Posted by: Simple Learning
Category: Security
Prerequisites: CCNP level skills.
NOTE!
Initial configuration for this lab can be downloaded here.
Topology
Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.
Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all the destinations behind R1.
Task 3
Upon successful completion of Task 2, remove the ACL from the router.
Solution
Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.
R1 Config:
!
router eigrp 1
network 10.0.1.1 0.0.0.0
network 172.16.123.1 0.0.0.0
network 172.16.215.1 0.0.0.0
no auto-summary
!
R2 Config:
!
interface Serial0/0
ip address 172.16.123.2 255.255.255.0
encapsulation frame-relay
no ip split-horizon eigrp 1
clock rate 2000000
frame-relay map ip 172.16.123.1 201 broadcast
frame-relay map ip 172.16.123.2 201
frame-relay map ip 172.16.123.3 203 broadcast
no frame-relay inverse-arp
!
router eigrp 1
network 10.0.2.2 0.0.0.0
network 172.16.27.2 0.0.0.0
network 172.16.123.2 0.0.0.0
no auto-summary
!
R3 Config:
!
router eigrp 1
network 10.0.3.3 0.0.0.0
network 172.16.123.3 0.0.0.0
no auto-summary
!
R5 Config:
!
router eigrp 1
network 10.0.5.5 0.0.0.0
network 172.16.215.5 0.0.0.0
no auto-summary
!
SW1 Config:
! the command below is required when you use a real L3 switch, not Dynamips
ip routing
!
router eigrp 1
network 10.0.7.7 0.0.0.0
network 172.16.27.7 0.0.0.0
no auto-summary
!
SW2 Config:
! the command below is required when you use a real L3 switch, not Dynamips
ip routing
!
router eigrp 1
network 10.0.8.8 0.0.0.0
network 172.16.215.8 0.0.0.0
no auto-summary
!
Verification:
Using a Tcl script on R2 (tclsh enters the shell, tclquit leaves the shell):
foreach address {
10.0.1.1
10.0.2.2
10.0.3.3
10.0.5.5
10.0.7.7
10.0.8.8
} { ping $address }
Pic. 2 - Ping Test.
Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all destinations behind R1.
R1 Config:
!
access-list 1 deny 172.16.27.0 0.0.0.255
access-list 1 permit any
!
interface Serial0/0
ip address 172.16.123.1 255.255.255.0
ip access-group 1 in
encapsulation frame-relay
clock rate 2000000
frame-relay map ip 172.16.123.2 102 broadcast
no frame-relay inverse-arp
!
Verification:
Pic. 3 - Ping Test.
Note! A ping sourced from Vlan 27 fails, but a ping sourced from SW1's loopback (not in 172.16.27.0) succeeds.
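The first-match logic behind this result, as an added Python example (not part of the original lab): it parses the two ACL 1 lines from R1 and evaluates them against source addresses taken from the lab configs; the function names are illustrative. A standard ACL matches on the source address only, which is why the list is applied inbound on R1, next to the destinations.

```python
import ipaddress

# ACL 1 exactly as configured on R1 in Task 2.
ACL_TEXT = """\
access-list 1 deny 172.16.27.0 0.0.0.255
access-list 1 permit any
"""

def parse_acl(text):
    """Parse numbered standard ACL lines into (action, base, wildcard) tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, src = tok[2], tok[3]
        if src == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src == "host":
            base, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            base = int(ipaddress.IPv4Address(src))
            # A bare address with no wildcard matches that single host.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, base, wild))
    return entries

def evaluate(entries, source):
    """First match wins; wildcard bits set to 1 are ignored. No match = implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wild in entries:
        if (addr | wild) == (base | wild):
            return action
    return "deny"

acl = parse_acl(ACL_TEXT)
# Source addresses taken from the lab configs above.
SOURCES = {
    "SW1 Vlan 27 interface": "172.16.27.7",
    "R2 Vlan 27 interface": "172.16.27.2",
    "SW1 Loopback": "10.0.7.7",
    "R2 Serial0/0 (EIGRP neighbor of R1)": "172.16.123.2",
}
if __name__ == "__main__":
    for name, ip in SOURCES.items():
        print(f"{name:38} {ip:14} {evaluate(acl, ip)}")
    # Without the trailing 'permit any', the implicit deny also drops R2's
    # EIGRP packets arriving on Serial0/0, and the adjacency would go down.
    print("no permit any:", evaluate(acl[:1], "172.16.123.2"))
```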
Task 3
Upon successful completion of Task 2, remove the ACL from the router.
R1 Config:
!
no access-list 1
!
int s0/0
no ip access-group 1 in
!