CCNA Exercise Lab 9

7. Apply the access list to the correct interface.

8. Configure an IPX SAP access list that prevents any file service SAP messages other than those from IPX address 45.0000.0000.0001 from leaving the Ethernet 0 network.

Ans- #ip access-list ipxsap
#interface ethernet 0/0
#access-list deny any any
#access-list perit 45.0000.0000.0001 0.0.0.0

9. Apply the IPX SAP access list to the Ethernet interface.

Hands-on Labs

In this section, you will complete three labs. To complete these labs, you will need at least three 2500 series routers, or the RouterSim product.

Lab 9.1: Standard IP Access Lists Lab
9.2: Extended IP Access Lists Lab
9.3: Standard IPX Access Lists
All of the labs will use Figure 9.3 for configuring the routers.

FIGURE 9.3 Access list lab figure

Lab 9.1: Standard IP Access Lists

In this lab, you will allow only Host B from network 172.16.30.0 to enter network 172.16.10.0.

1. Go to 2501A and enter global configuration mode by typing config t.
2. From global configuration mode, type access-list? to get a list of all the different access lists
3. Choose an access list number that will allow you to create an IP standard access This is a number between 1 and 99.
4. Choose to permit host 172.16.30.2:
   

   2501A(config)#access-list 10 permit 172.16.30.2?
   A.B.C.D Wildcard bits
   
   To specify only host 172.16.30.2, use the wildcards 0.0.0.0:
   RouterA(config)#access-list 10 permit 172.16.30.2
   0.0.0.0

5. Now that the access list is created, you must apply it to an interface to make it work:
   2501A(config)#int e0
   2501A(config-if)#ip access-group 10 out
6. Verify your access lists with the following commands:
   RouterA#sh access-list
   Standard IP access list 10 permit 172.16.30.2
   RouterA#sh run
   
   -cut-
   interface Ethernet0
   ip address 172.16.10.1 255.255.255.0
   ip access-group 10 out ipx network 10A
7. Test your access list by pinging from Host B (172.16.30.2) to Host A (172.16.10.2).
8. Ping from 2501B and 2501C to Host A (172.16.10.2); this should fail if your access list is correct.

Lab 9.2: Extended IP Access Lists

In this lab, you will use an extended IP access list to stop host 172.16.10.2 from creating a Telnet session to router 2501B (172.16.20.2). However, the host still should be able to ping the 2501B router. IP extended lists should be placed closest to the source, so add the extended list on router 2501A.

1. Remove any access lists on 2501A and add an extended list to 2501A.
2. Choose a number to create an extended IP list. The IP extended lists use 100–199.
3. Use a deny statement (you’ll add a permit statement in step 7 to allow other traffic to still work).
   2501A(config)#access-list 110 deny?
   < 0-255 > An IP protocol number
   ahp Authentication Header Protocol
   eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload
   gre Cisco's GRE tunneling
   icmp Internet Control Message Protocol
   igmp Internet Gateway Message Protocol
   igrp Cisco's IGRP routing protocol
   ip Any Internet Protocol
   ipinip IP in IP tunneling
   nos KA9Q NOS compatible IP over IP tunneling
   ospf OSPF routing protocol pcp Payload Compression Protocol
   tcp Transmission Control Protocol
   udp User Datagram Protocol
4. Since you are going to deny Telnet, you must choose TCP as a Transport layer protocol:

   2501A(config)#access-list 110 deny tcp?
   A.B.C.D Source address any Any source host
   host A single source host

5. Add the source IP address you want to filter on, then add the destina- tion host IP address. Use the host command instead of wildcard bits.
   2501A(config)#access-list 110 deny tcp host
   172.16.10.2 host 172.16.20.2?
   ack Match on the ACK bit
   eq Match only packets on a given port number
   established Match established connections fin Match on the FIN bit fragments Check fragments
   gt Match only packets with a greater port number
   log Log matches against this entry log-input Log matches against this entry,
   including input interface
   lt Match only packets with a lower port number
   neq Match only packets not on a given port number
   precedence Match packets with given precedence value
   psh Match on the PSH bit
   range Match only packets in the range of port numbers
   rst Match on the RST bit
   syn Match on the SYN bit
   tos Match packets with given TOS value
   urg Match on the URG bit
   
6. At this point, you can add the eq telnet command. The log command can also be used at the end of the command so that whenever the access-list line is hit, a log will be generated on the console.
   2501A(config)#access-list 110 deny tcp host
   172.16.10.2 host 172.16.20.2 eq telnet log
7. It is important to add this line next to create a permit statement.
   2501A(config)#access-list 110 permit ip any 0.0.0.0
   255.255.255.255
8. Apply the access list to the Ethernet 0 on 2501A to stop the Telnet traffic as soon as it hits the first router interface.
   RouterB(config)#int e0
   RouterB(config-if)#ip access-group 110 in
   RouterB(config-if)#^Z
9. From host 172.16.10.2: >telnet 172.16.20.2
   On Router B’s console, this should appear as follows:
   01:11:48: %SEC-6-IPACCESSLOGP: list 110 denied tcp
   172.16.10.2(1030) -> 172.16.20.2(23), 1 packet
   01:13:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp
   172.16.10.2(1030) -> 172.16.20.2(23), 3 packets

Lab 9.3: Standard IPX Access Lists

In this lab, you will configure IPX to allow only IPX traffic from IPX Net- work 30 and not from IPX Network 50.

1. Remove any existing access lists on the 2501A router. Because this is an IPX standard access list, the filtering can be placed anywhere on the network since it can filter based on IPX source and destination IP addresses.
2. Verify that you have the IPX network working as shown in Figure 3. Use the show ipx route command to see all networks on your routers.
3. Configure an access list on 2501A to allow only IPX traffic from Net- work 30 and to deny IPX Network 50. IPX standard lists use the access list numbers 800–899.
   2501A#config t
   RouterC(config)#access-list 810?
   deny Specify packets to reject
   permit Specify packets to permit
4. First, deny IPX Network 50, then permit everything else. The –1 is a wildcard in IPX.
   2501A(config)#access-list 810 deny?
   -1 Any IPX net
   < 0-FFFFFFFF > Source net
   N.H.H.H Source net.host address
5. Choose Network 30 as a source address: 2501A(config)#access-list 810 deny 50
   -1 Any IPX net
   <0-FFFFFFFF>Destination net
   N.H.H.H Destination net.host address
   < cr >
6. Choose Network 10 as the destination network:
   2501A(config)#access-list 810 permit 50 10
7. Permit everything else with an IPX wildcard:
   2501A(config)#access-list 810 permit –1 -1
8. Apply the list to the serial interface of 2501A to stop the packets as they reach the router:
   2501A(config)#int s0
   2501A(config-if)#ipx access-group 810 in
   2501A(config-if)#^Z
9. Verify the list by looking at the IPX routing table. Network 50 should not be in the 2501A IPX routing table. Also, use the show access- list and show ipx access-list commands to vary the list.

Review Questions

1. IP standard access lists use which of the following as a basis for permitting or denying packets?

1. Source address
2. Destination address
3. Protocol
4. Port
5. Ans- A

2. IP extended access lists use which of the following as a basis for per- mitting or denying packets?

1. Source address
2. Destination address
3. Protocol
4. Port
5. All of the above
6. Ans- E

3. To specify all hosts in the Class B IP network 172.16.0.0, which wild- card access list mask would you use?

1. 255.255.0.0
2. 255.255.255.0
3. 0.0.255.255
4. 0.255.255.255
5. 0.0.0.255
6. Ans- C

4. Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list?

1. 172.16.30.55 0.0.0.255
2. 172.16.30.55 0.0.0.0
3. any 172.16.30.55
4. host 172.16.30.55
5. 0.0.0.0 172.16.30.55
6. ip any 172.16.30.55
7. Ans- A

5. Which of the following access lists will allow only WWW traffic into network 196.15.7.0?

1. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
2. access-list 10 deny tcp any 15.7.0 eq www
3. access-list 100 permit 15.7.0 0.0.0.255 eq www
4. access-list 110 permit ip any 15.7.0 0.0.0.255
5. access-list 110 permit www 196.15.7.0 0.0.0.255
6. Ans- C

6. Which of the following commands will show the ports that have IP access lists applied?

1. show ip port
2. show access-list
3. show ip interface
4. show access-list interface
5. show running-config
6. Ans- B

7. What wildcard would you use to filter networks 172.16.16.0 through 172.16.23.0?

1. 172.16.16.0 0.0.0.255
2. 172.16.255.255 255.255.0.0
3. 172.16.0.0 0.0.255.255
4. 172.16.16.0 0.0.8.255
5. 172.16.16.0 0.0.7.255
6. 172.16.16.0 0.0.15.255
7. Ans- E

8. Which of the following is a valid IPX standard access list?

1. access-list 800 permit 30 50
2. access-list 900 permit 30 50
3. access-list permit all 30 50
4. access-list 800 permit 30 50 eq SAP
5. access-list 900 permit –1 50
6. Ans- D

9. What wildcard would you use for the following networks? 172.16.32.0 through 172.16.63.0

1. 172.16.0.0 0.0.0.255
2. 172.16.255.255 0.0.0.0
3. 0.0.0.0 255.255.255.255
4. 172.16.32.0 0.0.0.255
5. 172.16.32.0 0.0.0.31
6. 172.16.32.0 0.0.31.255
7. 172.16.32.0 0.31.255.255
8. 172.16.32.0 0.0.63.255
9. Ans- F

10. Which of the following commands will apply IPX SAP access list 1050 for incoming traffic, assuming you’re already at interface configuration?

1. ipx access-group 1050 in
2. ipx input-sap-filter 1050
3. ipx access-list 1050 in
4. ipx input-sap-filter 1050 in
5. ipx access group1050
6. Ans- D

11. Which of the following commands will show extended access list 187?

1. sh ip int
2. sh ip access-list
3. sh access-list 187
4. sh access-list 187 extended
5. Ans- C

12. What is the IP extended access list range?

1. 1–99
2. 200–299
3. 1000–1999
4. 100–199
5. Ans- D

13. Which of the following commands is valid for creating an extended IP access list?

1. access-list 101 permit ip host 16.30.0 any eq 21
2. access-list 101 permit tcp host 172.16.30.0 any eq 21 log
3. access-list 101 permit icmp host 172.16.30.0 any ftp log
4. access-list 101 permit ip any eq 16.30.0 21 log
5. Ans- A

14. What is the extended IPX access list range?

1. 100–199
2. 900–999
3. 1000–1999
4. 700–799
5. Ans- B

15. What does the –1 mean in an extended IPX access list?

1. Deny this host
2. Deny any network or host
3. Local network only, no hops
4. Any host or any network
5. Ans- D

16. What are three commands you can use to monitor IP access lists?

1. sh int
2. sh ip interface
3. sh run
4. sh access-list
5. Ans- A,B,D

17. Which of the following commands should follow this command? access-list 110 deny tfp any any eq ftp

1. access-list 110 deny ip any any
2. access-list 110 permit tcp any any
3. access-list 110 permit ip any
4. access-list 110 permit ip any 0.0.0.0 255.255.255.255
5. Ans- B

18. Which access configuration allows only traffic from network 172.16.0.0 to enter int s0?

1. Access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 in
2. Access-group 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 out
3. Access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 in
4. Access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 out
5. Ans- C

19. Where should you place standard access lists in a network?

1. On the closest switch
2. Closest to the source
3. Closest to the destination
4. On the Internet
5. Ans- C

20. Where should you place extended access lists in a network?

1. On the closest switch
2. Closest to the source
3. Closest to the destination
4. On the Internet
5. Ans- B