Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 106 views

    Exercices ACL

    Uploaded by

    Papa Niang
    This document contains questions about configuring and applying access control lists (ACLs) on a router to filter network traffic. The questions cover topics such as: - Configuring standard and extended ACLs to permit or deny traffic from certain sources or destinations - Applying ACLs to router interfaces to filter incoming or outgoing traffic - Using ACLs with network address translation (NAT) to restrict traffic from internal networks accessing the internet - Limiting specific users or traffic types using ACL statements

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Exercices ACL

    Uploaded by

    Papa Niang
    106 views9 pages
    This document contains questions about configuring and applying access control lists (ACLs) on a router to filter network traffic. The questions cover topics such as: - Configuring standard and extended ACLs to permit or deny traffic from certain sources or destinations - Applying ACLs to router interfaces to filter incoming or outgoing traffic - Using ACLs with network address translation (NAT) to restrict traffic from internal networks accessing the internet - Limiting specific users or traffic types using ACL statements

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document contains questions about configuring and applying access control lists (ACLs) on a router to filter network traffic. The questions cover topics such as: - Configuring standard and extended ACLs to permit or deny traffic from certain sources or destinations - Applying ACLs to router interfaces to filter incoming or outgoing traffic - Using ACLs with network address translation (NAT) to restrict traffic from internal networks accessing the internet - Limiting specific users or traffic types using ACL statements

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    106 views9 pages

    Exercices ACL

    Uploaded by

    Papa Niang
    This document contains questions about configuring and applying access control lists (ACLs) on a router to filter network traffic. The questions cover topics such as: - Configuring standard and extended ACLs to permit or deny traffic from certain sources or destinations - Applying ACLs to router interfaces to filter incoming or outgoing traffic - Using ACLs with network address translation (NAT) to restrict traffic from internal networks accessing the internet - Limiting specific users or traffic types using ACL statements

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 9

    Exercices sur les ACLs

    1 Which statement is true regarding ACL wildcard masks?


    The wildcard mask and subnet mask perform the same function.

    The wildcard mask is always the inverse of the subnet mask.

    A "0" in the wildcard mask identifies IP address bits that must be checked.

    A "1" in the wildcard mask identifies a network or subnet bit.

    Assuming the ACL in the graphic is correctly applied to an interface, what effect will the ACL have on network traffic?
    All traffic to network 172.16.0.0 will be denied.
    All TCP traffic will be permitted to and from network 172.16.0.0.

    All telnet traffic from the 172.16.0.0 network to any destination will be denied.

    All port 23 traffic to the 172.16.0.0 network will be denied.

    All traffic from the 172.16.0.0 network will be denied to any other network.

    3 The router IOS tests each condition statement in an ACL in sequence. Once a match is made, which of the following occurs?
    (Choose two.)
    The entire ACL must be deleted and recreated.

    The accept or reject action is performed.

    The packet is forwarded to the next hop.

    The remaining ACL statements are not checked.

    The router goes through the list again to verify that a match has been made.

    4 Select the correct statements about extended ACLs. (Choose two)


    Extended ACLs use a number range from 1-99.

    Extended ACLs end with an implicit permit statement.

    Extended ACLs evaluate the source and destination addresses.

    Port numbers can be used to add greater definition to an ACL.

    Multiple ACLs can be placed on the same interface as long as they are in the same direction.

    Assuming the ACL in the graphic is correctly applied to an interface, what effect will this ACL have on network traffic?
    Host 192.168.15.4 will be denied ftp access to any destination, but will be permitted all other access.
    All ftp traffic to host 192.168.15.4 will be denied.

    All traffic from that interface will be denied.

    No traffic will be denied because a "permit" statement does not exist in this ACL.

    6 The following commands were entered on a router:

    Router(config)# access-list 2 deny 172.16.5.24


    Router(config)# access-list 2 permit any

    What can be concluded about this set of commands?


    The access list statements are misconfigured.

    All nodes on 172.16.0.0 will be denied access when these statements are applied.

    The default ACL wildcard mask, 0.0.0.0 is assumed.

    The default ACL wildcard mask 255.255.255.255 is assumed.

    7 ACL statements operate in sequential, logical order. If a condition match is true, the rest of the ACL statements are not
    checked. If all of the ACL statements are unmatched, what happens to the packet?
    The packets will be placed in a buffer and forwarded when the ACL is removed.

    The packets will be sent to the source with an error notification message.
    The implicit permit any statement placed at the end of the list will allow the packets to flow through uninhibited.

    The implicit deny any statement placed at the end of the list will cause the packets to be dropped.

    8 Choose the command that will correctly configure a standard ACL.


    Router# access-list 10 permit any

    Router# access-list 101 permit any

    Router(config)# access-list 10 permit any


    Router(config)# access-list 101 permit any

    Router(config)# access-list 10 permit any any

    9
    Create a standard ACL that will deny traffic from 192.5.5.25 to the 210.93.105.0 network but will allow traffic from
    all other hosts. (Choose two.)
    Router(config)# access-list 22 deny 192.5.5.25 0.0.0.0
    Router(config)# access-list 22 deny host 192.5.5.25 0.0.0.0
    Router(config)# access-list 22 permit any any
    Router(config)# access-list 22 deny 192.5.5.25 0.0.0.0
    Router(config)# access-list 22 permit any
    Router(config)# access-list 22 deny host 192.5.5.25
    Router(config)# access-list 22 permit any
    Router(config)# access-list 22 deny 192.5.5.0 0.0.0.255
    Router(config)# access-list 22 permit any

    10 Choose the commands that will correctly configure a standard ACL. (Choose two.)
    Router(config)# access-list 10 permit host 192.5.5.1

    Router(config)# access-list 32 permit 210.93.105.16 0.0.0.15

    Router(config)# access-list 148 permit 201.100.11.2 0.0.0.0

    Router(config)# access-list 107 permit host 192.5.5.1 213.45.27.0 0.0.0.255 eq 23

    Router(config)# access-list 10 permit tcp 192.5.5.1 0.0.0.255 201.100.11.0 0.0.0.255 eq 80

    11

    An access list has been created that will deny the host 204.204.7.89 access to an ftp server located at 196.6.13.254.

    access-list 111 deny tcp 204.204.7.89 0.0.0.0 196.6.13.254 0.0.0.0 eq 21


    access-list 111 permit tcp any any

    Which of the following groups of commands will place this ACL in the proper location?
    Router2(config)# interface s0/0
    Router2(config-if)# ip access-group 111 in
    Router2(config)# interface fa0/0
    Router2(config-if)# ip access-group 111 out
    Router2(config)# interface fa0/0
    Router2(config-if)# ip access-group 111 in
    Router3(config)# interface fa0/0
    Router3(config-if)# ip access-group 111 in
    Router3(config)# interface s0/1
    Router3(config-if)# ip access-group 111 out
    Router3(config)# interface fa0/0
    Router3(config-if)# ip access-group 111 out
    12

    Create an access list that will prevent only the host 192.5.5.148 from accessing a web site located at 210.93.105.50.
    access-list 10 deny tcp host 192.5.5.148 host 210.93.105.50 eq 80
    access-list 10 permit ip any any
    access-list 10 deny tcp 192.5.5.148 0.0.0.0 210.93.105.50 0.0.0.0 eq 80
    access-list 10 permit ip any any
    access-list 100 deny tcp 192.5.5.148 0.0.0.0 210.93.105.50 0.0.0.0 eq 80
    access-list 100 permit ip any any
    access-list 100 deny tcp 192.5.5.148 0.0.0.255 210.93.105.50 0.0.0.255 eq 80
    access-list 100 permit ip any any
    access-list 100 deny tcp host 192.5.5.148 0.0.0.0 210.93.105.50 0.0.0.0 eq 80
    access-list 100 permit tcp any any
    13. Un LAN, composé de deux VLANs, est connecté à Internet via plusieurs lignes
    spécialisées. La configuration de son routeur frontal est donnée ci-après :

    hostname Siege

    ip access-list 1 permit 10.1.0.0 0.0.255.254 (10.1.X.xxxxxxx0) adresses paires qui


    commencement par 10.1

    00000000 11111110
    ip nat inside source list 1 interface S1 overload
    ip access-list 2 permit 10.1.0.1 0.0.255.254 (10.1.X.xxxxxxx1) adresses impaires qui
    commencement par 10.1

    00000001 11111110
    Internet
    ip nat inside source list 2 interface S2 overload S1
    ip access-list 3 permit 10.2.0.0 0.0.255.255
    ip nat inside source list 3 interface S3 overload

    interface FastEthernet0/0.1 VLAN 55


    encapsulation dot1q 11 VLAN 11
    ip address 10.1.0.1 255.255.0.0
    ip nat inside
    !
    interface FastEthernet0/0.5
    encapsulation dot1q 55
    ip address 10.2.0.1 255.255.0.0
    ip nat inside
    !
    interface Serial1
    ip address 212.1.1.2 255.255.255.252
    ip nat outside

    1- D’après la configuration ci-dessus, combien de VLAN a-t-on dans l’entreprise, donnez les
    numéros de VLANs ? Deux VLANs de numéros 11 et 55

    2- La machine ayant l’adresse 10.1.1.1 pourra t’elle sortir à Internet ? Si oui avec adresse IP
    publique ? Adresses impaires qui commencent par 10.1 sortent avec l’adresse IP de S2.

    3- La machine ayant l’adresse 10.1.1.10 pourra t’elle sortir à Internet ? Si oui avec adresse IP
    publique ? Adresses paires qui commencent par 10.1 sortent avec l’adresse IP de S1.

    4- La machine ayant l’adresse 10.2.2.2 pourra t’elle sortir à Internet ? Si oui avec adresse IP
    publique ? Adresses qui commencent par 10.2 sortent avec l’adresse IP de S3.
    5- Créez une ACL numérotée pour les utilisateurs du VLAN 55 afin de n’autorisez que les
    services DNS, WEB et WEB Sécurisé ?

    Access-list 102 permit tcp 10.2.0.0 0.0.255.255 any eq 53

    Access-list 102 permit udp 10.2.0.0 0.0.255.255 any eq 53

    Access-list 102 permit tcp 10.2.0.0 0.0.255.255 any eq 80

    Access-list 102 permit tcp 10.2.0.0 0.0.255.255 any eq 443

    Int FastEthernet0/0.5

    Ip access-group 102 in

    6- Un utilisateur, dont l’adresse IP = 10.1.2.21, utilise massivement la connexion Internet.


    Ecrivez une ACL qui lui autorise uniquement le service mail (SMTP = TCP, 25), les autres
    services devraient être bloqués pour l’utilisateur 10.1.2.21 ? Indiquez l’emplacement et le
    sens d’application de l’ACL ? Pour les autres utilisateurs laisser l’accès Internet ouvert pour
    l’ensemble des services ?

    Access-list 103 permit tcp 10.1.2.21 0.0.0.0 any eq 25

    Access-list 103 deny ip 10.1.2.21 0.0.0.0 any

    Access-list 103 permit ip any any

    Int FastEthernet0/0.1

    Ip access-group 103 in

    7- Vous souhaitez limiter l’accès telnet à deux machines : 10.1.1.1 et 10.1.1.2. Comment faire ?
    Donnez les commandes pour réaliser cette opération ?

    Access-list 3 permit 10.1.1.1

    Access-list 3 permit 10.1.1.2

    Line vty 0 4

    Access-class 3 in

    8- Donnez la configuration pour remplacez telnet par sa version sécurisée tout en maintenant
    l’ACL de la question 7 ?
    Ip domain-name test.ma

    Crypto key generate rsa

    Username admin secret test

    Line vty 0 4

    transport input ssh

    Login local

    Access-class 3 in

    9- Un serveur WEB de l’entreprise a été configuré sur la machine 10.1.0.100, on souhaite


    autoriser les accès depuis Internet à ce serveur pour des requêtes http et https. Ecrire l’ACL
    pour répondre à ce besoin ?

    Ip access-list extented internet2WEBInterne

    Permit tcp any 10.1.0.100 eq 80

    Permit tcp any 10.1.0.100 eq 443

    Interface serial 1

    Ip access-group internet2WEBInterne in

    Réponse : impossible parce que la machine 10.1.0.100 a une adresse privée qui n’est pas
    accessible depuis internet. (il faut configurer du NAT statique)

    10- Le serveur dhcp a été configuré sur la machine 10.1.0.101, l’administrateur a créé deux pools
    d’adresses IP :

    Pool1, network : 10.1.0.0/8, Default-router : 10.1.0.1, DNS Server : 8.8.8.8


    Pool2 : network : 10.2.0.0/8, Default-router : 10.2.0.1, DNS Server : 8.8.8.8

    L’administrateur a constaté que le pool1 est opérationnel alors que le Pool2 ne l’est. C’est
    quoi la cause la plus probable derrière ce problème ?

    Le routeur bloque les requêtes dhcp des clients.

    Solution : configurer un relais dhcp :

    Int FastEthernet0/0.5

    Ip helper 10.1.0.101
    Vérifier que les ACL créées ne bloquent pas le trafic dhcp ? L’ACL 102 va bloquer le service
    dhcp.

    Ajouter dans l’ACL 102 la commande suivante

    Access-list 102 permit udp 10.2.0.0 0.0.255.255 10.1.0.101 eq 67


    (67 est le port d’écoute de dhcp)
    Politique séurité :
    - Interdire 10/8 de communiquer avec 14/8
    - Autoriser le reste

    Réponse avec ACL Standard


    Syntaxe : access-list numéro action IP-Source Filtre

    A appliquer sur le routeur1 (proche de la destination)


    access-list 1 deny 10.0.0.0 0.255.255.255
    access-list 1 permit any
    int fa0/0
    ip access-group 1 out

    version named
    ip access-list standard interdire-10
    deny 10.0.0.0 0.255.255.255
    permit any
    int fa0/0
    ip access-group interdire-10 out

    Réponse avec ACL Etendue


    Syntaxe : access-list numéro action protocole IP-Source Filtre [op port] IP-destination
    filtre [op port]

    A appliquer sur le routeur 0 (proche de la source)


    access-list 101 deny ip 10.0.0.0 0.255.255.255 14.0.0.0 0.255.255.255
    access-list 101 permit ip any any
    int fa0/0
    ip access-group 101 in

    version named
    ip access-list extended interdire-10-ext
    deny ip 10.0.0.0 0.255.255.255 14.0.0.0 0.255.255.255
    permit ip any any
    ip access-group interdire-10-ext in

    You might also like