
Lab Exercise – Configuring Access Lists (ACLs) via Cisco Command Line Interface (CLI)

Objectives

In this lab exercise you will complete the following task:

- Use the Cisco Command Line Interface (CLI) to configure access lists for a network consisting of three PCs.

Visual Objective




Introduction
Access lists (ACLs) permit or deny network traffic over an interface based on source IP address,
destination IP address, and/or protocol/service. Access lists are configured as either standard or
extended. A standard access list permits or denies packets from a designated source only. An
extended access list allows both the source and the destination to be designated, and it allows
individual protocols to be permitted or denied. An access group is a series of access-list commands
bound together by a common tag; the tag is either a number or a name. In other words, an access
group consists of one or more access lists grouped under one number or name.




An ACL is applied to a chosen Ethernet interface, which allows filtering of the traffic that passes
through that interface. As a packet passes through the interface, the router checks the packet's IP
addresses and/or protocol and port number against the access lists assigned to that interface. The
check is a comparison done in top-down fashion: the first access list that matches the packet decides
its fate, the comparison stops there, and the packet is permitted or denied according to that entry.
Importantly, at the end of every group there should be a deny-all or permit-all statement, so that a
packet matching no entry is dropped or allowed through depending on the idea behind the access group.

Important note on host placement in the lab:

While the visual objective shows three hosts, in reality there are 2 physical hosts and 1 virtual host.
The picture below shows how they are configured.




The Lab Project

Task 1 – Understanding the Objective

Before we start configuring ACLs, let us review our goals for this task. According to the visual
objective, initially there are no restrictions in our network: all three PCs can ping each other, and
both X5zero and Metra can telnet to Joker, which has been configured as a telnet server. Our goal is
to add access restrictions to the network such that the following holds:

X5zero should be able to ping Joker but not telnet to it.

Metra should be able to telnet to Joker but not ping it.

Joker should be able ping X5zero but not Metra.

Here we need to add some information about the way access lists are configured. First, a certain
number of access lists is created. Next, some of these access lists are put into an access group.
Finally, the access group is applied to the specified interface. Importantly, when an access group is
applied, the "in" or "out" option must be chosen. The "in" (inbound) option means that the access
group is applied to every packet that arrives at that interface (from the network the interface is
connected to), while the "out" (outbound) option checks packets that leave the interface (towards the
network the interface is connected to). In other words, if a router has two interfaces, packets that
are inbound on one interface are outbound on the other.




In our particular network it does not matter which interface we choose to configure ACLs on, so in
this lab we will use FE1. Now we need to decide which packets in our scheme are inbound and which
are outbound with regard to the FE1 interface, so that we can create the "in" and "out" access groups.

Now let's assign the "out" or "in" option to each of our goals.

Question 1

Use the visual objective and the explanation above to choose between inbound and outbound for each
of the goals listed below:

X5zero can ping Joker – inbound or outbound
Metra can telnet to Joker - inbound or outbound
Joker can ping X5zero - inbound or outbound
X5zero cannot telnet to Joker - inbound or outbound
Metra cannot ping Joker - inbound or outbound
Joker cannot ping Metra - inbound or outbound


Question 2

Fill in the following two tables using your answer to question 1 and the visual objective.

Inbound Access Group for FE1 Interface (one row per ping or telnet session)

Hostname of initiator | IP address of initiator | Connection type (ping or telnet) | Hostname of receiver | IP address of receiver | Access restriction (permit or deny)




Outbound Access Group for FE1 Interface (one row per ping or telnet session)

Hostname of initiator | IP address of initiator | Connection type (ping or telnet) | Hostname of receiver | IP address of receiver | Access restriction (permit or deny)




Important note

Please note that your access lists will not necessarily need to cover all of the goals shown above.
You need to choose which way to go: either permit all the packets you want through and then drop
everything else, or deny all the packets you don't want and then permit everything else.


So now we know the possible members of each of the two access groups, and it is time to create the
ACLs, group them and apply them to the FE1 interface.




Task 2 – Setup console connection between Configurator PC and Router

Before you begin configuring access lists on the router, you need to connect the console cable and
set up HyperTerminal to communicate with the router properly.

Connect the console cable to the console port of the router (the RJ-45 side, the one that looks like
an Ethernet cable connector) and then connect the other side to COM 1 (there is only one COM port
(green) there, so there is not much to choose from) on the back of the Configurator PC. To run
HyperTerminal on the Configurator PC, go to Start > Run, type hypertrm and press Enter. The
Connection Description window will appear; type any name you like and press Enter.
Choose COM 1.




The properties window for the selected COM port will appear; make sure its settings match the
configuration displayed below.




You should now reach the final destination of this task: the terminal session window.



Task 3 – Configuring ACLs

You start in user mode (denoted by >), which is used for viewing the configuration file and some
basic diagnostic output; we won't need it for this lab.

Type enable to get to privileged mode (denoted by #), which is used for administering the file
system (e.g. saving the router configuration), configuring passwords, and displaying the state of
interfaces, routing protocols, access lists, etc. You will need it later.

Continue by typing configure terminal to finally reach global configuration mode (denoted by
(config)#), which is used to perform all configuration of interfaces, protocols, access lists, etc.

Please note that if you need to get back to a less privileged mode you should use the exit command
(you may need it later).

As described in the introduction, there are two types of access lists: standard (permits or denies by
source IP address only) and extended (permits or denies by both source and destination IP address).
In our lab we will use the extended version.

There are a number of ways to fill in access lists; in our lab we will follow this syntax:

access-list number (100 – 199) deny | permit protocol host source_addr host dest_addr eq port_type

number – identification number assigned to the list; different access lists with the same
identification number form an access group. We will assign 101 to the inbound access group and 155
to the outbound access group.

deny | permit – defines whether a packet is denied or permitted if the access entry matches it (use
one of them, not both!). Depending on whether you use deny or permit throughout your access group,
at the end of the access group you need to add a statement that permits or denies all other packets.
If you are permitting packets throughout your access group, the last access-list of that group must
deny all; vice versa, if you are denying packets throughout your access group, the last access-list
of that group must permit all. The final list permitting all packets: access-list number permit ip
any any. The final list denying all packets: access-list number deny ip any any (with number being
the group's identification number).


protocol – name of the protocol that governs the packet (enter it in lower-case letters).

Where a telnet application is involved, the protocol is TCP, while for ping ICMP is used.
source_addr – source IP address; dest_addr – destination IP address.

The tables you filled out in question 2 should help you figure out the source and destination IP
addresses for this part.

eq means equal, and finally, for port_type either the name of the protocol using the port or the port
number itself can be entered. For telnet you can put eq telnet or eq 23, while for ping you should not
type eq and port_type at all!

Example of an access-list command:
access-list 140 permit tcp host 10.10.10.2 host 10.10.2.3 eq 80
The meaning of this access-list: permit TCP packets coming from the host with IP address 10.10.10.2
to the host with IP address 10.10.2.3 with destination port number 80.
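To make the access-list syntax and the top-down evaluation described above concrete, here is an added Python example (written for this handout, not Cisco code) that parses lines in the handout's syntax and evaluates a packet against a group the way the router does: the first matching entry wins. The handout's example entry for group 140 is used as constructed sample input together with a deny-all end statement; the port-name table is an assumption covering only the names the handout mentions.

```python
import re

# Constructed parser for the handout's access-list syntax (not Cisco's own code):
#   access-list <100-199> permit|deny <proto> host <src> host <dst> [eq <port>]
# "any" is also accepted in place of "host <addr>", as in the deny/permit-all end statement.
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\w+)\s+"
    r"(?:host\s+(\S+)|(any))\s+(?:host\s+(\S+)|(any))"
    r"(?:\s+eq\s+(\S+))?$"
)
PORT_NAMES = {"telnet": 23, "www": 80}  # assumed keyword table: telnet from the handout, plus www

def parse_acl(lines):
    """Turn handout-style lines into entry dicts, preserving their order."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised access-list syntax: {line!r}")
        num, action, proto, src, src_any, dst, dst_any, port = m.groups()
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES[port.lower()]
        entries.append({"group": int(num), "action": action, "proto": proto.lower(),
                        "src": None if src_any else src,   # None means "any"
                        "dst": None if dst_any else dst,
                        "port": port})                     # None means "no eq given"
    return entries

def entry_matches(e, proto, src, dst, dport):
    """An 'ip' entry covers every protocol; None fields are wildcards."""
    return (e["proto"] in ("ip", proto)
            and e["src"] in (None, src)
            and e["dst"] in (None, dst)
            and e["port"] in (None, dport))

def evaluate(entries, group, proto, src, dst, dport=None):
    """Top-down first match, as the handout describes: the first matching entry in
    the group decides. No match at all means deny, which is IOS's implicit deny."""
    for e in entries:
        if e["group"] == group and entry_matches(e, proto, src, dst, dport):
            return e["action"]
    return "deny"

# Constructed sample group 140: the handout's example entry plus a deny-all end statement.
SAMPLE_GROUP = [
    "access-list 140 permit tcp host 10.10.10.2 host 10.10.2.3 eq 80",
    "access-list 140 deny ip any any",
]
```

Reversing the two sample lines shows why order matters: with the deny-all first, the port 80 traffic the permit was meant to allow is dropped without the second entry ever being consulted.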

Very Important Note for Question 3 and 4:
Make sure that you have a final statement at the end that would deny or permit all other
packets for both groups!

Question 3

Write down the commands you would use to create the access lists for the inbound group, using the
information you gathered in questions 1 and 2 and the access-list command explanation above (Hint:
you will likely need to create two access-lists for this group, not counting the deny | permit all
end statement):




Question 4

Write down the commands you would use to create the access lists for the outbound group, using the
information you gathered in questions 1 and 2 and the access-list command explanation above (Hint:
you will likely need to create one access-list for this group, not counting the deny | permit all
end statement):




Before proceeding with the lab, ask the TA to check whether your answers to Q3 and Q4 are correct.

Now, make sure that you are in global configuration mode (denoted by router(config)#); you should
be in it right now. If somehow you are not in this mode, refer to the beginning of task 3 to get
there.

Enter the access-lists you listed in questions 3 and 4, pressing ENTER after each entry.

Now that you have created the access lists for the inbound (101) and outbound (155) groups, it is
time to apply them to the FE1 interface.

To do so, type interface fastethernet 1 and press ENTER.
The prompt should change to Router(config-if)#.
Type ip access-group 101 in and press ENTER.
Type ip access-group 155 out and press ENTER.
Type end and press ENTER.

OK, we are done with the ACL configuration, and now it is time to see whether we have achieved our
goals.




Task 4 – Testing ACLs configuration

You need to take screenshots of every test listed below.

For telnet part:
username: telnet
password: metrab

Ping Joker from X5zero (should work)
Ping Joker from Metra (should not work)
Telnet Joker from X5zero (should not work)
Telnet Joker from Metra (should work)
Ping X5zero from Joker (should work)
Ping Metra from Joker (should not work)

So, if the tests are successful, go to the Configurator PC and make sure that you are in privileged
mode (denoted by #); if you are not, refer to the beginning of task 3 for an explanation of how to
get there.

While in privileged mode, type show access-lists and press ENTER.

Take a screenshot of the output and attach it to your report.


-------------------------------------------------------------------------------------
Should one of these tests fail, you need to look at your access lists to see whether you made any
mistakes while entering them.

To do so, go to the CLI, type exit and press ENTER to get back to privileged mode.
Now type show access-lists and press ENTER; you should see all the access lists you have entered so
far. Check the command syntax, and if you still fail to see your mistake, the TA can help you at
that point.
If you found a mistake in one of the lists, you need to remove that particular list and add it anew.
Here is how to do it. For example, let's imagine that you need to remove the following access-list:
access-list 111 permit tcp host 1.2.3.4 host 5.6.7.8 eq 80
1. Invoke the configure terminal command to get back to global configuration mode.
2. Type no access-list 111 permit tcp host 1.2.3.4 host 5.6.7.8 eq 80 and press ENTER.
3. Add the new version of the list and test your configuration again.
Note that for a numbered access list the no access-list 111 ... command removes every entry of group
111, not only the one you typed, so be prepared to re-enter the other entries of that group as well
(check with show access-lists afterwards).




Task 5 – perform ACL exercise




List the access lists in each group and make sure that you use the access-list command syntax
described earlier. Also make sure that you include in your answer the name of the interface to which
you are applying the access-list(s) and the direction (in or out).




Task 6 – questions

    a. Explain the difference between standard and extended access lists.
    b. Explain the difference between inbound and outbound packets with regard to the network
       interface they are passing through.
    c. Which CLI mode allows you to configure access lists?
    d. What CLI command allows you to view the configured access-lists? In what mode should this
       command be invoked?




Grading Rubric
Task 1 – 20 %
   Question 1 – 10 %
   Question 2 – 10 %

Task 3 – 20 %
    Question 3 – 10 %
    Question 4 – 10 %

Task 4 – 20 %
    Screenshots of tests – 10 %
    Screenshot of output for show access-lists CLI command – 10 %
Task 5 – 30 %
Task 6 – 10 %

Total = 100 %

Report Writing Requirements

   - The report must include a cover page. Among other things, the name of each group member
     must be put on the cover page.
   - The contribution of each group member must be summarized in the report. That is, the report
     should state "who did what" in a clear way.



