ACCESS LIST SCENARIO

for BTEGITIM REMOTE LAB

1. SCENARIO: ACME COMPANY – Network Access Policy

Purpose: This lab is designed to improve your practical skills on the following Cisco Networking Academy Program topics:

Description: Acme Inc. is a multinational company whose headquarters are located in Istanbul. The Istanbul office is subdivided into three departments: Management, Sales and Engineering.

As Acme's network grows, the network support team decided to implement an access policy for reasons of both security and efficiency. The aim of this policy is to restrict network traffic flow between the Sales and Engineering Departments. The Management Department, however, should be able to communicate with the other departments without any restriction.

Objective: Fulfill the basic configuration tasks on the Management, Sales and Engineering Routers. Provide end-to-end connectivity inside the company's network using RIP as the routing protocol. Then implement the access policy described in the following paragraphs.

Tasks:

1. Erase initial router configurations. Fulfill the basic configuration tasks on the Management, Sales and Engineering Routers:

2. Implement the following basic traffic filtering policy using standard access lists (refer to the Departments figure in the Topology section).

3. Check your access-list configurations.

Note: After implementing the basic access policy described above, users started to complain about your strict rules. Restricting all network traffic between the Sales and Engineering Departments caused inefficiency, since these departments are not completely separated from each other. A wiser choice would therefore be to restrict the use of some services while permitting the others.

That's why you decided to implement a more granular policy, as described below:

4. Implement the following traffic filtering policy using extended access lists (refer to the Servers figure in the Topology section).

2. TOPOLOGY

2.1 Initial Topology (diagram)

2.2 Departments (diagram)

2.3 Servers (diagram)

3. CONFIGURATION

!!! Important Note: There is more than one solution for each step of this lab; different combinations of access-lists can be used to meet the requirements of this scenario.

Note: Before you start the lab, make sure that you are familiar with the commands listed below.

Basic Commands: erase start, copy run start, reload, enable, conf t, hostname, end, ping, telnet, access-list

Line Commands: line vty, line console, login, password

Interface Commands: interface, ip address, shutdown, clock rate, access-group

Routing protocol configuration commands: router rip, network

Show Commands: show controllers, show ip route, show access-lists, show ip access-lists

Debug Commands: debug ip rip

Step 1

Task: Erase initial router configurations. Fulfill the basic configuration tasks on the Management, Sales and Engineering Routers:

Note: In this lab it is assumed that you are familiar with these basic configuration steps, so a step-by-step explanation of Step 1 is out of the scope of this lab. If you have difficulties with this step, it is recommended that you first practice the BTEgitim CCNALab. You can also copy and paste the Step 1 configurations from the Solutions section.

Click to view the Solution

Step 2

Task: Implement the following traffic filtering policy using standard access lists. To fulfill this task you will create a standard IP access-list (use number 10) on each router and apply it to the Ethernet0 interface as an inbound access-list. To show the policy more clearly, the matrix of the required access policy is given below.

               Management   Engineering   Sales
Management         -            R           R
Engineering        R            -           T
Sales              R            T           -

Click to view the Solution

Step 3

Task: Check your access-list configurations:

Click to view the Solution

Step 4

Task: Implement the following traffic filtering policy using extended access lists. To fulfill this task you will create an extended IP access-list (use number 110) on each router and apply it to the Ethernet0 interface as an inbound access-list. To show the policy more clearly, the matrix of the required access policy is given below.

                          Engineering   Management   Sales
Engineering App Server         R            R          T
Engineering IRC Server         R            R          T
Sales App Server               T            R          R
Management File Server         T            R          T
Central App Server             R            R          R
DNS Server                     R            R          R

Note: Application Servers use TCP port 23, File Servers use TCP ports 20 and 21, IRC Servers use TCP port 194 and DNS Servers use TCP port 53.
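The following Python model is an added example and is not part of the BTEgitim lab or its solutions. It reproduces how IOS evaluates a numbered access-list (top-to-bottom, first match wins, implicit deny at the end, wildcard masks where a 1 bit means "do not care") so that the Step 2 standard list and the Step 4 extended list can be checked against sample packets before they are typed into a router. The Engineering and Management LANs come from the Step 1 configurations on this page; the Sales LAN, the server host addresses and the sample hosts are assumed, since the page does not give them. The last two functions show the two mistakes most often seen with these lists: a `permit any` typed first, and a list with no final permit.

```python
"""Added example (not the lab's own code): a model of IOS access-list
evaluation for checking the Step 2 and Step 4 policies."""
from ipaddress import IPv4Address

ENGINEERING = "192.168.11.0"        # from the ENGINEERING config on this page
MANAGEMENT = "192.168.12.0"         # from the MANAGEMENT config on this page
SALES = "192.168.13.0"              # ASSUMED: the Sales LAN is not shown on the page
ENG_APP_SERVER = "192.168.11.10"    # ASSUMED host address (TCP 23 per the Note)
ENG_IRC_SERVER = "192.168.11.11"    # ASSUMED host address (TCP 194 per the Note)

CLASS_C = "0.0.0.255"                 # wildcard for a /24, as written in IOS
HOST = "0.0.0.0"                      # wildcard for a single host ("host a.b.c.d")
ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry(action, proto="ip", src=ANY, dst=ANY, dport=None):
    """One access-list line. A standard list (1-99) only fills in src; an
    extended list (100-199) may also match protocol, destination and port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """Walk the list top to bottom; the first matching entry decides.
    Nothing matches -> the implicit 'deny any' at the end of every IOS list."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        return e["action"]
    return "deny"


# Step 2, the Sales/Engineering restriction as a standard list (source only):
#   access-list 10 deny   192.168.13.0 0.0.0.255
#   access-list 10 permit any
ACL_10 = [entry("deny", src=(SALES, CLASS_C)), entry("permit")]

# Step 4, the Engineering rows of the Servers matrix as an extended list:
# Sales loses only the two named Engineering services, everything else stays open.
#   access-list 110 deny tcp 192.168.13.0 0.0.0.255 host 192.168.11.10 eq 23
#   access-list 110 deny tcp 192.168.13.0 0.0.0.255 host 192.168.11.11 eq 194
#   access-list 110 permit ip any any
ACL_110 = [
    entry("deny", "tcp", (SALES, CLASS_C), (ENG_APP_SERVER, HOST), 23),
    entry("deny", "tcp", (SALES, CLASS_C), (ENG_IRC_SERVER, HOST), 194),
    entry("permit"),
]

# Constructed sample hosts, one per department LAN.
SALES_HOST, MGMT_HOST, ENG_HOST = "192.168.13.5", "192.168.12.5", "192.168.11.5"


def tcp(src, dst, dport):
    """A minimal packet description: only the fields the lists look at."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}


def step2_decisions():
    """Standard list: every Sales source is dropped, Management passes."""
    return {
        "sales->eng": evaluate(ACL_10, tcp(SALES_HOST, ENG_APP_SERVER, 23)),
        "mgmt->eng": evaluate(ACL_10, tcp(MGMT_HOST, ENG_APP_SERVER, 23)),
    }


def step4_decisions():
    """Extended list: only the named services are closed to Sales."""
    return {
        "sales->app:23": evaluate(ACL_110, tcp(SALES_HOST, ENG_APP_SERVER, 23)),
        "sales->irc:194": evaluate(ACL_110, tcp(SALES_HOST, ENG_IRC_SERVER, 194)),
        "sales->irc:80": evaluate(ACL_110, tcp(SALES_HOST, ENG_IRC_SERVER, 80)),
        "mgmt->app:23": evaluate(ACL_110, tcp(MGMT_HOST, ENG_APP_SERVER, 23)),
        "eng->app:23": evaluate(ACL_110, tcp(ENG_HOST, ENG_APP_SERVER, 23)),
    }


def misordered_list():
    """Pitfall 1: 'permit ip any any' typed first shadows every deny after it."""
    return evaluate(list(reversed(ACL_110)), tcp(SALES_HOST, ENG_APP_SERVER, 23))


def deny_only_list():
    """Pitfall 2: without the final permit only the implicit deny remains,
    so even Management traffic is dropped."""
    return evaluate(ACL_110[:2], tcp(MGMT_HOST, ENG_APP_SERVER, 23))


if __name__ == "__main__":
    print(step2_decisions())
    print(step4_decisions())
    print("misordered:", misordered_list(), "deny-only:", deny_only_list())
```

Because a standard list can only test the source address, ACL_10 drops every packet from the Sales LAN regardless of service; ACL_110 is what makes the "restrict some services, permit the others" policy of Step 4 possible. The two pitfall functions are worth keeping in mind when reading `show access-lists` output: IOS appends new lines to the end of a numbered list, so the order you type them in is the order they are evaluated.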


Click to view the Solution

Step 5

Task: Check your access-list configurations for Application Servers.

Click to view the Solution

4. SOLUTIONS

Solution for Step 1

Note: If you can’t fulfill the required tasks for Step 1, you can upload the configurations listed below to the appropriate routers to provide connectivity. To do this:

1. Copy the configuration to the clipboard.
2. Paste the configuration while the router is in global configuration mode.

ENGINEERING

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ENGINEERING
!
enable secret 5 $1$56AM$rhB5dH1DVpK7/UnDPiyTj1
!
ip subnet-zero
!
!
!
interface Ethernet0
 ip address 192.168.11.1 255.255.255.0
 no ip directed-broadcast
 no shutdown
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
 no shutdown
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet0/0
 ip address 192.168.11.1 255.255.255.0
 no ip directed-broadcast
 no shutdown
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 64000
 no shutdown
!
router rip
 network 192.168.1.0
 network 192.168.11.0
!
ip classless
!
!
line con 0
 password btegitim
 login
 transport input none
line aux 0
line vty 0 4
 password btegitim
 login
!
end

MANAGEMENT

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MANAGEMENT
!
enable secret 5 $1$4ooN$glNetx..6d9C5mfbJ9bnB0
!
ip subnet-zero
!
!
!
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 no ip directed-broadcast
 no shutdown
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 64000
 no shutdown
!
interface Serial0/1
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
 no shutdown
!
interface Ethernet0
 ip address 192.168.12.1 255.255.255.0
 no ip directed-broadcast
 no shutdown
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
 no shutdown
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
 no shutdown
!
router rip
 network 192.168.2.0
 network 192.168.1.0
 network 192.168.12.0
!
ip classless
!
!
line con 0
 exec-timeout 0 0
 password btegitim
 login
 transport input none
line aux 0
line vty 0 4
 password btegitim
 login
!
no scheduler allocate
end

SALES

!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname SALES
!
enable se