthernet0/0/1.4010.40.0.1YES manual upup GigabitEthernet0/0/1.1000unassignedYES unsetupup Vlan1unassignedYES unsetadministratively down down
Step 2: Configure the R2 interface g0/0/1 using the Addressing table and a default route with the next hop 10.20.0.1
R2(config)# interface g0/0/1 R2(config-if)# ip address 10.20.0.4 255.255.255.0 R2(config-if)# no shutdown R2(config-if)# exit R2(config)# ip route 0.0.0.0 0.0.0.0 10.20.0.1
Part 5: Configure Remote Access
Step 1: Configure all network devices for basic SSH support.
a. Create a local user with the username SSHadmin and $cisco123! as the encrypted password.
R1(config)# username SSHadmin secret $cisco123!
b. Use ccna-lab.com as the domain name.
R1(config)# ip domain name ccna-lab.com
c. Generate crypto keys using a 1024-bit modulus.
R1(config)# crypto key generate rsa general-keys modulus 1024
d. Configure the first five vty lines on each device to support SSH connections only and to authenticate to the local user database.
R1(config)# line vty 0 4 R1(config-line)# transport input ssh R1(config-line)# login local R1(config-line)# exit
Part 6: Verify Connectivity
Step 1: Configure PC hosts.
Refer to the Addressing Table for PC host address information.
Step 2: Complete the following tests. All should be successful.
Note: If you click Check Results, you will see that the five highlighted Connectivity Tests show as incorrect. This is because you have not implemented ACLs yet. After ACLs are implemented, these five highlighted Connectivity Tests should successfully fail.
| From | Protocol | Destination | Result |
|---|---|---|---|
| PC-A | Ping | 10.40.0.10 | Success |
| PC-A | Ping | 10.20.0.1 | Success |
| PC-B | Ping | 10.30.0.10 | Success |
| PC-B | Ping | 10.20.0.1 | Success |
| PC-B | Ping | 172.16.1.1 | Success |
| PC-B | HTTPS | 172.16.1.2 | Success |
| PC-A | HTTPS | 172.16.1.2 | Success |
| PC-B | SSH | 10.20.0.4 | Success |
| PC-B | SSH | 172.16.1.1 | Success |
Part 7: Configure and Verify Extended Access Control Lists
When basic connectivity is verified, the company requires the following security policies to be implemented:
Policy 1: The Sales Network is not allowed to SSH to the Management Network (but other SSH is allowed).
Policy 2: The Sales Network is not allowed to access server-A using any web protocol (HTTP/HTTPS). All other web traffic is allowed.
Policy 3: The Sales Network is not allowed to send ICMP echo requests to the Operations or Management Networks. ICMP echo requests to other destinations are allowed.
Policy 4: The Operations network is not allowed to send ICMP echo requests to the Sales Network. ICMP echo requests to other destinations are allowed.
Step 1: Develop and apply extended access lists that will meet the security policy statements.
R1(config)# access-list 101 remark ACL 101 fulfills policies 1, 2, and 3 R1(config)# access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22 R1(config)# access-list 101 deny tcp 10.40.0.0 0.0.0.255 172.16.1.2 0.0.0.0 eq 80 R1(config)# access-list 101 deny tcp 10.40.0.0 0.0.0.255 172.16.1.2 0.0.0.0 eq 443 R1(config)# access-list 101 deny icmp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo R1(config)# access-list 101 deny icmp 10.40.0.0 0.0.0.255 10.30.0.0 0.0.0.255 echo R1(config)# access-list 101 permit ip any any R1(config)# interface g0/0/1.40 R1(config-subif)# ip access-group 101 in R1(config)# access-list 102 remark ACL 102 fulfills policy 4 R1(config)# access-list 102 deny icmp 10.30.0.0 0.0.0.255 10.40.0.0 0.0.0.255 echo R1(config)# access-list 102 permit ip any any R1(config)# interface g0/0/1.30 R1(config-subif)# ip access-group 102 in
Step 2: Verify that security policies are being enforced by the deployed access lists.
Run the following tests. The expected results are shown in the table:
Note: Click Check Results to force Packet Tracer to run all the Connectivity Tests again.
| From | Protocol | Destination | Result |
|---|---|---|---|
| PC-A | Ping | 10.40.0.10 | Fail |
| PC-A | Ping | 10.20.0.1 | Success |
| PC-B | Ping | 10.30.0.10 | Fail |
| PC-B | Ping | 10.20.0.1 | Fail |
| PC-B | Ping | 172.16.1.1 | Success |
| PC-B | HTTPS | 172.16.1.2 | Fail |
| PC-A | HTTPS | 172.16.1.2 | Success |
| PC-B | SSH | 10.20.0.4 | Fail |
| PC-B | SSH | 172.16.1.1 | Success |
