Lab 5.5.1 Basic Access Control Lists

traffic with a source address from the 192.168.11.0/24 network from accessing the LAN on R3.

To remove the ACL, go to interface configuration mode for Serial 0/0/1 on R3. Use the no ip access-group STND-1 in command to remove the ACL from the interface.

    R3(config)#interface serial 0/0/1
    R3(config-if)#no ip access-group STND-1 in

Use the show running-config command to confirm that the ACL has been removed from Serial 0/0/1.

Step 2: Apply ACL STND-1 on S0/0/1 outbound.

To test the importance of ACL filtering direction, reapply the STND-1 ACL to the Serial 0/0/1 interface. This time the ACL will be filtering outbound traffic, rather than inbound traffic. Remember to use the out keyword when applying the ACL.

    R3(config)#interface serial 0/0/1
    R3(config-if)#ip access-group STND-1 out

Step 3: Test the ACL.

Test the ACL by pinging from PC2 to PC3. As an alternative, use an extended ping from R1. Notice that this time pings succeed, and the ACL counters are not incremented. Confirm this by issuing the show ip access-list command on R3.

Step 4: Restore the ACL to its original configuration.

Remove the ACL from the outbound direction and reapply it to the inbound direction.

    R3(config)#interface serial 0/0/1
    R3(config-if)#no ip access-group STND-1 out
    R3(config-if)#ip access-group STND-1 in

Step 5: Apply TASK-5 to the R2 serial 0/0/0 interface inbound.

    R2(config)#interface serial 0/0/0
    R2(config-if)#ip access-group TASK-5 in

Step 6: Test the ACL.

Attempt to communicate to any device connected to R2 or R3 from R1 or its attached networks. Notice that all communication is blocked; however, ACL counters are not incremented. This is because of the implicit "deny all" at the end of every ACL. This deny statement will prevent all inbound traffic to serial 0/0/0 from any source other than R3. Essentially, this will cause routes from R1 to be removed from the routing table.

You should see messages similar to the following printed on the consoles of R1 and R2 (it will take some time for the OSPF neighbor relationship to go down, so be patient):

    *Sep 4 09:51:21.757: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.11.1 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

Once you receive this message, issue the command show ip route on both R1 and R2 to see which routes have been removed from the routing table.

Remove ACL TASK-5 from the interface, and save your configurations.

    R2(config)#interface serial 0/0/0
    R2(config-if)#no ip access-group TASK-5 in
    R2(config)#exit
    R2#copy run start

All contents are Copyright © 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
CCNA Exploration. Accessing the WAN: Access Control Lists (ACLs). Lab 5.5.1 Basic Access Control Lists

Task 7: Document the Router Configurations

Configurations

Router 1

    hostname R1
    !
    enable secret class
    !
    no ip domain lookup
    !
    interface FastEthernet0/0
     ip address 192.168.10.1 255.255.255.0
     no shutdown
    !
    interface FastEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     no shutdown
    !
    interface Serial0/0/0
     ip address 10.1.1.1 255.255.255.252
     ip access-group EXTEND-1 out
     clockrate 64000
     no shutdown
    !
    router ospf 1
     network 10.1.1.0 0.0.0.3 area 0
     network 192.168.10.0 0.0.0.255 area 0
     network 192.168.11.0 0.0.0.255 area 0
    !
    ip access-list extended EXTEND-1
     deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225
     permit ip any any
    !
    banner motd ^CUnauthorized access strictly prohibited, violators will be
    prosecuted to the full extent of the law.^
    !
    line con 0
     password cisco
     logging synchronous
     login
    !
    line vty 0 4
     password cisco
     login
    !

Router 2

    hostname R2
    !
    enable secret class
    !
    no ip domain lookup
    !
    interface Loopback0
     ip address 209.165.200.225 255.255.255.224
    !
    interface FastEthernet0/1
     ip address 192.168.20.1 255.255.255.0
     no shutdown
    !
    interface Serial0/0/0
     ip address 10.1.1.2 255.255.255.252
     no shutdown
    !
    interface Serial0/0/1
     ip address 10.2.2.1 255.255.255.252
     clockrate 125000
     no shutdown
    !
    router ospf 1
     no auto-cost
     network 10.1.1.0 0.0.0.3 area 0
     network 10.2.2.0 0.0.0.3 area 0
     network 192.168.20.0 0.0.0.255 area 0
     network 209.165.200.224 0.0.0.31 area 0
    !
    ip access-list standard TASK-5
     permit 10.2.2.0 0.0.0.3
     permit 192.168.30.0 0.0.0.255
    !
    banner motd ^Unauthorized access strictly prohibited, violators will be
    prosecuted to the full extent of the law.^
    !
    line con 0
     password cisco
     logging synchronous
     login
    !
    line vty 0 4
     access-class TASK-5 in
     password cisco
     login
    !

Router 3

    hostname R3
    !
    enable secret class
    !
    no ip domain lookup
    !
    interface FastEthernet0/1
     ip address 192.168.30.1 255.255.255.0
     no shutdown
    !
    interface Serial0/0/1
     ip address 10.2.2.2 255.255.255.252
     ip access-group STND-1 out
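Added example, not part of the Cisco lab: a small Python model of the Step 6 behavior, showing why TASK-5 applied inbound on R2 Serial0/0/0 drops everything arriving from R1 (including the OSPF hellos sourced from 10.1.1.1) while no entry counter increments. The ACL entries are taken from the R2 configuration with wildcard masks written in full dotted form (0.0.0.3, 0.0.0.255); the host addresses ending in .10 are constructed sample values.

```python
import ipaddress

# TASK-5 as listed in the R2 configuration: (action, network, wildcard mask)
TASK_5 = [
    ("permit", "10.2.2.0", "0.0.0.3"),
    ("permit", "192.168.30.0", "0.0.0.255"),
]

def wildcard_match(src, network, wildcard):
    """True when src equals network on every bit the wildcard leaves at 0."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    care = ~w & 0xFFFFFFFF          # wildcard bit 0 = must match, 1 = ignore
    return (s & care) == (n & care)

def evaluate(acl, sources):
    """Run source addresses through a standard ACL, top-down, first match wins.

    Returns (verdicts, counters). Counters exist only for configured entries,
    so packets dropped by the implicit deny are not counted anywhere.
    """
    counters = [0] * len(acl)
    verdicts = {}
    for src in sources:
        verdicts[src] = "implicit deny"
        for i, (action, network, wildcard) in enumerate(acl):
            if wildcard_match(src, network, wildcard):
                counters[i] += 1
                verdicts[src] = action
                break
    return verdicts, counters

# Constructed sample traffic arriving inbound on R2 Serial0/0/0 (link to R1).
FROM_R1 = ["10.1.1.1",       # R1 S0/0/0, the source of R1's OSPF hellos
           "192.168.10.10",  # hypothetical host on R1's Fa0/0 LAN
           "192.168.11.10"]  # hypothetical host on R1's Fa0/1 LAN
# Constructed sample sources on the R3 side, for contrast.
FROM_R3 = ["10.2.2.2", "192.168.30.10"]

if __name__ == "__main__":
    for label, sources in (("from R1", FROM_R1), ("from R3", FROM_R3)):
        verdicts, counters = evaluate(TASK_5, sources)
        print(label, verdicts, "entry counters:", counters)
```

Because a standard ACL matches on source address only, the hellos from 10.1.1.1 fall through both permit entries, which is what lets the dead timer expire on the adjacency.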