
Ing. Adriana Collaguazo J.

PRACTICAL ACCESS CONTROL LIST (ACL) SCENARIOS


1) You want users from the accounting LAN to not have access to the Human Resources server. The following access list has been created:

    access-list 10 deny 192.168.10.128 0.0.0.31
    access-list 10 permit any

According to the following diagram, which interface of which router, and in which direction, should the access list be placed to prevent accounting users from accessing the network attached to the E0 interface of Lab_B?
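To see exactly which source addresses ACL 10 catches before deciding where to place it, the following added example (not part of the original worksheet) evaluates the two lines above the way a standard ACL is processed: source address only, wildcard-mask comparison, first match wins, implicit deny at the end. The function names are hypothetical.

```python
import ipaddress

# ACL 10 exactly as given in scenario 1
ACL_10 = """\
access-list 10 deny 192.168.10.128 0.0.0.31
access-list 10 permit any
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Turn 'access-list N permit|deny SRC [WILDCARD]' lines into (action, addr, wildcard)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, src = tok[2], tok[3]
        if src == "any":                      # any = 0.0.0.0 255.255.255.255
            addr, wc = 0, 0xFFFFFFFF
        elif src == "host":                   # host A.B.C.D = A.B.C.D 0.0.0.0
            addr, wc = to_int(tok[4]), 0
        else:
            addr = to_int(src)
            wc = to_int(tok[4]) if len(tok) > 4 else 0
        entries.append((action, addr, wc))
    return entries

def evaluate(entries, source_ip):
    """Return the action of the first matching entry, or the implicit deny."""
    ip = to_int(source_ip)
    for action, addr, wc in entries:
        # Wildcard bit 1 means "ignore this bit", 0 means "must match".
        if (ip | wc) == (addr | wc):
            return action
    return "deny"                             # implicit 'deny any' ends every ACL

def matched_range(addr, wc):
    """First and last address covered by an address/wildcard pair (contiguous masks)."""
    first = addr & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(addr | wc))

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10)
    print("deny line covers", matched_range(acl[0][1], acl[0][2]))
    for src in ("192.168.10.127", "192.168.10.128", "192.168.10.159", "192.168.10.160"):
        print(src, "->", evaluate(acl, src))
```

Because the list tests only the source address, every packet from the denied range is dropped wherever the list is applied, regardless of destination, which is what makes the interface and direction the deciding factors.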

2) In this lab topology, the loopback interfaces on R2 simulate two Class C networks connected to the router. ACLs will be used to control access to these subnets. The loopback 0 interface will represent a network of management workstations, and the loopback 1 interface will represent a limited-access engineering network. In this network, it is necessary to have at least one management workstation on the 192.168.200.0/24 subnet along with other user workstations. The management workstation is assigned a static IP address of 192.168.200.10. The user workstations consume the rest of the IP addresses on the network. The ACL should allow the management workstation access to the networks attached to R2, but not allow access to these networks from the other hosts on the 192.168.200.0 network. A Standard ACL is being used and will be placed on R2, because R2 is closest to the destination. Create a Standard ACL on R2 to be used for access to the attached networks. This ACL will allow the 192.168.200.10 host access and deny all others. After the ACL has been created, it must be applied to an interface on the router.

| Device | Host Name | FastEthernet 0/0 IP Address | Serial 0/0/0 IP Address | Serial 0/0/0 Interface Type | Loopback Interface Addresses |
|---|---|---|---|---|---|
| Router 1 | R1 | 192.168.200.1/24 | 192.168.100.1/30 | DCE | n/a |
| Router 2 | R2 | n/a | 192.168.100.2/30 | DTE | Lo0 192.168.1.1/32, Lo1 192.168.2.1/32 |
| Switch 1 | S1 | n/a | n/a | n/a | n/a |

3) Host 3 in this network contains proprietary information. Security requirements for this network dictate that only certain devices should be allowed access to this machine. Host 1 is the only host that will be allowed to access this computer. All other hosts on this network are used for guest access and should not be allowed access to Host 3. In addition, Host 3 is the only computer in the network that is allowed to access R1 interfaces for remote management. Extended ACLs will be used to control access on this network.

Itemize the list of requirements for clarity:

- Host 1 can access Host 3.
- All other hosts (on that network only) cannot access Host 3.
- Any additional hosts added on other networks in the future should be able to access Host 3 because they will not be guest-accessible machines.
- Host 3 can access the R1 interfaces. All other devices on the network will not have access.

Analyze the requirements and determine placement of Extended access control lists.

| Device | Host Name | FastEthernet 0/0 / Host IP Address | Serial 0/0/0 IP Address | Serial 0/0/0 Interface Type | Default Gateway |
|---|---|---|---|---|---|
| Router 1 | R1 | 192.168.1.1/24 | 192.168.15.1/30 | DCE | |
| Router 2 | R2 | 192.168.5.1/24 | 192.168.15.2/30 | DTE | |
| Switch 1 | S1 | | | | |
| Host 1 | H1 | 192.168.1.10/24 | | | 192.168.1.1 |
| Host 2 | H2 | 192.168.1.11/24 | | | 192.168.1.1 |
| Host 3 | H3 | 192.168.5.10/24 | | | 192.168.5.1 |

4) Create a Standard ACL that will not allow hosts on the R1 LAN to Telnet to R2 but will allow hosts on the R2 LAN to Telnet to their attached router.

| Device | Host Name | FastEthernet 0/0 / Host IP Address | Serial 0/0/0 IP Address | Serial 0/0/0 Interface Type | Default Gateway | Enable Secret Password | Enable, vty, and Console Password |
|---|---|---|---|---|---|---|---|
| Router 1 | R1 | 192.168.15.1/24 | 192.168.16.1/24 | DTE | | class | cisco |
| Router 2 | R2 | 192.168.17.1/24 | 192.168.16.2/24 | DCE | | class | cisco |
| Switch 1 | S1 | | | | | class | cisco |
| Switch 2 | S2 | | | | | class | cisco |
| Host 1 | H1 | 192.168.15.2/24 | | | 192.168.15.1 | | |
| Host 2 | H2 | 192.168.15.3/24 | | | 192.168.15.1 | | |
| Host 3 | H3 | 192.168.17.2/24 | | | 192.168.17.1 | | |
| Host 4 | H4 | 192.168.17.3/24 | | | 192.168.17.1 | | |

5) ACLs will be configured to control what services Hosts 1 and 2 can access from the server. An ACL will be created that allows Host 1 web (HTTP) and FTP access to the server but denies Host 2. Host 2 will be allowed to telnet to the server, but this service is denied to Host 1. These ACLs will be configured and verified with show commands and logging.

Create an ACL based on the requirements previously outlined. This ACL is applied to R1.

a. From Host 1, open a web browser and attempt to connect to the web and FTP services on the server. In the web browser address textbox, enter http://172.17.1.1. Is the web connection from Host 1 successful? __________

b. In the web browser address textbox, enter ftp://172.17.1.1. Is the FTP connection from Host 1 successful? __________

c. Attempt to connect to the web and FTP services on the server from Host 2. Are you able to connect from Host 2? __________

d. Attempt to telnet to the server from Host 1 and Host 2. Is the Telnet connection from Host 1 successful? __________ Is the Telnet connection from Host 2 successful? __________

Use the command show access-lists to display the access control list and associated statistics.

| Device | Host Name | FastEthernet 0/0 Interface / Host IP Address | Serial 0/0/0 IP Address | Serial 0/0/0 Interface Type | Network Statements |
|---|---|---|---|---|---|
| Router 1 | R1 | 192.168.1.1/24 | 192.168.5.1/30 | DCE | 192.168.1.0, 192.168.5.0 |
| Router 2 | R2 | 172.17.0.1/16 | 192.168.5.2/30 | DTE | 192.168.5.0, 172.17.0.0 |
| Switch 1 | S1 | | | | |
| Host 1 | Host 1 | 192.168.1.5/24 GW=192.168.1.1 | | | |
| Host 2 | Host 2 | 192.168.1.6/24 GW=192.168.1.1 | | | |
| Discovery Server | Server | 172.17.1.1/16 GW=172.17.0.1 | | | |
