Scenario
A small company is using the topology shown below. The Public Server is actually an off-site
Database Server that contains company records. Assume that the 200.100.0.0/16 network represents
the Internet. The Dallas and Chicago Servers and hosts need to access the database server securely.
Only users in the Dallas and Chicago LANs should be able to access the database server.
Topology
The last page of the lab assignment document contains a full-page topology. Remove that
page and use it as a reference for the topology and the IP addresses.
Initial Configuration
The FastEthernet and Serial interfaces of the Dallas, Chicago, and ISP routers used for the lab have been
correctly configured and enabled. Unused interfaces have been shut down. The RIP routing tables are
complete for all routers and hosts. No ACLs have been applied to any of the routers. Below is the
initial running-config file of the ISP router.
version 12.3(4)T7
!
hostname ISP_Router
!
interface FastEthernet0/0
ip address 200.100.0.1 255.255.255.0
!
interface FastEthernet1/0
ip address 200.100.40.1 255.255.255.0
!
interface Serial0/0
ip address 200.100.10.1 255.255.255.0
!
interface Serial0/1
ip address 200.100.20.1 255.255.255.0
!
router rip
network 200.100.0.0
network 200.100.10.0
network 200.100.20.0
network 200.100.40.0
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
ACL Requirements
Permit SQL database traffic from the Public Server to the Dallas Host.
Permit SQL database traffic from the Public Server to the Dallas Server.
Permit SQL database traffic from the Public Server to the Chicago Host.
Permit SQL database traffic from the Public Server to the Chicago Server.
Deny all other TCP traffic from the Public Server to any destination.
Permit all other traffic.
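To make the requirement list concrete, here is an added example (not part of the lab or its answer key) in Python that models the six requirements as IOS-style extended ACL entries and evaluates sample packets with first-match semantics and the implicit deny; it also shows the source-port versus destination-port distinction asked about in question #2. The Public Server and Dallas/Chicago addresses are assumed placeholders, since the topology page is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder addresses: the lab's topology page is not reproduced here,
# so the Public Server and the Dallas/Chicago machines get assumed addresses.
PUBLIC_SERVER = "200.100.0.10"
DALLAS_HOST, DALLAS_SERVER = "192.168.10.20", "192.168.10.10"
CHICAGO_HOST, CHICAGO_SERVER = "192.168.20.20", "192.168.20.10"
SQLNET_PORT = 1521   # Oracle SQL*Net listener port (question #5)
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    """Equivalent of the IOS 'host a.b.c.d' keyword (a /32 match)."""
    return ipaddress.ip_network(ip + "/32")


@dataclass
class Ace:
    """One extended access-list entry; a port of None means 'no eq clause'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp" or "ip" ("ip" matches every protocol)
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # eq after the source, as in 'any eq 80 any'
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # eq after the destination, as in 'any any eq 80'


# The six requirements as first-match entries: SQL*Net replies from the Public
# Server to the four internal machines, then deny its other TCP, then permit all.
ACL_101: List[Ace] = [
    Ace("permit", "tcp", host(PUBLIC_SERVER), SQLNET_PORT, host(d), None)
    for d in (DALLAS_HOST, DALLAS_SERVER, CHICAGO_HOST, CHICAGO_SERVER)
] + [
    Ace("deny", "tcp", host(PUBLIC_SERVER), None, ANY, None),
    Ace("permit", "ip", ANY, None, ANY, None),
]


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """IOS semantics: entries are tested top-down, the first match decides, and a
    packet matching no entry hits the implicit 'deny' at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"
```

Because the eq clause sits on the source side, a packet from the Public Server whose destination port is 1521 but whose source port is ephemeral falls through to the deny entry, which is the difference between the two commands in question #2.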
#1. Explain the meaning of the "three P's" best-practice rule for creating ACLs on routers
One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each
protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two
separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface - ACLs control traffic for one interface, for example, FastEthernet0/0.
#2. Explain the difference between the following two access-list commands
a) access-list 101 permit tcp any any eq 80
b) access-list 101 permit tcp any eq 80 any
a) Permits TCP traffic from any source to any destination whose destination port is 80.
b) Permits TCP traffic from any source whose source port is 80 to any destination.
In access-list 105 permit tcp any any, no eq port was specified.
The entry access-list 105 deny tcp host 201.11.0.3 any should have been entered like this:
access-list 105 deny tcp any host 201.141.0.3
#5. What well-known TCP port does the Oracle Database (SQL*Net) server use?
TCP port 1521
#6. A company manages an Oracle Database located on a Public Server to support day-to-day
operations in the Dallas and Chicago networks. The company has asked its Internet Service Provider
(ISP) to create the necessary ACL on the ISP router, ensuring that only responses from the Oracle server to
certain hosts are allowed to enter the Dallas and Chicago LANs.
The ISP network engineers decided to use an extended ACL and applied it to the F0/0 interface of the ISP router. Why
did they decide to create an extended ACL and apply it to interface F0/0 for inbound traffic?
They decided to do this because, when the access list is inbound, the Cisco IOS software checks the
packet against the criteria statements of the access list for a match as soon as the router receives it. If the packet is
permitted, the software continues to process the packet. If the packet is denied, the software discards
the packet.
#7. Copy the ISP router's initial running-config file from page 2 below, and add the commands
needed to create and apply the ACL on the ISP router.
ISP_Router>enable
ISP_Router#config t
Enter configuration commands, one per line.
Answer all questions in the iLab Report document and upload it to the Week 3 iLab Dropbox.