Demonstrate the use of extended access control lists.

Equipment Requirements:
Two Routers
One Switch with two VLANs set, or two switches, or two hubs
Two workstations

Scenario:
We want to create an extended access control list which will prevent telnet access from network 172.32.4.0 to Router-B. The access list should allow all other traffic, including TELNET traffic destined to any other host on the network.

Step 1
Construct the above circuit, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers.
Upon completion of the configuration, can the two workstations communicate?

Step 2
Determine an extended access list which will prevent TELNET traffic originating from subnetwork 172.32.4.0 destined for Router-B. The access list should allow all other traffic, including TELNET traffic destined to any other host on the network. What is the required access list?
Hint: Remember that Router-B has two addresses: E0 has an IP address and S1 has an IP address. Both addresses must be accounted for in the access list.

Step 3
Apply the access list accordingly so that the users on subnet 172.32.4.0 will not have TELNET access to Router-B.
Which router did you apply the access list to?
Why did you apply the access list to this router instead of the other one?

Step 4
Once you have the access list on the router, what command do you use to apply it to a specific port on the router?
On which port did you apply the access list?
Was the access list applied coming in to the port or going out of the port?
Explain your reasons for applying the access list at the location previously specified.

Step 5
Test the access list by TELNETing to Router-B as well as to other devices on the different subnetworks.
Are hosts on subnetwork 172.32.4.0 able to TELNET to any host on subnet 172.32.2.0?
Are hosts on subnetwork 172.32.4.0 able to TELNET to Router-B?

Reflection:
Answer the following questions.
Why is it important to choose the correct wildcard mask for access lists?
Can you selectively add or remove lines from numbered access lists?
Typically, where should extended access lists be placed on a network?
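
Added example (not from the lab handout): a small Python simulator of how an IOS-style extended access list is evaluated, covering the Step 2 list (both Router-B addresses, then a permit for everything else) and the reflection questions on wildcard masks and first-match ordering. Router-B's E0 and S1 addresses are not given in the handout, so 172.32.2.1 and 172.32.3.2 are assumed placeholders consistent with the subnets named.

```python
import ipaddress
from dataclasses import dataclass

TELNET = 23

def ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_from_mask(mask: str) -> str:
    """An ACL wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(ip(mask) ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; 0 bits must match exactly."""
    care = ip(wild) ^ 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: int = 0  # 0 = any destination port

def matches(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.dst_port and e.dst_port != dport:
        return False
    return wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild)

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if matches(e, proto, src, dst, dport):
            return e.action
    return "deny"

# The lab's list: deny telnet from 172.32.4.0/24 to BOTH Router-B addresses
# (E0 and S1 are ASSUMED here as 172.32.2.1 and 172.32.3.2; the handout does
# not give them), then permit everything else so the implicit deny does not
# also drop the routing protocol and all other traffic.
LAB_ACL = [
    Entry("deny", "tcp", "172.32.4.0", "0.0.0.255", "172.32.2.1", "0.0.0.0", TELNET),
    Entry("deny", "tcp", "172.32.4.0", "0.0.0.255", "172.32.3.2", "0.0.0.0", TELNET),
    Entry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
```

Dropping the final permit entry shows why it matters: with only the two deny lines, every packet, including IGRP updates, falls through to the implicit deny.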