Lab 5.1.1.4 Applying Design Constraints
Step 1: Identify possible project constraints
a. Use word processing software to create a new Project Constraints document.
b. The identified constraints that set limits or boundaries on the network upgrade project should be
entered into the Gathered Data field of the constraints document. Brainstorm ideas with other
students to identify additional constraints.
Classify each constraint as one of the following four types:
- • Budget
- • Policy
- • Schedule
- • Personnel
Step 2: Tabulate comments based on the identified constraints
a. Using the list of constraints discovered from the FilmCompany case study, apply appropriate
comments on how the constraints affect the design.
b. Enter the comments into a table
FilmCompany Constraints
CONSTRAINT | GATHERED DATA | COMMENTS
(truncated row) ... to IT personnel
(truncated row) ... of a failure.
Schedule | |
Personnel | |
c. Save your Project Constraints checklist.
Step 3: Identify trade-offs
a. Use word processing software to create an addition to the Project Constraints document.
b. The identified constraints that set limits or boundaries on the network upgrade project will require
potential trade-offs. Discuss ideas with other students regarding trade-offs for proposed designs.
New equipment may not be obtainable because of budget limitations, so the existing equipment may need to be upgraded. The ISP service may not be optimal for the type of traffic generated, so a new ISP may be required. The budget cannot support replacing the existing infrastructure; alternatives need to be developed for future expansion.
c. Record the trade-offs in your Project Constraints checklist.
d. Save your Project Constraints checklist.
Step 4: Reflection
The constraints imposed on this network design project are determined by the internal requirements of the FilmCompany. Consider and discuss the identified constraints and potential trade-offs. Do the trade-offs pose a significant obstacle to the design? Are there alternate methods that can be employed to achieve the success criteria without a significant budget?
• Less than four months to complete the project will require allocating more personnel.
• Personnel training may need to be carried out in stages.
• Unavailability of equipment or cabling of the required technical specification
• Lack of accommodation for the expanded business premises and its network infrastructure, since the project may consolidate into a single location.
• ISP limitations may require changes to the design. Should another ISP be used?
Lab 5.1.2.4 Identifying Design Strategies for Scalability
Step 1: Identify the areas that will be used for designing a strategy that facilitates scalability
a. Use word processing software to create a new document called “Design Strategies.”
b. Use the identified constraints that set limits or boundaries on the network upgrade project and the
potential trade-offs to assist in the discussion with other students.
The strategy should cover the following areas:
- • Access Layer modules that can be added
- • Expandable, modular equipment or clustered devices that can be easily upgraded
- • Choosing routers or multilayer switches to limit broadcasts and filter traffic
- • Planned redundancy
- • An IP address strategy that is hierarchical and that supports summarization
- • Identification of VLANs needed
Step 2: Create an Access Layer module design
Using the list developed from the group discussion, create an Access Layer module (design only).
a. Create your design using the existing equipment.
The FilmCompany network equipment includes:
2 x 1841 Routers (FC-CPE-1, FC-CPE-2)
3 x 2960 Switches (FC-ASW-1, FC-ASW-2, ProductionSW)
Several servers
1 x Linksys WRT300N Wireless Router (FC-AP)
1 x ADSL Modem for Internet Access
b. Using the list of equipment, identify modules that can be added to the existing equipment to support
new features and devices without requiring major equipment upgrades.
c. Save your Design Strategies documentation.
Step 3: Select Distribution Layer devices
a. Use word processing software to create an addition to the Design Strategies document.
b. Use the identified Access Layer module diagram to create the Distribution Layer design. Equipment
selected must include existing equipment. Use Layer 3 devices at the Distribution Layer to filter and
reduce traffic to the network core.
c. With a modular Layer 3 Distribution Layer design, new Access Layer modules can be connected
without requiring major reconfiguration. Using your documentation, identify what modules can be
added to increase bandwidth.
d. Save your Design Strategies document.
Step 4: Reflection
The constraints and trade-offs identified for the FilmCompany pose many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified strategies. Do all of the strategies designed accomplish the task the same way?
Would one be less expensive or less time-consuming than the other?
• Developing an IP addressing scheme using the 10.x.x.x network was really challenging.
• Separating the VLANs
• Designing the ACLs is unique given that filtering was not identified by the client.
Lab 5.1.3.5 Identifying Availability Strategies
Step 1: Identify the areas that will be used for designing a strategy that facilitates availability
a. Use word processing software to create a new document called “Availability Strategies.”
b. Use the identified constraints that set limits or boundaries on the network upgrade project and the
potential trade-offs to assist in brainstorming ideas with other students.
The strategy should cover the following areas:
Availability strategies for switches:
- • Redundant power supplies and modules
- • Hot-swappable cards and controllers
- • Redundant links
- • UPS and generator power
Availability strategies for routers:
- • Redundant power supplies, UPS, and generator power
- • Redundant devices
- • Redundant links
- • Out-of-band management
- • Fast converging routing protocols
Availability strategies for Internet/Enterprise Edge:
- • Dual ISP providers or dual connectivity to a single provider
- • Co-located servers
- • Secondary DNS servers
Step 2: Create availability strategies for switches
a. Using the list developed from the brainstorming session, create a list of equipment that will be
incorporated into the availability strategy.
The FilmCompany network equipment includes:
2 x 1841 Routers (FC-CPE-1, FC-CPE-2)
3 x 2960 Switches (FC-ASW-1, FC-ASW-2, ProductionSW)
Several servers
1 x Linksys WRT300N Wireless Router (FC-AP)
1 x ADSL Modem for Internet Access
b. Using the list of equipment, identify modules and redundant power supplies that will increase
availability for the switches.
c. Identify potential hot swappable cards and controllers that can be used. Create a list that identifies
each with cost and features.
d. Develop a diagram that shows potential redundant links that can be incorporated into the network
design.
e. Identify at least two possible UPS devices that can be incorporated into the design. Create a list that
identifies the cost and features of each.
f. Save your Availability Strategies document.
Step 3: Create availability strategies for routers
a. Use word processing software to create an addition to the Availability Strategies document.
b. Using the list of equipment, identify redundant power supplies that will increase availability for the
switches.
c. Identify potential redundant devices and links that can be used. Create a list that identifies each with
cost and features.
d. Create a diagram that displays the redundant connections.
e. Develop a list of potential routing protocols that will facilitate fast convergence times.
f. Save your Availability Strategies document.
Step 4: Create availability strategies for Internet/Enterprise Edge
a. Use word processing software to create an addition to the Availability Strategies document.
b. Identify options available that would allow for dual ISP or dual connectivity to a single provider.
c. Create a design that will co-locate the servers to allow for redundancy and ease of maintenance.
d. Save your Availability Strategies document.
Step 5: Reflection
The creation of availability strategies poses many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified strategies. Do all of the strategies designed accomplish the task the same way?
Would one be less expensive or less time-consuming than the other?
• Various modules can be purchased with different features and costs.
• Various UPS devices can be purchased with different features and costs.
• Several routing protocols can be chosen, but which one best suits the design?
Lab 5.1.5.2 Identifying Security Requirements
Step 1: Identify potential security weaknesses within the FilmCompany topology
a. Use word processing software to create a new document called “Security Strategies.”
b. Using the documents created in previous labs and the existing topology, identify potential
weaknesses in the existing design. (No firewalls, no VPNs)
c. Create a list of recommended security practices that should be employed in the FilmCompany
network.
d. Save your Security Strategies document.
Step 2: Create a security practices list
a. Using the list developed from the brainstorming session, create a finalized list of recommended
security practices for the FilmCompany.
Recommended security practices include:
- • Use firewalls to separate all levels of the secured corporate network from other unsecured
networks, such as the Internet. Configure firewalls to monitor and control the traffic, based on
a written security policy.
- • Create secured communications by using VPNs to encrypt information before it is sent
through third-party or unprotected networks.
- • Prevent network intrusions and attacks by deploying intrusion prevention systems. These
systems scan the network for harmful or malicious behavior and alert network managers.
- • Control Internet threats by employing defenses to protect content and users from viruses,
spyware, and spam.
- • Manage endpoint security to protect the network by verifying the identity of each user before
granting access.
- • Ensure that physical security measures are in place to prevent unauthorized access to
network devices and facilities.
- • Secure wireless Access Points and deploy wireless management solutions.
b. Identify what devices and software will need to be purchased to facilitate the recommended security
practices. (Hardware firewalls, intrusion detection systems etc.)
c. Save your Security Strategies document.
Step 3: Create a security strategy
a. Use word processing software to create an addition to the Security Strategies document.
b. Using the list of identified equipment, develop a chart of costs and features of the recommended
devices.
c. Using the list of identified software needed, develop a chart of costs and features of the
recommended software.
d. Save your Security Strategies document.
Step 4: Create a security design
a. Use word processing software to create an addition to the Security Strategies document.
b. Identify which types of access to the network should be secured by incorporating VPNs.
c. Identify methods for controlling physical security at the FilmCompany building and at the stadium.
d. Identify potential ACLs that can be created to filter unwanted traffic from entering the network.
(Standard or Extended ACLs need to be identified.)
e. Identify methods for securing the wireless Access Points. Determine the best method for the
FilmCompany network. (128 bit encryption etc.)
f. Save your Security Strategies document.
Step 5: Reflection
The creation of a security strategy creates many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified challenges. Do all of the proposed strategies accomplish the task the
same way?
Would one be less expensive or less time-consuming than the other?
How could implementing a physical security plan into an existing company be difficult?
• Various hardware devices can be purchased with different features and costs.
• Various security software products can be purchased with different features and costs.
• Existing employees may not accept changes to their security policies, so who needs to ensure that the plan is enforced?
• ACLs can filter traffic, but what impact will they have on traffic flow? Are the ACLs applied at the Access Layer or the Distribution Layer, or both?
Lab 5.2.3.3 Designing the Core Layer
Step 1: Identify Core Layer Requirements
a. Use word processing software to create a new document called “Core Layer Diagram.”
b. Use the identified topology and associated equipment to determine Core Layer design requirements.
Design requirements for the Core Layer network include:
High-speed connectivity to the Distribution Layer switches
24 x 7 availability
Routed interconnections between Core devices
High-speed redundant links between Core switches and between the Core and Distribution Layer
devices
c. Brainstorm with other students to identify areas that may have been missed in the initial requirements
document.
Step 2: Create an Access Layer module design
Using the list developed from the group discussion, create an Access Layer module (design only).
a. Create your design using the existing equipment.
The FilmCompany network equipment includes:
2 x 1841 Routers (FC-CPE-1, FC-CPE-2)
3 x 2960 Switches (FC-ASW-1, FC-ASW-2, ProductionSW)
1 x ADSL Modem for Internet Access
b. Using the list of equipment, identify modules that can be added to the existing equipment to support
new features, such as redundancy.
c. Save your Core Layer Diagram document.
Step 3: Select Core Layer devices
a. Use word processing software to create an addition to the Core Layer Diagram document.
b. The identified Core Layer module diagram will be used to adjust the Distribution Layer design.
Equipment selected must include existing equipment. Use Layer 3 devices at the Core Layer in a
redundant configuration.
c. Save your Core Layer Diagram document.
Step 4: Design Redundancy
a. Use word processing software to create an addition to the Core Layer Diagram document.
b. Design a redundancy plan that combines multiple Layer 3 links to increase available bandwidth.
c. Create a design that incorporates redundancy
d. Save your Core Layer Diagram document.
Step 5: Reflection / Challenge
The design strategies for the FilmCompany pose many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified strategies. Do all of the strategies designed accomplish the task the same way?
Would one be less expensive or less time-consuming than the other?
• Is the existing equipment capable of handling the proposed network traffic? If so, how? If not, why?
• What devices can be used in place of Layer 3 switches? Can those devices deliver the same performance?
• What are the potential weaknesses of the proposed diagram?
Lab 5.2.4.2 Creating a Diagram of the FilmCompany LAN
Step 1: Identify LAN Requirements
a. Use word processing software to create a new document called “LAN Diagram.”
b. Use the identified topology and associated equipment to determine LAN design requirements.
Design requirements for the LAN include:
High-speed connectivity to the Access Layer switches
24 x 7 availability
High-speed redundant links between switches on the LAN and the Access Layer devices
Identifying available hardware for the LAN
The current network has two VLANs.
1. General VLAN consisting of:
12 Office PCs
2 Printers
This VLAN serves the general office and managers, including reception, accounts and administration.
Addressing:
Network 10.0.0.0/24
Gateway 10.0.0.1
Hosts (dynamic) 10.0.0.200 – 10.0.0.254
Hosts (static) 10.0.0.10 – 10.0.0.20
2. Production VLAN consisting of:
9 High Performance Workstations
5 Office PCs
2 Printers
c. Brainstorm with other students to identify areas that may have been missed in the initial requirements
document.
Step 2: Determine equipment features
Using the list developed from the brainstorming session, create a LAN based on technical requirements
(design only).
a. Create your design using the existing equipment.
The FilmCompany network equipment includes:
2 x 1841 Routers (FC-CPE-1, FC-CPE-2)
3 x 2960 Switches (FC-ASW-1, FC-ASW-2, ProductionSW)
1 x ADSL Modem for Internet Access
b. Using the list of equipment, identify modules that can be added to the existing equipment to support
new features, such as redundancy.
c. Save your LAN Diagram document.
Step 3: Select LAN devices
a. Use word processing software to create an addition to the LAN Diagram document.
b. The identified LAN diagram will be used to adjust the Access Layer design. Equipment selected must
include existing equipment.
c. Save your LAN Diagram document.
Step 4: Design Redundancy
a. Use word processing software to create an addition to the LAN Diagram document.
b. Design a redundancy plan that combines multiple Layer 2 links to increase available bandwidth.
c. Create a design that incorporates redundancy.
d. Save your LAN Diagram document.
Step 5: Reflection / Challenge
The design strategies for the FilmCompany LAN pose many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified strategies. Do all of the strategies designed accomplish the task the same way?
Would one be less expensive or less time-consuming than the other?
Would the chosen LAN design allow for future growth and the addition of the WLAN?
• Is the existing equipment capable of handling the proposed network traffic? If so, how? If not, why?
• What devices can be used in place of Layer 2 switches?
• What are the potential weaknesses of the proposed diagram?
Lab 5.4.2.2 Selecting Access Points
Step 1: Identify WLAN requirements
a. Use word processing software to create a new document called “WLAN Diagram.”
b. Use the identified topology and associated equipment to determine WLAN design requirements.
Design requirements for the WLAN include:
- • Scalability
- • Availability
- • Security
- • Manageability
c. Brainstorm with other students to identify areas that may have been missed in the initial requirements
document.
Step 2: Determine equipment features
Using the list developed from the brainstorming session, create a WLAN based on technical requirements
(design only).
a. Begin by creating your design using the existing equipment.
Network equipment includes:
2 x 1841 Routers (FC-CPE-1, FC-CPE-2)
3 x 2960 Switches (FC-ASW-1, FC-ASW-2, ProductionSW)
1 x Network and Business Server
1 x Linksys WRT300N Wireless Router (FC-AP)
1 x ADSL Modem for Internet Access
b. Using the list of equipment, identify the model of wireless router. Identify the features and range of the
device. Identify whether there are upgrades that can be made to extend the range, security, and existing features.
c. Create a list of features and potential upgrades and compare them to other models of wireless router.
Determine the device that can easily meet the technical requirements of the WLAN. (Standalone
Access Points for ease of installation or wireless controllers for security and management)
d. Using the previous list, estimate the range of coverage available with the existing wireless router.
Determine if the wireless router can provide thorough coverage of the work area. Determine if standalone access points or wireless controllers are needed for the design.
e. Save your WLAN Diagram document.
Step 3: Select WLAN devices
a. Use word processing software to create an addition to the WLAN Diagram document.
b. The identified WLAN diagram will be used to determine the type of wireless device that will be
included into the proposed network.
c. Ensure that the chosen wireless equipment meets the following requirements:
Design requirements for the WLAN include:
- • Scalability
- • Availability
- • Security
- • Manageability
d. Save your WLAN Diagram document.
Step 4: Design the WLAN
a. Use word processing software to create an addition to the WLAN Diagram document.
b. Design a WLAN that provides scalability. Annotate on the WLAN Diagram document how the design
provides scalability.
(Scalability – New lightweight Access Points can be added easily and managed centrally)
c. Design a WLAN that provides availability. Annotate on the WLAN Diagram document how the design
provides availability.
(Availability – Access Points can automatically increase their signal strength if one Access Point fails)
d. Design a WLAN that provides security. Annotate on the WLAN Diagram document how the design
provides security.
(Security – Enterprise-wide security policies apply to all layers of a wireless network, from the radio
layer through the MAC Layer and into the Network Layer. This solution makes it easier to provide
uniformly enforced security, QoS, and user policies. These policies address the specific capabilities of
different classes of devices, such as handheld scanners, PDAs, and notebook computers.
Security policies also provide discovery and mitigation of DoS attacks, and detection and denial of
rogue Access Points. These functions occur across an entire managed WLAN.)
e. Design a WLAN that provides manageability. Annotate on the WLAN Diagram document how the
design provides manageability.
(Manageability – The solution provides dynamic, system-wide radio frequency (RF) management,
including features that aid smooth wireless operations, such as dynamic channel assignment,
transmit power control, and load balancing. The single graphical interface for enterprise-wide policies
includes VLANs, security, and QoS.)
f. Save your WLAN Diagram document.
Step 5: Reflection / Challenge
The design strategies for the FilmCompany WLAN pose many challenges for the designer. What were a few of the more difficult challenges you encountered?
Consider and discuss the identified strategies. Do all of the strategies designed or hardware identified
accomplish the task the same way?
Would one be less expensive or less time-consuming than the other?
Would the current topology allow for future growth and the addition of the WLAN?
• What are the throughput limitations of the WLAN?
• Is the existing equipment capable of handling the proposed network traffic? If so, how? If not, why?
• What devices can be used in place of standalone access points?
• What are the potential weaknesses of the proposed diagram?
Lab 5.5.3 Developing ACLs to Implement Firewall Rule Set
Step 1: Cable and connect the network as shown in the topology diagram
NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so that these can be restored at the conclusion of the lab.
a. Connect and configure the devices in accordance with the given topology and configuration.
Routing will have to be configured across the serial links to establish data communications.
b. Configure Telnet access on each router.
c. Ping between Host1, Host2, and Production Server to confirm network connectivity.
Troubleshoot and establish connectivity if the pings or Telnet fail.
Step 2: Perform basic router configurations
a. Configure the network devices according to the following guidelines:
- • Configure the hostnames on each device.
- • Configure an EXEC mode password of class.
- • Configure a password of cisco for console connections.
- • Configure a password of cisco for vty connections.
- • Configure IP addresses on all devices.
- • Enable EIGRP on all routers and configure each to advertise all of the connected networks.
- • Verify full IP connectivity using the ping command.
b. Confirm Application Layer connectivity by telnetting to all routers.
Step 3: Create firewall rule set and access list statements
Using the security policy information for the FilmCompany remote access, create the firewall rules that must be implemented to enforce the policy. After the firewall rule is documented, create the access list statement that will implement the firewall rule. There may be more than one statement necessary to implement a rule.
Security Policy 1: Remote users must be able to access the Production Server to view their schedules
over the web and to enter new orders.
Firewall Rule: Permit users on the 10.1.1.0/24 access to the Production Server (172.17.1.1) on TCP
port 80.
Access List statement(s): permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80
Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be
placed as close as possible to the source of the traffic).
For each of the following security policies:
a. Create a firewall rule.
b. Create an access list statement.
c. Determine the access list placement to implement the firewall rule.
Security Policy 2: Remote users must be able to FTP files to and from the Production Server.
Firewall Rule: Permit users on the 10.1.1.0/24 access to the Production Server (172.17.1.1) on TCP
ports 20 and 21.
Access List statement(s): permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21
or two separate access-list statements, each permitting one of the ports.
Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be
placed as close as possible to the source of the traffic)
Security Policy 3: Remote users can use the Production Server to send and retrieve email using IMAP
and SMTP protocols.
Firewall Rule: Permit users on the 10.1.1.0/24 access to the Production Server (172.17.1.1) on TCP
ports 143 and 25
Access List statement(s):
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143
Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be
placed as close as possible to the source of the traffic)
Security Policy 4: Remote users must not be able to access any other services available on the
Production Server.
Firewall Rule: Deny all other IP protocols between users on the 10.1.1.0/24 network to the
Production Server (172.17.1.1)
Access List statement(s): deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1
Access List placement: Inbound on router SR1 Fa0/1
Security Policy 5: No traffic is permitted from individual workstations at the main office to remote worker
workstations. Any files that need to be transferred between the two sites must be stored on the
Production Server and retrieved via FTP.
Firewall Rule: Deny all IP protocols from users on the 10.3.1.0/24 to the 10.1.1.0/24 network.
Access List statement(s): deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Access List placement: Inbound on router BR4 Fa0/1
Security Policy 6: No traffic is permitted from workstations at the remote site to workstations at the main
site.
Firewall Rule: Deny all IP protocols from users on the 10.1.1.0/24 to the 10.3.1.0/24 network.
Access List statement(s): deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
Access List placement: Inbound on router SR1 Fa0/1
Security Policy 7: No Telnet traffic is permitted from the remote site workstations to any devices,
except their local switch.
Firewall Rule: Deny all TCP traffic from users on the 10.1.1.0/24 network on port 23.
Access List statement(s): deny tcp 10.1.1.0 0.0.0.255 any eq 23
Access List placement: Inbound on router SR1 Fa0/1
Step 4: Create Extended ACLs
a. Review the access list placement information that you created to implement each of the
FilmCompany security policies. List all of the different access list placements that you noted above.
Inbound on router SR1 Fa0/1
Inbound on router BR4 Fa0/1
Based on the placement information, how many access lists do you have to create?
On Router SR1
1
On Router Edge2
0
On Router BR4
1
b. Based on the access list statements you developed in Task 3, create each access list that is needed
to implement the security policies. When creating access lists, remember the following principles:
- • Only one access list can be applied per protocol, per direction on each interface.
- • Access list statements are processed in order.
- • Once an access list is created and applied on an interface, all traffic that does not match any access
list statement will be dropped.
c. Use a text file to create the access lists, or write them here. Evaluate each access list statement to
ensure that it will filter traffic as intended.
Access list to be placed on SR1 Fa0/1 inbound:
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143
deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny tcp 10.1.1.0 0.0.0.255 any eq 23
permit ip any any
Access list to be placed on BR4 Fa0/1 inbound:
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
Why is the order of access list statements so important?
to reduce the load on the router's processor and lower latency
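As an added illustration (not part of the lab text or the answers above), the following Python simulation evaluates the two access lists from Step 4 the way a router does: statement by statement, first match wins, and anything unmatched hits the implicit deny. It also shows the ordering principle from Step 3 and Step 4: moving the "deny ip ... host 172.17.1.1" entry above the permits blocks the web access that Security Policy 1 requires. The test traffic, the host addresses 10.1.1.5 and 10.3.1.7, the router address 192.0.2.1 and the Internet address 203.0.113.10 are constructed for the example.

```python
"""Simulate Cisco-style extended ACL evaluation: first match wins, implicit deny at the end."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access control entry parsed from a statement as written in the lab."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: Tuple[int, int]              # (network, wildcard mask)
    dst: Tuple[int, int]
    ports: Optional[Tuple[int, int]]  # inclusive (low, high) destination ports, or None
    text: str


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    ports = None
    if i < len(t):
        if t[i] == "eq":
            ports = (int(t[i + 1]), int(t[i + 1]))
        elif t[i] == "range":
            ports = (int(t[i + 1]), int(t[i + 2]))
        else:
            raise ValueError(f"unsupported port operator: {t[i]}")
    return Ace(t[0], t[1], src, dst, ports, line)


def _addr_match(addr: str, net_wc: Tuple[int, int]) -> bool:
    net, wc = net_wc
    # A wildcard bit of 1 means "don't care"; a 0 bit must equal the network bit.
    return (int(IPv4Address(addr)) & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
        return False
    if ace.ports is None:
        return True
    return pkt.dport is not None and ace.ports[0] <= pkt.dport <= ace.ports[1]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); None means the implicit deny applied."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None


# The two lists exactly as written in Step 4c of the lab.
SR1_FA0_1_IN = [parse_ace(s) for s in """
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143
deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny tcp 10.1.1.0 0.0.0.255 any eq 23
permit ip any any
""".strip().splitlines()]

BR4_FA0_1_IN = [parse_ace(s) for s in [
    "deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip any any",
]]

# Constructed traffic (not from the lab): remote worker 10.1.1.5, main-office PC 10.3.1.7,
# a router management address 192.0.2.1 and an Internet host 203.0.113.10.
SAMPLE_TRAFFIC = {
    "web to production server": Packet("tcp", "10.1.1.5", "172.17.1.1", 80),
    "ftp control to server":    Packet("tcp", "10.1.1.5", "172.17.1.1", 21),
    "ssh to production server": Packet("tcp", "10.1.1.5", "172.17.1.1", 22),
    "ping production server":   Packet("icmp", "10.1.1.5", "172.17.1.1"),
    "smb to main-office pc":    Packet("tcp", "10.1.1.5", "10.3.1.7", 445),
    "telnet to router":         Packet("tcp", "10.1.1.5", "192.0.2.1", 23),
    "https to internet":        Packet("tcp", "10.1.1.5", "203.0.113.10", 443),
}


def misordered_result() -> Tuple[str, Optional[int]]:
    """Place the 'deny ip ... host 172.17.1.1' entry first: the permitted web traffic is now dropped."""
    reordered = [SR1_FA0_1_IN[4]] + SR1_FA0_1_IN[:4] + SR1_FA0_1_IN[5:]
    return evaluate(reordered, SAMPLE_TRAFFIC["web to production server"])


if __name__ == "__main__":
    for name, pkt in SAMPLE_TRAFFIC.items():
        action, line = evaluate(SR1_FA0_1_IN, pkt)
        print(f"{name:26s} -> {action:6s} (line {line})")
    print("misordered list, web traffic ->", misordered_result())
```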