Cisco CLI fun!

Hello everyone,

I am currently in my Network Security and Firewalls class at my local college and am working in a Cisco environment (more specifically, Packet Tracer 8.0). I believe I have successfully cleared the Packet Tracer activity I was given, but PT doesn’t seem to acknowledge this for some reason. When I check the activity it tells me that I have not met 4 objective items and have failed 3 connectivity checks.

[Screenshot from 2021-07-03 19-55-08]

However, when I perform pings between these devices to verify the connections manually, they are correct. (Example: I can’t ping anything on the 172 network with Laptop1 even though PT tells me that it is successfully pinging.) If anyone has any suggestions or wants to double-check my work, here are my running configs on the routers.

Packet Tracer file (just delete the .txt at the end): Access List Activity 3.pka.txt (561.9 KB)

Router #1

Current configuration : 992 bytes
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
license udi pid CISCO1941/K9 sn FTX1524VC0B-
spanning-tree mode pvst
interface GigabitEthernet0/0
 ip address 10.68.42.1 255.0.0.0
 ip access-group PC0Rule in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 200.0.1.1 255.255.255.0
 duplex auto
 speed auto
interface Serial0/0/0
 ip address 200.58.4.241 255.255.255.252
 clock rate 2000000
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
ip classless
ip route 172.20.56.0 255.255.255.0 200.58.4.242
ip route 192.168.15.0 255.255.255.0 200.58.4.242
ip flow-export version 9
ip access-list standard PC0Rule
 deny host 10.68.42.2
 permit any
no cdp run
line con 0
line aux 0
line vty 0 4
 login
end

Router #2

Current configuration : 1079 bytes
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
license udi pid CISCO1941/K9 sn FTX1524AHM3-
spanning-tree mode pvst
interface GigabitEthernet0/0
 ip address 192.168.15.1 255.255.255.0
 ip access-group ManagementACL out
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 172.20.56.1 255.255.0.0
 ip access-group ServerACL out
 duplex auto
 speed auto
interface Serial0/0/0
 ip address 200.58.4.242 255.255.255.252
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
ip classless
ip route 200.0.1.0 255.255.255.0 200.58.4.240
ip flow-export version 9
ip access-list standard ServerACL
 permit host 200.0.1.131
 permit host 192.168.15.194
ip access-list standard ManagementACL
 permit host 200.0.1.130
 permit 172.20.0.0 0.0.255.255
no cdp run
line con 0
line aux 0
line vty 0 4
 login
end

Thanks for the help, and if you want to check my config in Packet Tracer, here is a config script to set up the routers the same way I did so you can follow my process.

iOS Script.txt (1.0 KB)

##Access List 3 Router Configurations

##R1 Config Script
enable
conf t
interface g0/0
ip address 10.68.42.1 255.0.0.0
no shut
interface g0/1
ip address 200.0.1.1 255.255.255.0
no shut
interface s0/0/0
ip address 200.58.4.241 255.255.255.252
no shut
exit
ip route 172.20.56.0 255.255.255.0 200.58.4.242
ip route 192.168.15.0 255.255.255.0 200.58.4.242
ip access-list standard PC0Rule
deny 10.68.42.2 0.0.0.0
permit any
exit
interface g0/0
ip access-group PC0Rule in

##R2 Config Script
enable
conf t
interface g0/0
ip address 192.168.15.1 255.255.255.0
no shut
interface g0/1
ip address 172.20.56.1 255.255.0.0
no shut
interface s0/0/0
ip address 200.58.4.242 255.255.255.252
no shut
exit
ip route 200.0.1.0 255.255.255.0 200.58.4.241
ip access-list standard ManagementACL
permit 200.0.1.130 0.0.0.0
permit 172.20.0.0 0.0.255.255
exit
ip access-list standard ServerACL
permit 200.0.1.131 0.0.0.0
permit 192.168.15.194 0.0.0.0
exit
interface g0/0
ip access-group ManagementACL out
interface g0/1
ip access-group ServerACL out

  1. Packet Tracer sometimes has bugs.
  2. You can set up monitoring in Packet Tracer to simulate/monitor traffic flow to test with. It’s been a while since I used PT due to point 1 though.
1 Like

It’s a little confusing what interface is what, but I can see perhaps two problems:

If your PC is 10.68.42.2, it isn’t going anywhere:
ip access-list standard PC0Rule
deny 10.68.42.2 0.0.0.0
permit any

If 10.0.0.0/8 (R1 G0/0) is where the “laptop” is from, it will not be able to get to 192.168.15.0/24 or 172.20.0.0/16 for two reasons.

  1. ACLs
    ip access-list standard ManagementACL
    Permit 200.0.1.130
    Permit 172.20.0.0 0.0.255.255
    ip access-list standard ServerACL
    Permit 200.0.1.131
    Permit 192.168.15.194

Both these ACLs have implicit denies at the bottom that will block all other traffic.

  2. Routes
    There is no route to 10.0.0.0/8 (perhaps this is supposed to be a /24) via S0/0/0 on R2. There should be this route:
    ip route 10.0.0.0 255.0.0.0 200.58.4.241
    or this if the net is supposed to be a /24:
    ip route 10.68.42.0 255.255.255.0 200.58.4.241
1 Like

Thank you @thro and @xradeon for looking through my post. I appreciate the feedback. I didn’t post the objectives, so here they are:

On the network shown below, the following is needed:

  • Systems on the Development network should be able to access Production. They should not be able to access the Management or Server networks
  • Systems on the Production network should be able to access Development. They should not be able to access the Management or Server networks

Additionally:

  • PC0 on the Development network should NOT be able to access anything except the Development network
  • PC2 on the Production network should be able to access the Management network
  • PC3 on the Production network should be able to access the Server network
  • Laptop0 on the Management network should be able to access the Server network
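The reasoning in the reply above (a standard ACL matches on source address only and ends in an implicit deny, and R2 has no route back toward the 10 network) and the objective list can be checked together with a small model. The following is an added example written for this thread, not code from the original post or from Packet Tracer: it holds the addresses, static routes and ACL entries from the posted R1/R2 config scripts as data, evaluates each ACL the way IOS evaluates a standard access list (first matching entry wins, anything unmatched is denied), and traces a ping in both directions. The mapping of subnets to the Development, Production, Management and Server names, and the spare host addresses used for the generic checks (10.68.42.10 and so on), are assumptions inferred from the ACL names and the objectives, not facts from the lab.

```python
"""Added example (not from the post): the posted R1/R2 as data, standard-ACL matching,
static routing, and a two-way ping trace.  Network-name mapping is assumed."""
from ipaddress import ip_address, ip_interface, ip_network

def acl_permits(acl, src):
    """Standard ACL: (action, address, wildcard) entries, first match wins, implicit deny."""
    s = int(ip_address(src))
    for action, addr, wildcard in acl:
        care = int(ip_address(wildcard)) ^ 0xFFFFFFFF   # wildcard 1-bits = don't care
        if (s & care) == (int(ip_address(addr)) & care):
            return action == "permit"
    return False                                        # nothing matched: implicit deny

# Interfaces: name -> (address/mask, inbound ACL, outbound ACL), from the posted scripts
ROUTERS = {
    "R1": {"ifaces": {"g0/0": ("10.68.42.1/255.0.0.0", "PC0Rule", None),
                      "g0/1": ("200.0.1.1/255.255.255.0", None, None),
                      "s0/0/0": ("200.58.4.241/255.255.255.252", None, None)},
           "routes": [("172.20.56.0/24", "200.58.4.242"), ("192.168.15.0/24", "200.58.4.242")],
           "acls": {"PC0Rule": [("deny", "10.68.42.2", "0.0.0.0"),
                                ("permit", "0.0.0.0", "255.255.255.255")]}},
    "R2": {"ifaces": {"g0/0": ("192.168.15.1/255.255.255.0", None, "ManagementACL"),
                      "g0/1": ("172.20.56.1/255.255.0.0", None, "ServerACL"),
                      "s0/0/0": ("200.58.4.242/255.255.255.252", None, None)},
           "routes": [("200.0.1.0/24", "200.58.4.241")],
           "acls": {"ManagementACL": [("permit", "200.0.1.130", "0.0.0.0"),
                                      ("permit", "172.20.0.0", "0.0.255.255")],
                    "ServerACL": [("permit", "200.0.1.131", "0.0.0.0"),
                                  ("permit", "192.168.15.194", "0.0.0.0")]}},
}
LINKS = {("R1", "s0/0/0"): ("R2", "s0/0/0"), ("R2", "s0/0/0"): ("R1", "s0/0/0")}

def connected_iface(router, addr):
    """Interface whose subnet contains addr, or None."""
    for name, (spec, _, _) in ROUTERS[router]["ifaces"].items():
        if ip_address(addr) in ip_interface(spec).network:
            return name
    return None

def egress(router, dst):
    """Connected subnet first, else longest static prefix resolved to its next-hop interface."""
    name = connected_iface(router, dst)
    if name:
        return name
    best = None
    for prefix, next_hop in ROUTERS[router]["routes"]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return connected_iface(router, best[1]) if best else None

def trace(src, dst):
    """Follow one packet hop by hop; returns (delivered, explanation)."""
    router = next((r for r in ROUTERS if connected_iface(r, src)), None)
    if router is None:
        return False, f"{src} is not on any known subnet"
    ingress = connected_iface(router, src)
    for _ in range(8):                                   # hop limit against loops
        r = ROUTERS[router]
        acl_in = r["ifaces"][ingress][1]
        if acl_in and not acl_permits(r["acls"][acl_in], src):
            return False, f"{router} {ingress} in: denied by {acl_in}"
        out = egress(router, dst)
        if out is None:
            return False, f"{router}: no route to {dst}"
        spec, _, acl_out = r["ifaces"][out]
        if acl_out and not acl_permits(r["acls"][acl_out], src):
            return False, f"{router} {out} out: denied by {acl_out}"
        if ip_address(dst) in ip_interface(spec).network:
            return True, f"delivered out {router} {out}"
        router, ingress = LINKS[(router, out)]          # cross the serial link
    return False, "hop limit exceeded"

def ping(src, dst):
    """Echo and reply must both get through; returns (ok, forward why, reverse why)."""
    ok_fwd, why_fwd = trace(src, dst)
    ok_rev, why_rev = trace(dst, src)
    return ok_fwd and ok_rev, why_fwd, why_rev

# Assumed from the ACL names: Development = 10.68.42.0, Production = 200.0.1.0,
# Management = 192.168.15.0, Server = 172.20.56.0; the .10 hosts are made-up spares
DEV, PROD, MGMT, SRV = "10.68.42.10", "200.0.1.10", "192.168.15.10", "172.20.56.10"
OBJECTIVES = [  # (label, source, destination, should it be reachable?)
    ("Development -> Production", DEV, PROD, True),
    ("Development -> Management", DEV, MGMT, False),
    ("Development -> Server", DEV, SRV, False),
    ("Production -> Development", PROD, DEV, True),
    ("Production -> Management", PROD, MGMT, False),
    ("Production -> Server", PROD, SRV, False),
    ("PC0 -> Production", "10.68.42.2", PROD, False),
    ("PC2 -> Management", "200.0.1.130", MGMT, True),
    ("PC3 -> Server", "200.0.1.131", SRV, True),
    ("Laptop0 -> Server", "192.168.15.194", SRV, True),
]

def check_objectives():
    """[(label, expected, actual, forward why, reverse why)] for each objective."""
    return [(label, want) + ping(src, dst) for label, src, dst, want in OBJECTIVES]

if __name__ == "__main__":
    for label, want, got, fwd, rev in check_objectives():
        print("OK " if want == got else "BAD", f"{label:27} {fwd} / {rev}")
```

Running it prints one line per objective. A ping counts as reachable only if both the echo and the reply are forwarded, so the trace for a Development host toward the 172 network reports the ServerACL deny on R2 g0/1 for the request and "no route" on R2 for the reply, which are the two reasons given in the reply above. This models only the configuration as posted, not Packet Tracer's grading, so it cannot say which of PT's checks are failing.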

If you’re unsure as to what is going on, there’s a mode in packet tracer where it will display packets moving about the network.

I forget what it’s called, as it’s been about 7 years since I used PT in any sort of serious capacity other than getting others started with basic TCP/IP (I use GNS3 instead these days), but it may help you diagnose whether or not the ping responses you are getting are actually from the correct machine(s).

If the simulator/display thing shows the packets going where they are supposed to be going, I’d write it off as a PT bug. PT is a useful learning tool, but it’s seriously full of bugs, especially if you start doing anything more than basic functionality (at least in my experience).

Bugs in the simulation, bugs in the lesson objectives being met, etc.

I’m assuming you have a Cisco tutor for this (as part of the Cisco academy program to get your hands on PT “legally”)? If you think you’ve solved it, send him/her the saved project and see if he/she can confirm you have it working properly or not.

In the real Cisco exams, you won’t be using PT, you’ll be using some variant of Cisco VIRL via the web.

If you’re doing this totally yourself to self-teach (someone gave you a copy of PT and you’re on your own), I’d suggest looking into GNS3 and maybe a Cisco VIRL subscription for a year as GNS3 is way better but you need the Cisco VIRL images to be legit for modern Cisco platforms.

PT is good for basic stuff, but it will lead you astray when more advanced things don’t work properly or at all. GNS3 isn’t perfect either, but the known bugs/support if you run into something odd are better, and at least it is attempting to run real IOS images rather than some cut-down simulator version.

1 Like

I am in a class at my local college, but the professor is taking his sweet time getting back to me. I think I have everything configured correctly (or at least correctly enough; afaik I am meeting all the requirements). I just wanted someone to look over what I had going on here and point out any glaring errors I might have overlooked.

I don’t really care that much tbh, as I don’t plan on pursuing a CCNA, and even if I started working with Cisco stuff, as I understand it most configurations are handled with scripting using programming languages now. Most data centers won’t let you manually configure stuff anymore.

Kind of; sort of.

Most datacenters have scripts that SSH into boxes and upload and apply new configs using whatever knobs the vendor intended to expose on particular devices. Hyperscalers usually just make their own network gear, or heavily modify the OS running on vendor gear/hardware when it comes to high-capacity cluster switching/routing/fabrics.
When it comes to edge and plain old BGP where you need to peer with the outside world, it’s usually still mostly about SSH-ing into Junipers and Ciscos, and if you’re lucky you might be able to build your own binary to replace SSH and SNMP, or at least not use them beyond localhost. (As a hyperscaler you’ll have your own RPC protocols with your own ACLs and Authn/Authz practices; SSH and SNMP will feel alien.)

1 Like