CCNA2RS - ACLs
Instructor: Mihai Dumitrascu
IPv4 Configuration
On R1:
Basic Addressing
>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.1 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#
Routing
(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.1.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end
Testing
On R2:
Basic Addressing
>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.2 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.2.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#
Routing
(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.2.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end
Testing
Standard ACL restricting remote access to the networking device on the VTY lines
On R1:
#configure terminal
(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end
#show ip access-lists
On R2:
#configure terminal
(config)#access-list 1 permit 192.168.2.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end
#show ip access-lists
Note: access-class filters only sessions to the router's own VTY lines, not transit traffic. The implicit deny at the end of list 1 refuses every source outside the listed LAN, including the other router's LAN, which is what the tests below check.
Testing
From PC1:
PUTTY -> telnet 192.168.1.1 - this connection should be allowed
PUTTY -> telnet 192.168.2.1 - this connection should not be allowed
From PC2:
PUTTY -> telnet 192.168.2.1 - this connection should be allowed
PUTTY -> telnet 192.168.1.1 - this connection should not be allowed
Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2
Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1
First, enable the IIS web server and the FTP service on PC1 and PC2:
Start -> Control Panel -> Programs -> Turn Windows Features On or Off
Scroll down to Internet Information Services, check the box and click OK
Start FileZilla Server and click Connect. Create a user named test with the password test; use this
user when connecting to the FTP server.
On R1:
#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 log
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
(config-if)#end
#show ip access-lists
Note: The list is applied inbound on fa0/0, so it sees PC1's traffic before it is routed. Port 21 is the FTP control port and port 20 the active-mode data port; both deny entries are redundant with the closing deny ip any any and only document the policy, since nothing but web traffic and ICMP is permitted.
On R2:
#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80 log
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
(config-if)#end
#show ip access-lists
Note: Apply the ACL on R1 first and run the PC1 tests below, then remove it from R1 (no ip access-group FILTER-IPV4 in on fa0/0), apply the ACL on R2 and run the PC2 tests. The two lists must not be active at the same time: an ACL is stateless, so the closing deny ip any any on R1 would also drop PC1's replies to PC2 (the FTP server's packets back to PC2's ephemeral port, for example) and the PC2 tests would fail even though R2's list permits them. On R2, the entry for port 21 admits the FTP control connection; the entry for port 20 admits PC2's side of an active-mode data connection (the Windows ftp client works in active mode), while a passive-mode data connection to a high port on PC1 would be dropped by deny ip any any.
Testing:
From PC1:
Open a browser. Type in the following IP in the address bar:
http://192.168.2.20 - this connection should be successful
Open a command prompt window:
ftp 192.168.2.20 - this connection should not be successful (U: test, P: test)
ping 192.168.2.20 - ping should be successful
From PC2:
Open a browser. Type in the following IP in the address bar:
http://192.168.1.10 - this connection should not be successful
Open a command prompt window:
ftp 192.168.1.10 - this connection should be successful (U: test, P: test)
ping 192.168.1.10 - ping should be successful
IPv6 Configuration
On R1:
Basic Addressing
>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:1:1:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#
Routing
(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end
Testing
On R2:
Basic Addressing
>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::2/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:2:2:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#
Routing
(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end
Testing
IPv6 ACL restricting remote access to the networking device on the VTY lines
On R1:
#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:1:1:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list
On R2:
#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:2:2:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list
Testing
From PC1:
PUTTY -> telnet 2001:1:1:cafe::1 - this connection should be allowed
PUTTY -> telnet 2001:2:2:cafe::1 - this connection should not be allowed
From PC2:
PUTTY -> telnet 2001:2:2:cafe::1 - this connection should be allowed
PUTTY -> telnet 2001:1:1:cafe::1 - this connection should not be allowed
Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2
Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1
On R1:
#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#permit tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 80 log
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 20
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:1:1:cafe::/64 2001:2:2:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns
(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
(config-if)#end
#show ipv6 access-list
Note: IPv6 ACL names are case-sensitive, so the name given to ipv6 traffic-filter must match the one given to ipv6 access-list exactly. The nd-na and nd-ns entries are required: every IPv6 ACL ends with two implicit entries that permit neighbour discovery ahead of the implicit deny, but the explicit deny ipv6 any any is evaluated before them and would otherwise drop ND, breaking address resolution on the LAN.
Note: Apply the ACL on R1 first, go to the testing section and run the PC1 tests, then remove it from R1 before configuring R2:
(config-if)#no ipv6 traffic-filter FILTER-IPV6 in
On R2:
#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#deny tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 80 log
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 20
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:2:2:cafe::/64 2001:1:1:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns
(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
(config-if)#end
#show ipv6 access-list
Testing:
From PC1:
Open a browser. Type in the following IP in the address bar:
http://[2001:2:2:cafe::20]:80 - this connection should be successful
Open a command prompt window:
ftp 2001:2:2:cafe::20 - this connection should not be successful
ping 2001:2:2:cafe::20 - ping should be successful
From PC2:
Open a browser. Type in the following IP in the address bar:
http://[2001:1:1:cafe::10]:80 - this connection should not be successful
Open a command prompt window:
ftp 2001:1:1:cafe::10 - this connection should be successful
ping 2001:1:1:cafe::10 - ping should be successful
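As an added example (not part of the lab handout), the following Python script models how IOS evaluates the extended IPv4 and the IPv6 filtering lists above: top-down, first match wins, implicit deny at the end, plus the two implicit neighbour-discovery permits that an IPv6 list carries. It encodes the lab's own entries and checks both the handout's test cases and three things the handout depends on without stating them: why R2's list permits port 20 (PC2's side of an active-mode FTP data connection) while a passive-mode transfer would be dropped, why the R1 list has to be removed before the PC2 tests (the filter is stateless, so it also drops PC1's replies), and why the IPv6 lists need explicit nd-na / nd-ns permits ahead of deny ipv6 any any. The PC addresses, the ephemeral ports and the ND packet are constructed to fit the topology; the script is not part of any router's configuration.

```python
"""Offline model of this lab's ACLs (added example, not part of the handout).
Evaluation follows IOS: top-down, first match wins, implicit deny at the end.
Only destination ports are matched, because the lab's entries only use "eq <port>"."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp" (ICMPv6 is "icmp" too)
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo-request", "nd-ns", "nd-na"


def match_addr(spec: str, addr: str) -> bool:
    """spec: 'any', 'A.B.C.D W.W.W.W' (address + Cisco wildcard) or 'prefix/len'."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    net, wild = spec.split()
    # A 1 bit in the wildcard means "don't care": compare only the 0 bits.
    care = ((1 << ip.max_prefixlen) - 1) ^ int(ipaddress.ip_address(wild))
    return int(ip) & care == int(ipaddress.ip_address(net)) & care


def parse_ace(line: str):
    """Parse one extended/IPv6 entry such as 'permit tcp 10.0.0.0 0.0.0.255 any eq 80 log'."""
    tok, i = line.split(), 2
    action, proto = tok[0], tok[1]

    def take_addr():
        nonlocal i
        n = 1 if tok[i] == "any" or "/" in tok[i] else 2  # wildcard form is 2 tokens
        spec, i = " ".join(tok[i:i + n]), i + n
        return spec

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "log":
            i += 1
        else:
            icmp_type, i = tok[i], i + 1  # ICMP type name such as nd-ns
    return action, proto, src, dst, dport, icmp_type


def evaluate(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny'. An IPv6 list has two implicit ND permits (nd-na, nd-ns)
    just before the implicit deny; an explicit 'deny ipv6 any any' sits above them."""
    for action, proto, src, dst, dport, itype in map(parse_ace, acl):
        if proto not in ("ip", "ipv6") and proto != pkt.proto:
            continue
        if not (match_addr(src, pkt.src) and match_addr(dst, pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if itype is not None and itype != pkt.icmp_type:
            continue
        return action
    if ipaddress.ip_address(pkt.src).version == 6 and pkt.icmp_type in ("nd-ns", "nd-na"):
        return "permit"  # implicit ND permits, reached only without an explicit deny
    return "deny"  # implicit deny


# The lab's lists (R1 filters PC1 -> PC2, R2 filters PC2 -> PC1), in IOS syntax.
N1, N2 = "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"
R1_FILTER_IPV4 = [f"permit tcp {N1} {N2} eq 80 log", f"deny tcp {N1} {N2} eq 20",
                  f"deny tcp {N1} {N2} eq 21", f"permit icmp {N1} {N2}", "deny ip any any"]
R2_FILTER_IPV4 = [f"deny tcp {N2} {N1} eq 80 log", f"permit tcp {N2} {N1} eq 20",
                  f"permit tcp {N2} {N1} eq 21", f"permit icmp {N2} {N1}", "deny ip any any"]
V1, V2 = "2001:1:1:cafe::/64", "2001:2:2:cafe::/64"
R1_FILTER_IPV6 = [f"permit tcp {V1} {V2} eq 80 log", f"deny tcp {V1} {V2} eq 20",
                  f"deny tcp {V1} {V2} eq 21", f"permit icmp {V1} {V2}",
                  "permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]
PC1, PC2 = "192.168.1.10", "192.168.2.20"  # host addresses taken from the lab's tests


def lab_checks() -> dict:
    """The handout's test cases plus the ones it depends on without saying so."""
    ns = Packet("icmp", "fe80::1", "ff02::1:ff00:20", icmp_type="nd-ns")  # constructed ND
    return {
        "r1 web": evaluate(R1_FILTER_IPV4, Packet("tcp", PC1, PC2, 80)),
        "r1 ftp control": evaluate(R1_FILTER_IPV4, Packet("tcp", PC1, PC2, 21)),
        # Port 20 on R2 covers only PC2's side of an active-mode data connection;
        # a passive-mode transfer to a high port on PC1 is dropped.
        "r2 ftp control": evaluate(R2_FILTER_IPV4, Packet("tcp", PC2, PC1, 21)),
        "r2 ftp active data": evaluate(R2_FILTER_IPV4, Packet("tcp", PC2, PC1, 20)),
        "r2 ftp passive data": evaluate(R2_FILTER_IPV4, Packet("tcp", PC2, PC1, 50000)),
        # Why R1's list is removed before the PC2 tests: the FTP server's reply to
        # PC2's ephemeral port is not a permitted destination on R1 (stateless filter).
        "r1 reply to pc2": evaluate(R1_FILTER_IPV4, Packet("tcp", PC1, PC2, 49152)),
        # IPv6: ND survives only because of the explicit nd-na / nd-ns permits.
        "v6 nd with permits": evaluate(R1_FILTER_IPV6, ns),
        "v6 nd no permits": evaluate(R1_FILTER_IPV6[:4] + ["deny ipv6 any any"], ns),
        "v6 nd implicit only": evaluate(R1_FILTER_IPV6[:4], ns),
    }


if __name__ == "__main__":
    for case, verdict in lab_checks().items():
        print(f"{case:22} {verdict}")
```

Running the script prints one verdict per case; the "r1 reply to pc2" and "r2 ftp passive data" rows show why a stateless whitelist that ends in deny ip any any has to be paired with rules for return traffic (or the established keyword) before both routers can filter at once.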