CCNA 2 Practice Lab 2 Solutions
CCNA 2: Routers and Routing Basics v3.0, Copyright 2003, Cisco Systems, Inc.

Objective

To increase network security with an access control list.

Scenario

Given the network 199.1.10.0/24, provide four subnets that each support at least 25 hosts. The current network requires two of the subnets; the other two are reserved for future use. Use IGRP as the active routing protocol.

Security must be provided for the web server hosted by the ISP. Allow all users on the local network access to the HTTP service on the web server. Host A belongs to the web administrator and needs full access, including the ability to ping the web server. Deny all users from other networks any access to the web server.

Configure all routers with a hostname and use "cisco" for the console and enable secret passwords.

Step 1  Cable the lab

Cable the lab according to the topology in the diagram. Attach a workstation to the FastEthernet 0 interface on RouterA and configure it with the appropriate IP address. Host A and the web server are to be assigned the fifth usable IP address on their subnets. The addresses used throughout this solution are 199.1.10.68 for Host A and 200.200.200.38 for the web server; strictly these are the fourth and sixth usable addresses of their /27 subnets, so whichever addresses you pick, keep them consistent with the access list in Step 10, which names Host A's address explicitly.

Step 2  ISP router configuration

On the ISP router configure the hostname, console password, enable secret password, and telnet (vty) access.

Router>enable
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable secret cisco
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#

The enable secret is stored as a salted MD5 hash (it appears as "enable secret 5 ..." in the running configuration). The console and vty passwords are stored in clear text (at best reversibly obfuscated as type 7 if service password-encryption is configured), and a vty password alone means Telnet carries "cisco" unencrypted across the serial link; both are acceptable only in a lab.

Step 3  Configure the interfaces on the ISP router

After calculating the IP address requirements, 199.1.10.0/24 is divided into /27 subnets (mask 255.255.255.224, 30 usable addresses each). The network between ISP and RouterA is 199.1.10.32/27, and the serial interface on the ISP router is assigned the first usable IP address on that subnet, 199.1.10.33. The web server's network, 200.200.200.32/27, is connected to the ISP's FastEthernet 0.
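The subnet calculation behind Steps 1 and 3, worked through in code. This is an added Python example, not part of the Cisco lab: it carves 199.1.10.0/24 into the /27 subnets the "at least 25 hosts" requirement implies, and for each one reports the first usable address (the router interface), the fifth usable address (what the lab text assigns to hosts) and the wildcard mask an extended ACL needs for that subnet. The solution skips the first subnet (199.1.10.0/27) and uses 199.1.10.32/27 for the serial link and 199.1.10.64/27 for the LAN; it also uses 199.1.10.68 for Host A, whereas the fifth usable address of that subnet is 199.1.10.69, which is the discrepancy noted in Step 1. The constants and function names are this example's own.

```python
import ipaddress

# Constructed from the lab scenario: 199.1.10.0/24 must yield four subnets
# of at least 25 hosts. (Added example; not from the original lab.)
BASE_NETWORK = ipaddress.ip_network("199.1.10.0/24")
HOSTS_REQUIRED = 25
SUBNETS_REQUIRED = 4


def prefix_for_hosts(hosts):
    """Longest prefix whose block still holds `hosts` usable addresses.
    Each subnet loses two addresses (network and directed broadcast)."""
    prefix = 30
    while 2 ** (32 - prefix) - 2 < hosts:
        prefix -= 1
    return prefix


def address_plan(base=BASE_NETWORK, hosts=HOSTS_REQUIRED, count=SUBNETS_REQUIRED):
    """Carve `count` equal subnets out of `base` and record, for each one,
    the addresses the lab hands out: first usable for the router interface,
    fifth usable for a host, plus the wildcard mask an extended ACL needs."""
    prefix = prefix_for_hosts(hosts)
    if 2 ** (prefix - base.prefixlen) < count:
        raise ValueError("base network too small for the requested subnets")
    plan = []
    for net in list(base.subnets(new_prefix=prefix))[:count]:
        usable = list(net.hosts())          # excludes network and broadcast
        plan.append({
            "network": str(net),
            "mask": str(net.netmask),
            "wildcard": str(net.hostmask),  # inverse of the mask, e.g. 0.0.0.31
            "first_usable": str(usable[0]),
            "fifth_usable": str(usable[4]),
            "usable_hosts": len(usable),
        })
    return plan


def wildcard_for(network):
    """Wildcard (inverse) mask for a network written in prefix form, as used
    in 'access-list 100 permit tcp 199.1.10.64 0.0.0.31 ...'."""
    return str(ipaddress.ip_network(network).hostmask)


if __name__ == "__main__":
    for entry in address_plan():
        print(entry)
```

Run it as a script to print the plan; wildcard_for("200.200.200.32/27") gives the 0.0.0.31 mask that would be needed if the web server subnet itself ever had to appear as a range in an ACL.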
Use the following commands to configure the IP addresses on the ISP router interfaces:

ISP(config)#interface fastethernet 0
ISP(config-if)#ip address 200.200.200.33 255.255.255.224
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip address 199.1.10.33 255.255.255.224
ISP(config-if)#clock rate 56000
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#

Step 4  Enable IGRP on the ISP router

Configure the IGRP routing protocol on this router with the following commands. IGRP is classful, so the network statements name the classful networks 199.1.10.0 and 200.200.200.0, not the /27 subnets.

ISP(config)#router igrp 100
ISP(config-router)#network 199.1.10.0
ISP(config-router)#network 200.200.200.0
ISP(config-router)#exit
ISP(config)#

Step 5  RouterA configuration

On RouterA configure the hostname, console and enable secret passwords, and telnet (vty) access.

Router>enable
Router#configure terminal
Router(config)#hostname RouterA
RouterA(config)#enable secret cisco
RouterA(config)#line console 0
RouterA(config-line)#password cisco
RouterA(config-line)#login
RouterA(config-line)#exit
RouterA(config)#line vty 0 4
RouterA(config-line)#password cisco
RouterA(config-line)#login
RouterA(config-line)#exit
RouterA(config)#

Step 6  Configure the interfaces on RouterA

After calculating the IP address requirements, the network between ISP and RouterA is 199.1.10.32/27 and the local network is 199.1.10.64/27. Serial 0 on RouterA takes the second usable address of the link subnet, 199.1.10.34, and FastEthernet 0 takes the first usable address of the local subnet, 199.1.10.65. Use the following commands to configure the interfaces on RouterA.

RouterA(config)#interface fastethernet 0
RouterA(config-if)#ip address 199.1.10.65 255.255.255.224
RouterA(config-if)#no shutdown
RouterA(config-if)#exit
RouterA(config)#interface serial 0
RouterA(config-if)#ip address 199.1.10.34 255.255.255.224
RouterA(config-if)#no shutdown
RouterA(config-if)#exit

Step 7  Enable IGRP on RouterA

Configure the IGRP routing protocol on this router with the following commands. RouterA has interfaces only in 199.1.10.0, so a single network statement is needed; the route to 200.200.200.0 will be learned from the ISP.
RouterA(config)#router igrp 100
RouterA(config-router)#network 199.1.10.0
RouterA(config-router)#end
RouterA#

Step 8  Test routing on RouterA

Use the show ip route command to check the routing table.

RouterA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

I    200.200.200.0/24 [100/80135] via 199.1.10.33, 00:00:53, Serial0
     199.1.10.0/27 is subnetted, 2 subnets
C       199.1.10.64 is directly connected, FastEthernet0
C       199.1.10.32 is directly connected, Serial0

The I entry shows that IGRP has learned the web server's network from the ISP. Because IGRP is classful, the ISP summarizes 200.200.200.32/27 to 200.200.200.0/24 when advertising it across the serial link, which lies in a different major network; the 199.1.10.64/27 subnet, by contrast, is exchanged between the routers unsummarized because both ends of the link belong to 199.1.10.0/24.

Use the ping command to test connectivity to the ISP router and the web server.

RouterA#ping 200.200.200.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms

RouterA#ping 200.200.200.38

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Step 9  Test the routing on ISP

Use the show ip route command on the ISP router to verify that the ISP router learns about the local network on RouterA.
ISP#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     200.200.200.0/27 is subnetted, 1 subnets
C       200.200.200.32 is directly connected, FastEthernet0
     199.1.10.0/27 is subnetted, 2 subnets
I       199.1.10.64 [100/80135] via 199.1.10.34, 00:00:25, Serial0
C       199.1.10.32 is directly connected, Serial0

The I entry for 199.1.10.64 confirms that the ISP router has learned RouterA's local subnet through IGRP.

Use the ping command to test connectivity with Host A.

ISP#ping 199.1.10.68

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.1.10.68, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms

Verify that Host A can communicate with the web server. From the command prompt on Host A, ping the web server.

C:\>ping 200.200.200.38

Pinging 200.200.200.38 with 32 bytes of data:

Reply from 200.200.200.38: bytes=32 time=23ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126

Ping statistics for 200.200.200.38:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 23ms, Average = 20ms

A TTL of 126 in the replies is consistent with replies that start at TTL 128 and are decremented once by each of the two routers on the way back.

Step 10  Configure an ACL

To implement the security requirements, create an extended access control list on the ISP router. An extended ACL (numbered 100 to 199) can match on protocol, source, destination and port, all of which the requirements need; a standard ACL filters on source address only. Use the following commands to create the access control list.
ISP#configure terminal
ISP(config)#access-list 100 permit tcp 199.1.10.64 0.0.0.31 host 200.200.200.38 eq 80
ISP(config)#access-list 100 permit ip host 199.1.10.68 host 200.200.200.38
ISP(config)#access-list 100 permit icmp host 199.1.10.68 host 200.200.200.38

The first entry permits HTTP (TCP port 80) from any host in the local subnet 199.1.10.64/27 (wildcard mask 0.0.0.31, the inverse of 255.255.255.224) to the web server. The second permits all IP traffic from Host A to the web server, which covers the administrator's ping requirement. The third entry is redundant: ICMP from Host A to the web server is IP traffic from the same source to the same destination, so the second entry always matches first and the third never does (its match counter in show access-lists stays at zero). Every IOS access list ends with an implicit deny ip any any, so anything not permitted above, including HTTP from other networks and ping from ordinary local hosts, is dropped. Entries are evaluated in the order entered, and a numbered ACL cannot be edited in place; to change it, remove it with no access-list 100 and re-enter all of its lines.

Apply the access list to the interface.

ISP(config)#interface fastethernet 0
ISP(config-if)#ip access-group 100 out
ISP(config-if)#exit

Applied outbound on FastEthernet 0, the list filters only packets leaving the ISP router toward the web server's LAN. Packets it denies have already crossed the serial link before they are dropped, and traffic the ISP router originates itself, such as its IGRP updates, is not checked by an outbound ACL.

Test the access control list

From Host A, ping the web server, then use a web browser to connect to the web server at http://200.200.200.38. Both succeed, because Host A matches the permit ip entry.

C:\>ping 200.200.200.38

Pinging 200.200.200.38 with 32 bytes of data:

Reply from 200.200.200.38: bytes=32 time=20ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126
Reply from 200.200.200.38: bytes=32 time=20ms TTL=126

Ping statistics for 200.200.200.38:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 20ms, Average = 20ms

Change the IP address of Host A to 195.111.222.40 and try to ping the web server again, then try the web browser.

C:\>ping 200.200.200.38

Pinging 200.200.200.38 with 32 bytes of data:

Reply from 199.1.10.33: Destination net unreachable.
Reply from 199.1.10.33: Destination net unreachable.
Reply from 199.1.10.33: Destination net unreachable.
Reply from 199.1.10.33: Destination net unreachable.

Ping statistics for 200.200.200.38:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The replies come from 199.1.10.33, the ISP router's Serial 0 address: the ISP router drops the echo requests and returns an ICMP destination unreachable message (IOS uses the administratively-prohibited code for packets an ACL denies), which Windows displays as "Destination net unreachable" and counts as a received packet, hence the reported 0% loss. HTTP from 195.111.222.40 is denied too, because the only entry that permits port 80 is restricted to sources in 199.1.10.64/27 and the implicit deny catches everything else, so the browser will not load the page from this address. To verify the intended behaviour for an ordinary local user, set Host A instead to another unused address in 199.1.10.64/27 (for example 199.1.10.70): the web page then loads, while ping fails with the same unreachable message, because only Host A's own address 199.1.10.68 is permitted to send ICMP. Restore Host A to 199.1.10.68 afterwards.

View the active configuration on the ISP. Note that IOS displays the port by its well-known name, eq www, although it was entered as eq 80, and that line vty 5 has login but no password, so a sixth simultaneous Telnet session will be refused with "Password required, but none set".

ISP#show running-config
Building configuration...

Current configuration : 899 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP
!
enable secret 5 $1$qgwz$oQRmbgjWD2ffgOtJb4opd0
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0
 ip address 200.200.200.33 255.255.255.224
 ip access-group 100 out
 speed auto
!
interface Serial0
 ip address 199.1.10.33 255.255.255.224
 clockrate 56000
!
interface Serial1
 no ip address
 shutdown
!
router igrp 100
 network 199.1.10.0
 network 200.200.200.0
!
ip classless
no ip http server
ip pim bidir-enable
!
access-list 100 permit tcp 199.1.10.64 0.0.0.31 host 200.200.200.38 eq www
access-list 100 permit ip host 199.1.10.68 host 200.200.200.38
access-list 100 permit icmp host 199.1.10.68 host 200.200.200.38
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
line vty 5
 login
!
no scheduler allocate
end

View the active configuration on RouterA.

RouterA#show running-config
Building configuration...

Current configuration : 603 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA
!
enable secret 5 $1$uszn$tPjMEwUxpqbWaApy549/J.
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface FastEthernet0
 ip address 199.1.10.65 255.255.255.224
 speed auto
!
interface Serial0
 ip address 199.1.10.34 255.255.255.224
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
router igrp 100
 network 199.1.10.0
!
ip classless
no ip http server
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
end

Other command output after proper configuration

RouterA#show interface fastethernet 0
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0002.1761.7998 (bia 0002.1761.7998)
  Internet address is 199.1.10.65/27
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:27, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     473 packets input, 42594 bytes
     Received 292 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     360 packets output, 62748 bytes, 0 underruns
     6 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     6 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

RouterA#show interface serial 0
Serial0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 199.1.10.34/27
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:09, output hang never
  Last clearing of "show interface" counters 00:29:58
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     262 packets input, 18135 bytes, 0 no buffer
     Received 230 broadcasts, 0 runts, 0 giants, 0 throttles
     3 input errors, 0 CRC, 3 frame, 0 overrun, 0 ignored, 0 abort
     271 packets output, 16646 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

ISP#show interface fastethernet 0
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0007.50ef.1b19 (bia 0007.50ef.1b19)
  Internet address is 200.200.200.33/27
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:23, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     404 packets input, 33505 bytes
     Received 217 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     326 packets output, 34434 bytes, 0 underruns
     7 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     7 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

ISP#show interface serial 0
Serial0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 199.1.10.33/27
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:08, output hang never
  Last clearing of "show interface" counters 00:32:03
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     284 packets input, 17498 bytes, 0 no buffer
     Received 249 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     273 packets output, 18718 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     6 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

The output errors on both FastEthernet interfaces equal their lost-carrier counts and the counters have never been cleared, so they record cable events during setup rather than packets dropped by the ACL; ACL denials are counted per entry in show access-lists, not in interface error counters.

ISP#show ip interface brief
Interface        IP-Address       OK? Method Status                Protocol
FastEthernet0    200.200.200.33   YES manual up                    up
Serial0          199.1.10.33      YES manual up                    up
Serial1          unassigned       YES unset  administratively down down

RouterA#show ip interface brief
Interface        IP-Address       OK? Method Status                Protocol
FastEthernet0    199.1.10.65      YES manual up                    up
Serial0          199.1.10.34      YES SLARP  up                    up
Serial1          unassigned       YES unset  administratively down down