5.5.1 Packet Tracer - IPv4 ACL Implementation Challenge

Captions
Hi friends, welcome to the world. In this video we are going to solve this Packet Tracer activity, IPv4 ACL Implementation Challenge. Before coming to this activity, friends, if you would like to get any CCNA version 7 online classes or any technical support, you can contact our team using our website link, which you will get from the description below. Also, if you would like to get these types of technical videos in future, consider subscribing, and don't forget to enable that bell icon so that you will get a notification message whenever we upload a new video.

Now back to this activity. Here we can see our addressing table. Coming to the objectives: configure a router with standard named ACLs, configure a router with extended named ACLs, then configure a router with extended ACLs to meet specific communication requirements, then configure an ACL to control access to network device terminal lines, then configure the appropriate router interfaces with ACLs in the appropriate direction, and finally verify the operation of the configured access control lists. We will go through the scenario: in this activity we will configure extended, standard named and extended named ACLs to meet specified communication requirements. Yes, in this activity we will configure both the standard as well as extended access control lists.

Coming to the instructions. Step 1: verify connectivity in the new company network. First, test connectivity on the network as it is before configuring the ACLs. All hosts should be able to ping all other hosts. So we will verify the connectivity; we will get the IP addresses from this addressing table. We will ping from PC1; we will get the IP address of PC2. PC1, command prompt, ping to PC2: we get the replies. We will ping to PC3: we get the replies. Perfect. Now we will ping to Admin. So we can see HQ, here we can see Internet User, and here is our Admin PC, so we'll ping from PC1 to this Admin. Perfect. Then we will ping to Enterprise Web Server. We may get one or two "request timed out" when you do the con, I mean when you do the ping, so here we are waiting for the replies. Perfect, it's working. We'll ping to Branch PC from PC-1; we may get one "request timed out" due to convergence. Yeah, now we get the replies. Again we will ping to Branch Server, so apparently I will get the IP address, and here we can see we get the replies. Perfect. Here we'll get the IP address of Internet User. Okay, just I will get the IP address of this External Web Server, and here we get the replies. Finally it's pinging; we may get "request timed out", and we get the replies. It's working.

Step 2: configure standard and extended access control lists per requirements. Configure ACLs to meet the following requirements. Important guidelines: do not use explicit deny any statements at the end of your ACLs; use the shorthand, that is host and any, whenever possible; write your ACL statements to address the requirements in the order that they are specified here; place your ACLs in the most efficient location and direction. These are some important guidelines they have given before configuring a standard or extended access control list.

Coming to ACL 1 requirements: create ACL 101, that means an extended access control list. Explicitly block FTP access to the Enterprise Web Server from the internet. No ICMP traffic from the internet should be allowed to any host on HQ LAN1. Allow all other traffic. Okay, once more we will see access control list 1 requirements. We have to create an extended access control list using this number, 101, and explicitly block FTP access to the Enterprise Web Server from the internet. That means the devices from this internet are not allowed to access FTP from this Enterprise Web Server. Okay, perfect. Then no ICMP traffic from the internet should be allowed to any host on HQ LAN1. That means the devices from this internet are not allowed to ping to this HQ LAN1, that means to this network. Then allow all other traffic. First of all we will implement this access control list, then we will go to ACL 2. So we have to implement it in this router HQ. Okay, we'll go to HQ: enable, conf t, that means configure terminal. Here we will create the access list 101, and we have to deny FTP, right? So we will give deny tcp. Then we have to specify all the devices from this internet; that means we can give any source device, so here we can give any. Otherwise we can put a question mark: type tcp, then put a space, then put a question mark so that we can see any source host. Okay, so we can give any here. Then we will give host, then we have to specify the IP address of our server, that is Enterprise Web Server. We will get that from this server itself; I will copy this address. HQ, and here we can paste that command, I mean that IP address, then eq ftp. We are going to deny FTP, then press enter. The next policy is all the devices from this internet are not allowed to ping to this HQ LAN1 network. Okay, so here they have given the network address for this HQ LAN1, 192.168.1.0, and we can apply this ACL to this interface; that's why we give any source address. Okay, coming to HQ again, here we can create access list 101 and we are going to deny ICMP, sorry, we are going to deny ICMP from any source. Then we have to specify the network address of that specific network. I will show once more: here, 192.168.1.0/26. 192.168.1.0, then we have to give the wildcard mask. They have given a slash 26; that means 0.0.0.63. Perfect, now press enter. And clearly they specified we have to allow all other traffic; that means we can give access-list 101 permit ip any any. Now we have to apply the access control list we created to the correct interface. We can apply it to this interface, that is Serial 0/1/0, which is connecting this internet, in the in direction, inbound direction. We can do that. We will go to that interface, interface serial 0/1/0, and here we can give ip access-group 101 in.

Now we will go to access control list 2 requirements: use ACL number 111. No host on HQ LAN1 should be able to access the Branch Server. All other traffic should be permitted. We should be clear with the requirement. We will create access control list 111, that means an extended access control list, and no host on HQ LAN1, that means the devices from this network HQ LAN1, should be able to access the Branch Server. That means all these devices from this network are not allowed to access this Branch Server; here we can see Branch Server. All other traffic should be permitted. That means we have to deny all the services from this HQ LAN1 device, I mean devices, to this Branch Server. Okay, we can implement it in HQ. We will exit from this serial interface. We will create the access list, that is 111, and we are going to deny ip from any source devices, that we can give with the any keyword, then to a specific server, right? So we can give host; we have to get the IP address of that server, that is the Branch Server. We can copy it from that Branch Server itself, or you can get this address from our addressing table. Then paste it here. Perfect, then press enter. And we have to apply this access control list, right? Before that, here we can see they specified all other traffic should be permitted. Okay, so we should add that line also: access-list 111, we have to permit ip any any, because whenever we create an access control list using deny, there will be an implicit deny of all other traffic, so we must give this line to permit all other traffic. So now we have to implement, I mean we have to apply, this access control list. So we can apply it in this HQ to this interface, that is, let me verify it, GigabitEthernet 0/0/0, in the direction in. We will go to that interface, that is g0/0/0, and here we can give ip access-group, it's 111, right, we can give inbound, in.

Now coming to ACL 3 requirements: create a named standard ACL. Use the name VTY_block; the name of your ACL must match this name exactly. That means we have to block the VTY. Only addresses from the HQ LAN2 network should be able to access the VTY lines of the HQ router. Okay, here we are going to create a named standard access control list named VTY_block. So we are going to block, we are going to deny, the access of the virtual terminal, and here we can see the devices from this HQ LAN2 are the only ones allowed to access this HQ router using VTY lines. Okay, we can do that. Coming to this HQ, we will exit from this interface and here we will create that with ip access-list, because it's a named standard access control list. ip access-list, then here we have to specify whether it's standard or extended; it's standard. And we have to specify the name; it's VTY_block. We have to give the exact name for the scoring purpose. And here we are going to permit this network HQ LAN2, 192.168.1.64/29. We have to give the network address 192.168.1.64, then we have to specify its wildcard mask. We have seen they have given the prefix as a slash 29; that means the wildcard mask will be 0.0.0.7. Then we will press enter. Here only this network is allowed to access the virtual terminal of this router HQ. That means we have to go to line vty. Okay, we can go to line vty 0 15; either we can give 0 to 4, or even we can give it for all the lines from 0 to 15. And here we can apply the access control list we created: we have to give access-class, then we have to specify the name of the access control list we created, that is VTY_block, then we have to specify the direction, in.

Coming to the last access control list, ACL 4 requirements: create a named extended ACL called BRANCH_TO_HQ; the name of your ACL must match this name exactly. No host on either of the Branch LANs should be allowed to access HQ LAN1. Use one access list statement for each of the Branch LANs. All other traffic should be allowed. Coming to our topology, as per the instruction the devices from this network Branch LAN1 and the devices from Branch LAN2 are not allowed to access this network, that is HQ LAN1. So we have to create, we have to deny, two networks. Here we can see Branch LAN1 and Branch LAN2 to this HQ LAN1 network. So we can create the access control list in this router Branch. Just I will copy this access control list name; it's here. Okay, then we will go to this Branch: enable, conf t, and here we will create that access list. It's extended, and here is that name, BRANCH_TO_HQ, then press enter. Now we are going to deny ip. Now we have to specify the source network address. Coming to the topology, first we will give 192.168.2.0/27. 192.168.2.0, then we have to specify its wildcard mask, 0.0.0.31. Then we have to specify the destination network address. I will put a question mark, and here we can see a destination address; it's 192.168.1.0/26. 192.168.1.0, then we have to give its wildcard mask, 0.0.0.63. Also we have to deny the other network: deny ip, here we can see that 192.168.2.32/28, that means 0.0.0.15. Okay, 192.168.2.32 0.0.0.15, then we have to specify our destination address. We can copy it from here, the same, paste it here, then press enter. And all other traffic should be allowed, so we have to permit all other traffic; we have to give permit ip any any. Then we have to apply this named extended access control list to the correct interface. Here we can apply this access control list to this interface, Serial 0/1/1, in the out direction, correct? So we can do that. We will go to that interface: exit, and go to the interface, that is serial 0/1/1, and here we can give ip access-group, then we have to specify our access list name. Just I will copy it from here, or you can type it, in the out direction.

Now coming to Step 3: verify access control list operation. Perform the following connectivity tests between devices in the topology. Note whether or not they are successful. Also the given end note: use the show ip access-lists command to verify ACL operation; use the clear access-list counters command to reset the match counters. Send a ping request from a Branch PC to the Enterprise Web Server. Here we can see Branch PC; we can use this Branch LAN1 Branch PC to this Enterprise Web Server. Okay, was it successful? Explain. It should succeed, because we denied to this HQ LAN, no, 2, HQ LAN2, so the ping from these two networks to this HQ LAN2 should succeed. Anyway, we will test it. We will get the IP address of Enterprise Web Server; we can get it from here itself, copy the address. Then coming to this Branch PC, command prompt, we'll ping to that server. See, we get the replies. Even we can ping from Branch Server; it should succeed. Which ACL statement permitted or denied the ping between these two devices? List the access list name or number, the router on which it was applied, and the specific line that the traffic matched. So actually we implemented that access control list in this router Branch. So coming to this Branch, we will give end, we can give the show command, show access-lists, and here we can see we have given this line permit ip any any, and we got four matches.

Attempt to ping from PC-1 on the HQ LAN1 to the Branch Server. Was it successful? Explain. That means we are going to ping from this PC-1 to this Branch Server; here is our Branch Server. Oh, it should fail, because we already created the access control list, and this network is not allowed to access any of the devices from this HQ LAN1. Okay, we will get the IP address of this Branch Server, then we will go to this PC-1, command prompt, we will ping to that server, and we can see it says "destination host unreachable". Which ACL statement permitted or denied the ping between these two devices? So here we can see we denied this network 192.168.2.32 to access this HQ LAN1. Here we can see that: we will give the command show ip access-lists, and here we have given that deny command.

Open a browser on the External Server and attempt to bring up a web page stored on the Enterprise Web Server. Is it successful? Explain. Okay, we have to get the IP address of this Enterprise Web Server, and I think it should succeed because we did not set any such access control list. We will get the IP address of this server, then we have to go to this device, External Server; here we can see External Web Server. We will go to the browser and paste that IP address here, then click Go, and here we can see our web page; it's working. Which ACL statement permitted or denied the ping between these two devices? Okay, here in this HQ: enable, show ip access-lists, and we have to check for the permit ip any any. Here we can see that, extended IP access list 101, and with line number 30, permit ip any any.

Now coming to b: test connections to an internal server from the internet. From the command line on the Internet User PC, attempt to make an FTP connection to the Branch Server. Is the FTP connection successful? It should succeed, because we created the access control list to deny from this Enterprise Web Server, not from this Branch Server, right? All the devices from this internet are not allowed to access FTP from this Enterprise Web Server, so if you try this Branch Server it will succeed. So we will get the IP address of our Branch Server, and we'll go to Internet User, command prompt. Here we have to give ftp to this server, and we can see it's prompting for the username and password. Let me try with cisco; the password is cisco. Yes, so we are able to access this FTP service from this server. Which access list should be modified to prevent users from the internet from making FTP connections to the Branch Server? Obviously we have to modify the access control list we created in HQ. So here we can see that ACL 1 requirement, ACL 101: explicitly block FTP access to the Enterprise Web Server from the internet. So even I will show that here: show ip access-lists. We have to modify this access list 101. Which statement or statements should be added to the access list to deny this traffic? Okay, I will show that command. We can give deny tcp, any device from this internet, right, so we can specify any source device, to the host Branch Server. So we have to get the IP address of this Branch Server, space, we have to give this address, then we have to give eq 21.

Perfect, that's all in this activity, IPv4 Access Control List Implementation Challenge. Here we can see our completion status; it shows 100 percent. Now, dear friends, if you have any doubt or any suggestions regarding this Packet Tracer activity, please comment below, or you can contact our team using our website link, which you will get from the description below. And if you like our video, give it a thumbs up and share it with all your friends. Stay tuned and we will meet again with the next video. Thank you.
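An added example, not from the video or the Packet Tracer activity: a small Python model of the four ACLs built in the captions, using Cisco wildcard matching and first-match evaluation with the implicit deny, so the step 3 results can be reasoned through offline. The server and Internet User addresses are constructed placeholders (the video copies them from Packet Tracer without reading them out), chosen so that the Enterprise Web Server sits outside HQ LAN1.

```python
import ipaddress

# Constructed addresses: the video copies the server IPs from Packet Tracer without
# reading them out, so these are assumptions (Enterprise Web Server outside HQ LAN1).
ENTERPRISE_WEB = "192.168.1.70"
BRANCH_SERVER = "192.168.2.40"
INTERNET_USER = "203.0.113.10"
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit is 'do not care'
FTP = 21

def host(ip):
    """The 'host x' shorthand is x with a 0.0.0.0 wildcard mask."""
    return (ip, "0.0.0.0")

def wc_match(addr, rule):
    """Cisco wildcard match: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = rule
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace(action, proto, src, dst=None, dport=None):
    """One access control entry; dst stays None for a standard ACL."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst=None, dport=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for idx, e in enumerate(acl, 1):
        if e["proto"] not in ("ip", proto) or not wc_match(src, e["src"]):
            continue
        if e["dst"] is not None and not wc_match(dst, e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], idx * 10          # IOS numbers entries 10, 20, 30, ...
    return "deny", "implicit"

# The four ACLs as the video builds them, with where each is applied.
ACL_101 = [ace("deny", "tcp", ANY, host(ENTERPRISE_WEB), FTP),      # HQ S0/1/0 in
           ace("deny", "icmp", ANY, ("192.168.1.0", "0.0.0.63")),
           ace("permit", "ip", ANY, ANY)]
ACL_111 = [ace("deny", "ip", ANY, host(BRANCH_SERVER)),             # HQ G0/0/0 in
           ace("permit", "ip", ANY, ANY)]
VTY_BLOCK = [ace("permit", "ip", ("192.168.1.64", "0.0.0.7"))]      # HQ line vty 0 15
BRANCH_TO_HQ = [ace("deny", "ip", ("192.168.2.0", "0.0.0.31"), ("192.168.1.0", "0.0.0.63")),
                ace("deny", "ip", ("192.168.2.32", "0.0.0.15"), ("192.168.1.0", "0.0.0.63")),
                ace("permit", "ip", ANY, ANY)]                      # Branch S0/1/1 out
# The fix proposed at the end of the video: also block FTP to the Branch Server.
ACL_101_FIXED = ACL_101[:1] + [ace("deny", "tcp", ANY, host(BRANCH_SERVER), FTP)] + ACL_101[1:]
```

With these ACLs, `evaluate(ACL_101, "tcp", INTERNET_USER, BRANCH_SERVER, FTP)` returns `("permit", 30)`, reproducing the step 3 finding, while `ACL_101_FIXED` returns `("deny", 20)` for the same connection.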
Info
Channel: Tech Acad
Views: 12,064
Keywords: CISCO, Packet Tracer, CCNA, Access Control Lists, CCNAv7, Routing and Switching, 200-301 CCNA
Id: 4OpFf8z7yD4
Length: 28min 31sec (1711 seconds)
Published: Thu Sep 24 2020