OSPF With Access List



Lab 2: OSPF with access-list
Lab exercise
Your task is to configure the network in Figure 19–2 to allow full connectivity using OSPF.

Router A is to block ICMP from Router C, and Router C is to deny any traffic on port 80.

Please feel free to try the lab without following the lab walk-through section.

Figure 19–2: OSPF with access-list

Text written in monospaced type indicates commands that can be entered on the router.

Purpose
A three-router lab is the typical scenario you will face in the CCNA exam. You must be comfortable with configuring three routers with a basic config and then applying a routing protocol and an access-list.

Lab objectives
1. Use the IP-addressing scheme depicted in Figure 19–2.

2. Set telnet access for the router to use the local login permissions of username “banbury” and the password “ccna”.

3. Configure the “enable password” to be “cisco”.

4. Configure IP addressing on all three routers.

5. Configure OSPF areas 0, 1, and 2.

6. Add an access-list on the serial interfaces of both routers A and C. Router A is to block all ping traffic from network 192.168.2.0. Router C is to block all http traffic from any network.

Lab walk-through
1. Follow the configuration from the previous lab.

2. Configure the access-lists on both Routers A and C and apply them to the serial interfaces.

RouterA(config)#access-list 100 deny icmp 192.168.2.0 0.0.0.255 any
RouterA(config)#access-list 100 permit ip any any
RouterA(config)#interface serial 0
RouterA(config-if)#ip access-group 100 in

RouterC(config)#access-list 100 deny tcp any any eq 80
RouterC(config)#access-list 100 permit ip any any
RouterC(config)#ip http server
RouterC(config)#interface serial 0
RouterC(config-if)#ip access-group 100 in

3. Telnet from Router A to Router C. A normal telnet will work. However, a telnet on port 53 (DNS) will fail.

RouterA#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Username:        « Press Ctrl+Shift+6 (all together) and then “X”
RouterA#
RouterA#telnet 192.168.2.2 80
Trying 192.168.2.2, 80 ... Open
exit
HTTP/1.0 501 Not Implemented
Date: Mon, 01 Mar 1993 00:22:17 UTC
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>501 Not Implemented</H1>

[Connection to 192.168.2.2 closed by foreign host]

4. Now ping Router A from Router C. The ping sourced from the serial interface (the blocked network) will fail. A ping sourced from loopback 0 (10.0.0.1) will, however, work.

RouterC#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

RouterC#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/64 ms
RouterC#
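To see why the tests in steps 2 to 4 behave as they do (first matching entry wins, wildcard masks decide which sources are "the blocked network", and an unmatched packet hits the implicit deny), here is a small Python model of IOS extended-ACL matching run over the lab's two access-lists. It is an added example, not part of the original lab, and its parser is an assumption that covers only the permit/deny, any/host/wildcard and eq-port syntax used here; it also shows that the `permit ip any any` line is what keeps OSPF (IP protocol 89) arriving on Serial0 from being dropped by the implicit deny.

```python
import ipaddress

# Constructed for this lab: the two extended ACLs exactly as entered in the walk-through.
ROUTER_A_ACL = ["access-list 100 deny icmp 192.168.2.0 0.0.0.255 any",
                "access-list 100 permit ip any any"]
ROUTER_C_ACL = ["access-list 100 deny tcp any any eq 80",
                "access-list 100 permit ip any any"]
# IOS accepts well-known names for ports; show run prints "eq 80" back as "eq www".
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' entry (assumed subset)."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]

    def take_addr():  # 'any', 'host X', or 'X WILDCARD'
        tok = rest.pop(0)
        if tok == "any":
            return "0.0.0.0", "255.255.255.255"
        if tok == "host":
            return rest.pop(0), "0.0.0.0"
        return tok, rest.pop(0)

    src, dst = take_addr(), take_addr()
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end hits the implicit deny."""
    for line in acl:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p not in ("ip", proto):          # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS ACL
```

Evaluating `("icmp", "192.168.2.2", "192.168.1.1")` against Router A's list returns deny, while the same ping sourced from 10.0.0.1 returns permit, which matches the U.U.U and !!!!! results in step 4.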

Show runs

RouterA#show run
Building configuration...

Current configuration : 900 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA
!
enable secret 5 $1$rujI$BJ8GgiK8U9p5cdfXyApPr/
!
username banbury password 0 ccna
ip subnet-zero
!
interface Loopback0
 ip address 172.16.1.1 255.255.0.0
!
interface Loopback1
 ip address 172.20.1.1 255.255.0.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 ip address 192.168.1.1 255.255.255.252
 ip access-group 100 in
!
interface Serial1
 no ip address
 shutdown
!
router ospf 20
 log-adjacency-changes
 network 172.16.0.0 0.0.255.255 area 1
 network 192.168.1.0 0.0.0.3 area 0
!
ip classless
no ip http server
!
access-list 100 deny icmp 192.168.2.0 0.0.0.255 any
access-list 100 permit ip any any
!
line con 0
 password letmein
 login
line 1 8
line aux 0
line vty 0 4
 login local
!
end

---

RouterB#show run
Building configuration...

Current configuration : 827 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterB
!
enable secret 5 $1$oXft$UMJZc/BQzbfpeHVCApF3H0
!
username banbury password 0 ccna
ip subnet-zero
!
interface Loopback0
 ip address 172.30.1.1 255.255.0.0
!
interface Loopback1
 ip address 172.31.1.1 255.255.0.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 ip address 192.168.1.2 255.255.255.252
 clockrate 64000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.252
 clockrate 64000
!
router ospf 20
 log-adjacency-changes
 network 192.168.1.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.3 area 0
!
ip classless
no ip http server
!
line con 0
 password letmein
 login
line aux 0
line vty 0 4
 login local
!
end

RouterB#

---

RouterC#show run
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterC
!
enable secret 5 $1$1AZx$UzhYsYlIpc7I4vJI3ZI4U.
!
username banbury password 0 cisco
ip subnet-zero
!
interface Loopback0
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 ip address 192.168.2.2 255.255.255.252
 ip access-group 100 in
 no ip mroute-cache
!
interface Serial1
 no ip address
 shutdown
!
router ospf 20
 network 10.0.0.0 0.0.255.255 area 2
 network 192.168.2.0 0.0.0.3 area 0
!
ip classless
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any
!
line con 0
line 1 16
line aux 0
line vty 0 4
 login local
!
end

RouterC#

© 2006-2011 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited.
