4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2

4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2

From year to year, Cisco has updated many versions with difference questions. The latest version is version 6.0 in 2018. What is your version? It depends on your instructor creating your class. We recommend you to go thought all version if you are not clear. While you take online test with netacad.com, You may get random questions from all version. Each version have 1 to 10 different questions or more. After you review all questions, You should practice with our online test system by go to "Online Test" link below.

Version 5.02Version 5.03Version 6.0Online Assessment
Chapter 4 ExamChapter 4 ExamChapter 4 ExamOnline Test
Next Chapter
Chapter 5 ExamChapter 5 ExamChapter 5 ExamOnline Test
CCNA 4 Lab Activities
 4.1.3.5 Packet Tracer – Configure Standard IPv4 ACLs
 4.2.2.10 Packet Tracer – Configuring Extended ACLs Scenario 1
 4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2
 4.2.2.12 Packet Tracer – Configuring Extended ACLs Scenario 3
 4.3.2.6 Packet Tracer – Configuring IPv6 ACLs
 4.4.2.9 Packet Tracer – Troubleshooting IPv4 ACLs
 4.4.2.10 Packet Tracer – Troubleshooting IPv6 ACLs
 4.5.1.1 Packet Tracer – Skills Integration Challenge

Packet Tracer – Configuring Extended ACLs – Scenario 2 (Answer Version)

Answer Note: Red font color or Gray highlights indicate text that appears in the Answer copy only.

Topology

4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2

4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2

Addressing Table

DeviceInterfaceIP AddressSubnet MaskDefault Gateway
RTAG0/010.101.117.49255.255.255.248N/A
G0/110.101.117.33255.255.255.240N/A
G0/210.101.117.1255.255.255.224N/A
PCANIC10.101.117.51255.255.255.24810.101.117.49
PCBNIC10.101.117.35255.255.255.24010.101.117.33
SWCVLAN110.101.117.2255.255.255.22410.101.117.1

Objectives

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Part 2: Reflection Questions

Background / Scenario

In this scenario, devices on one LAN are allowed to remotely access devices in another LAN using the Telnet protocol. Besides ICMP, all traffic from other networks is denied.

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Configure, apply and verify an ACL to satisfy the following policy:

  • Telnet traffic from devices on the 10.101.117.32/28 network is allowed to devices on the 10.101.117.0/27 networks.
  • ICMP traffic is allowed from any source to any destination
  • All other traffic to 10.101.117.0/27 is blocked.

Step 1: Configure the extended ACL.

  1. From the appropriate configuration mode on RTA, use the last valid extended access list number to configure the ACL. Use the following steps to construct the first ACL statement:
    1. The last extended list number is 199.
    2. The protocol is TCP.
    3. The source network is 10.101.117.32.
    4. The wildcard can be determined by subtracting 255.255.255.240 from 255.255.255.255.
    5. The destination network is 10.101.117.0.
    6. The wildcard can be determined by subtracting 255.255.255.224 from 255.255.255.255.
    7. The protocol is Telnet.
      • What is the first ACL statement?
      • access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet.
  2. ICMP is allowed, and a second ACL statement is needed. Use the same access list number to permit all ICMP traffic, regardless of the source or destination address. What is the second ACL statement? (Hint: Use the any keywords)
    • access-list 199 permit icmp any any
  3. All other IP traffic is denied, by default.

Step 2: Apply the extended ACL.

The general rule is to place extended ACLs close to the source. However, since access list 199 affects traffic originating from both networks 10.101.117.48/29 and 10.101.117.32/28, the best placement for this ACL might be on interface Gigabit Ethernet 0/2 in the outbound direction. What is the command to apply ACL 199 to the Gigabit Ethernet 0/2 interface?

ip access-group 199 out

Step 3: Verify the extended ACL implementation.

  1. Ping from PCB to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP addresses before continuing.
  2. Telnet from PCB to SWC. The password is cisco.
  3. Exit the Telnet service of the SWC.
  4. Ping from PCA to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP addresses before continuing.
  5. Telnet from PCA to SWC. The access list causes the router to reject the connection.
  6. Telnet from PCA to SWB. The access list is placed on G0/2 and does not affect this connection.
  7. After logging into SWB, do not log out. Telnet to SWC.

Part 2: Reflection Questions

  1. How was PCA able to bypass access list 199 and Telnet to SWC? Two steps were used: First, PCA used Telnet to access SWB. From SWB, Telnet was allowed to SWC.
  2. What could have been done to prevent PCA from accessing SWC indirectly, while allowing PCB Telnet access to SWC? Access list 199 should have been written to deny Telnet traffic from the 10.101.117.48 /29 network while permitting ICMP. It should have been placed on G0/0 of RTA.

Suggested Scoring Rubric

Activity SectionQuestion LocationPossible PointsEarned Points
Part 1: Configure, Apply and Verify an Extended Numbered ACLStep 1a4
Step 1b4
Step 24
Part 1 Total12
Part 2: Reflection QuestionsQuestion 14
Question 24
Part 2 Total8
Packet Tracer Score80
Total Score100

From year to year, Cisco has updated many versions with difference questions. The latest version is version 6.0 in 2018. What is your version? It depends on your instructor creating your class. We recommend you to go thought all version if you are not clear. While you take online test with netacad.com, You may get random questions from all version. Each version have 1 to 10 different questions or more. After you review all questions, You should practice with our online test system by go to "Online Test" link below.

Version 5.02Version 5.03Version 6.0Online Assessment
Chapter 4 ExamChapter 4 ExamChapter 4 ExamOnline Test
Next Chapter
Chapter 5 ExamChapter 5 ExamChapter 5 ExamOnline Test
CCNA 4 Lab Activities
 4.1.3.5 Packet Tracer – Configure Standard IPv4 ACLs
 4.2.2.10 Packet Tracer – Configuring Extended ACLs Scenario 1
 4.2.2.11 Packet Tracer – Configuring Extended ACLs Scenario 2
 4.2.2.12 Packet Tracer – Configuring Extended ACLs Scenario 3
 4.3.2.6 Packet Tracer – Configuring IPv6 ACLs
 4.4.2.9 Packet Tracer – Troubleshooting IPv4 ACLs
 4.4.2.10 Packet Tracer – Troubleshooting IPv6 ACLs
 4.5.1.1 Packet Tracer – Skills Integration Challenge