Lab Objective:
The objective of this lab exercise is for you to configure static routes and ACLs on Cisco routers.
Lab Purpose:
These are classic exam subjects you should be very familiar with. Rather than watch a video solution, I have provided show runs and test commands where appropriate.
Certification Level:
This lab is suitable for both CCENT and CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 5/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the topology above. You should be able to ping across the Serial interface only because there are no routes from the Loopback networks.
Task 2:
Configure static routes with an exit interface on RouterA so it can reach the networks on the Loopbacks for RouterB. On RouterB, configure a default route so all traffic for any networks are sent out of the Serial interface. Ping all networks to check connectivity.
Task 3:
Add an extended ACL on RouterB to deny all Telnet, HTTP, and DNS traffic incoming. Ensure that you enable Telnet on the router for the vty lines for testing. Test your ACL on RouterB by telnetting to RouterB from RouterA. Testing the HTTP and DNS will be a little harder without hosts, so just compare your configuration to mine.
Task 4:
Add a named ACL on Router A so that only hosts on network 172.16.1.0 can telnet to hosts on network 192.168.1.0. Ensure that you enable Telnet on the router.
Test your ACL on RouterA by trying to telnet from both Loopbacks on RouterB.
Solution
Show Runs
RouterA interface Loopback0 ip address 192.168.1.1 255.255.255.240 ! interface Loopback1 ip address 192.168.2.1 255.255.255.224 ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface Serial0/0 ip address 10.0.0.1 255.255.255.0 ip access-group block_telnet in clock rate 2000000 ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! ip forward-protocol nd ip route 172.16.0.0 255.255.240.0 Serial0/0 ip route 172.20.0.0 255.255.252.0 Serial0/0 ! ! no ip http server no ip http secure-server ! ip access-list extended block_telnet permit tcp 172.16.0.0 0.0.15.255 192.168.1.0 0.0.0.15 eq telnet deny tcp any any eq telnet permit ip any any ! control-plane ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 password cisco login line vty 5 903 password cisco login ! end R1# RouterB interface Loopback0 ip address 172.16.1.1 255.255.240.0 ! interface Loopback1 ip address 172.20.1.1 255.255.252.0 ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface Serial0/0 ip address 10.0.0.2 255.255.255.0 ip access-group 100 in clock rate 2000000 ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! ip route 0.0.0.0 0.0.0.0 Serial0/0 ! no ip http server no ip http secure-server ! access-list 100 deny tcp any any eq telnet access-list 100 deny tcp any any eq www access-list 100 deny udp any any eq domain access-list 100 deny tcp any any eq domain access-list 100 permit ip any any ! control-plane ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 password cisco login line vty 5 903 password cisco login ! ! end
TEST:
RB#telnet 192.168.1.1 /source-interface loopback1 Trying 192.168.1.1 ... % Destination unreachable; gateway or host down RB#telnet 192.168.1.1 /source-interface loopback0 Trying 192.168.1.1 ... Open User Access Verification Password:
Note: DNS primarily uses UDP on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers. Some resolver implementations use TCP for all queries. For more information on DNS, refer to the website below: http://en.wikipedia.org/wiki/Domain_Name_System