5.5.2 Packet Tracer - Configure and Verify Extended IPv4 ACLs - Physical Mode

Captions
In this Packet Tracer physical mode activity you have been tasked with configuring access control lists on a small company's network. ACLs are one of the simplest and most direct means of controlling Layer 3 traffic. After the initial configuration is complete, the company has some specific traffic security requirements that you will be responsible for implementing.

Build the network and configure basic device settings. Cable the network as shown in the topology: cable and power on the devices. Connect GigabitEthernet 0/0/0 on R1 to Server A. Now GigabitEthernet 0/0/1 on R1 to FastEthernet 0/5 on S1. FastEthernet 0/1 links S1 and S2, FastEthernet 0/1 on both sides. Now FastEthernet 0/5 on S2 to GigabitEthernet 0/0/1 on R2. On S1, FastEthernet 0/6 to PC-A, using the PC's FastEthernet interface. FastEthernet 0/18 on S2 to PC-B, this is PC-B's FastEthernet interface. And power on the devices: on R1 the power button; S1 and S2 are connected to the power distribution device and they are powered on; R2 power on; the server power on; PC-A power on; and PC-B.

Now use a console cable to connect a PC to each switch or router as you configure them. We recommend connecting PC-A to R1 and PC-B to R2. So use a console cable to connect from PC-A's RS-232 port to the R1 console; you have this connection from PC-A to R1 using the console. Another console cable from PC-B's RS-232 port to the R2 console. Very nice.

Now configure basic settings for each router. I will use Notepad, because these configurations will be applied on both routers and will also be useful for the switches. Assign a device name, the hostname; for example for R1, according to the addressing table, hostname R1. Disable DNS lookup: no ip domain-lookup. Assign class as the privileged EXEC encrypted password: enable secret class. cisco is the console password, and enable login: line console 0, password cisco, login. cisco is the VTY password; you will enable login later in this activity, so only the password: line vty 0 15, password cisco, exit. Encrypt the plain text passwords and create the banner: service password-encryption, banner motd "Unauthorized access is prohibited". And save the running configuration to the startup configuration: copy running-config startup-config, Enter to confirm.

So you can use the terminal, and remember R1 is connected to PC-A. PC-A, Desktop, Terminal. Would you like to enter the initial configuration dialog? No. Enter, enable, configure terminal; in global configuration mode copy this and paste. Very good. copy running-config startup-config. Now for R2: remember the console of R2 is connected to PC-B. Click on PC-B, Desktop, Terminal. Would you like to enter the initial configuration dialog? No. Enable, configure terminal, and change the hostname here; this is the only difference, it should be R2 according to the addressing table. hostname R2 and the same configurations, copy and paste. Very nice.

Configure basic settings for each switch: device name, DNS lookup, privileged encrypted password, console password, VTY password, encrypt the plain text passwords, banner, and save the running configuration to the startup configuration. The same configuration for the switches: hostname, domain lookup, privileged encrypted password, console password, VTY password, encryption, banner, copy running-config startup-config. It's the same, so change the fields and change the console. Remember PC-A is connected to the console of R1. On S1 right click, Inspect Rear, and drag the console cable from R1 to S1; now you have this connection from PC-A's RS-232 port to the console port on S1. So go to PC-A, close the terminal, open it again; now this is the switch command line interface. Enable, configure terminal; in global configuration mode change this to S1 and paste the same configurations. Very nice. Now remember PC-B is connected to the console of R2, so right click on S2, Inspect Rear, and drag the console cable from R2 to S2. Now you have this connection from PC-B's RS-232 port to the console port on S2. So go to PC-B, close the terminal, open it again; this is the command line interface on S2. Enable, configure terminal; in global configuration mode change the hostname to S2 and copy the same configuration. Very nice.

Configure VLANs on the switches. Create the VLANs on both switches: create and name the required VLANs on each switch from the VLAN table. This is the addressing table, and down here is the VLAN table. I will do it on Notepad again: VLAN 20 Management, VLAN 30 Operations, VLAN 40 Sales, VLAN 999 ParkingLot and VLAN 1000 Native. But remember, be careful with the names, they are case sensitive: vlan 20, name Management; vlan 30, name Operations; vlan 40, name Sales; vlan 999, name ParkingLot; vlan 1000, name Native; exit. Review: Management, Operations, Sales, ParkingLot, Native. Copy these to S1 and S2. Go to PC-A, this is S1; enter, configure terminal, global configuration mode, paste. Very good. Go to PC-B, which is connected to switch S2; enter, configure terminal, global configuration mode, paste. Very nice.

Configure the management interface and default gateway on each switch using the IP address information in the addressing table. These are the configurations. On S1, go to PC-A: interface vlan 20, ip address 10.20.0.2 255.255.255.0, enter. no shutdown is not necessary, because interface VLAN 20 changes its state to up. So exit, ip default-gateway 10.20.0.1. Go to S2: interface vlan 20, ip address 10.20.0.3 255.255.255.0, exit, ip default-gateway 10.20.0.1. Very good.

Assign all unused ports on the switch to the parking lot VLAN. The unused ports on S1: go to S1 (PC-A). Ports in use are FastEthernet 0/1, 0/5 and 0/6, so the range is interface range FastEthernet 0/2-4, FastEthernet 0/7-24, GigabitEthernet 0/1-2: 1 in use, 2 to 4, 5 and 6 in use, 7 to 24, and GigabitEthernet 0/1 and 0/2. You can verify in the VLAN table: 2-4, 7-24, GigabitEthernet 0/1-2. Configure them for static access mode: switchport mode access. And administratively deactivate them, but before that assign the unused ports to the parking lot VLAN; the parking lot VLAN is 999: switchport access vlan 999, and then administratively deactivate them: shutdown. Enter, exit. Don't forget S2: go to PC-B. Ports in use are FastEthernet 0/1, 0/5 and 0/18, so the range is FastEthernet 0/2-4, FastEthernet 0/6-17, FastEthernet 0/19-24 and GigabitEthernet 0/1-2: 1 in use, 2 to 4, 5 in use, 6 to 17, 18 in use, 19 to 24, and GigabitEthernet 0/1 and 0/2. You can verify here. switchport mode access, switchport access vlan 999 (the parking lot VLAN), shutdown, enter, exit.

Assign VLANs to the correct switch interfaces: assign user ports to the appropriate VLAN specified in the VLAN table and configure them for static access mode. For example, here on S1 FastEthernet 0/6 goes to VLAN 30: S1 FastEthernet 0/6, VLAN 30, for PC-A. Go to S1 (PC-A): interface FastEthernet 0/6, switchport mode access, switchport access vlan 30, Operations, for PC-A. And now for S2: FastEthernet 0/5 to VLAN 20, S2 FastEthernet 0/5, VLAN 20, for router R2. Go to PC-B, that is the command line interface of S2: interface FastEthernet 0/5, switchport mode access, switchport access vlan 20. And FastEthernet 0/18 to VLAN 40: 0/18 on S2 to VLAN 40 for PC-B. interface FastEthernet 0/18, switchport mode access, switchport access vlan 40. Excellent, very good. show vlan brief to verify, for example on PC-B: show vlan brief, and you can see 20 on 0/5 and 40 on 0/18; when you set ports to the parking lot, 999; and FastEthernet 0/1 will be configured as a trunk in the next step, for now it's on VLAN 1.

Configure trunking. Manually configure trunking on the interface FastEthernet 0/1: change the switchport mode on interface FastEthernet 0/1 to force trunking. Make sure to do this on both switches. Go to switch S1 (PC-A): interface FastEthernet 0/1, switchport mode trunk. Set the native VLAN to 1000 on both switches; remember the native VLAN is one thousand: switchport trunk native vlan 1000 (three zeros, one thousand). Wait a moment and look at this, native VLAN mismatch. You may see error messages temporarily while the two interfaces are configured for different native VLANs: FastEthernet 0/1 on S1 is now using VLAN 1000 as the native VLAN, but FastEthernet 0/1 on S2 is still using VLAN 1 as the native VLAN, so they are different, and that's why you see these native VLAN mismatch messages. And specify that VLANs 10, 20, 30 and 1000 are allowed to cross the trunk. But this is incorrect, because we are not using VLAN 10; the VLAN table specifies VLANs 20, 30, 40, 999 and 1000. 999 is for the parking lot, for unused ports, so you need to permit VLANs 20, 30, 40 and 1000 on the trunk. This is incorrect; it should specify that VLANs 20, 30, 40 and 1000 are allowed to cross the trunk. Enter: switchport trunk allowed vlan 20,30,40,1000. This is very good. And the same configuration on S2: go to PC-B, enter, S2, configure terminal, interface FastEthernet 0/1, switchport mode trunk, switchport trunk native vlan 1000 (be careful, it's 1000), and now you can see port consistency restored. Very nice. switchport trunk allowed vlan 20,30,40,1000. Very nice, this is very good: 20, 30, 40, 1000. show interfaces trunk to verify, for example on S2: port FastEthernet 0/1, mode on (manually configured), encapsulation 802.1Q, status trunking, native VLAN 1000, allowed VLANs 20,30,40,1000. Very nice.

And manually configure S1's trunk interface FastEthernet 0/5: configure S1's interface FastEthernet 0/5 with the same trunk parameters as FastEthernet 0/1. Go to S1 (PC-A): interface FastEthernet 0/5, switchport mode trunk, switchport trunk native vlan 1000, and the allowed VLANs. That's it. Save the running configuration to the startup configuration: copy running-config startup-config, enter, enter. Go to PC-B: copy running-config startup-config, enter.

Configure routing. Configure inter-VLAN routing on R1: activate interface GigabitEthernet 0/0/1 on the router. This interface on R1, G0/0/1, is the connection to switch S1, but I will do this at the end. Now configure sub-interfaces for each VLAN as specified in the addressing table, starting with sub-interface GigabitEthernet 0/0/1.20. But to configure R1, change the console from S1 to R1: right click on S1, Inspect Rear, and drag the console cable from S1 to R1. Go to PC-A, close the terminal, open it again. You are on the router and the console password is cisco; enable, the enable password is class; configure terminal; now you are in global configuration mode. Configure GigabitEthernet 0/0/1.20, this sub-interface: interface GigabitEthernet 0/0/1.20, enter. All sub-interfaces use 802.1Q encapsulation: encapsulation dot1Q and use VLAN 20 (VLAN 20 is Management: sub-interface .20, VLAN 20, network 20). Enter. Set the IP address: ip address 10.20.0.1 255.255.255.0, and don't forget to include a description; you can use the name of the VLAN as the description. You can use any description, but I will use the name of the VLAN: Management. Now the next sub-interface is 30; for the description of 30 I will use the name of the VLAN, Operations. Now the next, for network 40, the description is Sales. And the next sub-interface, 1000: encapsulation dot1Q 1000 native; remember 1000 is the native VLAN. Ensure the sub-interface for the native VLAN does not have an IP address; no IP address for sub-interface 1000, so description Native and that's it. And now activate interface GigabitEthernet 0/0/1: interface GigabitEthernet 0/0/1, no shutdown. Very good.

Configure interface GigabitEthernet 0/0/0. This interface, G0/0/0 on R1: interface GigabitEthernet 0/0/0, ip address 172.16.1.1 255.255.255.0, no shutdown. Very nice, this is the connection to the server; G0/0/0 is the connection to the server. show ip interface brief to verify: G0/0/0 up, G0/0/1 up, sub-interfaces up.

Configure R2 interface GigabitEthernet 0/0/1. On R2 this interface, G0/0/1, is the connection to switch S2; use the addressing table, and this configuration. Change the console from S2 to R2: Inspect Rear, drag the console cable from S2 to R2. Click here on PC-B, because now PC-B is connected to the console of R2; close the terminal, open it again. Enter, console password cisco, enable, the enable password is class, configure terminal, R2 global configuration mode. Configure this interface: interface GigabitEthernet 0/0/1, ip address 10.20.0.4 255.255.255.0, no shutdown, enter. And configure a default route with the next hop 10.20.0.1; this is like the default gateway. Exit to global configuration mode: ip route 0.0.0.0 0.0.0.0 10.20.0.1, the default route with next hop 10.20.0.1. Very good, on R2.

Now configure remote access. Configure all network devices for basic SSH support. I will do this on Notepad because this will be useful for routers and switches; the instruction says configure all network devices, and this includes routers and switches. Create a local user SSHadmin with this password; the password is an encrypted password. On Notepad: username SSHadmin (case sensitive); the encrypted password, so use the secret keyword, secret, and this password, $cisco123!. Enter. ccna.lab.com is the domain name: ip domain-name ccna.lab.com, enter. Generate crypto keys using a 1024 bit modulus: crypto key generate rsa general-keys modulus 1024. Configure the first five VTY lines on each device to support SSH connections; the first five are VTY lines 0 to 4. But I will use all lines from 0 to 15, because this will be required to get 100 percent. So vty 0 4 is a very good configuration to configure the first five VTY lines to support SSH connections, but at the end you will not be able to get 100 percent, so use all lines from 0 to 15. Support SSH connections only: transport input ssh. And authenticate to the local user database to use this username and password: login local, exit. Verify: username SSHadmin (case sensitive) secret password, this is the password, be careful; the domain name, be careful; the crypto key. Very nice.

Then copy this, go to PC-A, you are on R1, configure terminal, and from global configuration mode paste. Very good, this is the generation of the crypto key. Go to PC-B, R2 global configuration mode, paste. Very nice. Don't forget the switches: right click on S1, Inspect Rear, drag the console from R1 to S1; on S2 right click, Inspect Rear, drag the console from R2 to S2. Now access PC-A, close the terminal, open it again, enter, the console password is cisco, enable, class, configure terminal, paste the SSH configuration. Go to PC-B, close the terminal, open it again, enter, cisco, enable, class, configure terminal, paste. Very good.

Verify connectivity. But first configure the PC hosts according to the addressing table. This is the PC-A configuration, so go to PC-A, close this, IP Configuration: 10.30.0.10, 255.255.255.0, 10.30.0.1. And go to PC-B, close the terminal, open IP Configuration and configure this: 10.40.0.10, 255.255.255.0, 10.40.0.1. And Server A, Desktop, IP Configuration, is already configured. Use this table. From PC-A ping 10.40.0.10; 10.40.0.10 is PC-B, so ping from PC-A to PC-B: go to PC-A, close this, open the Command Prompt, ping PC-B 10.40.0.10, success. From PC-A ping 10.20.0.1; 10.20.0.1 is R1, success. From PC-B ping 10.30.0.10, PC-A: go to PC-B, close this, Command Prompt, ping 10.30.0.10, success. From PC-B ping router R1 10.20.0.1, success. From PC-B ping 172.16.1.1, another interface on R1, success. From PC-B use HTTPS to access the server 172.16.1.2: go to the Web Browser, https://172.16.1.2 using HTTPS, enter, success. From PC-A access the server using HTTPS: PC-A, https://172.16.1.2, success. From PC-B SSH to 10.20.0.4; 10.20.0.4 is R2. Go to PC-B, close the web browser, open the Telnet/SSH Client, use SSH, 10.20.0.4, the IP address of R2; the username, remember, is SSHadmin, case sensitive, and use this password: SSHadmin, connect, password $cisco123!. Very nice, R2. Exit. Now from PC-B access SSH on R1: again go to PC-B, 172.16.1.1, SSHadmin, connect, $cisco123!; now you are on R1. Very nice.

And now configure and verify extended access control lists. When basic connectivity is verified, the company requires the following security policies to be implemented. Policy 1: the Sales network is not allowed to SSH to the Management network. Policy 2: the Sales network is not allowed to access Server A using any web protocol. Policy 3: the Sales network is not allowed to send ICMP echo requests to the Operations or Management networks. Policy 4: the Operations network is not allowed to send ICMP echo requests to the Sales network. And look at this: policy 1, policy 2 and policy 3 have the Sales network as the source. Policy 1 says the Sales network is the source, policy 2 the Sales network is the source, and policy 3 the Sales network is the source. Remember the Sales network is VLAN 40 and is also network 40. So if the Sales network is the source for the three policies, you can use only one access list to implement these three policies. Also this exercise should use an extended access control list, and it's recommended to implement the extended access list close to the source, so it will be implemented close to the Sales network. If this is the Sales network, it should be implemented on GigabitEthernet 0/0/1.40, on this sub-interface; the extended access list should be implemented close to the source, so on G0/0/1.40. So you need to configure this on R1. Go to R1: change the console, Inspect Rear, drag the console from S1 to R1. Very nice. Go to PC-A, Terminal, enter, cisco, enable, class, configure terminal. The Sales network is not allowed to SSH to the Management network. Select an extended access control list; it's not a named access list, not a named extended access list, it's only an extended access list, so use a number: access-list 101. This is a number for extended access lists, and it's not allowed: deny. SSH uses the TCP protocol: deny tcp. The source is the Sales network, VLAN 40, so it's network 40; use the network 10.40.0.0 and the wildcard mask 0.0.0.255. The destination is the Management network; Management is 20, so the network is 10.20.0.0, wildcard, and use the SSH port, eq 22. Enter. Other SSH is allowed; I will do this at the end of the access list.

Now policy 2: the Sales network is not allowed to access Server A using any web protocol, HTTP and HTTPS. The Sales network is this, again access-list 101, the same access list, deny because it's not allowed. The source is the Sales network, network 40, but the destination is Server A: Server A's IP is 172.16.1.2, so you can specify host 172.16.1.2. And the web protocol HTTP is port 80. You can use the host keyword or the wildcard 0.0.0.0; both are valid, both are the same. eq 80 for HTTP. The source is the Sales network, not allowed, protocol TCP, the destination is the server, only the host, not the network, port 80 for HTTP. And don't forget HTTPS, 443, enter: the same entry, only changing the port for HTTPS. The Sales network again is not allowed to send ICMP echo requests, so deny icmp: the source is the Sales network, the destination Operations, and remember Operations is VLAN 30, network 10.30.0.0, wildcard, and it's echo request: echo. deny icmp, Sales network, Operations network, echo. Enter. Also Sales is not allowed to send ICMP echo requests to the Management network; remember Management is VLAN 20, network 20. So only change this: deny icmp, the Sales network as the source, the Management network as the destination, echo. Enter. And now look at this: other SSH is allowed, other web traffic is allowed, ICMP echo requests to other destinations are allowed, so you can use access-list 101 permit ip any any to permit any other traffic. Enter.

An extended access list is recommended to be implemented close to the source; the source is always the Sales network, so it should be implemented close to the source, on sub-interface G0/0/1.40: ip access-group 101 in, the number of the extended access list, and it is incoming traffic. It's incoming traffic because the traffic is trying to exit the VLAN to access other networks; if you set outgoing traffic, the filter would apply to traffic going into the internal VLAN. So use in, incoming traffic, the traffic going to the other networks. Enter, exit.

And finally implement this: the Operations network is not allowed to send ICMP echo requests to the Sales network. The source is the Operations network, and the Operations network is placed on VLAN 30; an extended access list is recommended to be implemented close to the source, and the Operations network is VLAN 30, network 30, so the source interface is G0/0/1.30, and if it is implemented close to the source, it will be implemented on R1. So again configure on R1: you can use access-list 102, and not allowed, deny ICMP echo request: icmp protocol, the Operations network is the source, 10.30.0.0 with the wildcard, the destination is the Sales network, network 40, 10.40.0.0 with the wildcard, and it's echo request: echo. Very good, enter. ICMP echo requests to other destinations are allowed, so use access-list 102, the same access list, permit ip any any. And implement it close to the source: the source is network 30, so on sub-interface .30: ip access-group 102 in, incoming traffic. That's it, very good.

And now verify that the security policies are being enforced by the deployed access lists. Run the following tests; the expected results are shown in the table. In the previous tests all were success, but now some results will fail, because the access lists are implemented. Now from PC-A ping PC-B 10.40.0.10: go to PC-A, close the terminal, open the Command Prompt, ping 10.40.0.10, destination host unreachable. Failed, very good. From PC-A ping 10.20.0.1, router R1: success. Very good. From PC-B ping PC-A: go to PC-B, close the SSH client, Command Prompt, from PC-B ping 10.30.0.10, that is PC-A: destination host unreachable, fail. This is very good. From PC-B ping 10.20.0.1, router R1: destination host unreachable, fail; this is very good. From PC-B ping 172.16.1.1, another interface on router R1: success. Very good. From PC-B, web browser HTTPS to the server: close the Command Prompt, Web Browser, https://172.16.1.2, wait a moment please, request timeout, fail. Very good. From PC-A access the server using HTTPS: from PC-A close the Command Prompt, open the Web Browser, https://172.16.1.2, hit enter, success. Very nice. From PC-B SSH to router R2: go to PC-B, close the web browser, open the SSH client, hostname or IP address 10.20.0.4, username SSHadmin (case sensitive), connect, wait a moment please, and the current session has closed; fail, this is very good. From PC-B SSH to router R1: from PC-B 172.16.1.1, SSHadmin, connect, password $cisco123!, very nice, R1. Exit. Success, very good.

Completion 93%. Check Results: assessment items all in green, very good; connectivity tests correct, correct, correct. Very nice. Congratulations on completing this activity. Close. The completion is 93%, and don't worry about this; all is completed. Thank you very much.
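To check the two access lists against the verification table without a lab, here is an added Python model (not part of the video or of the Packet Tracer activity) that evaluates the ACEs with Cisco first-match and wildcard-mask semantics. The addresses and entries are those of the activity's tables; the packets are constructed here, and `r1_inbound` is a hypothetical helper that picks the inbound ACL by the sub-interface a packet enters R1 on.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

ANY    = ("0.0.0.0", "255.255.255.255")
MGMT   = ("10.20.0.0", "0.0.0.255")     # VLAN 20
OPS    = ("10.30.0.0", "0.0.0.255")     # VLAN 30
SALES  = ("10.40.0.0", "0.0.0.255")     # VLAN 40
SERVER = ("172.16.1.2", "0.0.0.0")      # same as 'host 172.16.1.2'

# Access control entries: (action, protocol, source, destination, qualifier).
# The qualifier is a TCP destination port ('eq N') or an ICMP type keyword.
ACL_101 = [  # applied 'ip access-group 101 in' on G0/0/1.40 (Sales)
    ("deny",   "tcp",  SALES, MGMT,   22),
    ("deny",   "tcp",  SALES, SERVER, 80),
    ("deny",   "tcp",  SALES, SERVER, 443),
    ("deny",   "icmp", SALES, OPS,    "echo"),
    ("deny",   "icmp", SALES, MGMT,   "echo"),
    ("permit", "ip",   ANY,   ANY,    None),
]
ACL_102 = [  # applied 'ip access-group 102 in' on G0/0/1.30 (Operations)
    ("deny",   "icmp", OPS,   SALES,  "echo"),
    ("permit", "ip",   ANY,   ANY,    None),
]

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, dst, qual in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if qual is not None and qual != pkt.get("qual"):
            continue
        return action
    return "deny"

# Inbound ACL per R1 sub-interface, selected by the VLAN the packet arrives from.
INBOUND = {"10.30.0.0/24": ACL_102, "10.40.0.0/24": ACL_101}

def r1_inbound(pkt):
    """Hypothetical helper: apply the inbound ACL of the sub-interface the packet enters R1 on."""
    src = ipaddress.ip_address(pkt["src"])
    for net, acl in INBOUND.items():
        if src in ipaddress.ip_network(net):
            return evaluate(acl, pkt)
    return "permit"   # no ACL on the other interfaces

def run_verification_table():
    """The activity's verification tests as constructed packets on their first hop through R1."""
    pca, pcb, server = "10.30.0.10", "10.40.0.10", "172.16.1.2"
    r1_mgmt, r1_lan, r2 = "10.20.0.1", "172.16.1.1", "10.20.0.4"
    tests = {
        "PC-A ping PC-B":      dict(proto="icmp", src=pca, dst=pcb,     qual="echo"),
        "PC-A ping R1":        dict(proto="icmp", src=pca, dst=r1_mgmt, qual="echo"),
        "PC-B ping PC-A":      dict(proto="icmp", src=pcb, dst=pca,     qual="echo"),
        "PC-B ping R1 mgmt":   dict(proto="icmp", src=pcb, dst=r1_mgmt, qual="echo"),
        "PC-B ping R1 G0/0/0": dict(proto="icmp", src=pcb, dst=r1_lan,  qual="echo"),
        "PC-B https server":   dict(proto="tcp",  src=pcb, dst=server,  qual=443),
        "PC-A https server":   dict(proto="tcp",  src=pca, dst=server,  qual=443),
        "PC-B ssh R2":         dict(proto="tcp",  src=pcb, dst=r2,      qual=22),
        "PC-B ssh R1":         dict(proto="tcp",  src=pcb, dst=r1_lan,  qual=22),
    }
    return {name: r1_inbound(p) for name, p in tests.items()}

if __name__ == "__main__":
    for name, verdict in run_verification_table().items():
        print(f"{name:22s} {verdict}")
```

Packets addressed to R1 itself pass the inbound ACL too, which is why the ping from PC-B to 10.20.0.1 fails while the one to 172.16.1.1 succeeds.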
Info
Channel: Christian Augusto Romero Goyzueta
Views: 18,040
Keywords: ensa, enterprise networking, security, automation, ccna, version 7, ccna 7, physical mode, packet tracer, ACL, extended, numbered, http, https, ssh, icmp, vlan, intervlan routing, routing, trunk
Id: o33MvgRFmvA
Length: 65min 35sec (3935 seconds)
Published: Sat Feb 19 2022