
1. The network of a company is shown in figure 1. The company has a network of two PCs located on the 201.205.84.0 network.

The network connects to router 2, located on the 192.168.1.0 network. In the present setup no ACL is configured, and information can travel unrestricted between the PCs.

a. Configure the network and the routers so that PC1 and PC2 can ping Router 2. Next, configure router 2 so that PC1 and PC2 can telnet to it with Username: telnet, Password: Troy.

b. Configure the ACL on router 1 so that PC1 can ping router 2, while allowing only PC2 to telnet to Joker. We will achieve this by creating three ACLs. The first one allows PC1 to ping router 2, by allowing ICMP packets to pass from FE1 to FE0. The second one allows PC2 to telnet to router 2, by allowing TCP telnet packets from FE1 to FE0. Finally, the third one denies any traffic that comes from FE1 to FE0. You may get confused wondering how the other two can operate if the third ACL denies all traffic. It is pretty simple: when a packet is filtered through an ACL, the router checks the ACLs in the order they were created, one by one, and if a match is found, the checking process stops and the packet can go through. In this way, the ACL that denies all traffic comes into play only if the two other ACLs were not matched beforehand.

c. Configure the ACL on router 1 so that PC1 and PC2 can ping the web server, but only PC1 can access the webpage of the server.

2. The test bed is built as shown in figure 2. Complete the following tasks:
Asignment 6 Page 1

a. Configure a hostname of Sw1 on your lab switch, and the hostname R1 on the router as illustrated in the topology.

b. Create VLAN 10 on switch Sw1 and assign port FastEthernet0/2 to this VLAN as an access port.

c. Configure IP address 10.0.0.1/30 on router R1's FastEthernet0/0 interface, and IP address 10.0.0.2/30 in switch Sw2's VLAN 10 interface. Verify that R1 can ping Sw1 and vice versa.

d. Configure port security on port FastEthernet0/2 on switch Sw1 so that only 1 MAC address is allowed to be learned on that interface. In the event of port security configuration violations, where more than 1 MAC address is observed on that interface, the switch should shut the interface down. Verify your configuration with port security commands in Cisco IOS.

Exercise 1
a. Network configuration
Router 1

Router1> enable
Router1# configure terminal
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 201.205.84.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# router rip
Router1(config-router)# version 2
Router1(config-router)# network 192.168.1.0
Router1(config-router)# network 201.205.84.0
Router1(config-router)# no auto-summary
Router1(config-router)# exit

Router 2

Router2> enable
Router2# configure terminal
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# no shutdown
Router2(config-if)# exit
Router2(config)# router rip
Router2(config-router)# version 2
Router2(config-router)# network 192.168.1.0
Router2(config-router)# no auto-summary
Router2(config-router)# exit

After this configuration, pings from PC1 and PC2 to Router 2 succeed.


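Configuration on Router 2 so that it can be reached by telnet with username telnet and password Troy:

! The password is case-sensitive, so it is entered as Troy
Router2(config)#username telnet password Troy
Router2(config)#line vty 0 4
! Authenticate vty logins against the local username database
Router2(config-line)#login local
Router2(config-line)#exit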

b. Access list
Configure ACLs on R1:
PC1 can ping R2 but cannot telnet to it.
PC2 can telnet to R2 but cannot ping it.

Configuration on R1

Router1(config)#ip access-list extended 1b
! PC1 (201.205.84.15) may ping R2
Router1(config-ext-nacl)#permit icmp 201.205.84.15 0.0.0.0 192.168.1.3 0.0.0.0
! PC2 (201.205.84.12) may telnet to R2
Router1(config-ext-nacl)#permit tcp 201.205.84.12 0.0.0.0 192.168.1.3 0.0.0.0 eq telnet
! Everything else from the PC network to R2 is dropped
Router1(config-ext-nacl)#deny ip 201.205.84.0 0.0.0.255 192.168.1.3 0.0.0.0
Router1(config-ext-nacl)#exit
Router1(config)#interface fastEthernet0/1
Router1(config-if)#ip access-group 1b in
Router1(config-if)#int fa0/0
Router1(config-if)#ip access-group 1b out
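The first-match evaluation that task 1b relies on can be checked offline. The following is an added example, not part of the original assignment: a small Python model of the three intended entries, showing which entry decides each test flow and what happens when the broad deny is placed first. The function names are this example's own; PC1 = 201.205.84.15 and PC2 = 201.205.84.12 are inferred from task 1c, and telnet is taken as TCP port 23.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Constructed model of ACL 1b, in configured order:
# (action, protocol, source, source wildcard, destination, dest wildcard, dest port)
# Assumption: PC1 = .15 and PC2 = .12, as the entries in task 1c suggest.
ACL_1B = [
    ("permit", "icmp", "201.205.84.15", "0.0.0.0",   "192.168.1.3", "0.0.0.0", None),
    ("permit", "tcp",  "201.205.84.12", "0.0.0.0",   "192.168.1.3", "0.0.0.0", 23),
    ("deny",   "ip",   "201.205.84.0",  "0.0.0.255", "192.168.1.3", "0.0.0.0", None),
]
PC1, PC2, R2 = "201.205.84.15", "201.205.84.12", "192.168.1.3"

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry index); index None means the implicit deny."""
    for i, (action, p, s, s_wc, d, d_wc, port) in enumerate(acl):
        if p not in ("ip", proto):
            continue                      # protocol differs ("ip" matches any)
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        return action, i                  # first match wins, checking stops here
    return "deny", None                   # nothing matched: implicit deny

def lab_results(acl):
    """Evaluate the four test flows of task 1b against an ACL."""
    return {
        "PC1 ping R2":   evaluate(acl, "icmp", PC1, R2),
        "PC1 telnet R2": evaluate(acl, "tcp", PC1, R2, 23),
        "PC2 ping R2":   evaluate(acl, "icmp", PC2, R2),
        "PC2 telnet R2": evaluate(acl, "tcp", PC2, R2, 23),
    }

if __name__ == "__main__":
    for flow, verdict in lab_results(ACL_1B).items():
        print(f"{flow:14} -> {verdict}")
    # Same entries with the broad deny moved first: it shadows both permits.
    misordered = [ACL_1B[2], ACL_1B[0], ACL_1B[1]]
    for flow, verdict in lab_results(misordered).items():
        print(f"{flow:14} -> {verdict} (deny placed first)")
```

The index in each verdict is the position of the entry that decided the packet, which is the same information the per-entry match counters in `show access-lists` give on the router.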

Results for [PC1] (and [PC2], respectively).

c. Configure ACLs on R1
[PC1] can ping the web server and access the web page on this server.
[PC2] can ping the web server but cannot access the web page on this server.

The ACLs to create:

permit icmp host 201.205.84.15 host 192.168.1.4 (16 match(es))
permit icmp host 201.205.84.12 host 192.168.1.4 (8 match(es))
permit tcp host 201.205.84.15 host 192.168.1.4 (12 match(es))
deny ip 201.205.84.0 0.0.0.255 host 192.168.1.4 (12 match(es))

Configuration on R1

! Remove ACL 1b from both interfaces first
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no ip access-group 1b out
Router1(config-if)#interface fastEthernet0/1
Router1(config-if)#no ip access-group 1b in
Router1(config-if)#exit
Router1(config)#ip access-list extended 1c
Router1(config-ext-nacl)#permit icmp 201.205.84.15 0.0.0.0 192.168.1.4 0.0.0.0
Router1(config-ext-nacl)#permit icmp 201.205.84.12 0.0.0.0 192.168.1.4 0.0.0.0
Router1(config-ext-nacl)#permit tcp 201.205.84.15 0.0.0.0 192.168.1.4 0.0.0.0
! Last entry is the deny from the list above, not a second permit
Router1(config-ext-nacl)#deny ip 201.205.84.0 0.0.0.255 192.168.1.4 0.0.0.0
Router1(config-ext-nacl)#exit
! ACL 1c takes effect only once it is bound to an interface with ip access-group, as 1b was

Result [PC1]


[PC2]


a. Rename the switch to SW1 and the router to R1.

Router1>enable
Router1#configure terminal
Router1(config)#hostname R1
R1(config)#

Switch1>enable
Switch1#configure terminal
Switch1(config)#hostname SW1
SW1(config)#

b. Create VLAN 10 on SW1 with FastEthernet0/2 as its access port.

SW1(config)#vlan 10
! Name the VLAN (the hostname command would rename the switch instead)
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
SW1(config)#interface fa0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#no shutdown
SW1(config-if)#exit

Check the result with:

SW1# show vlan brief

Checking the VLANs on SW1

c. Assign address 10.0.0.1/30 to Fa0/0 of R1 and 10.0.0.2/30 to the VLAN interface.

R1(config)#interface fa0/0
R1(config-if)#no shutdown
! A /30 prefix is mask 255.255.255.252
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#exit

SW1(config)#interface vlan 10
SW1(config-if)#ip address 10.0.0.2 255.255.255.252
SW1(config-if)#no shutdown
SW1(config-if)#exit

Verify that R1 can ping VLAN 10 and vice versa.

! 10.0.0.2 is the address of SW1's VLAN 10 interface
R1>ping 10.0.0.2

Result

d. Configure port security on Fa0/2 of SW1. Allow only a single MAC address (any one) on Fa0/2; if another MAC address appears, shut the port down immediately.

SW1(config)#int fa0/2
! Enable port security (the port is already an access port from task b)
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# switchport port-security maximum 1
! Learn the first MAC address seen and keep it in the running configuration
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)#exit

Verification

Disconnect the cable between R1 and SW1, and connect a PC to port Fa0/2 of SW1.

When pinging from [PC] to VLAN 10, the port is immediately shut down.

To recover, go into interface Fa0/2 and issue shutdown followed by no shutdown; the port comes back up, but the port-security configuration is still retained, meaning that SW1 accepts the MAC address of [PC1] as the valid MAC address.
