
CCNA2RS - Access Control Lists

Instructor: Mihai Dumitrascu

IPv4 Configuration

On R1:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.1 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#


Routing

(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.1.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end

Testing

#show ip interface brief
#show ip protocols
#show ip route
#ping 192.168.2.20 - ping should be successful
#telnet 192.168.2.1 - telnet should be successful

On R2:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ip address 192.168.12.2 255.255.255.252
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ip address 192.168.2.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#router rip
(config-router)#network 192.168.12.0
(config-router)#network 192.168.2.0
(config-router)#passive-interface fa0/0
(config-router)#version 2
(config-router)#no auto-summary
(config-router)#end


Testing

#show ip interface brief
#show ip protocols
#show ip route
#ping 192.168.1.10 - ping should be successful
#telnet 192.168.1.1 - telnet should be successful

Access Control Lists

Standard ACL for restricting remote access to the networking device on the VTY lines

A standard ACL matches on the source address only. Applied to the VTY lines with access-class, list 1 permits Telnet/SSH connections only from the router's own LAN; every other source is dropped by the implicit deny at the end of the list.

On R1:

#configure terminal
(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end

On R2:

#configure terminal
(config)#access-list 1 permit 192.168.2.0 0.0.0.255
(config)#line vty 0 4
(config-line)#access-class 1 in
(config-line)#end

Testing

From PC1:
PuTTY -> telnet 192.168.1.1 - this connection should be allowed
PuTTY -> telnet 192.168.2.1 - this connection should not be allowed

From PC2:
PuTTY -> telnet 192.168.2.1 - this connection should be allowed
PuTTY -> telnet 192.168.1.1 - this connection should not be allowed


Extended ACL for traffic filtering

Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2

Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1

First, enable the IIS and FTP services on PC1 and PC2:

Start -> Control Panel -> Programs -> Turn Windows Features On or Off
Scroll down to the IIS service, check the box and click OK.
Start FileZilla Server and click Connect. Create a user named test with the password test, and use this
user when connecting to the FTP server.

Testing:

From PC1:
Open a browser. Type the following IP in the address bar:
http://192.168.2.20 - this connection should be successful
Open a command prompt window:
ftp 192.168.2.20 - this connection should not be successful (U: test, P: test)
ping 192.168.2.20 - ping should be successful

From PC2:
Open a browser. Type the following IP in the address bar:
http://192.168.1.10 - this connection should not be successful
Open a command prompt window:
ftp 192.168.1.10 - this connection should be successful (U: test, P: test)
ping 192.168.1.10 - ping should be successful

Configure the extended ACL

On R1:

#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 log
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
Note: Apply the ACL first on R1, go to the testing section, do the tests and then remove the ACL
from R1:
(config-if)#no ip access-group FILTER-IPV4 in
(config-if)#end

Two things to keep in mind when reading this list. The entry for destination port 20 never matches anything PC1 sends: an FTP client connects to port 21, and the port 20 data connection is opened by the server toward the client, so it is the port 21 entry that makes the FTP test fail. The list is also stateless and ends with deny ip any any, so applied inbound on fa0/0 it drops everything else the 192.168.1.0/24 LAN sends through R1, including Telnet to R1's own address. That is why the two routers' lists are applied one at a time: with R2's list in place, the replies PC2's web server sends back to PC1 carry source port 80, not destination port 80, match nothing but the final deny ip any any, and PC1's web test would fail even though R1 permits the request (R1's list drops PC1's replies to PC2's FTP session in the same way).

On R2:

#configure terminal
(config)#ip access-list extended FILTER-IPV4
(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80 log
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20
(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21
(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
(config-ext-nacl)#deny ip any any
(config-ext-nacl)#exit
(config)#interface fa0/0
(config-if)#ip access-group FILTER-IPV4 in
Note: Remove the ACL from R1, apply this one on R2 and do the tests in the testing section below.
(config-if)#end

Testing:

From PC1:
Open a browser. Type the following IP in the address bar:
http://192.168.2.20 - this connection should be successful
Open a command prompt window:
ftp 192.168.2.20 - this connection should not be successful
ping 192.168.2.20 - ping should be successful

From PC2:
Open a browser. Type the following IP in the address bar:
http://192.168.1.10 - this connection should not be successful
Open a command prompt window:
ftp 192.168.1.10 - this connection should be successful
ping 192.168.1.10 - ping should be successful

IPv6 Configuration


On R1:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:1:1:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end

Testing

#show ipv6 interface brief
#show ipv6 protocols
#show ipv6 route
#ping 2001:2:2:CAFE::20 - ping should be successful
#telnet 2001:2:2:CAFE::1 - telnet should be successful


On R2:

Basic Addressing

>enable
#configure terminal
(config)#interface s0/1/0
(config-if)#ipv6 address 2001:12:12:CAFE::2/64
(config-if)#no shutdown
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 address 2001:2:2:CAFE::1/64
(config-if)#no shutdown
(config-if)#exit
(config)#

Routing

(config)#ipv6 unicast-routing
(config)#ipv6 router rip ccna
(config-rtr)#exit
(config)#interface s0/1/0
(config-if)#ipv6 rip ccna enable
(config-if)#exit
(config)#interface fa0/0
(config-if)#ipv6 rip ccna enable
(config-if)#end

Testing

#show ipv6 interface brief
#show ipv6 protocols
#show ipv6 route
#ping 2001:1:1:CAFE::10 - ping should be successful
#telnet 2001:1:1:CAFE::1 - telnet should be successful


Access Control Lists

Standard ACL for restricting remote access to the networking device on the VTY lines

IPv6 ACLs are always named and have no separate standard/extended types; permit <prefix> any is the source-only form that plays the role of the IPv4 standard ACL here.

On R1:

#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:1:1:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list

On R2:

#configure terminal
(config)#ipv6 access-list RESTRICT-REMOTE
(config-ipv6-acl)#permit 2001:2:2:cafe::/64 any
(config-ipv6-acl)#exit
(config)#line vty 0 4
(config-line)#ipv6 access-class RESTRICT-REMOTE in
(config-line)#end
#show ipv6 access-list

Testing

From PC1:
PuTTY -> telnet 2001:1:1:cafe::1 - this connection should be allowed
PuTTY -> telnet 2001:2:2:cafe::1 - this connection should not be allowed

From PC2:
PuTTY -> telnet 2001:2:2:cafe::1 - this connection should be allowed
PuTTY -> telnet 2001:1:1:cafe::1 - this connection should not be allowed


Extended ACL for traffic filtering

Configure an extended ACL that filters traffic on R1 in the following manner:
- Web traffic should be allowed to pass from PC1 to PC2
- FTP traffic should not be allowed to pass from PC1 to PC2
- ICMP traffic should be allowed to pass from PC1 to PC2

Configure an extended ACL that filters traffic on R2 in the following manner:
- Web traffic should not be allowed to pass from PC2 to PC1
- FTP traffic should be allowed to pass from PC2 to PC1
- ICMP traffic should be allowed to pass from PC2 to PC1

On R1:

#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#permit tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 80 log
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 20
(config-ipv6-acl)#deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:1:1:cafe::/64 2001:2:2:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns
(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
Note: Apply the ACL first on R1, go to the testing section, do the tests and then remove the ACL
from R1:
(config-if)#no ipv6 traffic-filter FILTER-IPV6 in
(config-if)#end
#show ipv6 access-list

ACL names are case sensitive, so the list must be created and applied under the same name, FILTER-IPV6. The two nd-na/nd-ns entries are not optional: an IPv6 ACL implicitly permits Neighbor Discovery just before its implicit deny, but an explicit deny ipv6 any any is evaluated before those implicit entries and shadows them, so without the explicit permits hosts on fa0/0 could no longer resolve R1's link-layer address.

On R2:

#configure terminal
(config)#ipv6 access-list FILTER-IPV6
(config-ipv6-acl)#deny tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 80 log
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 20
(config-ipv6-acl)#permit tcp 2001:2:2:cafe::/64 2001:1:1:cafe::/64 eq 21
(config-ipv6-acl)#permit icmp 2001:2:2:cafe::/64 2001:1:1:cafe::/64
(config-ipv6-acl)#permit icmp any any nd-na
(config-ipv6-acl)#permit icmp any any nd-ns
(config-ipv6-acl)#deny ipv6 any any
(config-ipv6-acl)#exit
(config)#interface fa0/0
(config-if)#ipv6 traffic-filter FILTER-IPV6 in
Note: Remove the ACL from R1, apply this one on R2 and do the tests in the testing section below.
(config-if)#end
#show ipv6 access-list

Testing:

From PC1:
Open a browser. Type the following address in the address bar:
http://[2001:2:2:cafe::20]:80 - this connection should be successful
Open a command prompt window:
ftp 2001:2:2:cafe::20 - this connection should not be successful
ping 2001:2:2:cafe::20 - ping should be successful

From PC2:
Open a browser. Type the following address in the address bar:
http://[2001:1:1:cafe::10]:80 - this connection should not be successful
Open a command prompt window:
ftp 2001:1:1:cafe::10 - this connection should be successful
ping 2001:1:1:cafe::10 - ping should be successful
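Worked example (added here; it is not part of the lab sheet and is not Cisco code). The small Python evaluator below models how IOS walks the IPv4 and IPv6 extended lists from the two "Extended ACL for traffic filtering" sections above: first match wins, IPv4 entries use address/wildcard pairs, IPv6 entries use prefixes, and the implicit tail IOS appends (two Neighbor Discovery permits and then deny-all for IPv6, deny-all for IPv4) sits after every explicit entry. The ACL lines are the sheet's own; the test packets, the `established` variant of R2's list (the IOS keyword that matches TCP segments with ACK or RST set) and all function names are my additions, constructed so the example runs offline.

```python
"""IOS-style ACL evaluator for the ACLs on this sheet (added example, not IOS code).
Models first-match evaluation, IPv4 wildcard masks, IPv6 prefixes, the implicit tail
IOS appends (ND permits for IPv6, then deny-all) and 'established' (ACK or RST set)."""
import ipaddress

PROTOS = {"ip", "ipv6", "tcp", "udp", "icmp"}


def _addr_matcher(tok, i):
    """Parse one address spec at tok[i]; return (predicate over an IP string, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if "/" in tok[i]:                                   # IPv6 prefix: 2001:1:1:cafe::/64
        net = ipaddress.ip_network(tok[i], strict=False)
        return (lambda ip: ipaddress.ip_address(ip) in net), i + 1
    base = int(ipaddress.IPv4Address(tok[i]))           # IPv4 "address wildcard" pair;
    care = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard bit 1 = don't care
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) ^ base) & care == 0), i + 2


def parse_ace(line):
    """permit|deny [proto] src dst [eq N] [established] [nd-na|nd-ns] [log]"""
    tok = line.split()
    if tok[1] not in PROTOS:                            # 'permit <prefix> any' shorthand
        tok.insert(1, "ipv6")
    src, i = _addr_matcher(tok, 2)
    dst, i = _addr_matcher(tok, i)
    opts = tok[i:]
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "text": line,
            "dport": int(opts[opts.index("eq") + 1]) if "eq" in opts else None,
            "established": "established" in opts,
            "icmp_type": next((o for o in opts if o in ("nd-na", "nd-ns")), None)}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", "ipv6", pkt["proto"]):
        return False
    if not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not ({"ack", "rst"} & pkt.get("flags", set())):
        return False
    return ace["icmp_type"] is None or pkt.get("icmp_type") == ace["icmp_type"]


def evaluate(acl, pkt, ipv6=False):
    """First match wins. The tail is what IOS appends implicitly; an explicit
    'deny ipv6 any any' sits before it and therefore shadows the ND permits."""
    tail = ["permit icmp any any nd-na", "permit icmp any any nd-ns",
            "deny ipv6 any any"] if ipv6 else ["deny ip any any"]
    for ace in map(parse_ace, list(acl) + tail):
        if ace_matches(ace, pkt):
            return ace["action"]


# The sheet's ACLs, verbatim (R1 filters PC1->PC2, R2 filters PC2->PC1, both inbound on fa0/0)
R1_IPV4 = ["permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 log",
           "deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20",
           "deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21",
           "permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
           "deny ip any any"]
R2_IPV4 = ["deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80 log",
           "permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20",
           "permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21",
           "permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
           "deny ip any any"]
# Hardened R2 variant (my addition, not on the sheet): admit PC2's replies to sessions PC1 opened
R2_IPV4_ESTABLISHED = R2_IPV4[:-1] + [
    "permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 established", "deny ip any any"]
R1_IPV6 = ["permit tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 80 log",
           "deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 20",
           "deny tcp 2001:1:1:cafe::/64 2001:2:2:cafe::/64 eq 21",
           "permit icmp 2001:1:1:cafe::/64 2001:2:2:cafe::/64",
           "permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]

# Constructed packets (not from the sheet): PC1 = 192.168.1.10, PC2 = 192.168.2.20
PC1_HTTP = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.20", "dport": 80}
PC1_FTP = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.20", "dport": 21}
PC1_PING = {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.2.20"}
PC1_TELNET_R1 = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.1", "dport": 23}
HTTP_REPLY = {"proto": "tcp", "src": "192.168.2.20", "dst": "192.168.1.10",  # PC2:80 -> PC1
              "dport": 51515, "flags": {"ack"}}
ND_NS = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:1", "icmp_type": "nd-ns"}


def lab_results():
    """Outcomes the sheet expects for PC1, plus one it does not test: Telnet to R1 itself."""
    return {name: evaluate(R1_IPV4, pkt) for name, pkt in
            [("web", PC1_HTTP), ("ftp", PC1_FTP), ("ping", PC1_PING), ("telnet_r1", PC1_TELNET_R1)]}

def http_reply_through_r2(acl):
    return evaluate(acl, HTTP_REPLY)

def neighbor_solicitation(acl):
    return evaluate(acl, ND_NS, ipv6=True)

if __name__ == "__main__":
    print(lab_results())
    print(http_reply_through_r2(R2_IPV4), http_reply_through_r2(R2_IPV4_ESTABLISHED))
    print(neighbor_solicitation(R1_IPV6), neighbor_solicitation(R1_IPV6[:4] + ["deny ipv6 any any"]))
```

Running it reproduces the sheet's PC1 results (web permitted, FTP denied by the port 21 entry, ping permitted) and makes the three caveats concrete: Telnet from PC1 to R1's own address is dropped by the same list; the HTTP reply from PC2 is denied by R2's stateless list but permitted once an `established` entry is added; and the Neighbor Solicitation is permitted by R1's IPv6 list only because the nd-ns entry precedes the explicit deny ipv6 any any, whereas a list that keeps the explicit deny but omits the ND permits drops it.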
