Tuesday, March 12, 2013

Lab 219 - Reflexive ACL

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destinations behind R3. Use a static route on BB1 in order to accomplish the task.

Task 2
Configure R3 in such a way that traffic sent from BB1 (any source address) destined to any subnet behind R3 is blocked, except for traceroute. Traffic originated by the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

Solution

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destinations behind R3. Use a static route on BB1 in order to accomplish the task.

BB1 Config:
!
ip route 10.0.0.0 255.255.0.0 203.0.113.3
ip route 172.16.0.0 255.255.0.0 203.0.113.3

!
! For testing purposes let's enable the HTTP server on BB1.
ip http server
!

R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
 redistribute static
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!

interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 speed 100
 full-duplex

!


Verification:

Pic. 2 - BB1 Connectivity towards 172.16.x.0/24 and 10.0.x.0/24.


Task 2
Configure R3 in such a way that traffic sent from BB1 (any source address) destined to any subnet behind R3 is blocked, except for traceroute. Traffic originated by the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

R3 Config:
!
ip access-list extended OUTBOUND
 permit ip 172.16.0.0 0.0.255.255 any reflect ALLOW_THIS_IN
 permit ip 10.0.0.0 0.0.255.255 any reflect ALLOW_THIS_IN

!
ip access-list extended INBOUND
 evaluate ALLOW_THIS_IN

 permit udp any 172.16.0.0 0.0.255.255 gt 33433
 permit udp any 10.0.0.0 0.0.255.255 gt 33433
!



Verification:

Pic. 3 - Traffic from the INSIDE towards BB1.
 
Pic. 4 - Stateful Entry Created on R3.

Pic. 5 - Traffic Originated from BB1 towards our INSIDE subnets.
NOTE!
Traceroute in Cisco IOS sends UDP datagrams starting at destination port 33434, with a maximum TTL of 30 hops; that is why the INBOUND ACL permits UDP to ports greater than 33433.
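The stateful behaviour of the OUTBOUND/INBOUND pair above, as an added Python model that is not part of the original post: outbound packets sourced from the inside subnets are permitted and reflected into ALLOW_THIS_IN with addresses and ports swapped; inbound packets are checked against those entries, then against the static traceroute permit, and otherwise hit the implicit deny. The packets are constructed for the example, and 203.0.113.254 is assumed to be BB1's address (the page only shows it as R3's default next hop); entry timeouts and ICMP entries are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets behind R3, summarised the way the OUTBOUND ACL matches them.
INSIDE = [ip_network("172.16.0.0/16"), ip_network("10.0.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp" (ICMP reflexive entries are not modelled)
    src: str
    dst: str
    sport: int
    dport: int


def from_inside(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INSIDE)


class ReflexiveACL:
    """Model of R3's OUTBOUND / INBOUND pair on FastEthernet0/0.

    OUTBOUND: permit ip <inside> any reflect ALLOW_THIS_IN
    INBOUND:  evaluate ALLOW_THIS_IN
              permit udp any <inside> gt 33433
              (implicit deny)
    Entry timeouts (and removal on TCP FIN/RST) are not modelled.
    """

    def __init__(self):
        # Reflected entries, keyed as the *inbound* packet will look:
        # (proto, src, dst, sport, dport) with addresses and ports swapped.
        self.allow_this_in = set()

    def outbound(self, p: Packet) -> str:
        if from_inside(p.src):
            self.allow_this_in.add((p.proto, p.dst, p.src, p.dport, p.sport))
            return "permit"
        return "deny"  # implicit deny at the end of OUTBOUND

    def inbound(self, p: Packet) -> str:
        if (p.proto, p.src, p.dst, p.sport, p.dport) in self.allow_this_in:
            return "permit (reflected)"
        if p.proto == "udp" and from_inside(p.dst) and p.dport > 33433:
            return "permit (traceroute)"
        return "deny"  # implicit deny at the end of INBOUND


def run_scenario() -> dict:
    """Constructed traffic: an inside host browsing to BB1, then BB1 trying
    to reach inside hosts. 203.0.113.254 is assumed to be BB1."""
    acl = ReflexiveACL()
    inside_host, bb1 = "172.16.123.1", "203.0.113.254"
    results = {}
    # 1. Inside host opens HTTP to BB1: permitted outbound, creates a reflected entry.
    results["inside_http_out"] = acl.outbound(Packet("tcp", inside_host, bb1, 40000, 80))
    # 2. BB1's reply for that session matches the reflected entry.
    results["bb1_http_reply_in"] = acl.inbound(Packet("tcp", bb1, inside_host, 80, 40000))
    # 3. BB1 initiating its own HTTP connection inward: no entry, implicit deny.
    results["bb1_unsolicited_http_in"] = acl.inbound(Packet("tcp", bb1, inside_host, 50000, 80))
    # 4. BB1 traceroute probe (UDP to 33434) toward 10.0.3.3: static permit.
    results["bb1_traceroute_in"] = acl.inbound(Packet("udp", bb1, "10.0.3.3", 40000, 33434))
    # 5. BB1 UDP to the DNS port: outside the traceroute range, denied.
    results["bb1_dns_in"] = acl.inbound(Packet("udp", bb1, "10.0.3.3", 40000, 53))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26} {verdict}")
```

Note that the static line is what the task requires but it is broader than traceroute itself: it permits any UDP from BB1 to any inside port above 33433, not only probes from a running traceroute, so the model returns "permit (traceroute)" for any such datagram.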

Monday, March 11, 2013

Lab 218 - Dynamic ACL (Lock-and-Key)

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On R2 configure an ACL that allows the user Jimmy, with the password CISCO123, to access the web server on R1 (or any other web server behind R2) if the authentication is initiated from VLAN 27. R2 should use telnet as the authentication method. All other traffic should be allowed.

Solution

Task 1
On R2 configure an ACL that allows the user Jimmy, with the password CISCO123, to access the web server on R1 (or any other web server behind R2) if the authentication is initiated from VLAN 27. R2 should use telnet as the authentication method. All other traffic should be allowed.

R1 Config:
!
ip http server
!

R2 Config:
!
username Jimmy password CISCO123
!
access-list 100 permit tcp 172.16.27.0 0.0.0.255 host 172.16.27.2 eq 23
access-list 100 dynamic DYN_ACL permit tcp any any eq 80
access-list 100 deny tcp any any eq 80
access-list 100 permit ip any any
!
int f0/0
 ip access-group 100 in
!
line vty 0 4
 login local
 autocommand access-enable
!

Verification:

Pic. 2 - Accessing Web Server on R1 without Authentication (ACL applied).

Pic. 3 - Accessing Web Server on R1 with Authentication (ACL applied)

Pic. 4 - Dynamic ACL Entry Created Above Deny DPORT 80.
  
Remove the configuration created in this lab.

Monday, March 4, 2013

Lab 217 - ACL Complex Matching

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Solution

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

SW1 Config:
!
int Lo1
ip address 182.17.77.7 255.255.255.0
!
int Lo2
ip address 182.81.77.7 255.255.255.0
!
int Lo3
ip address 190.17.73.7 255.255.255.0
!
int Lo4
ip address 190.81.73.7 255.255.255.0
!
int Lo5
ip address 190.81.77.7 255.255.255.0
!
int Lo6
ip address 182.17.73.7 255.255.255.0
!
int Lo7
ip address 182.81.73.7 255.255.255.0
!
int Lo8
ip address 190.17.77.7 255.255.255.0
!

router eigrp 1
 network 10.0.7.7 0.0.0.0
 network 172.16.27.7 0.0.0.0
 network 182.0.0.0 0.255.255.255
 network 190.0.0.0 0.255.255.255
 no auto-summary
!


Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Pic. 2 - Routing Table of R1 (loopbacks advertised).

R1 Config:
!
access-list 100 deny ip 10.0.5.0 0.0.0.255 182.17.73.0 8.64.4.255
access-list 100 permit ip any any

!
interface FastEthernet0/1
 ip address 172.16.215.1 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!



Explanation:

Write octets 1-3 of the eight loopback subnets in binary and find the bits that change between them: those bits become 1s in the wildcard mask (ignored) and the unchanging bits become 0s (checked). The base address keeps the common bits with the ignored bits set to 0, which gives 182.17.73.0 8.64.4.255 in the ACL above.

Pic. 3 - Wildcard Mask.

Lab 216 - ACL Matching Even Network Numbers

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On R5 configure loopback interfaces with the following addresses:
  • Lo1: 150.1.20.5/24
  • Lo2: 150.1.21.5/24
  • Lo3: 150.1.22.5/24
  • Lo4: 150.1.23.5/24
Advertise the subnets into EIGRP AS 1.

Task 2
For security reasons configure EIGRP update filtering on R2 so that it accepts only the odd subnets configured on R5 in Task 1. Use a standard ACL to match the interesting subnets. Use the fewest lines possible.

Solution


Task 1
On R5 configure loopback interfaces with the following addresses:
  • Lo1: 150.1.20.5/24
  • Lo2: 150.1.21.5/24
  • Lo3: 150.1.22.5/24
  • Lo4: 150.1.23.5/24
Advertise the subnets into EIGRP AS 1.

R5 Config:
!
interface Loopback1
 ip address 150.1.20.5 255.255.255.0
!
interface Loopback2
 ip address 150.1.21.5 255.255.255.0
!
interface Loopback3
 ip address 150.1.22.5 255.255.255.0
!
interface Loopback4
 ip address 150.1.23.5 255.255.255.0
!
router eigrp 1
 network 10.0.5.5 0.0.0.0
 network 150.1.0.0
 network 172.16.215.5 0.0.0.0
 no auto-summary
!


Task 2
For security reasons configure EIGRP update filtering on R2 so that it accepts only the odd subnets configured on R5 in Task 1. Use a standard ACL to match the interesting subnets. Use the fewest lines possible.


Pic. 2 - Routing Table on R2 Before Filtering.

R2 Config:
!
access-list 5 deny   150.1.20.0 0.0.2.0
access-list 5 permit any
!

router eigrp 1
 network 10.0.2.2 0.0.0.0
 network 172.16.27.2 0.0.0.0
 network 172.16.123.2 0.0.0.0
 distribute-list 5 in Serial0/0
 no auto-summary
!


Verification:
Pic. 3 - Routing Table on R2 After Filtering.


Explanation:
20 - 00010100
22 - 00010110
           ^

The marked bit (value 2) is the only one that changes, so it is masked with 1 (ignore). All the remaining bits do not change, so they are masked with 0 (check). That gives the third-octet wildcard 2, i.e. 150.1.20.0 0.0.2.0 in the ACL above, which matches 150.1.20.0 and 150.1.22.0 but neither 150.1.21.0 nor 150.1.23.0.

After verification, remove ACL configured in Task 2.
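The wildcard derivation used in this lab (150.1.20.0 0.0.2.0) and in Lab 217 (182.17.73.0 8.64.4.255), as an added Python example that is not part of the original posts: the wildcard is the OR of every bit that differs between the listed networks (plus the host bits of the prefix), the base address is the common bits with the ignored bits zeroed, and an IOS-style match compares only the non-ignored bits. The functions `wildcard_for`, `matches` and `covered_networks` are names chosen here; `covered_networks` enumerates every network an entry matches so over-matching (an unintended subnet slipping through the mask) can be checked before the ACL is applied.

```python
from itertools import product
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_for(networks, prefix=32):
    """Return (base, wildcard) covering every network address in `networks`.

    A wildcard bit of 1 means "ignore this bit".  Any bit that differs between
    two listed networks must be ignored; the host part of a /prefix network is
    ignored as well (prefix=32 keeps the host part checked, as a standard ACL
    in a distribute-list matches the route's network address exactly).
    The base keeps the common bits and zeroes the ignored ones, which is how
    IOS stores the entry.
    """
    ints = [to_int(n) for n in networks]
    varying = 0
    for a in ints:
        varying |= a ^ ints[0]
    host_bits = (1 << (32 - prefix)) - 1
    wildcard = varying | host_bits
    base = ints[0] & ~wildcard & 0xFFFFFFFF
    return to_str(base), to_str(wildcard)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style ACL match: compare only the bits the wildcard does not ignore."""
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(base) & ~w)


def covered_networks(base: str, wildcard: str, prefix: int):
    """Enumerate every /prefix network the (base, wildcard) pair matches,
    so an entry can be checked for unintended networks before it is applied."""
    b, w = to_int(base), to_int(wildcard)
    host_bits = (1 << (32 - prefix)) - 1
    net_w = w & ~host_bits & 0xFFFFFFFF           # ignored bits in the network part
    free = [1 << i for i in range(32) if net_w & (1 << i)]
    nets = []
    for bits in product([0, 1], repeat=len(free)):
        v = b & ~net_w & 0xFFFFFFFF
        for on, bit in zip(bits, free):
            if on:
                v |= bit
        nets.append(f"{to_str(v)}/{prefix}")
    return sorted(nets)


# Lab 217: the eight /24 loopback subnets on SW1 (from the page).
LAB217_SUBNETS = ["182.17.77.0", "182.81.77.0", "190.17.73.0", "190.81.73.0",
                  "190.81.77.0", "182.17.73.0", "182.81.73.0", "190.17.77.0"]
# Lab 216: the even subnets to deny in the distribute-list (from the page).
LAB216_EVEN = ["150.1.20.0", "150.1.22.0"]


if __name__ == "__main__":
    base, wc = wildcard_for(LAB217_SUBNETS, prefix=24)
    print("Lab 217:", base, wc, "->", covered_networks(base, wc, 24))
    base, wc = wildcard_for(LAB216_EVEN)
    print("Lab 216:", base, wc, "->", covered_networks(base, wc, 24))
    print("150.1.21.0 matched?", matches("150.1.21.0", base, wc))
```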