Labs

Lab ts-sec-01 - Troubleshooting Security Tickets

Security features are the only thing on a network designed to make traffic fail. That makes the tickets sneaky: the network is doing exactly what it was told, and what it was told is wrong. An ACL silently drops the traffic it was meant to permit, a secured port shuts itself, a management ACL locks out the very engineer trying to fix it. This lab gives you three security tickets on the five-node base topology. It is part of the PingLabz CCNA Troubleshooting Labs, fits Cisco Modeling Labs Free, and every output was captured on Cisco IOS XE.

The topology and healthy state

R1 and R2 share the LAN 10.20.0.0/24 through SW1; R2 is the border to R3. HOST1 hangs off SW1's Et0/2. Healthy, the LAN reaches the internet host and you can manage the routers remotely. These three tickets each break that with a security control that was applied carelessly.

Lab setup: this topology boots with all three faults already in place, one per ticket. These three are independent (a router ACL, a switch port, and the VTY lines), so you can work them in any order. The downloadable topology and the full ticket walkthroughs are part of PingLabz Pro.

What you will learn

  • How to tell an ACL drop from a routing drop by reading the single character in a ping.
  • Why an ACL applied in the wrong direction (or with source and destination reversed) blocks exactly the traffic it was meant to allow.
  • How to recognize and recover an err-disabled port from a port-security violation.
  • How a VTY access-class locks out a management subnet, and how to read it before you reload anything.

Ticket 1: "Nobody on the LAN can reach anything"

Reported symptom: "After a security change last night, the whole LAN lost reachability. Routing wasn't touched."
Success criterion: an inside host can reach 10.255.0.3 again.

R1# ping 10.255.0.3 source 10.20.0.1
U.U.U
Success rate is 0 percent (0/5)

Read the U. That is an active rejection: a router in the path is administratively refusing the packet, not silently dropping it. Routing drops time out with dots; an ACL deny answers with an unreachable. Find the ACL on R2:

R2# show ip access-lists LAN-FILTER
Extended IP access list LAN-FILTER
    10 permit ip 10.30.30.0 0.0.0.3 10.20.0.0 0.0.0.255     <-- source/dest reversed

R2# show ip interface Ethernet0/0 | include access list
  Inbound  access list is LAN-FILTER
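The reversed entry is easiest to see by running the ticket's packet through the same match logic a router uses: each address is compared to the entry's base address everywhere the wildcard mask has a 0 bit, and a packet matching no entry falls through to the implicit deny at the end of every IOS ACL. The evaluator below is an added example written for this page, not PingLabz or Cisco code. The LAN-FILTER entry it tests is the one shown above; the "corrected" entry (`permit ip 10.20.0.0 0.0.0.255 any`) is an assumption, since the page does not show the fix.

```python
"""Evaluate Cisco-style extended ACL entries against a packet (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    src: int         # source base address as an int
    src_wild: int    # source wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0, tokens[2:]
    return _to_int(tokens[0]), _to_int(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse '10 permit ip 10.30.30.0 0.0.0.3 10.20.0.0 0.0.0.255'.

    Only the 'ip' protocol keyword is handled; port and ICMP-type
    qualifiers are out of scope for this ticket.
    """
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else 0
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, rest = _parse_addr(tokens[2:])
    dst, dst_wild, _ = _parse_addr(rest)
    return Ace(seq, action, src, src_wild, dst, dst_wild)


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """True if addr equals base on every bit where the wildcard is 0."""
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: list, src: str, dst: str) -> tuple:
    """Return (action, seq) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every IOS ACL."""
    s, d = _to_int(src), _to_int(dst)
    for ace in acl:
        if wildcard_match(s, ace.src, ace.src_wild) and wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action, ace.seq
    return "deny", None


# LAN-FILTER exactly as shown in 'show ip access-lists' above.
LAN_FILTER_AS_FOUND = [parse_ace("10 permit ip 10.30.30.0 0.0.0.3 10.20.0.0 0.0.0.255")]

# Assumed fix (not from the page): LAN sources, any destination. On an ACL applied
# inbound on the LAN-facing interface, the packets being checked have LAN sources,
# so the source field is where 10.20.0.0/24 has to appear.
LAN_FILTER_CORRECTED = [parse_ace("10 permit ip 10.20.0.0 0.0.0.255 any")]


if __name__ == "__main__":
    # The ticket's packet: inbound on Et0/0, LAN host toward the internet host.
    print("as found, LAN -> 10.255.0.3:", evaluate(LAN_FILTER_AS_FOUND, "10.20.0.1", "10.255.0.3"))
    # What the entry actually permits: the reverse direction, which never enters Et0/0 inbound.
    print("as found, WAN -> LAN:       ", evaluate(LAN_FILTER_AS_FOUND, "10.30.30.1", "10.20.0.1"))
    print("corrected, LAN -> 10.255.0.3:", evaluate(LAN_FILTER_CORRECTED, "10.20.0.1", "10.255.0.3"))
```

Running it shows the entry as found permits only packets sourced from 10.30.30.0/30 toward the LAN, which is return traffic that would never arrive inbound on Et0/0; the ticket's packet matches nothing and is denied, which is the unreachable that R1 reports as `U`.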