
Lab Exercise – Configuring Access Lists (ACLs) via Cisco Command Line Interface (CLI)

Objectives

In this lab exercise you will complete the following task:

• Use Cisco Command Line Interface (CLI) to configure access lists for the network consisting of three PCs.

Visual Objective

[pic]

Introduction

Access lists (ACLs) permit or deny network traffic over an interface based on source IP address, destination IP address, and/or protocol/service. Access lists are configured as standard or extended. A standard access list permits or denies packets from a designated source only. An extended access list allows designation of both the source and the destination, and of the individual protocols to be permitted or denied. An access group is a series of access-list commands bound together by a common tag, which is either a number or a name; in other words, an access group consists of one or more access lists grouped under one number or name.

An ACL is always applied to a chosen Ethernet interface, which lets you filter the traffic that passes through that interface. As a packet passes through the interface, the router checks the packet's IP addresses and/or protocol and port number against the access lists assigned to that interface. The check is a comparison done in top-down order: the first access list that matches the packet ends the comparison, and that entry's action (permit or deny) is applied to the packet. Importantly, the end of every group should carry a deny-all or permit-all statement, so that a packet matching no earlier entry is dropped or allowed through according to the intent behind the access group.

Important Note on host placement in the lab:

While the visual objective shows three hosts, in reality there are two physical hosts and one virtual host. The picture below shows how they are configured.

[pic]

The Lab Project

Task 1 – Understanding the Objective

Before we start configuring the ACL, let us review our goals for this task. According to the visual objective, we initially have no restrictions in our network: all three PCs can ping each other, and both X5zero and Metra can telnet to Joker, which has been configured as a telnet server. Our goal is to add access restrictions to the network so that the following is true:

X5zero should be able to ping Joker but not telnet to it.

Metra should be able to telnet to Joker but not ping it.

Joker should be able ping X5zero but not Metra.

Here we need to add some information about the way access lists are configured. First, a number of access lists are created. Next, some of these access lists are put into an access group. Finally, the access group is applied to the specified interface. Importantly, when an access group is applied, the “in” or “out” option must be chosen. The “in” (inbound) option means that the access group is applied to every packet that arrives at that interface (from the network the interface is connected to), while the “out” (outbound) option checks packets that are leaving the interface (towards the network the interface is connected to). In other words, if a router has two interfaces, packets that are inbound on one interface are outbound on the other.

[pic]

In our particular network it does not matter which interface we choose to configure the ACLs on, so for this lab we will use FE1. Now we need to decide which packets in our scheme are inbound and which are outbound with respect to the FE1 interface, so that we can create the “in” and “out” access groups.

Now let’s assign the “out” or “in” option to each of our goals.

Question 1

Use the visual objective and the explanation above to choose between inbound and outbound for each of the goals listed below:

X5zero can ping Joker – inbound or outbound

Metra can telnet to Joker - inbound or outbound

Joker can ping X5zero - inbound or outbound

X5zero cannot telnet to Joker - inbound or outbound

Metra cannot ping Joker - inbound or outbound

Joker cannot ping Metra - inbound or outbound

Question 2

Fill in the two following tables using your answers to Question 1 and the visual objective.

Inbound Access Group for FE1 Interface

|Hostname of Initiator of Ping or Telnet Session |IP Address of Initiator |Connection type (ping or telnet session) |Hostname of Receiver of Ping or Telnet Session |IP Address of Receiver |Access restriction (permit or deny) |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |

Outbound Access Group for FE1 Interface

|Hostname of Initiator of Ping or Telnet Session |IP Address of Initiator |Connection type (ping or telnet session) |Hostname of Receiver of Ping or Telnet Session |IP Address of Receiver |Access restriction (permit or deny) |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |

Important note

Please note that your future access lists will not necessarily need to cover all of the goals shown above. You will need to choose which way to go: either permit all the packets you want through and then drop everything else, or deny all the packets you don’t want and then permit everything else.

So now we know the possible members of each of the two access groups, and it is time to create the ACLs, group them, and apply them to the FE1 interface.

Task 2 – Setup console connection between Configurator PC and Router

Before you begin configuring access lists on the router, you need to connect the console cable and set up HyperTerminal to communicate with the router properly.

Connect the console cable to the console port of the router (the RJ-45 side, the one that looks like an Ethernet cable connector) and connect the other side to COM 1 (there is only one COM port (green) there, so there is not much to choose from) on the back of the Configurator PC. To run HyperTerminal on the Configurator PC, go to Start > Run, type hypertrm and press Enter. The Connection Description window will appear; type any name you like and press Enter.

Choose COM 1.

[pic]

The selected COM port’s properties window will appear; make sure its setup matches the configuration displayed below.

[pic]

You should now reach the final destination of this task: the terminal session window.

Task 3 – Configuring ACLs

You will start in user mode (denoted by >), which is used for viewing the configuration file and some basic diagnostic output; we won’t need it for this lab.

Thus, type enable to get to privileged mode (denoted by #), which is used for administration of the file system (e.g. saving the router configuration), password configuration, and displaying the state of interfaces, routing protocols, access lists, etc. You will need it later.

Continue by typing configure terminal to finally get to global configuration mode (denoted by (config)#), which is used to perform all configuration of interfaces, protocols, access lists, etc.

Please note that to get back to a less privileged mode you should use the exit command (you may need it later).

As described in the introduction, there are two types of access lists: standard (permits or denies by source IP address only) and extended (permits or denies by both source and destination IP). In our lab we will use the extended version.

There are a number of ways to write access lists; in our lab we will follow this syntax:

access-list number (100 – 199) deny | permit protocol host source_addr host dest_addr eq port_type

number – identification number assigned to the list; access lists with the same identification number form an access group. We will assign 101 to the inbound access group and 155 to the outbound access group.

deny | permit – defines whether a packet that matches the entry is denied or permitted (use one of them, not both!). Whichever you use throughout an access group, the last access-list of that group must be a statement covering all other packets: if the group permits the packets you want, finish it with a deny-all entry; conversely, if the group denies the packets you don’t want, finish it with a permit-all entry. The final list permitting all packets: access-list number permit ip any any. The final list denying all packets: access-list number deny ip any any (where number is the group’s identification number).

protocol – name of the protocol that governs the packet (enter it in lower-case letters).

Where the telnet application is involved, the protocol is TCP, while for ping ICMP is used.

source_addr – source IP address, dest_addr – destination IP address

The tables you filled out in Question 2 should help you figure out the source and destination IP addresses for this part.

eq means equal, and for port_type either the name of the protocol that uses the port or the port number itself can be entered. For telnet you can put eq telnet or eq 23, while for ping you should not type eq and port_type at all!

Example of an access-list command:

access-list 140 permit tcp host 10.10.10.2 host 10.10.2.3 eq 80

The meaning of this access list: permit TCP packets coming from the host with IP address 10.10.10.2 to the host with IP address 10.10.2.3 with destination port number 80.
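To see how the router walks an access group top down, here is an added Python check (not part of the lab handout and not Cisco code) that parses entries written in the syntax above and evaluates sample packets against them. It assumes the same line format as the lab plus the any keyword, and the addresses in the sample group are constructed; a packet matching no entry is denied, which is the implicit deny at the end of every Cisco ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
PORT_NAMES = {"telnet": 23, "www": 80}   # port names IOS accepts after "eq"

@dataclass
class Entry:
    number: int          # access-group number (shared by every entry in a group)
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: str             # "any" or a single host address
    dst: str
    port: Optional[int]  # destination port from "eq"; None when absent

def parse_entry(line: str) -> Entry:
    """Parse: access-list N permit|deny proto host A|any host B|any [eq port]"""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    proto, i, addrs = tok[3].lower(), 4, []
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":
            addrs.append("any"); i += 1
        elif tok[i] == "host":
            addrs.append(str(ipaddress.ip_address(tok[i + 1]))); i += 2
        else:
            raise ValueError(f"expected 'host <addr>' or 'any', got {tok[i]!r}")
    port = None
    if i < len(tok):                         # optional "eq <port>", tcp/udp only
        if tok[i] != "eq" or proto not in ("tcp", "udp") or i + 2 != len(tok):
            raise ValueError(f"bad port clause in {line!r}")
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(int(tok[1]), tok[2], proto, addrs[0], addrs[1], port)

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Check a packet top down; the first matching entry decides, no match = deny."""
    for e in acl:
        if (e.proto in ("ip", proto) and e.src in ("any", src)
                and e.dst in ("any", dst) and (e.port is None or e.port == dport)):
            return e.action
    return "deny"   # the implicit "deny ip any any" at the end of every Cisco ACL

# Constructed sample group (addresses invented): permit what is wanted, deny the rest.
GROUP_101 = [parse_entry(line) for line in (
    "access-list 101 permit icmp host 10.0.0.2 host 10.0.0.3",
    "access-list 101 permit tcp host 10.0.0.4 host 10.0.0.3 eq telnet",
    "access-list 101 deny ip any any",
)]
```

Swap the order of the entries in GROUP_101 (put the deny-all first) and every packet is denied, which is exactly the ordering mistake the "final statement" rule above guards against.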

Very Important Note for Question 3 and 4:

Make sure that each group ends with a final statement that denies or permits all other packets!

Question 3

Write down the commands you would use to create the access lists for the inbound group, using the information you gathered in Questions 1 and 2 and the access-list command explanation above (Hint: you will likely need to create two access lists for this group, not counting the deny | permit all end statement):

Question 4

Write down the commands you would use to create the access lists for the outbound group, using the information you gathered in Questions 1 and 2 and the access-list command explanation above (Hint: you will likely need to create one access list for this group, not counting the deny | permit all end statement):

Before proceeding with the lab, ask the TA to check whether your answers to Q3 and Q4 are correct.

Now make sure that you are in global configuration mode (denoted by router(config)#); you should be in it right now. If for some reason you are not in this mode, refer to the beginning of Task 3 to get there.

Enter the access lists you listed in Questions 3 and 4, pressing ENTER after each entry.

Now that you have created the access lists for the inbound (101) and outbound (155) groups, it is time to apply them to the FE1 interface.

To do so, type interface fastethernet 1 and press ENTER.

The prompt should change to Router(config-if)#.

Type ip access-group 101 in and press ENTER.

Type ip access-group 155 out and press ENTER.

Type end and press ENTER.

OK, we are done with the ACL configuration; now it is time to see whether we have achieved our goals.

Task 4 – Testing ACLs configuration

You need to take screenshots of every test listed below.

For the telnet part, use:

username: telnet

password: metrab

Ping Joker from X5zero (should work)

Ping Joker from Metra (should not work)

Telnet Joker from X5zero (should not work)

Telnet Joker from Metra (should work)

Ping X5zero from Joker (should work)

Ping Metra from Joker (should not work)

If the tests are successful, go to the Configurator PC and make sure that you are in privileged mode (denoted by #); if you are not, refer to the beginning of Task 3 for how to get there.

While in privileged mode, type show access-lists and press ENTER.

Take a screenshot of the output and attach it to your report.

-------------------------------------------------------------------------------------

Should one of these tests fail, you need to look at your access lists to see whether you made any mistakes while entering them.

To do so, go to the CLI, type exit and press ENTER to get back to privileged mode.

Now type show access-lists and press ENTER; you should see all the access lists you have entered so far. Check the command syntax, and if you still fail to see your mistake, the TA should help you at that point.

If you find a mistake in one of the lists, you need to remove that list and add it anew. Here is how to do it:

For example, let’s imagine that you need to remove the following access list: access-list 111 permit tcp host 1.2.3.4 host 5.6.7.8 eq 80

1. Invoke the configure terminal command to get back to global configuration mode.

2. Type no access-list 111 permit tcp host 1.2.3.4 host 5.6.7.8 eq 80 and press ENTER.

3. Add the new version of the list and test your configuration again.

Run show access-lists again after step 2 before re-entering anything: on many IOS versions a no access-list command for a numbered list removes the whole list, not just the one entry you typed, so the remaining entries of that group may need to be entered again as well.

Task 5 – perform ACL exercise

[pic]

List the access lists in each group and make sure that you use the access-list command syntax described earlier. Also make sure that you include in your answer the name of the interface to which you apply the access list(s) and the direction (in or out).

Task 6 – questions

a. Explain the difference between standard and extended access lists.

b. Explain the difference between inbound and outbound packets with regard to the network interface they pass through.

c. Which mode in CLI allows you to configure access lists?

d. What CLI command allows you to view configured access-lists? In what mode should this command be invoked?

Grading Rubric

Task 1 – 20 %

Question 1 – 10 %

Question 2 – 10 %

Task 3 – 20 %

Question 3 – 10 %

Question 4 - 10 %

Task 4 – 20 %

Screenshots of test – 10 %

Screenshot of output of the show access-lists CLI command – 10 %

Task 5 – 30 %

Task 6 - 10 %

Total = 100 %

Report Writing Requirements

• The report must include a cover page. Among other things, the name of each group member must be put on the cover page.

• The contribution of each group member must be summarized in the report. That is, the report should report “who did what” in a clear way.
