Learn Cisco: Security


Showing posts with label Security. Show all posts

Lab 222 - Zone-Based Firewall Part 1

April 29, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

Solution

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

R1 Config:

! Current routing configuration on R1:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!

!
! Current routing on BB3:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


Zone-based firewall configuration on R1:

Step 1
Define the zones.

!
zone security INSIDE
zone security OUTSIDE
!


Step 2
Classify interesting traffic (traffic that is allowed from INSIDE to OUTSIDE).
Classify the traffic exceptions.


!
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all UDP
 match protocol udp
class-map type inspect match-all TCP
 match protocol tcp
!

! Traffic Exceptions
!
ip access-list extended SSH_TO_R1
 permit tcp any host 192.0.2.1 eq 22

!
class-map type inspect match-any OUTSIDE_TO_SELF_EXCEPTIONS
 match protocol bgp
 match access-group name SSH_TO_R1
!



Step 3
Configure policy regarding the interesting traffic.

!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect TCP
  inspect
 class type inspect UDP
  inspect
 class type inspect ICMP
  inspect
!

!
policy-map type inspect OUTSIDE_TO_SELF_POLICY
 class type inspect OUTSIDE_TO_SELF_EXCEPTIONS
  pass
 class class-default
  drop log
!



Step 4
Configure associations between zones. Apply policy map to the zone pairings.

!
zone-pair security INSIDE_TO_OUTSIDE_PAIRING source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!

!
zone-pair security OUTSIDE_TO_SELF_PAIRING source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_POLICY
!


Step 5
Assign interfaces to the zones.

!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
 speed 100
 full-duplex
!

!
interface Serial0/0
 description INSIDE
 ip address 172.16.123.1 255.255.255.0
 zone-member security INSIDE
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 172.16.123.2 102 broadcast
 no frame-relay inverse-arp
!


Verification:
Pic. 2 - Traffic INSIDE_TO_OUTSIDE.


Pic. 3 - Traffic OUTSIDE_TO_INSIDE (BB3_TO_SW1).
Pic. 4 - OUTSIDE_TO_R1 using SSH.
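The zone-pair rules above have three defaults that the pictures can only show indirectly: traffic between two zones with no zone-pair is dropped, traffic to or from the self zone with no zone-pair is permitted, and "inspect" opens a state entry that lets the return direction back in. The following Python model is an added example written for this page (it is not IOS code and not the blog's configuration); it mirrors the Lab 222 class-maps and policy-maps so the verdict for each kind of flow can be checked offline. Assumptions: the Flow and ZoneFirewall names are invented, "match protocol bgp" is modelled as TCP port 179, and 203.0.113.1 stands in for a host somewhere beyond BB3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation, as the firewall sees it."""
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class ZoneFirewall:
    """Toy zone-based policy evaluator (constructed for illustration; not IOS code)."""

    def __init__(self):
        self.pairs = {}        # (src_zone, dst_zone) -> [(class_name, predicate, action), ...]
        self.sessions = set()  # flows admitted by 'inspect'; their reverse is allowed back
        self.log = []          # what 'drop log' in class-default would record

    def zone_pair(self, src_zone, dst_zone, policy):
        self.pairs[(src_zone, dst_zone)] = policy

    def evaluate(self, src_zone, dst_zone, flow):
        if flow.reverse() in self.sessions:
            return "pass"           # return traffic of an inspected session
        if src_zone == dst_zone:
            return "pass"           # traffic between interfaces of one zone is not policed
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            # No zone-pair: the self zone is open by default, every other pair is dropped.
            return "pass" if "self" in (src_zone, dst_zone) else "drop"
        for class_name, predicate, action in policy:
            if predicate(flow):
                if action == "inspect":
                    self.sessions.add(flow)
                return action
        self.log.append(f"class-default drop {src_zone}->{dst_zone} "
                        f"{flow.src}->{flow.dst}/{flow.proto}/{flow.dport}")
        return "drop"


def build_lab222_firewall():
    """Mirror the Lab 222 policy-maps. 'match protocol bgp' is modelled as TCP/179 (assumption)."""
    fw = ZoneFirewall()
    fw.zone_pair("INSIDE", "OUTSIDE", [
        ("TCP", lambda f: f.proto == "tcp", "inspect"),
        ("UDP", lambda f: f.proto == "udp", "inspect"),
        ("ICMP", lambda f: f.proto == "icmp", "inspect"),
    ])
    fw.zone_pair("OUTSIDE", "self", [
        ("OUTSIDE_TO_SELF_EXCEPTIONS",   # match-any: bgp OR ssh to 192.0.2.1
         lambda f: f.proto == "tcp" and (f.dport == 179 or (f.dst == "192.0.2.1" and f.dport == 22)),
         "pass"),
    ])
    return fw


def run_scenarios():
    """Constructed flows; 203.0.113.1 and 192.0.2.254 stand in for hosts beyond BB3."""
    fw = build_lab222_firewall()
    web_out = Flow("172.16.123.2", "203.0.113.1", "tcp", 40000, 80)
    results = {
        "inside_to_outside_http": fw.evaluate("INSIDE", "OUTSIDE", web_out),
        "outside_to_inside_reply": fw.evaluate("OUTSIDE", "INSIDE", web_out.reverse()),
        "outside_to_inside_new": fw.evaluate("OUTSIDE", "INSIDE", Flow("192.0.2.254", "172.16.123.2", "tcp", 50000, 80)),
        "outside_ssh_to_r1_outside_addr": fw.evaluate("OUTSIDE", "self", Flow("192.0.2.254", "192.0.2.1", "tcp", 50001, 22)),
        "outside_ssh_to_r1_inside_addr": fw.evaluate("OUTSIDE", "self", Flow("192.0.2.254", "172.16.123.1", "tcp", 50002, 22)),
        "outside_bgp_to_r1": fw.evaluate("OUTSIDE", "self", Flow("192.0.2.254", "192.0.2.1", "tcp", 50003, 179)),
        "outside_telnet_to_r1": fw.evaluate("OUTSIDE", "self", Flow("192.0.2.254", "192.0.2.1", "tcp", 50004, 23)),
        "r1_to_outside": fw.evaluate("self", "OUTSIDE", Flow("192.0.2.1", "192.0.2.254", "tcp", 50005, 179)),
    }
    return results, fw.log


if __name__ == "__main__":
    for name, verdict in run_scenarios()[0].items():
        print(f"{name:32} {verdict}")
```

Two results are worth noticing. A new connection from OUTSIDE to INSIDE is dropped even though no policy mentions it, because no OUTSIDE-to-INSIDE zone-pair exists; and SSH to R1's inside address 172.16.123.1 is dropped, because SSH_TO_R1 permits only the host 192.0.2.1. Router-originated traffic (self to OUTSIDE) is passed because there is no zone-pair in that direction and the self zone is open by default.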

KEEP THE CONFIGURATION FOR THE NEXT LAB!


Lab 221 - CBAC

April 25, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session as soon as the session is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards DMZ should only allow WWW access (10.0.5.5)
  • Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Solution

Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

BB3 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


R1 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!


Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

R5 Config:
!
ip http server
!

Verification:
Pic. 2 - WWW Access from BB3.

Pic. 3 - WWW Access from BB3.


Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session as soon as the session is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards DMZ should only allow WWW access (10.0.5.5)
  • Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Step 1
Configure and apply ACL on the OUTSIDE interface blocking all the traffic.

R1 Config:
!
ip access-list extended OUTSIDE_INBOUND
 permit tcp any host 10.0.5.5 eq www
!

interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 speed 100
 full-duplex

!
interface Serial0/0
 description INSIDE
!

Step 2 
Configure inspection rules allowing all traffic out. Apply the rules on the OUTSIDE interface.

R1 Config:
!
ip inspect name ALL_TRAFFIC_OUT tcp
ip inspect name ALL_TRAFFIC_OUT udp
ip inspect name ALL_TRAFFIC_OUT icmp

!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 ip inspect ALL_TRAFFIC_OUT out
 speed 100
 full-duplex
!


Verification:
Pic. 4 - Traffic OUTSIDE --> OUT.
Pic. 5 - Traffic OUTSIDE --> IN.

Step 3
DMZ configuration.

R1 Config:
!
ip access-list extended DMZ_INBOUND
 permit eigrp any any
 deny   ip any any

!
ip inspect name HTTP_TRAFFIC http
!

!
interface FastEthernet0/1
 description DMZ
 ip address 172.16.215.1 255.255.255.0
 ip access-group DMZ_INBOUND in
 ip inspect HTTP_TRAFFIC out
 speed 100
 full-duplex
!


Verification:
Both R2 (inside host address) and BB3 (outside host address) can reach the WWW server (10.0.5.5). On R1, show ip inspect sessions shows the entries. Ping does not work.

REMOVE CBAC CONFIGURATION BEFORE NEXT LAB!


Lab 220 - TCP Intercept

April 24, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
There are web servers in Vlan 215 which have been attacked using the TCP SYN flood method. The attack comes from networks connected to BB1.

Configure protection against this attack on R3 but ensure that R3 is passively monitoring session establishment. It should not act as a TCP proxy server.
Ensure that R3 starts aggressive mode (dropping connections) when it reaches 4000 sessions and leaves aggressive mode when it reaches 3000 connections.
Also ensure that R3 starts resetting sessions if it reaches 400 connections per minute. It should leave aggressive mode when the number of connections per minute reaches 300.

Solution

Task 1
There are web servers in Vlan 215 which have been attacked using the TCP SYN flood method. The attack comes from networks connected to BB1.

Configure protection against this attack on R3 but ensure that R3 is passively monitoring session establishment. It should not act as a TCP proxy server.
Ensure that R3 starts aggressive mode (dropping connections) when it reaches 4000 sessions and leaves aggressive mode when it reaches 3000 connections.
Also ensure that R3 starts resetting sessions if it reaches 400 connections per minute. It should leave aggressive mode when the number of connections per minute reaches 300.

R3 Config:
!
ip access-list extended WEB_VLAN215
 permit tcp any 172.16.215.0 0.0.0.255 eq www
!

ip tcp intercept list WEB_VLAN215
ip tcp intercept max-incomplete low 3000
ip tcp intercept max-incomplete high 4000
ip tcp intercept one-minute low 300
ip tcp intercept one-minute high 400
ip tcp intercept mode watch

!

Verification:
show tcp intercept connections
show tcp intercept statistics
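The four thresholds in the R3 config form a hysteresis loop: the router enters aggressive mode when a high value is exceeded and leaves it only after the count has fallen below the corresponding low value, which keeps it from flapping around a single threshold. The Python model below is an added example written for this page, not IOS code; it follows the IOS documentation wording (aggressive mode is entered when either the half-open count or the one-minute rate exceeds its high value, and left when both are below their low values) and assumes strict comparisons. The InterceptWatch name and the SAMPLES series are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class InterceptWatch:
    """Hysteresis between normal and aggressive mode, using the Lab 220 thresholds.

    Assumption (from the IOS documentation wording): aggressive mode starts when either
    value *exceeds* its high threshold and ends when *both* are below their low thresholds.
    """
    max_incomplete_low: int = 3000
    max_incomplete_high: int = 4000
    one_minute_low: int = 300
    one_minute_high: int = 400
    aggressive: bool = False
    transitions: list = field(default_factory=list)

    def observe(self, t, half_open, per_minute):
        """Feed one sample (time, half-open connections, new connections per minute)."""
        if not self.aggressive and (half_open > self.max_incomplete_high
                                    or per_minute > self.one_minute_high):
            self.aggressive = True
            self.transitions.append((t, "enter aggressive mode"))
        elif self.aggressive and (half_open < self.max_incomplete_low
                                  and per_minute < self.one_minute_low):
            self.aggressive = False
            self.transitions.append((t, "leave aggressive mode"))
        return self.aggressive


# Constructed sample: (seconds, half-open connections, new connections in the last minute)
SAMPLES = [
    (0, 100, 50),
    (10, 4000, 200),   # at the high value, not above it: still normal
    (20, 4001, 200),   # exceeds 4000 half-open: aggressive
    (30, 3500, 100),   # between low and high: stays aggressive (hysteresis)
    (40, 2999, 100),   # below both low values: back to normal
    (50, 500, 401),    # the rate alone exceeds 400/min: aggressive again
    (60, 500, 299),    # rate below 300 and half-open below 3000: normal
]


def simulate(samples=SAMPLES, **thresholds):
    """Return the mode after each sample plus the list of transitions."""
    state = InterceptWatch(**thresholds)
    modes = [(t, state.observe(t, h, m)) for t, h, m in samples]
    return modes, state.transitions


if __name__ == "__main__":
    for t, mode in simulate()[0]:
        print(f"t={t:3}s aggressive={mode}")
```

In watch mode the router is not a proxy: it only resets half-open connections that do not complete within the watch timeout, and aggressive mode is what makes that reaction harsher while the thresholds stay exceeded. The show tcp intercept statistics output is where the current mode and the counters behind these samples can be read on a real router.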

Lab 219 - Reflexive ACL

March 12, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destinations behind R3. Use a static route on BB1 to accomplish the task.

Task 2
Configure R3 so that traffic sent from BB1 (any source address) to any subnet behind R3 is blocked, except for traceroute. Traffic originated by the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

Solution

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destinations behind R3. Use a static route on BB1 to accomplish the task.

BB1 Config:
!
ip route 10.0.0.0 255.255.0.0 203.0.113.3
ip route 172.16.0.0 255.255.0.0 203.0.113.3

!
! For testing purposes, let's enable the HTTP server on BB1.
ip http server
!

R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
 redistribute static
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!

interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 speed 100
 full-duplex

!


Verification:

Pic. 2 - BB1 Connectivity towards 172.16.x.0/24 and 10.0.x.0/24.


Task 2
Configure R3 so that traffic sent from BB1 (any source address) to any subnet behind R3 is blocked, except for traceroute. Traffic originated by the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

R1 Config:
!
ip access-list extended OUTBOUND
 permit ip 172.16.0.0 0.0.255.255 any reflect ALLOW_THIS_IN
 permit ip 10.0.0.0 0.0.255.255 any reflect ALLOW_THIS_IN

!
ip access-list extended INBOUND
 evaluate ALLOW_THIS_IN

 permit udp any 172.16.0.0 0.0.255.255 gt 33433
 permit udp any 10.0.0.0 0.0.255.255 gt 33433
!



Verification:

Pic. 3 - Traffic from the INSIDE towards BB1.
 
Pic. 4 - Stateful Entry Created on R3.

Pic. 5 - Traffic Originated from BB1 towards our INSIDE subnets.
NOTE!
Traceroute in Cisco IOS sends UDP datagrams starting at port 33434, with a maximum TTL of 30 hops.

Lab 218 - Dynamic ACL (Lock-and-Key)

March 11, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On R2 configure an ACL which allows the user Jimmy, with the password CISCO123, to access the web server on R1 (or any other web server behind R2) if the authentication is initiated from VLAN 27. R2 should use Telnet access as the authentication method. All other traffic should be allowed.

Solution

Task 1
On R2 configure an ACL which allows the user Jimmy, with the password CISCO123, to access the web server on R1 (or any other web server behind R2) if the authentication is initiated from VLAN 27. R2 should use Telnet access as the authentication method. All other traffic should be allowed.
R1 Config:
!
ip http server
!

R2 Config:
!
username Jimmy password CISCO123
!
access-list 100 permit tcp 172.16.27.0 0.0.0.255 host 172.16.27.2 eq 23
access-list 100 dynamic DYN_ACL permit tcp any any eq 80
access-list 100 deny tcp any any eq 80
access-list 100 permit ip any any
!
int f0/0
 ip access-group 100 in
!
line vty 0 4
 login local
 autocommand access-enable
!

Verification:

Pic. 2 - Accessing Web Server on R1 without Authentication (ACL applied).

Pic. 3 - Accessing Web Server on R1 with Authentication (ACL applied)

Pic. 4 - Dynamic ACL Entry Created Above Deny DPORT 80.
  
Remove the configuration created in this lab.

Lab 217 - ACL Complex Matching

March 04, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Solution

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

SW1 Config:
!
int Lo1
ip address 182.17.77.7 255.255.255.0
!
int Lo2
ip address 182.81.77.7 255.255.255.0
!
int Lo3
ip address 190.17.73.7 255.255.255.0
!
int Lo4
ip address 190.81.73.7 255.255.255.0
!
int Lo5
ip address 190.81.77.7 255.255.255.0
!
int Lo6
ip address 182.17.73.7 255.255.255.0
!
int Lo7
ip address 182.81.73.7 255.255.255.0
!
int Lo8
ip address 190.17.77.7 255.255.255.0
!

router eigrp 1
 network 10.0.7.7 0.0.0.0
 network 172.16.27.7 0.0.0.0
 network 182.0.0.0 0.255.255.255
 network 190.0.0.0 0.255.255.255
 no auto-summary
!


Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Pic. 2 - Routing Table of R1 (loopbacks advertised).
R1 Config:
!
access-list 100 deny ip 10.0.5.0 0.0.0.255 182.17.73.0 8.64.4.255
access-list 100 permit ip any any

!
interface FastEthernet0/1
 ip address 172.16.215.1 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!



Explanation:

Group octets 1-3 of the eight subnets and find the bits that change between them: those bits get a 1 (ignore) in the wildcard mask, while the bits that never change get a 0 (must match).

Pic. 3 - Wildcard Mask.


Lab 216 - ACL Matching Even Network Numbers

March 03, 2013
Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On R5 configure loopback interfaces with the following addresses:
  • Lo1: 150.1.20.5/24
  • Lo2: 150.1.21.5/24
  • Lo3: 150.1.22.5/24
  • Lo4: 150.1.23.5/24
Advertise the subnets into EIGRP AS 1.

Task 2
For security reasons, configure EIGRP update filtering on R2 so that it accepts only the odd subnets configured on R5 in Task 1. Use a standard ACL to match the interesting subnets, using the fewest lines possible.

Solution


Task 1
On R5 configure loopback interfaces with the following addresses:
  • Lo1: 150.1.20.5/24
  • Lo2: 150.1.21.5/24
  • Lo3: 150.1.22.5/24
  • Lo4: 150.1.23.5/24
Advertise the subnets into EIGRP AS 1.

R5 Config:
!
interface Loopback1
 ip address 150.1.20.5 255.255.255.0
!
interface Loopback2
 ip address 150.1.21.5 255.255.255.0
!
interface Loopback3
 ip address 150.1.22.5 255.255.255.0
!
interface Loopback4
 ip address 150.1.23.5 255.255.255.0
!
router eigrp 1
 network 10.0.5.5 0.0.0.0
 network 150.1.0.0
 network 172.16.215.5 0.0.0.0
 no auto-summary
!


Task 2
For security reasons, configure EIGRP update filtering on R2 so that it accepts only the odd subnets configured on R5 in Task 1. Use a standard ACL to match the interesting subnets, using the fewest lines possible.


Pic. 2 - Routing Table on R2 Before Filtering.

R2 Config:
!
access-list 5 deny   150.1.20.0 0.0.2.0
access-list 5 permit any
!

router eigrp 1
 network 10.0.2.2 0.0.0.0
 network 172.16.27.2 0.0.0.0
 network 172.16.123.2 0.0.0.0
 distribute-list 5 in Serial0/0
 no auto-summary
!


Verification:
Pic. 3 - Routing Table on R2 After Filtering.


Explanation:
20 - 00010100
22 - 00010110

The bit with value 2 is the only one that changes between 20 and 22. It should be masked with 1 (ignore). All the remaining bits do not change, so they should be masked with 0 (check).
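The wildcard derivation in this lab and in Lab 217 (where 8.64.4.255 covers all eight SW1 loopbacks) is the same procedure: OR together the bits that differ between the prefixes, write those as 1 in the wildcard, and use the common bits as the base address. The Python below is an added example for this page, not the blog's or Cisco's code; it derives the mask from a list of subnets, checks addresses against it the way IOS does, and expands a (base, wildcard) pair back into the networks it really covers, which is how to catch a mask that admits more than intended. The function names and the addresses 150.1.21.0 and 10.0.5.7 used in the checks are constructed; the subnet lists come from Tasks 1 of Labs 216 and 217.

```python
import ipaddress
from itertools import product

# Subnets from Lab 217 Task 1 (SW1 loopbacks) and the even subnets from Lab 216 Task 1.
LAB217_SUBNETS = ["182.17.77.0/24", "182.81.77.0/24", "190.17.73.0/24", "190.81.73.0/24",
                  "190.81.77.0/24", "182.17.73.0/24", "182.81.73.0/24", "190.17.77.0/24"]
LAB216_EVEN = ["150.1.20.0/32", "150.1.22.0/32"]  # /32: a distribute-list matches the prefix itself


def wildcard_for(subnets):
    """Return (base, wildcard) covering every subnet; 1 bits in the wildcard are ignored."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    first = int(nets[0].network_address)
    changing = 0
    for n in nets:
        changing |= first ^ int(n.network_address)  # bits that differ between the prefixes
        changing |= int(n.hostmask)                 # host bits never matter
    base = first & ~changing & 0xFFFFFFFF           # changing bits are written as 0
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(changing))


def acl_matches(addr, base, wildcard):
    """IOS comparison: only the bits where the wildcard is 0 must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def expand(base, wildcard, prefixlen):
    """Every /prefixlen network the pair matches, i.e. what the ACL line really covers."""
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))
    host = (1 << (32 - prefixlen)) - 1
    bits = [1 << i for i in range(32 - prefixlen, 32) if w & (1 << i)]
    nets = []
    for combo in product((0, 1), repeat=len(bits)):
        v = (b & ~host) & 0xFFFFFFFF
        for on, bit in zip(combo, bits):
            if on:
                v |= bit
        nets.append(str(ipaddress.IPv4Network((v, prefixlen))))
    return sorted(nets)


def overmatch(subnets, prefixlen):
    """Networks the derived wildcard admits that were not in the wanted list."""
    base, wc = wildcard_for(subnets)
    return sorted(set(expand(base, wc, prefixlen)) - set(subnets))


if __name__ == "__main__":
    print("Lab 217:", wildcard_for(LAB217_SUBNETS), "overmatch:", overmatch(LAB217_SUBNETS, 24))
    print("Lab 216:", wildcard_for(LAB216_EVEN), "overmatch:", overmatch(LAB216_EVEN, 32))
```

For the eight Lab 217 loopbacks the three changing bits expand to exactly eight networks, so the single deny line over-matches nothing; with only two of those loopbacks in the list the same procedure still yields a three-bit wildcard that admits six unwanted networks, which is the check to run before trusting a compressed ACL line.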

After verification, remove ACL configured in Task 2.

Lab 215 - Extended ACL Established

February 17, 2013
Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
On BB1 enable static routing towards the 172.16.0.0 subnets using R3 as the gateway. Create a Loopback0 address on BB2 with the address 10.101.101.254/24. Ensure R3 is the gateway of last resort for EIGRP AS 1. You can use a static route to accomplish the task.

Task 2
Configure an extended ACL on R3 allowing all TCP traffic from EIGRP AS 1 to reach 10.100.100.0/24 only if it was originated from EIGRP AS 1.

Solution


Task 1
On BB1 enable static routing towards the 172.16.0.0 subnets using R3 as the gateway. Create a Loopback0 address on BB2 with the address 10.101.101.254/24. Ensure R3 is the gateway of last resort for EIGRP AS 1. You can use a static route to accomplish the task.

BB1 Config:
!
interface Loopback0
 ip address 10.101.101.254 255.255.255.0
!

ip route 172.16.0.0 255.255.0.0 203.0.113.3
!

R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!



Verification:
Pic. 2 - Ping/Traceroute Test.
 
Task 2
Configure an extended ACL on R3 allowing all TCP traffic from EIGRP AS 1 to reach 10.100.100.0/24 only if it was originated from EIGRP AS 1.

R3 Config:
!
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
!
interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!


Verification:
Pic. 3 - TCP Traffic Originated From EIGRP AS 1.

Pic. 4 - Traffic Originated Outside EIGRP AS 1.
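The established keyword used here and the reflexive ACL of Lab 219 solve the same problem (let replies in, keep unsolicited connections out) with different amounts of state: established is stateless and only checks whether the TCP ACK or RST bit is set, whereas a reflexive ACL creates a mirrored entry per outbound session and evaluates it on the way in. The Python model below is an added example for this page, not the blog's or Cisco's code; it encodes the Lab 215 access-list 100 and the Lab 219 OUTBOUND/INBOUND pair and runs constructed packets through both so the difference is visible. The Pkt, established_acl and ReflexiveAcl names are invented, and 203.0.113.254 is a constructed outside address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def in_net(addr, net):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)


INSIDE_NETS = ("172.16.0.0/16", "10.0.0.0/16")   # the subnets behind R3 in these labs


def established_acl(pkt):
    """Lab 215: 'access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established'.
    The keyword is stateless: it only asks whether ACK or RST is set in the TCP header."""
    if pkt.proto == "tcp" and in_net(pkt.dst, "172.16.0.0/16") and pkt.flags & {"ACK", "RST"}:
        return "permit"
    return "deny"          # implicit deny at the end of every ACL


class ReflexiveAcl:
    """Lab 219: OUTBOUND creates mirrored entries, INBOUND evaluates them (toy model)."""

    def __init__(self):
        self.allow_this_in = set()   # (src, dst, proto, sport, dport) mirrored from outbound packets

    def outbound(self, pkt):
        if any(in_net(pkt.src, n) for n in INSIDE_NETS):
            # 'reflect ALLOW_THIS_IN': swap addresses and ports so only the reply matches
            self.allow_this_in.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
            return "permit"
        return "deny"

    def inbound(self, pkt):
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.allow_this_in:
            return "permit"     # 'evaluate ALLOW_THIS_IN'
        if pkt.proto == "udp" and pkt.dport > 33433 and any(in_net(pkt.dst, n) for n in INSIDE_NETS):
            return "permit"     # traceroute probes (UDP ports from 33434 upward)
        return "deny"


def compare():
    """Constructed packets: 203.0.113.254 plays an outside host, 172.16.27.7 is SW1."""
    outside, sw1 = "203.0.113.254", "172.16.27.7"
    syn_in = Pkt(outside, sw1, "tcp", 40000, 80, frozenset({"SYN"}))
    bare_ack_in = Pkt(outside, sw1, "tcp", 40000, 22, frozenset({"ACK"}))   # no session behind it
    syn_out = Pkt(sw1, outside, "tcp", 40000, 80, frozenset({"SYN"}))
    synack_in = Pkt(outside, sw1, "tcp", 80, 40000, frozenset({"SYN", "ACK"}))

    r = ReflexiveAcl()
    return {
        "established: unsolicited SYN": established_acl(syn_in),
        "established: unsolicited bare ACK": established_acl(bare_ack_in),
        "reflexive: unsolicited bare ACK": r.inbound(bare_ack_in),
        "reflexive: SYN out": r.outbound(syn_out),
        "reflexive: SYN/ACK back in": r.inbound(synack_in),
        "established: SYN/ACK back in": established_acl(synack_in),
        "reflexive: traceroute probe": r.inbound(Pkt(outside, "10.0.1.1", "udp", 40000, 33434)),
        "reflexive: other UDP": r.inbound(Pkt(outside, "10.0.1.1", "udp", 40000, 33000)),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:36} {verdict}")
```

Both filters stop the unsolicited SYN and both admit the SYN/ACK that answers a connection opened from inside. They differ on a packet that carries ACK without any session behind it: established permits it because the flag alone satisfies the rule, while the reflexive ACL denies it because no mirrored entry exists. That is the reason to prefer reflexive ACLs, CBAC or the zone-based firewall over established where the edge has to carry real state.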

REMOVE the ACL configured in Task 2.


Lab 214 - Extended ACL

February 17, 2013
Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
Enable HTTP service on R5 for testing purposes.

Task 2
On R5 configure an ACL which blocks HTTP traffic from Vlan 27 towards R5's loopback address (10.0.5.5). HTTP traffic from any source towards the 172.16.215.5 destination should be allowed. All other traffic should be allowed as well.

Solution

Task 1
Enable HTTP service on R5 for testing purposes.

R5 Config:
!
ip http server
!


Task 2
On R5 configure an ACL which blocks HTTP traffic from Vlan 27 towards R5's loopback address (10.0.5.5). HTTP traffic from any source towards the 172.16.215.5 destination should be allowed. All other traffic should be allowed as well.

 
R5 Config:
!
access-list 100 deny   tcp 172.16.27.0 0.0.0.255 host 10.0.5.5 eq www
access-list 100 permit ip any any
!

interface FastEthernet0/1
 ip address 172.16.215.5 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!


Verification:
Pic. 2 - Telnet Test.
 

Lab 213 - Standard ACL

February 17, 2013
Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.

Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all the destinations behind R1.

Task 3
Upon successful completion of Task 2, remove the ACL from the router.

Solution

Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.

R1 Config:
!
router eigrp 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary

!


R2 Config:
!
interface Serial0/0
 ip address 172.16.123.2 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 1
 clock rate 2000000
 frame-relay map ip 172.16.123.1 201 broadcast
 frame-relay map ip 172.16.123.2 201
 frame-relay map ip 172.16.123.3 203 broadcast
 no frame-relay inverse-arp
!

router eigrp 1
 network 10.0.2.2 0.0.0.0
 network 172.16.27.2 0.0.0.0
 network 172.16.123.2 0.0.0.0
 no auto-summary

!


R3 Config:
!
router eigrp 1
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary

!


R5 Config:
!
router eigrp 1
 network 10.0.5.5 0.0.0.0
 network 172.16.215.5 0.0.0.0
 no auto-summary

!


SW1 Config:
! The command below is required when using a real L3 switch rather than Dynamips.
ip routing
!
router eigrp 1
 network 10.0.7.7 0.0.0.0
 network 172.16.27.7 0.0.0.0
 no auto-summary

!


SW2 Config:
! The command below is required when using a real L3 switch rather than Dynamips.
ip routing
!
router eigrp 1
 network 10.0.8.8 0.0.0.0
 network 172.16.215.8 0.0.0.0
 no auto-summary

!

Verification:
Using a Tcl script on R2 (tclsh enters the shell, tclquit leaves the shell):

foreach address {
10.0.1.1
10.0.2.2
10.0.3.3
10.0.5.5
10.0.7.7
10.0.8.8
} { ping $address }



Pic. 2 - Ping Test.

Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all destinations behind R1.

R1 Config:
!
access-list 1 deny   172.16.27.0 0.0.0.255
access-list 1 permit any

!
interface Serial0/0
 ip address 172.16.123.1 255.255.255.0
 ip access-group 1 in
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 172.16.123.2 102 broadcast
 no frame-relay inverse-arp
!


Verification:
Pic. 3 - Ping Test.
Note!
A ping sourced from Vlan 27 fails, but sourced from SW1's loopback (not in 172.16.27.0) the ping test succeeds.


Task 3
Upon successful completion of Task 2, remove the ACL from the router.

R1 Config:
!
no access-list 1
!
int s0/0
 no ip access-group 1 in
!
