
Instructor

Mihai Dumitrascu

CCNA2RS - Access Control Lists

IPv4 Configuration

On R1:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.1 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.1.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end

Testing

#show ip interface brief
#show ip protocols
#show ip route
#ping 192.168.2.20 - ping should be successful
#telnet 192.168.2.1 - telnet should be successful

On R2:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.2 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.2.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.2.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end

Testing

#show ip interface brief
#show ip protocols
#show ip route
#ping 192.168.1.10 - ping should be successful
#telnet 192.168.1.1 - telnet should be successful

Access Control Lists

Standard ACL for restricting remote access to the networking device on the VTY lines

On R1:

#configure terminal
(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end

On R2:

#configure terminal
(config)#access-list 1 permit 192.168.2.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end
Note: every ACL ends with an implicit deny, so access-class 1 in accepts VTY sessions only from the permitted LAN and refuses every other source, which is what the tests below check.

Testing

From PC1:
PUTTY -> telnet 192.168.1.1 - this connection should be allowed
PUTTY -> telnet 192.168.2.1 - this connection should not be allowed

From PC2:
PUTTY -> telnet 192.168.2.1 - this connection should be allowed
PUTTY -> telnet 192.168.1.1 - this connection should not be allowed

Extended ACL for traffic filtering

Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2

Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1

First, enable the IIS and FTP services on PC1 and PC2

Start -> Control Panel -> Programs -> Turn Windows Features On or Off
Scroll down to the IIS service, check the box and click OK
Start FileZilla Server and click Connect. Create a user named test with the password test. Use this user when connecting to the FTP server.

Testing:

From PC1:
Open a browser. Type the following IP in the address bar:
http://192.168.2.20 - this connection should be successful
Open a command prompt window:
ftp 192.168.2.20 - this connection should not be successful (U: test, P: test)
ping 192.168.2.20 - ping should be successful

From PC2:
Open a browser. Type the following IP in the address bar:
http://192.168.1.10 - this connection should not be successful
Open a command prompt window:
ftp 192.168.1.10 - this connection should be successful (U: test, P: test)
ping 192.168.1.10 - ping should be successful

Configure the extended ACL

On R1:

#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 log
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20

(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
Note: Apply the ACL first on R1, go to the testing section, do the tests and then remove the ACL from R1:
(config-if)#no ip access-group FILTER-IPV4 in
(config-if)#end

On R2:

#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80 log
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
Note: Remove the ACL from R1, apply it on R2 and do the tests in the testing section below
(config-if)#end

Testing:

From PC1:
Open a browser. Type the following IP in the address bar:
http://192.168.2.20 - this connection should be successful
Open a command prompt window:
ftp 192.168.2.20 - this connection should not be successful
ping 192.168.2.20 - ping should be successful

From PC2:
Open a browser. Type the following IP in the address bar:
http://192.168.1.10 - this connection should not be successful
Open a command prompt window:
ftp 192.168.1.10 - this connection should be successful
ping 192.168.1.10 - ping should be successful

IPv6 Configuration

On R1:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:1:1:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end

Testing

#show ipv6 interface brief
#show ipv6 protocols
#show ipv6 route
#ping 2001:2:2:CAFE::20 - ping should be successful
#telnet 2001:2:2:CAFE::1 - telnet should be successful

On R2:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::2/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:2:2:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end

Testing

#show ipv6 interface brief
#show ipv6 protocols
#show ipv6 route
#ping 2001:1:1:CAFE::10 - ping should be successful
#telnet 2001:1:1:CAFE::1 - telnet should be successful

Access Control Lists

Standard ACL for restricting remote access to the networking device on the VTY lines

On R1:

#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:1:1:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list

On R2:

#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:2:2:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list

Testing

From PC1:
PUTTY -> telnet 2001:1:1:cafe::1 - this connection should be allowed
PUTTY -> telnet 2001:2:2:cafe::1 - this connection should not be allowed

From PC2:
PUTTY -> telnet 2001:2:2:cafe::1 - this connection should be allowed
PUTTY -> telnet 2001:1:1:cafe::1 - this connection should not be allowed

Extended ACL for traffic filtering

Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2

Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1

On R1:

#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#permit tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 80 log
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 20
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:1:1:cafe::/64 2001:2:2:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns
(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
Note: Apply the ACL first on R1, go to the testing section, do the tests and then remove the ACL from R1:
(config-if)#no ipv6 traffic-filter FILTER-IPV6 in
(config-if)#end
#show ipv6 access-list

On R2:

#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#deny tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 80 log
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 20
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:2:2:cafe::/64 2001:1:1:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns

(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
Note: Remove the ACL from R1, apply it on R2 and do the tests in the testing section below
(config-if)#end
#show ipv6 access-list

Testing:

From PC1:
Open a browser. Type the following IP in the address bar:
http://[2001:2:2:cafe::20]:80 - this connection should be successful
Open a command prompt window:
ftp 2001:2:2:cafe::20 - this connection should not be successful
ping 2001:2:2:cafe::20 - ping should be successful

From PC2:
Open a browser. Type the following IP in the address bar:
http://[2001:1:1:cafe::10]:80 - this connection should not be successful
Open a command prompt window:
ftp 2001:1:1:cafe::10 - this connection should be successful
ping 2001:1:1:cafe::10 - ping should be successful
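The following is an added Python model of how IOS walks the R1 FILTER-IPV4 and FILTER-IPV6 lists above (first matching entry wins, implicit deny at the end); it is not part of the lab and the packet headers in it are constructed. It shows the two side effects a practitioner should expect from these lists: while FILTER-IPV4 is applied inbound on fa0/0, the explicit deny ip any any also blocks PC1's telnet to R1 itself, and without the nd-ns/nd-na entries the explicit deny ipv6 any any would drop IPv6 Neighbor Discovery, which the implicit deny alone would have let through.

```python
from ipaddress import ip_address, ip_network

# Constructed first-match model of an IOS extended ACL (added example, not lab code).
# Entry: (action, protocol, source, destination, dst_port, icmp_type); None = unrestricted.
# "any" is written 0.0.0.0/0 or ::/0; Cisco wildcard masks pass through as hostmasks.
FILTER_IPV4 = [  # R1's FILTER-IPV4, applied inbound on fa0/0
    ("permit", "tcp",  "192.168.1.0/0.0.0.255", "192.168.2.0/0.0.0.255", 80, None),
    ("deny",   "tcp",  "192.168.1.0/0.0.0.255", "192.168.2.0/0.0.0.255", 20, None),
    ("deny",   "tcp",  "192.168.1.0/0.0.0.255", "192.168.2.0/0.0.0.255", 21, None),
    ("permit", "icmp", "192.168.1.0/0.0.0.255", "192.168.2.0/0.0.0.255", None, None),
    ("deny",   "ip",   "0.0.0.0/0", "0.0.0.0/0", None, None),  # explicit deny ip any any
]
FILTER_IPV6 = [  # R1's FILTER-IPV6; nd-ns and nd-na are ICMPv6 types 135 and 136
    ("permit", "tcp",  "2001:1:1:cafe::/64", "2001:2:2:cafe::/64", 80, None),
    ("deny",   "tcp",  "2001:1:1:cafe::/64", "2001:2:2:cafe::/64", 20, None),
    ("deny",   "tcp",  "2001:1:1:cafe::/64", "2001:2:2:cafe::/64", 21, None),
    ("permit", "icmp", "2001:1:1:cafe::/64", "2001:2:2:cafe::/64", None, None),
    ("permit", "icmp", "::/0", "::/0", None, 136),  # permit icmp any any nd-na
    ("permit", "icmp", "::/0", "::/0", None, 135),  # permit icmp any any nd-ns
    ("deny",   "ip",   "::/0", "::/0", None, None),  # explicit deny ipv6 any any
]

def matches(entry, pkt):
    """True if this access-list entry covers the packet (every field must agree)."""
    action, proto, src, dst, port, icmp_type = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src, strict=False):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst, strict=False):
        return False
    if port is not None and pkt["dport"] != port:
        return False
    return icmp_type is None or pkt["icmp_type"] == icmp_type

def evaluate(acl, pkt):
    """Action of the first matching entry; IOS drops anything no entry matches."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"  # the implicit deny at the end of every ACL

def pkt(proto, src, dst, dport=None, icmp_type=None):
    """Constructed packet header holding only the fields the ACL entries look at."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}

if __name__ == "__main__":
    nd_ns = pkt("icmp", "fe80::1", "ff02::1:ff00:20", icmp_type=135)  # neighbor solicitation
    print(evaluate(FILTER_IPV6, nd_ns), evaluate(FILTER_IPV6[:4] + FILTER_IPV6[6:], nd_ns))
```

The same pattern applies to the R2 lists by swapping the source and destination prefixes; the ACL stays directional, so it only sees traffic entering fa0/0 from the local PC.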
