CCNA Routing and Switching Charter 5

Uploaded by

gabrielrrhh
CCNA Routing and Switching

Connecting Networks

Chapter 5 SIC: SNMP and ACLs


A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.
Introduction
In this practice Packet Tracer Skills Based Assessment, you will:
• Configure SNMP community strings.
• Configure standard and extended IPv4 ACLs to filter network traffic.
• Configure an IPv6 ACL to filter network traffic.

Addressing Table
Device        Interface  IP Address               Subnet Mask      Default Gateway
ISP           S0/0/0     209.165.200.225          255.255.255.252  N/A
              S0/0/1     192.31.7.1               255.255.255.252  N/A
              G0/0       192.135.250.1            255.255.255.0    N/A
              G0/1       192.51.100.1             255.255.255.0
Main          S0/0/0     209.165.200.226          255.255.255.252  N/A
              G0/0       192.168.10.1             255.255.255.0    N/A
              G0/1       172.16.10.1              255.255.255.0    N/A
                         2001:DB8:ABCD:A::1/64                     N/A
                         Link Local: FE80::1
              S0/0/1     2001:DB8:ABCD:E::1/64                     N/A
                         Link Local: FE80::1
HS            S0/0/1     2001:DB8:ABCD:E::2/64                     N/A
                         Link Local: FE80::2
              S0/0/0     192.31.7.2               255.255.255.252  N/A
              G0/0       172.18.10.1              255.255.255.0
                         2001:DB8:ABCD:B::1/64                     N/A
                         Link Local: FE80::1
ISP DNS Svr   NIC        192.51.100.5             255.255.255.0    192.51.100.1
Ext. Web Svr  NIC        192.135.250.10           255.255.255.0    192.135.250.1
External-PC   NIC        192.135.250.5            255.255.255.0    192.135.250.1
SD Web Svr    NIC        172.16.10.10             255.255.255.0    172.16.10.1
                         2001:DB8:ABCD:A::10/64                    FE80::1
SD DNS Svr    NIC        172.16.10.5              255.255.255.0    172.16.10.1
                         2001:DB8:ABCD:A::5/64                     FE80::1
SD-Admin-PC   NIC        192.168.10.5             255.255.255.0    192.168.10.1
SD-User-PC    NIC        192.168.10.11            255.255.255.0    192.168.10.1
HS-Admin-PC   NIC        172.18.10.5              255.255.255.0    172.18.10.1
                         2001:DB8:ABCD:B::5/64                     FE80::1
HS-User-PC    NIC        172.18.10.10             255.255.255.0    172.18.10.1
                         2001:DB8:ABCD:B::10/64                    FE80::1

Step 1: Configure SNMP Community Strings on the Main router.


a. Configure a Read Only SNMP community string hq-monitor.
b. Configure a Read/Write SNMP community string hq-inside.

Step 2: Configure an ACL for NAT on the Main router.


a. Configure a standard access list numbered 1 to allow NAT for hosts in network 192.168.10.0/24.

Step 3: Configure a standard ACL to restrict remote access to the Main router.

Configure a standard ACL numbered 12 to restrict remote access to Main.

• Allow only the SD-Admin-PC to access the Main router remotely via VTY.
• All other remote connections should fail.

Step 4: Configure two extended ACLs to restrict access to SNMP operation.

a. Configure an extended ACL named SNMPACCESS.

• The SNMP operation runs over UDP on port 161.
• Allow only the SD-Admin-PC to access the Main router for the SNMP connection.
• SNMP connections from other hosts on the SD LAN should fail.
• Allow all other IP traffic.
• Apply this ACL on the Main router, G0/0 interface.

b. Configure an extended ACL named SNMPDENY.

• Deny all hosts from making SNMP connections to the Main router.
• Allow all other IP traffic.
• Apply this ACL on the Main router, G0/1 interface.

Step 5: Configure an extended ACL to restrict access to the SD LAN from the Internet.

Configure an extended IPv4 ACL named INTOHQ.

• Allow any hosts from the Internet to access the SD DNS Svr. There should be two ACEs, one for TCP and the other for UDP. Both use port 53.
• Allow any hosts from the Internet to access the SD Web Svr. Only port 80 is needed.
• Allow return TCP traffic from the Internet that was initiated from the hosts in the Main networks to pass (with the established keyword).
• Apply the ACL to the Main S0/0/0 interface.

Step 6: Configure an extended ACL to restrict access to the DMZ network.

Configure an extended IPv4 ACL named IN-DMZ.

• Allow any hosts to access the SD DNS Svr. There should be two ACEs, one for TCP and the other for UDP. Both use port 53.
• Allow any hosts to access the SD Web Svr. Only port 80 is needed.
• Allow only the SD-Admin-PC to have FTP access to the SD Web Svr. There should be two ACEs, for ports 20 and 21.
• Apply the ACL to the Main G0/1 interface.

Step 7: Configure an IPv6 ACL to restrict access to the DMZ network from the HS Network

Note: The order of the ACL statements is significant because of the scoring requirements of Packet Tracer.

Configure an IPv6 ACL named DMZFTP.

• Deny any host outside of the SD-LAN-SW network access to the SNMP operation of the Main router.
• Allow only HS-Admin-PC to have FTP access to the SD Web Svr. There should be two ACEs, for ports 20 and 21.
• Allow any hosts in the HS Network to access the SD Web Svr. Only port 80 is needed.
• Apply the ACL to the Main router S0/0/1 interface.

Connectivity Tests
a. SD-Admin-PC can access FTP service on SD Web Svr.
b. SD-User-PC cannot access FTP service on SD Web Svr.
c. HS-Admin-PC can access FTP service on SD Web Svr.
d. HS-User-PC cannot access FTP service on SD Web Svr.
e. SD-Admin-PC, SD-User-PC, and External-PC can visit SD Web Svr with URL www.hq.com.
f. SD-Admin-PC, SD-User-PC, and External-PC can visit External Web Svr with URL www.ext-web.com.
g. HS-Admin-PC and HS-User-PC can visit SD Web Svr with its IPv6 address.
h. HS-Admin-PC and HS-User-PC can visit External Web Svr with URL www.ext-web.com.
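
The following Python model is an added example, not part of the original assessment and not its graded answer. It evaluates the Step 4a and Step 6 requirements as ordered ACEs (first match wins, implicit deny at the end) and checks them against connectivity tests a and b. The ACE tuples, the `evaluate` helper, and the use of the Main G0/0 address as the SNMP destination are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def host(addr):
    return ip_network(addr + "/32")

# Addresses taken from the Addressing Table.
SD_ADMIN, SD_USER = "192.168.10.5", "192.168.10.11"
MAIN_G00, SD_WEB, SD_DNS = "192.168.10.1", "172.16.10.10", "172.16.10.5"

# ACE = (action, protocol, source, destination, destination port or None).
# Assumed reading of Step 4a; the SNMP destination is modelled as Main G0/0.
SNMPACCESS = [
    ("permit", "udp", host(SD_ADMIN), host(MAIN_G00), 161),
    ("deny",   "udp", ANY, ANY, 161),
    ("permit", "ip",  ANY, ANY, None),
]
# Same ACEs with the deny moved to the top: the admin permit is never reached.
MISORDERED = [SNMPACCESS[1], SNMPACCESS[0], SNMPACCESS[2]]

# Assumed reading of Step 6; there is no trailing "permit ip any any".
IN_DMZ = [
    ("permit", "tcp", ANY, host(SD_DNS), 53),
    ("permit", "udp", ANY, host(SD_DNS), 53),
    ("permit", "tcp", ANY, host(SD_WEB), 80),
    ("permit", "tcp", host(SD_ADMIN), host(SD_WEB), 20),
    ("permit", "tcp", host(SD_ADMIN), host(SD_WEB), 21),
]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching ACE; no match is the implicit deny."""
    for action, ace_proto, src_net, dst_net, ace_port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if ip_address(src) not in src_net or ip_address(dst) not in dst_net:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print("test a:", evaluate(IN_DMZ, "tcp", SD_ADMIN, SD_WEB, 21))
    print("test b:", evaluate(IN_DMZ, "tcp", SD_USER, SD_WEB, 21))
    print("admin SNMP:", evaluate(SNMPACCESS, "udp", SD_ADMIN, MAIN_G00, 161))
    print("admin SNMP, misordered:", evaluate(MISORDERED, "udp", SD_ADMIN, MAIN_G00, 161))
```

The model ignores interface direction and NAT, so it checks rule order and coverage only, not where the ACL is applied.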
 
ID:1
Last updated: January, 2018

Version 1.1
Created in Packet Tracer 6.3.0.0008 and PT Marvel 2.0.5
All contents are Copyright © 1992 - 2018 Cisco Systems, Inc. All rights
reserved. This document is Cisco Public Information.
