Lab 6: Access Lists. Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/ R1

Transcription

1 Lab 6: Access Lists Network Topology:- Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/ R1 Fa 0/ Se 0/0/ Fa 0/ R2 Fa 0/ Se 0/0/ Se 0/0/ Fa 0/ R3 Fa 0/ Se 0/0/ PC1 NIC PC2 NIC PC3 NIC PC4 NIC PC5 NIC PC6 NIC PC7 NIC PC8 NIC PC9 NIC PC10 NIC PC11 NIC PC12 NIC HTTP SERVER NIC

2 Objective: In this experiment routers will be configured with standard and extended access-lists, so that some devices/networks won't have access to other devices/networks. Upon Completion You will learn: 1. Preparing access-lists. 2. Setting up router's ACLs. 3. Blocking the traffic movement in the network. Theory: ACLs are basically a set of commands, grouped together by a number or name that is used to filter traffic entering or leaving an interface of a router. When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:- Inbound (as the traffic comes into an interface( Outbound (before the traffic exits an interface) 1) Inbound ACLs:- Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing. 2) Outbound ACLs:- Incoming packets are routed to the outbound interface and then processed through the outbound ACL. Universal fact about Access control list:- 1) ACLs come in two varieties: Numbered and Named. Each of these references to ACLs supports two types of filtering: standard and extended. 2) Standard IP ACLs can filter only on the source IP address inside a packet. 3) Whereas an extended IP ACLs can filter on the source and destination IP addresses in the packet. 4) There are two actions an ACL can take: permit or deny. 5) Statements are processed top-down. 6) Once a match is found, no further statements are processed therefore, order is important. 7) If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet. 8) An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL. No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction. For example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but you cannot have two inbound IP ACLs on the same interface. Numbered vs. Named ACLs One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. 2

3 Another advantage to named ACLs is that they allow you to remove individual lines out of an ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create the entire list. Numbered Access List Ranges Standard ACLs Type Range IP Standard 1 99 IP Extended IP Standard Expanded Range IP Extended Expanded Range A standard IP ACL is simple; it filters based on source address only. You can filter a source network or a source host, but you cannot filter based on the destination of a packet, the particular protocol being used such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only source traffic. Extended ACLs: An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allow administrators more flexibility and control. Configuration Guidelines 1) Order of statements is important: put the most restrictive statements at the top of the list and the least restrictive at the bottom. 2) ACL statements are processed top-down until a match is found, and then no more statements in the list are processed. 3) If no match is found in the ACL, the packet is dropped (implicit deny.) 4) Each ACL needs either a unique number or a unique name. 5) The router cannot filter traffic that it, itself, originates. 6) You can have only one IP ACL applied to an interface in each direction (inbound and outbound) you can't have two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL for each protocol, like IP and IPX, applied to an interface in each direction). 7) Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit deny statement, you need at least one actual permit or deny statement. 8) Remember the numbers you can use for IP ACLs. Standard ACLs can use numbers ranging 1 99 and , and extended ACLs can use and Wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard mask is composed of 32 bits when doing the conversion; subtract each byte in the subnet mask from 255 (Wildcard mask = subnet). There are two special types of wildcard masks: and A wildcard mask is called a host mask, and If you enter the router will cover the address and mask to the keyword any. Placement of ACLs In general, Standard ACLs should be placed as close to the destination devices as possible, and Extended ACLs should be placed as close to the source devices as possible. 3

4 Practice1 (Class Work):- Scenario A: You are the administrator of some company's network. The company has instructed you to control the access to different parts on the network according to some "administrational" rules, so you will use Standard ACLs to do that. The topology shown in the figure need routers and PCs to be configured as per the IP addresses listed in table above. The passwords are cisco for user EXEC mode and class for privileged EXEC mode. Use show and ping commands to discover problems and troubleshoot the networks. Also OSPF should be enabled on the routers with one area (area 0). Now you are ready to use Packet Tracer to build your network and apply your lab network ACL schemes. Task 1: Configure PCs and Routers Use the table above to configure the PCs and routers with IP addresses, and activate OSPF routing on the routers Make sure that routing is fully operational using ping command. Task 2: Preventing a Host (PC1) From Accessing a Specific Network ( ) In general, Three basic steps are required to configure Standard Access List:- i. Use the access-list command to create an entry in a standard ACL:- access-list { } {permit deny} [host] source-address [WildcardMask] ii. Use the interface configuration command to select an interface to which to apply the ACL. iii. Use the ip access-group command to activate the existing ACL on an interface:- ip access-group {ACL_number} {in out} Step 1. Since ( ) is connected to R2, we should add an ACL to prevent PC1 there. R2(config)#access-list 1 deny host R2(config)#access-list 1 permit any R2(config)#interface fa0/0 R2(config-if)#ip access-group 1 out R2(config-if)# Step 2. Try pinging PC9 or PC10 from PC1 and from PC2:- PC1 PC9? PC2 PC9? PC9 PC1? Task 3: Preventing a Network ( ) from Accessing Another Network ( ) Step 1. Since ( ) is connected to R1, then the ACL should be added there. R1(config)#access-list 1 deny R1(config)#access-list 1 permit any R1(config)#interface fa0/0 R1(config-if)#ip access-group 1 out Step 2. Try pinging PC1 or PC2 from PC5 and from PC6:- PC5 PC1? PC6 PC2? PC1 PC6? PC1 PC5? 4

5 Task 4: Preventing IP Range ( ) From Accessing a Network ( ) Step 1. First we need to find the wildcard mask, which can be easily found (follow lecturer instructions). Now the new ACL should be applied on R3. R3(config)#access-list 1 deny R3(config)#access-list 1 permit any R3(config)#interface fa0/0 R3(config-if)#ip access-group 1 out Step 2. Try pinging PC1 or PC2 from PC5 and from PC6:- PC7 PC5? PC10 PC6? PC5 PC10? PC6 PC7? Scenario B: Now, the company asked you for more filtering in the network, so you have to use Extended ACLs to do that. In general, The same three steps from standard ACL are applicable for Extended ACL, but with different access-list command syntax (also, the ACL range is between or ):- access-list access-list-number {permit deny} protocol [host] source source-wildcard [[host] destination destination-wildcard] [established] [log] [eq port number] Task 5: Preventing a Host (PC3) From Accessing Another Host (PC2) Step 1. This time, the ACL should be at R1. R1(config)#access-list 101 deny ip host host R1(config)#access-list 101 permit ip any any R1(config)#interface fa0/1 R1(config-if)#ip access-group 101 in R1(config)# Step 2. Try pinging PC2 from PC3 and vice versa:- PC2 PC3? PC3 PC2? PC3 PC1? Task 6: Allowing a Network ( ) Only to Access a Host (HTTP Server) Using HTTP Step 1. Here, the ACL should be at R2, and we'll use the eq part of the syntax (HTTP port is TCP80) R2(config)#access-list 101 permit tcp host eq 80 R2(config)#access-list 101 deny ip any any R2(config)#interface fa0/1 R2(config-if)#ip access-group 101 out 5

6 Step 2. Try opening ( ) in a web browser from PC5, PC6 and PC3:- PC5 ( )? PC6 ( )? PC3 ( )? Task 5: Documentation On each switch and the router, save the running configuration using (copy running-config startup-config) command, then save your Packet Tracer's file. 6

7 Practice2 (Homework):- Network Topology:- R1 R2 R3 R4 Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 1/ Fa 1/ Se 0/ Se 0/ Se 0/ Fa 0/ Fa 0/ Se 0/0/ Se 0/0/ Fa 1/ Fa 1/ Se 0/ Se 0/ Se 0/ Fa 0/ Fa 0/ Se 0/0/ Se 0/0/

8 Device Interface IP Address Subnet Mask Gateway/Clock Rate PC1 NIC PC2 NIC PC3 NIC PC4 NIC PC5 NIC PC6 NIC PC7 NIC FTP SERVER NIC PC8 NIC PC9 NIC PC10 NIC PC11 NIC PC12 NIC PC13 NIC PC14 NIC PC15 NIC Scenario: You have built a network for a company, which had the configurations shown above. Also to mentioned that all routers have (cisco) as a console password and (class) for the privilege mode. Task 1: Configure OSPF Routing You have to activate OSPF routing in all routers (Area 0 only). Task 2: Prevent IP range ( ) From Accessing The Network ( /26) You should use Standard ACL Don't forget the rules! Task 3: Allow IP range ( ) and The Host ( ) Only to Access The Network ( /26) Again, you should use Standard ACL Don't forget the rules! Task 4: Prevent PC3 ( ) From Accessing PC13 ( ) It is time for Extended ACL! Again don't forget the rules! Task 5: Allow IP range ( ) Only to Access FTP Server ( ) through FTP Here you have to use Extended ACL and wisely choose the right router to put it on. Also you should use the eq part of access-list command (there are two ports used by FTP: TCP20 and TCP21, so you have to add two permit sentences) Task 6: Use ping command to confirm that all ACLs are working properly. Task 5: Documentation Save the running configuration on each router, then save your Packet Tracer's file. Please make sure that the completion percentage is 100% at this stage, else you have to go back and verify your network settings. Also, don't forget to save the file and rename it to be LAB6PracticalWork-XXXX, where XXXX represents your student number. 8