Cisco Systems CCNA 2 Phase 4: Access Control Lists

135 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Case Study Copyright © 2004, Cisco Systems, Inc.

Phase 4: Access Control Lists

While testing the network, the team leader discovers that security has not been planned for the

network. If the network configuration were installed as designed, any network user would be

able to access all network devices and workstations.

The team leader asks the technician to add access control lists (ACLs) to the routers. The

team leader has some suggestions for developing the security. Before the ACLs are added,

backup the current router configuration. Also, make sure there is complete connectivity

throughout the network before any of the ACLs are applied.

The following conditions must be taken into consideration when creating the ACLs:

• Workstation 2 and File Server 1 are on the management network. Any device on the

management network can access any other device on the entire network.

• Workstations on Eva and Boaz LANs are not permitted outside of their subnet except

to access File Server 1.

• Each router can telnet to the other routers and access any device on the network.

The team lead asks the technician to write down a short summary of the purpose of each ACL,

the interfaces upon which they will be applied, and the direction of the traffic. Then list the

exact commands that will be used to create and apply the ACLs to the router interfaces.

Before the ACLs are configured on the routers, review each of the following test conditions

and make sure that the ACLs will perform as expected:

Telnet from Boaz to Eva SUCCESSFUL

Telnet from Workstation 4 to Eva BLOCKED

TELNET from Workstation 5 to Boaz BLOCKED

TELNET from Workstation 2 to Boaz SUCCESSFUL

TELNET from Workstation 2 to Eva SUCCESSFUL

Ping from Workstation 5 to File Server 1 SUCCESSFUL

Ping from Workstation 3 to File Server 1 SUCCESSFUL

Ping from Workstation 3 to Workstation 4 SUCCESSFUL

Ping from Workstation 5 to Workstation 6 SUCCESSFUL

Ping from Workstation 3 to Workstation 5 BLOCKED

Ping from Workstation 2 to Workstation 5 SUCCESSFUL

Ping from Workstation 2 to Workstation 3 SUCCESSFUL

Ping from Router Eva to Workstation 3 SUCCESSFUL

Ping from Router Boaz to Workstation 5 SUCCESSFUL

Contents

Main I. Page Page II. Course Overview Target Audience Prerequisites Course Description Course Objectives Lab Requirements Certification Alignment Course Overview Page III. Teaching Guide for Each TI Nomenclature Page Module 1: WANs and Routers 1.1 WANs 1.1.1 Introduction to WANs 1.1.2 Introduction to routers in a WAN 1.1.3 Router LANs and WANs 1.1.4 Role of Routers in a WAN 1.1.5 Academy approach to hands-on labs 1.2 Routers 1.2.1 Introduction to WANs 1.2.2 Router physical characteristics 1.2.3 Router external connections 1.2.4 Management port connections 1.2.5 Console Port Connections 1.2.6 Connecting Router LAN interfaces 1.2.7 Connecting WAN interfaces Module 1 Summary Module 2: Introduction to Routers 2.1 Operating Cisco IOS Software 2.1.1 The purpose of Cisco IOS software 2.1.2 Router user interface 2.1.3 Router user interface modes 2.1.4 Cisco IOS software features 2.1.5 Operation of Cisco IOS software 2.2 Starting a Router 2.2.1 Initial startup of Cisco routers 2.2.2 Router LED indicators 2.2.3 The initial router bootup 2.2.4 Establish a console session 2.2.5 Router login 2.2.6 Keyboard help in the router CLI 2.2.7 Enhanced editing commands 2.2.8 Router command history 2.2.9 Troubleshooting command line errors 2.2.10 The show version command Module 2 Summary Module 3: Configuring a Router Page 3.1 Configure a Router 3.1.1 CLI command modes 3.1.2 Configuring a router name 3.1.3 Configuring router passwords 3.1.4 Examining the show commands 3.1.5 Configuring a serial interface 3.1.6 Making configuration changes 3.1.7 Configuring an Ethernet interface 3.2 Finishing the Configuration 3.2.1 Importance of configuration standards 3.2.2 Interface descriptions 3.2.3 Configuring an interface description 3.2.4 Login banners 3.2.5 Configuring message-of-the-day (MOTD) 3.2.6 Host name resolutions 3.2.7 Configuring host tables 3.2.8 Configuration backup and documentation 3.2.9 Backing up configuration files Page Module 3 Summary Module 4: Learning about Other Devices 4.1 Discovering and Connecting to Neighbors 4.1.1 Introduction to CDP 4.1.2 Information obtained with CDP 4.1.3 Implementation, monitoring, and maintenance of CDP 4.1.4 Creating a network map of the environment 4.1.5 Disabling CDP 4.1.6 Troubleshooting CDP Command Purpose 4.2 Getting Information about Remote Devices 4.2.1 Telnet 4.2.2 Establishing and verifying a Telnet connection 4.2.3 Disconnecting and suspending Telnet sessions 4.2.4 Advanced Telnet operation 4.2.5 Alternative connectivity tests Page 4.2.6 Troubleshooting IP addressing issues Module 4 Summary Module 5: Managing Cisco IOS Software 5.1 Router Boot Sequence and Verification 5.1.1 Stages of the router power-on boot sequence 5.1.2 How a Cisco device locates and loads the Cisco IOS 5.1.3 Using the boot system command 5.1.4 Configuration register 5.1.5 Troubleshooting IOS boot failure 5.2 Managing the Cisco File System 5.2.1 IOS file system overview 5.2.2 IOS naming convention 5.2.3 Managing configuration files using TFTP 5.2.4 Managing configuration files using copy and paste Page 5.2.5 Managing IOS images using TFTP 5.2.6 Managing IOS images using XModem 5.2.7 Environment variables 5.2.8 File system verification Page Module 5 Summary Module 6: Routing and Routing Protocols 6.1 Introduction to Static Routing 6.1.1 Introduction to routing 6.1.2 Static route operation Page 6.1.3 Configuring static routes 6.1.4 Configuring default route forwarding 6.1.5 Verifying static route configuration 6.1.6 Troubleshooting static route configuration Page 6.2 Dynamic Routing Overview 6.2.1 Introduction to routing protocols 6.2.2 Autonomous systems 6.2.3 Purpose of a routing protocol and autonomous systems 6.2.4 Identifying the classes of routing protocols 6.2.5 Distance vector routing protocol features 6.2.6 Link-state routing protocol features 6.3 Routing Protocols Overview 6.3.1 Path determination 6.3.2 Routing configuration 6.3.3 Routing protocols Page Module 6 Summary Module 7: Distance Vector Routing Protocols 7.1. Distance Vector Routing 7.1.1 Distance vector routing updates 7.1.2 Distance vector routing loop issues Page 7.1.3 Defining a maximum count 7.1.4 Eliminating routing loops through split horizon Page 7.1.5 Route poisoning X 7.1.6 Avoiding routing loops with triggered updates 7.1.7 Preventing routing loops with holddown timers 7.2 RIP 7.2.1 RIP routing process 7.2.2 Configuring RIP 7.2.3 Using the ip classless command 7.2.4 Common RIP configuration issues 7.2.5 Verifying RIP configuration 7.2.6 Troubleshooting RIP update issues 7.2.7 Preventing routing updates through an interface 7.2.8 Load Balancing with RIP 7.2.9 Load balancing across multiple paths 7.2.10 Integrating static routes with RIP 7.3 IGRP 7.3.1 IGRP features 7.3.2 IGRP metrics 7.3.3 IGRP routes 7.3.4 IGRP stability features 7.3.5 Configuring IGRP 7.3.6 Migrating from RIP to IGRP 7.3.7 Verifying IGRP Configuration 7.3.8 Troubleshooting IGRP Module 7 Summary Page Module 8: TCP/IP Suite Error and Control Messages 8.1 Overview of TCP/IP Error Message 8.1.1 ICMP 8.1.2 Error reporting and error correction 8.1.3 ICMP message delivery 8.1.4 Unreachable networks 8.1.5 Using ping to test destination reachability 8.1.6 Detecting excessively long routes 8.1.7 Echo messages 8.1.8 Destination unreachable message 8.1.9 Miscellaneous error reporting 8.2 TCP/IP Suite Control Messages 8.2.1 Introduction to control messages 8.2.2 ICMP redirect/change requests 8.2.3 Clock synchronization and transit time estimation 8.2.4 Information requests and reply message formats 8.2.5 Address mask requests 8.2.6 Router discovery message 8.2.7 Router solicitation message 8.2.8 Congestion and flow control messages Module 8 Summary Module 9: Basic Router Troubleshooting 9.1 Examining the Routing Table 9.1.1 The show ip route command 9.1.2 Determining the gateway of last resort 9.1.3 Determining route source and destination 9.1.4 Determining L2 and L3 addresses 9.1.5 Determining route administrative distance 9.1.6 Determining the route metric 9.1.7 Determining the route next hop 9.1.8 Determining the last routing update 9.1.9 Observing multiple paths to destination 9.2 Network Testing 9.2.1 Introduction to network testing 9.2.2 Using a structured approach to troubleshooting 9.2.3 Testing by OSI layers 9.2.4 Layer 1 troubleshooting using indicators 9.2.5 Layer 3 troubleshooting using ping 9.2.6 Layer 7 troubleshooting using Telnet 9.3 Troubleshooting Router Issues Overview 9.3.1 Troubleshooting Layer 1 using show interfaces 9.3.2 Troubleshooting Layer 2 using the show interfaces 9.3.3 Troubleshooting using show cdp 9.3.4 Troubleshooting using traceroute 9.3.5 Troubleshooting routing issues 9.3.6 Troubleshooting using show controllers 9.3.7 Introduction to debug Module 9 Summary Module 10: Intermediate TCP/IP 10.1 TCP Operation 10.1.1 TCP operation 10.1.2 Synchronization or three-way handshake 10.1.3 Denial of service attacks 10.1.4 Windowing and window size 10.1.5 Sequencing numbers 10.1.6 Positive acknowledgements 10.1.7 UDP operation 10.2 Overview of Transport Layer Ports 10.2.1 Multiple conversations between hosts 10.2.2 Ports for services 10.2.3 Ports for clients 10.2.4 Port numbering and well known port numbers 10.2.5 Example of multiple sessions between hosts 10.2.6 Comparison of MAC addresses, IP addresses, and port numbers Module 10 Summary Module 11: Access Control List (ACLs) Overview 11.1 Access Control List Fundamentals 11.1.1 Introduction to ACLs 11.1.2 How ACLs work 11.1.3 Creating ACLs Page 11.1.4 The function of a wildcard mask 11.1.5 Verifying ACLs 11.2 Access Control Lists (ACLs) 11.2.1 Standard ACLs 11.2.2 Extended ACLs 11.2.3 Named ACLs 11.2.4 Placing ACLs 11.2.5 Firewalls 11.2.6 Restricting virtual terminal access Module 11 Summary IV. Case Study Overview and Objectives Scenario and Phase 1: Project Description Page Phase 3: Basic Router and Workstation Configuration Page Phase 4: Access Control Lists Phase 5: Documenting the Network Case Study Deliverables General Documentation: Technical Documentation: Page Case Study Instructor Notes Phase 1: Project Description Phase 2: IP Addressing Phase 3: Basic Router and Workstation Configuration Phase 4: Access Control Lists Phase 5: Documenting the Network Optional Case Study Instructor Sample Outputs Phase 5: Documenting the Network Sample outputs Boaz (2500) Configuration Management documentation Boaz (2500) Page Page Security Management documentation Boaz (2500) Page Phase 5: Documenting the Network Sample outputs Centre (2500) Configuration Management documentation Page Page Security Management documentation Centre (2500) Page Phase 5: Documenting the Network Sample outputs Eva (2500) Configuration Management documentation Eva (2500) Page Page Security Management documentation Eva (2500) Page Page Appendix A: Cisco Online Tools and Utilities 1 Output Interpreter Page Page Page Page Page Page Page 9 TAC Advanced Search Appendix B: Instructional Best Practices B.1 Definition of Best Practices B.1.1 What is meant by best practices? Page Page Page B.1.4 TIMSS report B.1.5 Student-centered learning B.1.6 Multiple intelligences Page Page Page Page Page B.2 Lab-Centric Instruction B.2.1 CCNA labs Page B.2.2 CCNP labs Page B.2.3 NETLAB Page B.2.4 Simulations B.2.5 Sponsored curriculum labs Page Page Page Page Page Page B.2.7 Troubleshooting Page B.3 Project-based Instruction B.3.1 Challenges and projects Page B.3.2 Design activities Page B.3.3 Brainstorming Page B.3.4 Case studies Page B.3.5 Web research B.4 Instructional Strategies B.4.1 Instructor-led classrooms Page B.4.2 Self-paced instruction B.4.3 Cooperative/collaborative work Page Page B.4.4 Jigsaws B.4.5 Ask the right questions Page B.4.6 PMI Page Page Page Page Page Page Page Page B.4.8 Setting goals Page Page B.5 Assessment Strategies B.5.1 Review strategies B.5.2 Journals and reflection Page Page B.5.3 Rubrics Page B.5.4 Portfolio Page Page B.5.6 Lab exams Page B.5.7 Six lenses