
CCNA2 Skills Activity lab Solutions_NACL

2018-09-07 · 8 pages · doc · 436KB · 4 views

Packet Tracer 4.0 Skill Building Activity: Lab NACL Solution Document

Objective
Use Packet Tracer to complete the following skills:
· Add a device to the network
· Configure static and dynamic routing
· Configure a named ACL

Scenario
This topology represents the simplest routed network, ideal for studying RIP routing behavior together with ACL configuration.

Required Files
To complete this lab, you will need the following Packet Tracer Activity (.pka) files:
· CCNA2_Skills_Activity_Step1_RIP.pka
· CCNA2_Skills_Activity_Step2_Static.pka
· CCNA2_Skills_Activity_Step3_NACL.pka

Plan: Familiarize yourself with the PT 4.0 help menu in case you have questions.

Act 1: Configure and Test RIP Routing

Open "CCNA2_Skills_Activity_Step1_RIP.pka" and follow the instructions, which are repeated here:

Step 1 Enable all interfaces, verify the IP address configuration, and configure clock rates of 56000.

On DALLAS, all interfaces are administratively down. Enable the FastEthernet 0/0 and Serial 0/0 interfaces with the no shutdown command. On the serial interface, set a clock rate of 56000 (DALLAS is the DCE end of that link) and enter the no shutdown command.

    Router(config)#int fa0/0
    Router(config-if)#no shutdown
    Router(config-if)#int s0/0
    Router(config-if)#no shutdown
    Router(config-if)#clock rate 56000

On HOUSTON, both the Serial 0/0 and Serial 0/1 interfaces are administratively down. Bring both interfaces up with the no shutdown command.

    Router(config)#int s0/0
    Router(config-if)#no shutdown
    Router(config-if)#int s0/1
    Router(config-if)#no shutdown

On FT WORTH, all interfaces are administratively down. Enable the FastEthernet 0/0 and Serial 0/0 interfaces with the no shutdown command. On the Serial 0/0 interface, set a clock rate of 56000.

    Router(config)#int fa0/0
    Router(config-if)#no shutdown
    Router(config-if)#int s0/0
    Router(config-if)#no shutdown
    Router(config-if)#clock rate 56000

Step 2 Configure routers HOUSTON, FT WORTH, and DALLAS with RIP, advertising all necessary networks.

In practice this means students should advertise only the networks of the correctly configured interfaces on each router:

    DALLAS(config)#router rip
    DALLAS(config-router)#network 192.168.1.0
    DALLAS(config-router)#network 192.168.2.0
    HOUSTON(config)#router rip
    HOUSTON(config-router)#network 192.168.2.0
    HOUSTON(config-router)#network 192.168.3.0
    FT WORTH(config)#router rip
    FT WORTH(config-router)#network 192.168.3.0
    FT WORTH(config-router)#network 192.168.4.0

Step 3 Using the Packet Tracer inspect tool and then the CLI, view the routing tables on all three routers. Test connectivity between the PCs within the 192.168.0.0 networks with simple PDU and CLI pings and explain the results. View the ip route tables and ensure that all routes are present. Each router should have a complete routing table showing routes to every network on the other two routers.

Step 4 In simulation mode, use the event filter to view only RIP packets and use the capture/forward button to animate the RIP updates.

Step 5 Experiment, trying various "what if" packet scenarios.

Reflect:
1) Why is configuring a routing protocol necessary to establish communications between PC0 and PC2?
Because the PCs are on different LANs and no static routes have been configured; without RIP each router knows only its directly connected networks and has no route for the other LANs.

2) As a ping packet travels from PC0 to PC2, describe which layer 2 and layer 3 addresses stay the same, and which ones change.
The layer 3 addresses (source IP of PC0, destination IP of PC2) stay the same end to end. The layer 2 addresses are rewritten at every hop: on PC0's LAN the destination MAC is that of its default gateway interface, on PC2's LAN the source MAC is the exit interface of the last router and the destination MAC is PC2's own, and the serial links in between carry no MAC addresses at all.

3) Are all generated routing updates necessary? Explain.
Routing updates are necessary between routers; however, updates sent out some interfaces, such as the Ethernet interfaces facing the PCs, are unnecessary because workstations cannot use them (and they needlessly disclose the routing topology to the LAN). They can be suppressed with passive-interface fa0/0 under router rip.

Act 2: Add and configure devices in Packet Tracer and enable static and default routing

Open "CCNA2_Skills_Activity_Step2_Static.pka" and follow the instructions, which are repeated here:

Step 1 Add a 2621 router (Router4) to the network configuration. Refer to the network diagram above. A WIC-2T module must be added to the device to enable serial connections. Be sure to power off the router before adding the module and power it back on when the task is complete. Attach the Router4 Serial 0/0 interface to the Serial 0/2 interface on HOUSTON. HOUSTON will provide clocking.
The new router, Router4, will not have a WIC, so the student will need to power off the router and install a WIC-2T module by dragging the module onto the router under the Physical tab (Physical Device View).

Step 2 Configure Router4 with the display name NEW ORLEANS. Device names are case-sensitive. Configure the Serial 0/0 interface with the second IP address in the 200.200.2.0/24 network.
The display name is found under the Config tab of the router.

    NEW ORLEANS(config)#interface Serial 0/0
    NEW ORLEANS(config-if)#ip address 200.200.2.2 255.255.255.0
    NEW ORLEANS(config-if)#no shutdown

Step 3 Configure HOUSTON Serial 0/2 with the first IP address in the 200.200.2.0/24 network and use a clock rate of 56000.

    HOUSTON(config)#interface Serial 0/2
    HOUSTON(config-if)#ip address 200.200.2.1 255.255.255.0
    HOUSTON(config-if)#clock rate 56000
    HOUSTON(config-if)#no shutdown

Step 4 Add an end-user device (PC3) and connect PC3 to the FastEthernet 0/0 interface on NEW ORLEANS.
Because PC3 is attached directly to the NEW ORLEANS FastEthernet interface with no switch in between, a crossover cable must be used for this connection.

Step 5 Configure the NEW ORLEANS Fa0/0 interface with the first IP address of the 55.5.5.0/24 network. Configure PC3 with the second IP address of the 55.5.5.0/24 network. Be sure to set the default gateway on PC3.
The default gateway for the LAN is 55.5.5.1, the address of the Fa0/0 interface. The IP address for PC3 is 55.5.5.2, with a subnet mask of 255.255.255.0.

    NEW ORLEANS(config)#int fa0/0
    NEW ORLEANS(config-if)#ip address 55.5.5.1 255.255.255.0
    NEW ORLEANS(config-if)#no shutdown

    PC3
    IP address: 55.5.5.2
    Subnet mask: 255.255.255.0
    Default gateway: 55.5.5.1

Step 6 Configure a default route on HOUSTON pointing to the next-hop IP address on NEW ORLEANS. Also configure default routes on FT WORTH and DALLAS pointing to the next-hop IP address on HOUSTON.

    HOUSTON(config)#ip route 0.0.0.0 0.0.0.0 200.200.2.2
    FT WORTH(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
    DALLAS(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2

Step 7 Configure NEW ORLEANS with a static route to the 192.168.0.0/16 address space that points to the next-hop IP address on HOUSTON.

    NEW ORLEANS(config)#ip route 192.168.0.0 255.255.0.0 200.200.2.1

Step 8 Using the Packet Tracer inspect tool and then the CLI, view the routing tables on all routers. Test connectivity between PC1 and PC3 using a simple PDU and CLI pings. Explain the results.

Step 9 In simulation mode, use the event filter to run various "what if" scenarios.

Reflect:
1) Why was it necessary to configure a static route on the NEW ORLEANS router?
Because NEW ORLEANS does not run RIP, so without the static route it would know nothing about how to reach the 192.168.0.0 networks behind DALLAS, HOUSTON, and FT WORTH, and replies to PC3's traffic would be dropped.

2) Why was it necessary to configure the default routes on FT WORTH and DALLAS to HOUSTON and not NEW ORLEANS?
Because the ip route command needs either the outgoing interface or a next-hop IP address on a directly connected network; a router cannot forward to a next hop it is not adjacent to. Neither FT WORTH nor DALLAS has a link to NEW ORLEANS; their only neighbor is HOUSTON, so the next hops are 192.168.3.1 and 192.168.2.2 respectively.

3) What effect would removing the default route on either the FT WORTH or DALLAS routers have on the network?
On that router, any traffic destined for networks other than 192.168.1.0, 192.168.2.0, 192.168.3.0, and 192.168.4.0 (for example the 55.5.5.0/24 LAN) would have no matching route and would be dropped; the other routers would be unaffected.

4) Since all routers are configured with default routes, is RIP still necessary? Explain.
Yes. For communication between the LANs of DALLAS, HOUSTON, and FT WORTH, RIP is necessary because without it the default routes merely direct the traffic for those LANs out toward NEW ORLEANS, whose static route for 192.168.0.0/16 sends it straight back to HOUSTON; the packets would bounce between HOUSTON and NEW ORLEANS until their TTL expired.

Act 3: Configure a Named ACL

Open "CCNA2_Skills_Activity_Step3_NACL.pka" and follow the instructions, which are repeated here:

Create and apply the named ACLs to implement the following security policies. Be sure to enter the statements in the order specified.

Step 1 HOUSTON security policy using named ACL FW1:
1. Any host outside the 192.168.0.0/16 network should be permitted HTTP (TCP port 80) to host 192.168.4.2.
2. Any host outside the 192.168.0.0/16 network should be permitted FTP (TCP port 21) access to host 192.168.4.2.
3. Any host outside the 192.168.0.0/16 network should be able to ping host 192.168.4.2.
4. All other access should be implicitly denied.

    HOUSTON(config)#ip access-list extended FW1
    HOUSTON(config-ext-nacl)#permit tcp any host 192.168.4.2 eq 80
    HOUSTON(config-ext-nacl)#permit tcp any host 192.168.4.2 eq 21
    HOUSTON(config-ext-nacl)#permit icmp any host 192.168.4.2

Note that HTTP and FTP both run over TCP; an entry written as permit udp any host 192.168.4.2 eq 80 would never match a browser's connection, and the implicit deny would drop it. Port 21 is only the FTP control channel: an active-mode data connection is opened by the server from port 20 and leaves HOUSTON outbound on Serial 0/2, where nothing filters it, whereas a passive-mode data connection arrives inbound on a random high port and is denied by this list.

Step 2 Apply the FW1 named access list to the correct interface. Be sure to specify whether the ACL is applied for inbound or outbound filtering.
NOTE: This access list should NOT affect the capabilities of any hosts within the 192.168.0.0/16 network.
Serial 0/2 is the interface facing NEW ORLEANS, and filtering inbound there means only traffic entering from outside is checked:

    HOUSTON(config)#interface Serial 0/2
    HOUSTON(config-if)#ip access-group FW1 in

Step 3 DALLAS security policy using named ACL DAL:
1) All access from host 192.168.4.2 to host 192.168.1.2 should be blocked.
2) All other traffic from the 192.168.0.0/16 network should be allowed full access.
3) Any other traffic should be implicitly denied.

    DALLAS(config)#ip access-list extended DAL
    DALLAS(config-ext-nacl)#deny ip host 192.168.4.2 host 192.168.1.2
    DALLAS(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 any

Step 4 Apply the DAL named access list to the correct interface. Be sure to specify whether the ACL is applied for inbound or outbound filtering.
Outbound on FastEthernet 0/0 filters everything leaving DALLAS toward the 192.168.1.0 LAN, including traffic from 55.5.5.0/24, which no entry permits:

    DALLAS(config)#interface FastEthernet 0/0
    DALLAS(config-if)#ip access-group DAL out

Step 5 Using the Packet Tracer inspect tool and the CLI, view the routing tables on all routers. Test connectivity between the PCs within the 192.168.0.0 network and to the external network 55.5.5.0/24 with simple PDU and CLI pings and explain the results.

Step 6 In simulation mode, use the event filter to run various "what if" scenarios. Use complex PDU packets to test that host 55.5.5.2 has HTTP (port 80) access to 192.168.4.2.

Reflect:
1) A packet travels through the HOUSTON router to reach the various subnets. At what point does the router evaluate the packet to determine if it is permitted or denied access?
FW1 is applied inbound on Serial 0/2, so the packet is checked as it arrives on that interface, before any routing decision. The router compares the packet against the entries top-down and stops at the first entry whose protocol, addresses and port match; if no entry matches, the implicit deny at the end of the list drops it.

2) A packet travels through the DALLAS router to reach various destinations. At what point does the router evaluate the packet to determine if it is permitted or denied access?
Since DAL is applied in the outbound direction, the packet is first routed; only if it must leave through FastEthernet 0/0 does the router check it against each ACL statement sequentially until a match is found, and then apply that statement's permit or deny.

3) Do the servers and other devices on the 192.168.1.96/27 network have more limited access to devices outside the network due to the ACL configured on the HOUSTON router?
The ACL on HOUSTON denies all inbound traffic other than what it specifically permits. The nodes on the 192.168.1.96 network can still initiate an exchange, because the ACL never sees their traffic as the source of communication (it leaves Serial 0/2 outbound). However, the replies come back inbound on Serial 0/2, where nothing in FW1 permits traffic to those hosts, so they are implicitly denied. The ACL is stateless; it does not remember who opened the connection. So indirectly, yes, the ACL does limit their access to devices outside the subnet. The usual remedy for TCP is an entry such as permit tcp any 192.168.0.0 0.0.255.255 established, which matches only returning segments with the ACK or RST bit set.

4) Was a standard or extended ACL necessary to complete the requirements of the two security policies? Explain.
An extended ACL is necessary because the policies filter on protocol, port, and destination host. Standard ACLs match on source address only.

5) Is the order in which the access-list statements are applied important? Could the access list on DALLAS be ordered any other way? Explain.
Yes, order matters, because IOS applies the first match, not the best match. The ACL on DALLAS has to deny the specific host pair before permitting everyone else; if the permit ip 192.168.0.0 0.0.255.255 any entry came first, traffic from 192.168.4.2 to 192.168.1.2 would match it and the deny would never be reached. Remind the students of the ACL rule: specific hosts should be filtered first, and groups or general filters should come last.

CCNP 1: Advanced Routing v3.0 - Lab 1.4.1 Copyright © 2003, Cisco Systems, Inc.
Packet Tracer 4.0 Activity Copyright © 2006, Cisco Systems, Inc.
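The Act 2 reflections above (why NEW ORLEANS needs the 192.168.0.0/16 static, why DALLAS and FT WORTH must point their defaults at HOUSTON, what removing a default route does, and why RIP is still needed) can be checked mechanically. The following is an added example, not part of the Packet Tracer activity: a Python model of the four routing tables as the lab builds them, with a longest-prefix lookup and a hop-by-hop trace. The interface addresses the page never prints (DALLAS Fa0/0 192.168.1.1, DALLAS S0/0 192.168.2.1, FT WORTH S0/0 192.168.3.2, FT WORTH Fa0/0 192.168.4.1) are assumptions; 192.168.2.2, 192.168.3.1, 200.200.2.1/.2 and 55.5.5.1 follow from the commands on the page.

```python
"""Forwarding trace over the Act 2 routing tables (added example, not IOS).

Interface addresses not printed on the page (192.168.1.1, 192.168.2.1,
192.168.3.2, 192.168.4.1) are assumptions; the rest come from the lab.
"""
import copy
from ipaddress import ip_address, ip_network

# Each route: (prefix, next hop or None, source) with C=connected, R=RIP, S=static.
ROUTERS = {
    "DALLAS": {
        "addrs": ["192.168.1.1", "192.168.2.1"],
        "routes": [("192.168.1.0/24", None, "C"), ("192.168.2.0/24", None, "C"),
                   ("192.168.3.0/24", "192.168.2.2", "R"), ("192.168.4.0/24", "192.168.2.2", "R"),
                   ("0.0.0.0/0", "192.168.2.2", "S")],
    },
    "HOUSTON": {
        "addrs": ["192.168.2.2", "192.168.3.1", "200.200.2.1"],
        "routes": [("192.168.2.0/24", None, "C"), ("192.168.3.0/24", None, "C"),
                   ("200.200.2.0/24", None, "C"),
                   ("192.168.1.0/24", "192.168.2.1", "R"), ("192.168.4.0/24", "192.168.3.2", "R"),
                   ("0.0.0.0/0", "200.200.2.2", "S")],
    },
    "FT WORTH": {
        "addrs": ["192.168.3.2", "192.168.4.1"],
        "routes": [("192.168.3.0/24", None, "C"), ("192.168.4.0/24", None, "C"),
                   ("192.168.1.0/24", "192.168.3.1", "R"), ("192.168.2.0/24", "192.168.3.1", "R"),
                   ("0.0.0.0/0", "192.168.3.1", "S")],
    },
    "NEW ORLEANS": {
        "addrs": ["200.200.2.2", "55.5.5.1"],
        "routes": [("200.200.2.0/24", None, "C"), ("55.5.5.0/24", None, "C"),
                   ("192.168.0.0/16", "200.200.2.1", "S")],
    },
}


def connected_prefix(router, ip):
    """Return the connected prefix of `router` that contains `ip`, else None."""
    for prefix, _, source in router["routes"]:
        if source == "C" and ip_address(ip) in ip_network(prefix):
            return prefix
    return None


def next_hop_is_connected(tables, name, next_hop):
    """A static route's next hop must lie on one of that router's own
    connected networks; this is why DALLAS and FT WORTH point at HOUSTON."""
    return connected_prefix(tables[name], next_hop) is not None


def lookup(router, dst):
    """Longest-prefix match: the /0 default only wins when nothing else matches."""
    best = None
    for prefix, nh, source in router["routes"]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nh, source)
    return best


def owner_of(tables, ip):
    """Which router holds interface address `ip`, i.e. who the next hop is."""
    return next((name for name, r in tables.items() if ip in r["addrs"]), None)


def trace(tables, src, dst, max_hops=16):
    """Walk the packet router by router from the source host's gateway.
    Returns (status, path) with status 'delivered', 'no route' or 'loop'."""
    current = next(name for name, r in tables.items() if connected_prefix(r, src))
    path = []
    for _ in range(max_hops):
        path.append(current)
        route = lookup(tables[current], dst)
        if route is None:
            return "no route", path          # nothing matched, packet dropped
        _, nh, source = route
        if source == "C":
            return "delivered", path         # destination is on a local LAN
        current = owner_of(tables, nh)
    return "loop", path                      # TTL would expire in a real network


def without_routes(tables, name=None, source=None, prefix=None):
    """Copy of `tables` with matching routes removed, simulating `no ip route`
    (prefix=...) or `no router rip` (source="R"); name=None means every router."""
    out = copy.deepcopy(tables)
    for n, r in out.items():
        if name in (None, n):
            r["routes"] = [rt for rt in r["routes"]
                           if not ((source is None or rt[2] == source)
                                   and (prefix is None or rt[0] == prefix))]
    return out


if __name__ == "__main__":
    print(trace(ROUTERS, "192.168.1.2", "55.5.5.2"))
    print(trace(without_routes(ROUTERS, "DALLAS", prefix="0.0.0.0/0"), "192.168.1.2", "55.5.5.2"))
    print(trace(without_routes(ROUTERS, source="R"), "192.168.1.2", "192.168.4.2"))
    print(next_hop_is_connected(ROUTERS, "DALLAS", "200.200.2.2"))
```

The third trace is the Reflect 4 case: with every RIP route stripped, a packet from the DALLAS LAN to 192.168.4.2 follows the defaults to NEW ORLEANS, whose /16 static hands it back to HOUSTON, and the two routers pass it back and forth until the hop limit.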
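The Act 3 reflections (where FW1 and DAL are evaluated, why the DAL entries cannot be reordered, and why replies to inside hosts are dropped) are easiest to see by running packets through the lists. The following is an added example, not part of the Packet Tracer activity or Cisco's code: a small Python model of how IOS walks an extended named ACL top-down, stops at the first matching entry, and falls through to the implicit deny. FW1 is entered with tcp for port 80, since HTTP is TCP; the packets, the interface names and the `check` helper are constructed for the example.

```python
"""First-match evaluation of the Act 3 named ACLs (added example, not IOS).

Models top-down, first-match ACL processing with wildcard masks and the
implicit deny. Packets and the APPLIED binding table are constructed here.
"""
from ipaddress import ip_address

# FW1 as it should read: HTTP and FTP control are TCP, so port 80 uses tcp.
FW1 = [
    "permit tcp any host 192.168.4.2 eq 80",
    "permit tcp any host 192.168.4.2 eq 21",
    "permit icmp any host 192.168.4.2",
]
DAL = [
    "deny ip host 192.168.4.2 host 192.168.1.2",
    "permit ip 192.168.0.0 0.0.255.255 any",
]
# Where each list is bound: (router, interface, direction) -> ACL.
APPLIED = {
    ("HOUSTON", "Serial0/2", "in"): FW1,
    ("DALLAS", "FastEthernet0/0", "out"): DAL,
}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def parse_ace(line):
    """Parse the entry syntax used on this page:
    permit|deny <proto> <src> <dst> [eq <port>], where an address is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address plus wildcard)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return (addr, "0.0.0.0")
        addr, wild, rest = rest[0], rest[1], rest[2:]
        return (addr, wild)

    src, dst = take_addr(), take_addr()
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """Return (action, entry) for the first matching entry, else the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], line
    return "deny", "implicit deny"


def check(router, interface, direction, pkt):
    """Apply whatever ACL is bound to that interface and direction; a packet
    crossing an interface with no ACL in that direction is not inspected."""
    acl = APPLIED.get((router, interface, direction))
    if acl is None:
        return "permit", "no ACL applied"
    return evaluate(acl, pkt)


if __name__ == "__main__":
    http = {"proto": "tcp", "src": "55.5.5.2", "dst": "192.168.4.2", "dport": 80}
    print(check("HOUSTON", "Serial0/2", "in", http))
    # A reply from 55.5.5.2 to an inside host other than 192.168.4.2 arrives
    # inbound on Serial0/2 and hits the implicit deny: the ACL is stateless.
    reply = {"proto": "tcp", "src": "55.5.5.2", "dst": "192.168.1.2", "dport": 1025}
    print(check("HOUSTON", "Serial0/2", "in", reply))
    # Reversing DAL makes its deny entry dead code, because first match wins.
    blocked = {"proto": "icmp", "src": "192.168.4.2", "dst": "192.168.1.2"}
    print(evaluate(DAL, blocked), evaluate(DAL[::-1], blocked))
```

Running the same HTTP packet with `"proto": "udp"` shows why the page's original "udp port 80" entry would have failed the Step 6 test: no entry matches and the implicit deny drops it.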