5.5.2 Lab - Configure and Verify Extended IPv4 ACLs Submission Document

The document outlines a lab exercise for configuring and verifying extended IPv4 Access Control Lists (ACLs) on a network topology involving routers, switches, and PCs. It includes detailed steps for building the network, configuring basic device settings, VLANs, trunking, routing, remote access, and verifying connectivity. The final part focuses on implementing specific security policies through ACLs to control traffic between different network segments.

Uploaded by ron roswei

Lab - Configure and Verify Extended IPv4 ACLs

Topology

Addressing Table
Device   Interface     IP Address    Subnet Mask      Default Gateway
R1       G0/0/1        N/A           N/A              N/A
R1       G0/0/1.20     10.20.0.1     255.255.255.0    N/A
R1       G0/0/1.30     10.30.0.1     255.255.255.0    N/A
R1       G0/0/1.40     10.40.0.1     255.255.255.0    N/A
R1       G0/0/1.1000   N/A           N/A              N/A
R1       Loopback1     172.16.1.1    255.255.255.0    N/A
R2       G0/0/1        10.20.0.4     255.255.255.0    N/A
S1       VLAN 20       10.20.0.2     255.255.255.0    10.20.0.1
S2       VLAN 20       10.20.0.3     255.255.255.0    10.20.0.1
PC-A     NIC           10.30.0.10    255.255.255.0    10.30.0.1
PC-B     NIC           10.40.0.10    255.255.255.0    10.40.0.1

VLAN Table
VLAN   Name         Interface Assigned
20     Management   S2: F0/5
30     Operations   S1: F0/6
40     Sales        S2: F0/18
999    ParkingLot   S1: F0/2-4, F0/7-24, G0/1-2
                    S2: F0/2-4, F0/6-17, F0/19-24, G0/1-2
1000   Native       N/A

© 2017 - 2025 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 22 www.netacad.com

Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Configure and Verify Extended Access Control Lists

Background / Scenario
You have been tasked with configuring access control lists on a small company's network. ACLs are one of the simplest and most direct means of controlling layer 3 traffic. R1 will be hosting an internet connection (simulated by interface Loopback 1) and sharing the default route information to R2. After initial configuration is complete, the company has some specific traffic security requirements that you are responsible for implementing.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Ensure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.

Required Resources
• 2 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 2 Switches (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
• 2 PCs (Windows with a terminal emulation program, such as Tera Term)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology

Instructions

Part 1: Build the Network and Configure Basic Device Settings.


Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.


Open configuration window

a. Assign a device name to the router.


b. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as
though they were host names.
c. Assign class as the privileged EXEC encrypted password.
d. Assign cisco as the console password and enable login.


e. Assign cisco as the VTY password and enable login.


f. Encrypt the plaintext passwords.
g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
h. Save the running configuration to the startup configuration file.
Close configuration window

Step 3: Configure basic settings for each switch.


Open configuration window

a. Assign a device name to the switch.


b. Disable DNS lookup to prevent the switch from attempting to translate incorrectly entered commands as
though they were host names.
c. Assign class as the privileged EXEC encrypted password.
d. Assign cisco as the console password and enable login.
e. Assign cisco as the VTY password and enable login.
f. Encrypt the plaintext passwords.
g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
h. Save the running configuration to the startup configuration file.
Close configuration window

Part 2: Configure VLANs on the Switches


Step 1: Create VLANs on both switches.
Open configuration window

a. Create and name the required VLANs on each switch from the table above.
b. Configure the management interface and default gateway on each switch using the IP address
information in the Addressing Table.
c. Assign all unused ports on the switch to the Parking Lot VLAN, configure them for static access mode,
and administratively deactivate them.
Note: The interface range command is helpful to accomplish this task with as few commands as
necessary.

Step 2: Assign VLANs to the correct switch interfaces.


a. Assign used ports to the appropriate VLAN (specified in the VLAN table above) and configure them for
static access mode.
b. Issue the show vlan brief command and verify that the VLANs are assigned to the correct interfaces.
Close configuration window

Part 3: Configure Trunking


Step 1: Manually configure trunk interface F0/1.
Open configuration window

a. Change the switchport mode on interface F0/1 to force trunking. Make sure to do this on both switches.
b. As a part of the trunk configuration, set the native vlan to 1000 on both switches. You may see error
messages temporarily while the two interfaces are configured for different native VLANs.
c. As another part of trunk configuration, specify that VLANs 20, 30, 40, and 1000 are allowed to cross the
trunk.
d. Issue the show interfaces trunk command to verify trunking ports, the Native VLAN and allowed VLANs
across the trunk.


Step 2: Manually configure S1’s trunk interface F0/5.


a. Configure S1’s interface F0/5 with the same trunk parameters as F0/1. This is the trunk to the router.
b. Save the running configuration to the startup configuration file.
c. Issue the show interfaces trunk command to verify trunking.
Close configuration window
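Parts 2 and 3 together define a port policy that is easy to get subtly wrong on a 24-port switch: used ports in their VLAN in static access mode, trunks with native VLAN 1000 and only VLANs 20, 30, 40 and 1000 allowed, and every other port in ParkingLot 999, access mode and shut down. The following audit script is an added example, not part of the Cisco lab; it parses a pasted `show run | exclude !` dump and reports each violation. `S1_EXCERPT` is constructed from S1's config on this page with two deliberate deviations so the checks have something to find.

```python
# Added example (not part of the lab): audit a Catalyst running config against the Part 2
# and Part 3 port rules: used ports in their VLAN in static access mode; trunks with native
# VLAN 1000 and exactly the allowed VLANs; every other port in ParkingLot 999, access mode
# and shutdown. S1_EXCERPT is constructed from S1's config on this page with two deliberate
# deviations (F0/7 is not shut down, F0/8 lacks its 'switchport mode access' line).
from typing import Dict, List, Optional, Set

TRUNK_PORTS = {"FastEthernet0/1", "FastEthernet0/5"}  # S1 trunks from Part 3
ACCESS_PORTS = {"FastEthernet0/6": 30}                 # S1 used ports from the VLAN table
ALLOWED_VLANS = {20, 30, 40, 1000}
NATIVE_VLAN, PARKING_LOT = 1000, 999

S1_EXCERPT = """\
interface FastEthernet0/1
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 20,30,40,1000
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 999
 switchport mode access
 shutdown
interface FastEthernet0/5
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 20,30,40,1000
 switchport mode trunk
interface FastEthernet0/6
 switchport access vlan 30
 switchport mode access
interface FastEthernet0/7
 switchport access vlan 999
 switchport mode access
interface FastEthernet0/8
 switchport access vlan 999
 shutdown
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group sub-commands under their 'interface <name>' line. Indentation is optional,
    since 'show run | exclude !' output pasted from a terminal often loses it."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def expand_vlans(spec: str) -> Set[int]:
    """'20,30,40,1000' -> {20, 30, 40, 1000}; ranges such as '10-12' are expanded."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def _value(cmds: List[str], prefix: str) -> Optional[str]:
    """Last token of the first sub-command starting with prefix, or None if absent."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), None)

def audit(config: str) -> List[str]:
    """Return one finding per rule violation; an empty list means the config complies."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Vlan"):
            continue  # SVIs are routed interfaces, not switchports
        mode = _value(cmds, "switchport mode ")
        access_vlan = _value(cmds, "switchport access vlan ")
        native = int(_value(cmds, "switchport trunk native vlan ") or 1)  # IOS default is 1
        allowed = _value(cmds, "switchport trunk allowed vlan ")          # None means all
        shut = "shutdown" in cmds
        if name in TRUNK_PORTS:
            if mode != "trunk":
                findings.append(f"{name}: trunk port mode is {mode}, expected trunk")
            if native != NATIVE_VLAN:
                findings.append(f"{name}: native VLAN is {native}, expected {NATIVE_VLAN}")
            if allowed is None or expand_vlans(allowed) != ALLOWED_VLANS:
                findings.append(f"{name}: allowed VLANs are {allowed or 'all'}, expected 20,30,40,1000")
        elif name in ACCESS_PORTS:
            want = ACCESS_PORTS[name]
            if mode != "access" or access_vlan != str(want):
                findings.append(f"{name}: expected access port in VLAN {want}, got mode={mode} vlan={access_vlan}")
            if shut:
                findings.append(f"{name}: used port is shut down")
        else:
            if mode != "access":
                findings.append(f"{name}: unused port mode is {mode or 'dynamic (default)'}, expected access")
            if access_vlan != str(PARKING_LOT):
                findings.append(f"{name}: unused port is in VLAN {access_vlan or 1}, expected {PARKING_LOT}")
            if not shut:
                findings.append(f"{name}: unused port is not shut down")
    return findings
```

Run `audit()` over the full S2 dump with `TRUNK_PORTS = {"FastEthernet0/1"}` and `ACCESS_PORTS = {"FastEthernet0/5": 20, "FastEthernet0/18": 40}` to check the second switch against its row of the VLAN table.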

Part 4: Configure Routing


Step 1: Configure Inter-VLAN Routing on R1.
Open configuration window

a. Activate interface G0/0/1 on the router.


b. Configure sub-interfaces for each VLAN as specified in the IP addressing table. All sub-interfaces use
802.1Q encapsulation. Ensure the sub-interface for the native VLAN does not have an IP address
assigned. Include a description for each sub-interface.
c. Configure interface Loopback 1 on R1 with addressing from the table above.
d. Use the show ip interface brief command to verify the sub-interfaces are operational.

Step 2: Configure the R2 interface G0/0/1 using the address from the table and a default route with the next hop 10.20.0.1.
Close configuration window

Part 5: Configure Remote Access


Step 1: Configure all network devices for basic SSH support.
Open configuration window

a. Create a local user with the username SSHadmin and the encrypted password $cisco123!
b. Use ccna-lab.com as the domain name.
c. Generate crypto keys using a 1024-bit modulus.
d. Configure the first five VTY lines on each device to support SSH connections only and to authenticate to
the local user database.

Step 2: Enable secure, authenticated web services on R1.


a. Enable the HTTPS server on R1.
R1(config)# ip http secure-server
b. Configure R1 to authenticate users attempting to connect to the web server.
R1(config)# ip http authentication local
Close configuration window

Part 6: Verify Connectivity


Step 1: Configure PC hosts.
Refer to the Addressing Table for PC host address information.

Step 2: Complete the following tests. All should be successful.


Note: You may have to disable the PC firewall for pings to be successful.

From   Protocol   Destination
PC-A   Ping       10.40.0.10
PC-A   Ping       10.20.0.1
PC-B   Ping       10.30.0.10
PC-B   Ping       10.20.0.1
PC-B   Ping       172.16.1.1
PC-B   HTTPS      10.20.0.1
PC-B   HTTPS      172.16.1.1
PC-B   SSH        10.20.0.4
PC-B   SSH        172.16.1.1

Part 7: Configure and Verify Extended Access Control Lists.


When basic connectivity is verified, the company requires the following security policies to be implemented:
Policy 1: The Sales Network is not allowed to SSH to the Management Network (but other SSH is allowed).
Policy 2: The Sales Network is not allowed to access IP addresses in the Management network using any web protocol (HTTP/HTTPS). The Sales Network is also not allowed to access R1 interfaces using any web protocol. All other web traffic is allowed (note – Sales can access the Loopback 1 interface on R1).
Policy 3: The Sales Network is not allowed to send ICMP echo-requests to the Operations or Management Networks. ICMP echo requests to other destinations are allowed.
Policy 4: The Operations network is not allowed to send ICMP echo-requests to the Sales network. ICMP echo requests to other destinations are allowed.
Step 1: Analyze the network and the security policy requirements to plan ACL implementation.
Step 2: Develop and apply extended access lists that will meet the security policy statements.
Step 3: Verify security policies are being enforced by the deployed access lists.
Run the following tests. The expected results are shown in the table:

From   Protocol   Destination   Result
PC-A   Ping       10.40.0.10    Fail
PC-A   Ping       10.20.0.1     Success
PC-B   Ping       10.30.0.10    Fail
PC-B   Ping       10.20.0.1     Fail
PC-B   Ping       172.16.1.1    Success
PC-B   HTTPS      10.20.0.1     Fail
PC-B   HTTPS      172.16.1.1    Success
PC-B   SSH        10.20.0.4     Fail
PC-B   SSH        172.16.1.1    Success


Document your work here:

1. Paste in a screenshot (to include the time and date) of your NetLab screen with Lab 5.5.2 open.

Paste screenshot here:

2. Run ipconfig on PCA, and paste a screenshot of that here:

Paste screenshot here:

3. Run ipconfig on PCB, and paste a screenshot of that here:

Paste screenshot here:


4. On R1, run the following command in privileged EXEC mode:


show run | exclude !

Highlight your entire running config in the R1 window. From the drop-down menu for R1, select
Copy Selected Text.

R1#show run | exclude !


Building configuration...

Current configuration : 5076 bytes


version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 75000
hostname R1
boot-start-marker
boot-end-marker
enable secret 5 $1$x3mn$VoyuT9tVsZNaVdEmCdcg.1


no aaa new-model
no ip domain lookup
ip domain name ccna-lab.com
login on-success log
subscriber templating
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-244286773
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-244286773
revocation-check none
rsakeypair TP-self-signed-244286773
crypto pki certificate chain TP-self-signed-244286773
certificate self-signed 01

quit
license udi pid ISR4221/K9 sn FJC2339A1NN
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
spanning-tree extend system-id
username SSHadmin secret 5 $1$p63j$mvXQ1ovNLCcrw2qyu5DoF0
redundancy
mode none
interface Loopback1
ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet0/0/0
no ip address
negotiation auto
interface GigabitEthernet0/0/1
no ip address
negotiation auto
interface GigabitEthernet0/0/1.20
description Management Network
encapsulation dot1Q 20
ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/0/1.30
description Operations Network
encapsulation dot1Q 30
ip address 10.30.0.1 255.255.255.0
ip access-group 102 in
interface GigabitEthernet0/0/1.40
description Sales Network
encapsulation dot1Q 40
ip address 10.40.0.1 255.255.255.0
ip access-group 101 in
interface GigabitEthernet0/0/1.1000
description Native VLAN
encapsulation dot1Q 1000 native
ip forward-protocol nd
no ip http server


ip http authentication local


ip http secure-server
ip access-list extended 101
remark ACL 101 fulfills policies 1, 2, and 3
deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq www
deny tcp 10.40.0.0 0.0.0.255 host 10.30.0.1 eq www
deny tcp 10.40.0.0 0.0.0.255 host 10.40.0.1 eq www
deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 443
deny tcp 10.40.0.0 0.0.0.255 host 10.30.0.1 eq 443
deny tcp 10.40.0.0 0.0.0.255 host 10.40.0.1 eq 443
deny icmp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo
deny icmp 10.40.0.0 0.0.0.255 10.30.0.0 0.0.0.255 echo
permit ip any any
ip access-list extended 102
remark ACL 102 fulfills policy 4
deny icmp 10.30.0.0 0.0.0.255 10.40.0.0 0.0.0.255 echo
permit ip any any
control-plane
line con 0
password 7 13061E010803
logging synchronous
login
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 00071A150754
login local
transport input ssh
line vty 5 15
password 7 060506324F41
login
end

5. On R2, run the following command in privileged EXEC mode:


show run | exclude !


Highlight your entire running config in the R2 window. From the drop-down menu for R2, select
Copy Selected Text.

Paste in the running Config for R2 here:


R2#show run | exclude !
Building configuration...

Current configuration : 3818 bytes


version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 75000
hostname R2
boot-start-marker
boot-end-marker
enable secret 5 $1$HLKg$3r13rZQvM/cOoQ8HNceB71
no aaa new-model
no ip domain lookup
ip domain name ccna-lab.com
login on-success log
subscriber templating
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1621746638
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1621746638
revocation-check none
rsakeypair TP-self-signed-1621746638
crypto pki certificate chain TP-self-signed-1621746638
certificate self-signed 01
quit
license udi pid ISR4221/K9 sn FJC2339A1MV
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
spanning-tree extend system-id
username SSHadmin secret 5 $1$W3xo$wVAjwkMPQQ/49Z2ywN67x1
redundancy
mode none
interface GigabitEthernet0/0/0
no ip address
negotiation auto
interface GigabitEthernet0/0/1
ip address 10.20.0.4 255.255.255.0
negotiation auto
ip forward-protocol nd


no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.20.0.1
control-plane
line con 0
password 7 14141B180F0B
logging synchronous
login
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 13061E010803
login local
transport input ssh
line vty 5 15
password 7 045802150C2E
login
end
6. On S1, run the following command in privileged EXEC mode:
show run | exclude !

Highlight your entire running config in the S1 window. From the drop-down menu for S1, select
Copy Selected Text.

S1#show run | exclude !


Building configuration...

Current configuration : 5039 bytes


version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname S1
boot-start-marker
boot-end-marker


enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2


username SSHadmin secret 4 XI/OChbPqk6MJfqUgiy9zTg.WRipgUmnGDbJaBncGW6
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name ccna-lab.com
crypto pki trustpoint TP-self-signed-3092469760
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3092469760
revocation-check none
rsakeypair TP-self-signed-3092469760
crypto pki certificate chain TP-self-signed-3092469760
certificate self-signed 02
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport trunk native vlan 1000
switchport trunk allowed vlan 20,30,40,1000
switchport mode trunk


interface FastEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/3
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/4
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/5
switchport trunk native vlan 1000
switchport trunk allowed vlan 20,30,40,1000
switchport mode trunk
interface FastEthernet0/6
switchport access vlan 30
switchport mode access
interface FastEthernet0/7
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/8
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/9
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/10
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/11
switchport access vlan 999
switchport mode access
shutdown


interface FastEthernet0/12
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/13
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/14
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/18
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/19
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/20
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/21
switchport access vlan 999
switchport mode access


shutdown
interface FastEthernet0/22
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/23
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/24
switchport access vlan 999
switchport mode access
shutdown
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
shutdown
interface GigabitEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
interface Vlan1
no ip address
interface Vlan20
ip address 10.20.0.2 255.255.255.0
ip default-gateway 10.20.0.1
ip http server
ip http authentication local
ip http secure-server
line con 0
password 7 05080F1C2243
logging synchronous
login
line vty 0 4
password 7 14141B180F0B
login local
transport input ssh
line vty 5 15
password 7 121A0C041104


login
end

7. On S2, run the following command in privileged EXEC mode:


show run | exclude !

Highlight your entire running config in the S2 window. From the drop-down menu for S2, select
Copy Selected Text.

S2#show run | exclude !


Building configuration...

Current configuration : 4961 bytes


version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname S2
boot-start-marker
boot-end-marker
enable secret 5 $1$8ilW$8kzYcCb3NqpEIKuuzPc6U1
username SSHadmin secret 5 $1$Lpor$pdnkLbFEJQVJ0OI1y.niL1
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name ccna-lab.com
crypto pki trustpoint TP-self-signed-2912295424
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2912295424
revocation-check none
rsakeypair TP-self-signed-2912295424
crypto pki certificate chain TP-self-signed-2912295424
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport trunk native vlan 1000
switchport trunk allowed vlan 20,30,40,1000
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/3
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/4
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
interface FastEthernet0/6


switchport access vlan 999


switchport mode access
shutdown
interface FastEthernet0/7
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/8
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/9
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/10
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/11
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/12
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/13
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/14
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 999
switchport mode access
shutdown


interface FastEthernet0/16
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/18
switchport access vlan 40
switchport mode access
interface FastEthernet0/19
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/20
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/21
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/22
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/23
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/24
switchport access vlan 999
switchport mode access
shutdown
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
shutdown


interface GigabitEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
interface Vlan1
no ip address
interface Vlan20
ip address 10.20.0.3 255.255.255.0
ip default-gateway 10.20.0.1
ip http server
ip http authentication local
ip http secure-server
line con 0
password 7 110A1016141D
logging synchronous
login
line vty 0 4
password 7 045802150C2E
login local
transport input ssh
line vty 5 15
password 7 0822455D0A16
login
end

End of document
