Lab Topology
The topology diagram below represents the NetMap in the Simulator. The topology in this lab consists of
a LAN that has two switches connected by a trunk link. Each switch has two PC hosts connected. VLANs
have been implemented on both switches. The VLANs are used to create separate networks with two PC
hosts in each VLAN. A router connected to one of the switches handles interVLAN routing.
[Topology diagram: Router1 Fa0/0 connects to Switch1 Fa0/1; Switch1 Fa0/2 connects over a trunk link to Switch2 Fa0/1; the PC hosts connect to Fa0/3 and Fa0/4 on Switch1 and on Switch2.]
Command Summary

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    Defines an extended IP ACL for the traffic type specified by the protocol parameter.
configure terminal
    Enters global configuration mode from privileged EXEC mode.
enable
    Enters privileged EXEC mode.
end
    Ends and exits configuration mode.
exit
    Exits one level in the menu structure.
interface type number
    Changes from global configuration mode to interface configuration mode.
ip access-group {access-list-number | access-list-name} {in | out}
    Controls access to an interface.
ip address ip-address subnet-mask
    Assigns an IP address to an interface.
ipconfig /all
    Used in NetSim to display the IP addresses and Media Access Control (MAC) address on a workstation.
The IP addresses and subnet masks used in this lab are shown in the tables below:
IP Addresses

Device    Interface              IP Address      Subnet Mask
Router1   FastEthernet 0/0       192.168.100.1   255.255.255.0
Router1   FastEthernet 0/0.11    192.168.101.1   255.255.255.0
Router1   FastEthernet 0/0.22    192.168.102.1   255.255.255.0
Switch1   VLAN 1                 192.168.100.2   255.255.255.0
Switch2   VLAN 1                 192.168.100.3   255.255.255.0
Lab Tasks
All configuration passwords have been configured as cisco.
3. From PC1, attempt to ping PC3 (192.168.101.13). Is the ping successful? Why or why not? ______
______________________________________________________________________________
2. What are some differences between standard ACLs and extended ACLs? ____________________
______________________________________________________________________________
3. What are the numeric ID ranges for standard ACLs? What are the numeric ID ranges for extended
ACLs? ________________________________________________________________________
______________________________________________________________________________
4. Can access lists consist of multiple access list statements? In what order are these statements
evaluated? _____________________________________________________________________
______________________________________________________________________________
3. When PC1 sends traffic to PC2, which device on the network is responsible for moving this traffic
between networks? ______________________________________________________________
4. When PC1 sends traffic to PC4, which device on the network is responsible for moving this traffic
between networks? ______________________________________________________________
2. In order to accomplish the objective, how many extended ACLs will you need to create on the device
you noted in step 1? What is the purpose of each ACL? __________________________________
3. On the device you noted in step 1, create an entry for ACL number 111 that allows Ping traffic from
PC1 to reach any host on VLAN 22.
4. On the device you noted in step 1, create an entry for ACL 111 that allows Telnet traffic from PC1 to
reach any host on VLAN 22.
5. On the device you noted in step 1, create an entry for ACL 111 that denies any traffic other than
Telnet and Ping traffic from VLAN 11 to VLAN 22.
6. On the device you noted in step 1, create an entry for ACL 111 that permits any other traffic from
VLAN 11 to reach any destination other than VLAN 22. Keep in mind that there is an implied deny at
the end of every ACL.
7. ACL 111 has now been created, but it will not affect the traffic flow until it is assigned to an interface.
Keep in mind that ACL 111 will be used to filter traffic flowing from the PC hosts in VLAN 11. Which
interface will receive traffic from the PC hosts in VLAN 11? _______________________________
8. From the perspective of the router, which direction will the traffic flow through this interface as it
moves from the PC hosts in VLAN 11 to VLAN 22: in or out? ______________________________
9. On the device you noted in step 1, assign ACL 111 to the appropriate interface in the appropriate
direction.
2. Create an entry for ACL number 122 that allows Telnet traffic from any host on VLAN 22 to reach
PC1.
3. Create an entry for ACL number 122 that denies any traffic other than Telnet and ping traffic from
VLAN 22 to VLAN 11.
4. Create an entry for ACL number 122 that permits any other traffic from VLAN 22 to reach any
destination other than VLAN 11. Keep in mind that there is an implied deny at the end of every ACL.
6. From the perspective of the router, which direction will traffic flow through this interface as it moves
from the PC hosts in VLAN 22 to VLAN 11: in or out? ____________________________________
2. From PC1, attempt to ping PC2 (192.168.102.22) and PC4 (192.168.102.24). Are the pings
successful? ____________________________________________________________________
How do the ACLs affect the flow of traffic from PC1 to PC4? ______________________________
3. From PC3, attempt to ping PC2 (192.168.102.22) and PC4 (192.168.102.24). Are the pings
successful? ____________________________________________________________________
Briefly explain why the behavior you observe when you ping from the console of PC3 may differ from
the behavior you observe when you ping from the console of PC1. _________________________
______________________________________________________________________________
B. Verify Telnet
1. From PC1, attempt to telnet to the FastEthernet 0/0.22 interface on Router1 (192.168.102.1). Can
you successfully use Telnet to connect to this IP address? ________________________________
How do the ACLs affect the Telnet session? ___________________________________________
2. From PC3, attempt to telnet to the FastEthernet 0/0.22 interface on Router1 (192.168.102.1). Can
you successfully use Telnet to connect to this IP address? ________________________________
How do the ACLs affect the Telnet session? ___________________________________________
______________________________________________________________________________
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
Switch1#show vlan
There are several correct methods that will enable you to learn which VLAN each PC belongs
to. The best method is to issue the ipconfig /all command on each PC host to determine the
computer’s MAC address. Below is sample output for PC1; the MAC address in your output might
vary:
DNS Servers . . . . . . . . . . . :
The MAC address of PC1 in the sample output is 000C.1380.3538, which is displayed next to
Physical Address in the sample output from the ipconfig /all command issued on PC1.
You should then issue the show mac-address-table command on Switch1. The show mac-address-table
command maps each MAC address to a specific VLAN. Below is sample output for Switch1. The MAC
addresses in your output might vary.
Switch1#show mac-address-table
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       -------    -----
  22    000C.2638.6059    DYNAMIC    Fa0/4
  11    000C.1380.3538    DYNAMIC    Fa0/3
   1    000C.7805.1951    DYNAMIC    Fa0/2
   1    000C.3962.6232    DYNAMIC    Fa0/1
   1    000C.3962.6233    DYNAMIC    Fa0/1
In this example, the show mac-address-table command output enables you to determine that the
MAC address 000C.1380.3538 is mapped to the FastEthernet 0/3 port on Switch1, which is in VLAN
11. Therefore, PC1 belongs to VLAN 11. Issuing the ipconfig /all command on PC2 will enable you
to determine that PC2 has a MAC address of 000C.2638.6059 and that PC2 is connected to the
FastEthernet 0/4 port on Switch1, which is in VLAN 22. Therefore, PC2 belongs to VLAN 22.
C:>ping 192.168.102.22
2. No, PC1 and PC2 are in different VLANs. PC1 is in VLAN 11, and PC2 is in VLAN 22.
The two VLANs are configured with different IP network addresses. The ping is successful because
PC1 determines that the destination IP address for PC2 is in a different network and therefore
forwards the traffic to its default gateway, Router1, for delivery. Router1 has subinterfaces in each
VLAN, connected by a trunk link to Switch1. Router1 handles inter-VLAN routing for the simulated
network.
3. Yes, the ping from PC1 to PC3 (192.168.101.13) is successful, because both PC1 and PC3 belong
to the same VLAN and are configured with the same network address. PC1 determines that PC3 is
in the same network and sends its traffic to PC3 directly.
C:>ping 192.168.101.13
2. Standard ACLs can filter traffic based on only the source IP address. Extended ACLs can filter traffic
based on source or destination IP addresses. In addition, extended ACLs can filter traffic based on
the type of traffic.
3. Standard ACLs are identified by a numeric ID from 1 through 99 and from 1300 through 1999.
Extended ACLs are identified by a numeric ID from 100 through 199 and from 2000 through 2699.
4. An access list can consist of multiple access list statements. These statements are evaluated from
top to bottom, so the sequence in which the statements are entered is very important. As soon as a
packet matches an access list statement, it is either forwarded or dropped, depending upon whether
the access list statement allows or denies matched packets.
5. The implicit deny rule, which is added to the end of every access list, means that if a packet has not
already been allowed or denied by one of the statements in the access list, it is automatically denied.
3. When PC1 sends traffic to PC2, Router1 is the device on the network responsible for moving this
traffic between networks. PC1 must first forward this traffic to its default gateway, 192.168.101.1,
which is the IP address of subinterface FastEthernet 0/0.11 on Router1.
4. When PC1 sends traffic to PC4, Router1 is the device on the network responsible for moving this
traffic between networks. PC1 must first forward this traffic to its default gateway, 192.168.102.1,
which is the IP address of subinterface FastEthernet 0/0.22 on Router1.
5. Telnet uses Transmission Control Protocol (TCP) as its Transport layer protocol.
2. To accomplish the objective in this lab, you will need to create two ACLs. One ACL will control the
flow of traffic from VLAN 11 to VLAN 22, and the other ACL will control the flow of traffic from VLAN
22 to VLAN 11.
The echo keyword in the access list statement will match echo request messages in ICMP packets.
When a source host attempts to ping a destination host, the source host sends an ICMP echo
request message to determine whether a destination host is reachable. If the destination host is
reachable, the destination host sends an ICMP echo reply message to the source host. An echo
reply message indicates that the destination host successfully received an echo request message.
ICMP echo message types are permitted in ACL 111, and ACL 111 is associated with the
FastEthernet 0/0.11 interface on Router1 in the inbound direction; therefore, Router1 will not drop
incoming ICMP echo request packets and Router1 will allow echo reply messages to be sent to the
initiating host specified in the access-list 111 statement.
4. On Router1, issue the following command to create an entry for ACL 111 that allows Telnet traffic
from PC1 to reach any host on VLAN 22:
5. On Router1, issue the following command to create an entry for ACL 111 that denies any traffic other
than Telnet and Ping traffic from VLAN 11 to VLAN 22:
6. On Router1, issue the following command to create an entry for ACL 111 that permits any other
traffic from VLAN 11 to reach any destination other than VLAN 22:
8. From the perspective of Router1, traffic will be flowing in, toward FastEthernet 0/0.11.
9. On Router1, issue the following commands to assign ACL 111 to the interface in the inbound
direction:
The echo-reply keyword in the access list statement will match echo reply message types in ICMP
packets.
If ACL 122 is associated with FastEthernet 0/0.22 on Router1 in the outbound direction, Router1 will
not drop echo reply messages sent in response to pings that were initiated by internal hosts and
were sent to the host IP address specified in the access-list 122 statement.
2. On Router1, issue the following command to create an entry for ACL 122 that allows Telnet traffic
from any host on VLAN 22 to reach PC1:
3. On Router1, issue the following command to create an entry for ACL 122 that denies any traffic other
than Telnet and Ping traffic from VLAN 22 to VLAN 11:
4. On Router1, issue the following command to create an entry for ACL 122 that permits any other
traffic from VLAN 22 to reach any destination other than VLAN 11:
5. The subinterface FastEthernet 0/0.22 on Router1, which has the IP address 192.168.102.1, is
configured as the default gateway for the PC hosts in VLAN 22; this interface will receive traffic from
the PC hosts in VLAN 22.
6. From the perspective of Router1, traffic will be flowing in, toward FastEthernet 0/0.22.
7. On Router1, issue the following commands to assign ACL 122 to the interface in the inbound
direction:
C:>ping 192.168.101.13
The flow of traffic from PC1 to PC3 is not affected by the ACLs on Router1. This is because PC1 and
PC3 are in the same VLAN and are configured with IP addresses in the same network; therefore,
this traffic never passes through Router1.
2. Yes, the pings from PC1 to PC2 (192.168.102.22) and PC4 (192.168.102.24) are successful.
C:>ping 192.168.102.22
C:>ping 192.168.102.24
Access list 111 is configured to allow ping traffic (ICMP echo) from PC1 (192.168.101.11) to the
192.168.102.0/24 network. PC2 and PC4 are configured with IP addresses that fall within the
192.168.102.0/24 network; therefore, the ping traffic is permitted by the access list.
3. No, the pings from PC3 to PC2 (192.168.102.22) and PC4 (192.168.102.24) fail.
C:>ping 192.168.102.22
C:>ping 192.168.102.24
Ping traffic sent from PC3 to PC2 and PC4 is forwarded to Router1, the default gateway for PC3,
because PC2 and PC4 are configured with IP addresses that are not in the same network as PC3.
ACL 111 is configured to allow ping traffic (ICMP echo) from only host PC1, not from the entire
192.168.101.0/24 network; therefore, these packets are dropped when the ping is initiated from PC3
but are forwarded when the ping is initiated from PC1.
B. Verify Telnet
1. Yes, a Telnet connection from PC1 to FastEthernet 0/0.22 of Router1 (192.168.102.1) is successful.
C:>telnet 192.168.102.1
Password:cisco
Router1>exit
[Connection to 192.168.102.1 closed by foreign host]
C:>
ACL 111 is configured to allow Telnet traffic flowing into FastEthernet 0/0.11 as long as this traffic is
coming from PC1 and is addressed to a host in the 192.168.102.0/24 network.
C:>telnet 192.168.102.1
Trying 192.168.102.1 ...
% Destination unreachable; gateway or host down
C:>
ACL 111 is configured to allow Telnet traffic flowing into interface FastEthernet 0/0.11 only if the
traffic is coming from PC1 and is addressed to a host in the 192.168.102.0/24 network. In this case,
the traffic is not coming from PC1 but is instead coming from PC3; therefore, the traffic is dropped
and the Telnet connection fails.
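The verification results above, together with the top-to-bottom, first-match, implicit-deny rules from answers 4 and 5, can be reproduced offline with this added Python model of ACL 111; it is not part of the Boson lab. The four statements, the wildcard masks and the sample packets are reconstructed from the lab's description of tasks 3 to 6, so the exact IOS commands the lab expects may differ.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:                         # one extended access-list statement
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; otherwise "icmp" or "tcp"
    src: str; src_wc: str            # source address and wildcard mask
    dst: str; dst_wc: str            # destination address and wildcard mask
    dport: int = None                # TCP destination port, as in "eq 23"
    icmp_type: str = None            # "echo" or "echo-reply"

def wc_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard mask means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    """Top to bottom: the first matching statement decides; no match means the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", pkt["proto"])
                and wc_match(pkt["src"], e.src, e.src_wc) and wc_match(pkt["dst"], e.dst, e.dst_wc)
                and e.dport in (None, pkt.get("dport")) and e.icmp_type in (None, pkt.get("icmp_type"))):
            return e.action
    return "deny"  # implicit deny at the end of every ACL

HOST, ANY, NET = "0.0.0.0", "255.255.255.255", "0.0.0.255"  # wildcard masks: host, any, /24
VLAN11, VLAN22, PC1, PC3 = "192.168.101.0", "192.168.102.0", "192.168.101.11", "192.168.101.13"
# ACL 111 as described in tasks 3-6 (assumption: reconstructed here, not the lab's exact commands)
ACL_111 = [
    Entry("permit", "icmp", PC1, HOST, VLAN22, NET, icmp_type="echo"),  # PC1 may ping VLAN 22
    Entry("permit", "tcp", PC1, HOST, VLAN22, NET, dport=23),           # PC1 may telnet to VLAN 22
    Entry("deny", "ip", VLAN11, NET, VLAN22, NET),                      # nothing else VLAN 11 -> 22
    Entry("permit", "ip", VLAN11, NET, "0.0.0.0", ANY),                 # VLAN 11 -> anywhere else
]

def pkt(proto, src, dst, **extra):
    return {"proto": proto, "src": src, "dst": dst, **extra}

def verify_lab():
    """Replays the lab's verification pings and Telnet sessions, plus one reordering, against ACL 111."""
    reordered = [ACL_111[2]] + ACL_111[:2] + ACL_111[3:]  # same statements, deny moved to the top
    return {
        "pc1_ping_pc2": evaluate(ACL_111, pkt("icmp", PC1, "192.168.102.22", icmp_type="echo")),
        "pc3_ping_pc2": evaluate(ACL_111, pkt("icmp", PC3, "192.168.102.22", icmp_type="echo")),
        "pc1_telnet_router": evaluate(ACL_111, pkt("tcp", PC1, "192.168.102.1", dport=23)),
        "pc3_telnet_router": evaluate(ACL_111, pkt("tcp", PC3, "192.168.102.1", dport=23)),
        "pc3_http_elsewhere": evaluate(ACL_111, pkt("tcp", PC3, "192.168.100.1", dport=80)),
        "pc1_ping_pc2_reordered": evaluate(reordered, pkt("icmp", PC1, "192.168.102.22", icmp_type="echo")),
    }
```

The last entry shows why statement order matters: with the deny placed first, the very same statements block the PC1 ping that the lab expects to succeed.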
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.