Routing & Switching Version F.0
Infrastructure Security
www.noasolutions.com

NOA Solutions, N.K Arcade, 2nd & 3rd floor, Opposite to Banjara function hall, Banjara Hills road no 1, Hyderabad, INDIA. +91 40 65890380, +91 7036826345
Page 1

About the Author

Sikandar Shaik, a dual CCIE (RS/SP# 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 10 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.

Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad in countries like China, Kenya and UAE. He has also worked as a Freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you. Secondly I would like to thank the NOA Solutions team for their continued support, dedication and hard work which helped me in delivering a better product. I would like to thank my family for understanding my long nights at the computer.
I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement. I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 2 (RS/SP)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions to info@noasolutions.com

NOA Solutions, N.K Arcade, 2nd & 3rd floor, Opposite to Banjara function hall, Banjara Hills road no 1, Hyderabad, INDIA. +91 40 65890380, +91 7036826345, www.noasolutions.com

INDEX

Access-Control List
  Standard ACL ... 5
  LAB: Standard Access-list ... 11
  Extended ACL ... 15
  LAB: Extended Access-list ... 19
  Named ACL ... 22
  LAB: Restricting Telnet Access ... 28
  Routing protocol and ACL ... 32
  LAB: Routing protocol and ACL ... 34
  LAB: Deny OSPF / EIGRP Traffic ... 38
  Time Based ACL
  LAB-2: Time Based ACL
  IPv6 ACL

Device Access Security
  Basic Login passwords ... 59
  Login password Enhancements ... 65
  LAB: Cisco Login Enhancements ... 70
  Cisco IOS Resilient Configuration
  AAA Authentication using external servers
  LAB: AAA Authentication
  User Accounts & Privilege levels ... 99
  LAB: User accounts and privilege levels ... 102
  Role based Access control ... 107
  LAB: Role Based Access Control (Views)

Layer 2 Security
  Understanding switch security issues
  Port security
  LAB: Port-Security
  DHCP snooping ... 128
  LAB: DHCP Snooping ... 131
  LAB: IP Source Guard
  Dynamic ARP inspection ... 144
  LAB: Dynamic ARP inspection ... 151
  Storm Control ... 156
  Private VLAN ... 158
  LAB: Private VLAN ... 165
  VLAN ACL
  IPv6 First Hop security ... 179
  IPv6 RA Guard ... 183
  DHCPv6 Guard ... 186

ACCESS CONTROL LIST (ACL)

> ACL is a set of rules which will allow or deny specific traffic moving through the router.
> It is a Layer 3 security mechanism which controls the flow of traffic from one router to another, so it is also called a Packet Filtering Firewall.

Types of Access-list

STANDARD ACCESS LIST
1. The access-list number range is 1 - 99.
2. Can block a Network, Host and Subnet.
3. All services are blocked.
4. Implemented closest to the destination.
5. Filtering is done based on only the source IP address.

EXTENDED ACCESS LIST
1. The access-list number range is 100 - 199.
2. We can allow or deny a Network, Host, Subnet and Service.
3. Selected services can be blocked.
4. Implemented closest to the source.
5. Filtering is done based on source IP, destination IP, protocol and port number.

Lab: standard access-list
TASK: Configure the appropriate router as per the rules given.
NOTE: the above ACL rules should not affect the other communication.

Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>

To write an ACL statement:
1. Decide on which router to implement the ACL.
2. Identify Source & Destination.
3. In/out.
Ensure that the router on which you are implementing the ACL is the transit router. Think of your router as the destination for incoming traffic and as the source for outgoing traffic.

Wild card mask
> Tells the router which portion of the bits to match or ignore.
> 0 = must match, 1 = ignore
> Global Subnet Mask - Customized Subnet Mask = Wild Card Mask
  255.255.255.255 - 255.255.255.0 = 0.0.0.255
> Wild Card Mask for a Network will be the inverse mask.
> Wild Card Mask for a Host will always be 0.0.0.0

Example:
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Understanding IN / OUT
> IN: into the router
> OUT: out of the router
Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

Verification:
R-2# sh access-lists
Standard IP access list 15
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

LAB: STANDARD ACCESS-LIST

[Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; hosts 192.168.2.1, 192.168.2.2, 192.168.3.1, 192.168.3.2]

Pre-requirement for LAB (check previous labs)
1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using the PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given
- Deny the host 192.168.1.1 communicating with 192.168.2.0
- Deny the host 192.168.1.2 communicating with 192.168.2.0
- Deny the network 192.168.3.0 communicating with 192.168.2.0
- Permit all the remaining traffic
NOTE: the above ACL rules should not affect the other communication.

NOTE: Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.:

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

ROUTER-2

Creating the ACL rules according to the requirement:
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

Verification:
R-2# sh access-lists
Standard IP access list 15
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32
Reply from 192.168.3.1: bytes=32
Reply from 192.168.3.1: bytes=32
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32 time=24ms TTL=126

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32
Reply from 192.168.1.1: bytes=32
Reply from 192.168.1.1: bytes=32
Reply from 192.168.1.1: bytes=32

Access-list Rules

> Works in sequential order.
> All deny statements have to be given first (preferable in most cases).
> There should be at least one permit statement (mandatory).
> An implicit deny blocks all traffic by default when there is no match (an invisible statement).
> Can have one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
> Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested.
> You cannot remove one line from a numbered access list.
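The rules above (sequential first-match evaluation, wildcard-mask matching and the invisible implicit deny) as an added Python example; this is not code from the workbook or from Cisco IOS. ACL_15 is the standard ACL from the lab; the function names, the inverse-mask helper and the host addresses used for the checks are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple


def wildcard_from_mask(subnet_mask: str) -> str:
    """Inverse mask, e.g. 255.255.255.0 -> 0.0.0.255 (global mask - subnet mask)."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', 1 means 'ignore'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router compares
    return (a & care) == (b & care)


def parse_standard_ace(line: str) -> Tuple[str, str, str]:
    """Parse one standard ACE: 'deny host X', 'deny X WILDCARD' or 'permit any'."""
    tokens = line.split()
    action = tokens[0]
    if tokens[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"   # ignore every bit
    if tokens[1] == "host":
        return action, tokens[2], "0.0.0.0"           # match every bit
    wildcard = tokens[2] if len(tokens) > 2 else "0.0.0.0"  # IOS default when omitted
    return action, tokens[1], wildcard


def evaluate_standard_acl(acl: List[str], src: str) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching entry decides.

    Returns (action, 1-based index of the matching line); (deny, None) means
    no visible statement matched and the implicit deny at the end applied.
    """
    for idx, ace in enumerate(acl, start=1):
        action, base, wildcard = parse_standard_ace(ace)
        if wildcard_match(src, base, wildcard):
            return action, idx
    return "deny", None


# ACL 15 exactly as entered on R-2 in the lab above.
ACL_15 = [
    "deny 192.168.1.1 0.0.0.0",
    "deny host 192.168.1.2",
    "deny 192.168.3.0 0.0.0.255",
    "permit any",
]

if __name__ == "__main__":
    # Constructed source addresses: two denied hosts, one host in the denied
    # LAN, and one host that only the final 'permit any' lets through.
    for src in ("192.168.1.1", "192.168.1.2", "192.168.3.200", "192.168.1.3"):
        print(src, evaluate_standard_acl(ACL_15, src))
    # Without the mandatory permit, every unmatched host hits the implicit deny.
    print("192.168.1.3 without 'permit any':", evaluate_standard_acl(ACL_15[:3], "192.168.1.3"))
```

The order of the deny lines does not matter for this ACL because the entries do not overlap, but placing `permit any` first would shadow every deny below it, which is why the workbook asks for the deny statements first.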
Extended Access-list

> The access-list number range is 100 - 199.
> We can allow or deny a Network, Host, Subnet and Service.
> Selected services can be blocked.
> Implemented closest to the source.
> Filtering is done based on source IP, destination IP, protocol and port number.

TASK: Configure the appropriate router as per the rules given (the rules are listed in full in the extended ACL lab below).
NOTE: the above ACL rules should not affect the other communication.

Operators:
eq (equal to)
neq (not equal to)
lt (less than)
gt (greater than)

Extended ACL Syntax
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <port no>
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <acl no> <in/out>

Example:
R1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R1(config)# access-list 145 permit ip any any
Implementation:
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 145 out
OR
R1(config)# interface serial 0/0
R1(config-if)# ip access-group 145 in

LAB: EXTENDED ACCESS-LIST

[Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; hosts 192.168.2.1, 192.168.2.2, 192.168.3.1, 192.168.3.2]

1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using the PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given below
1. Users on LAN 192.168.2.0 should not access the 192.168.1.3 HTTP service.
2. Users on LAN 192.168.3.0 should not access the 192.168.1.4 FTP service.
3. The user 192.168.3.1 should not access the 192.168.1.3 HTTP service.
4. Users on LAN 192.168.2.0 should not get DNS service from the DNS server 192.168.1.4.
5. The hosts 192.168.3.2 and 192.168.1.2 should not be able to send ICMP (ping/trace) messages to each other.
6. Remaining hosts and services should be permitted.
NOTE: the above ACL rules should not affect the other communication.

Router-1
R1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq ?
  <0-65535>       Port number
  bootpc          Bootstrap Protocol (BOOTP) client (68)
  bootps          Bootstrap Protocol (BOOTP) server (67)
  isakmp          Internet Security Association and Key Management Protocol (500)
  non500-isakmp   Internet Security Association and Key Management Protocol (4500)
  snmp            Simple Network Management Protocol (161)
  tftp            Trivial File Transfer Protocol (69)

R1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R1(config)# access-list 145 deny icmp host 192.168.3.1 host 192.168.1.1 ?
  <0-256>               type-num
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable

R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R1(config)# access-list 145 permit ip any any

Implementation:
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 145 out
OR
R1(config)# interface serial 0/0
R1(config-if)# ip access-group 145 in

Verification:
PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125
Reply from 192.168.1.1: bytes=32
Reply from 192.168.1.1: bytes=32
Reply from 192.168.1.1: bytes=32
Named ACL

> Access lists are identified using names rather than numbers.
> Names are case-sensitive.
> No limitation of numbers here.
> One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
> IOS version 11.2 or later allows Named ACLs.

Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Named Access List
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <name> <in/out>

LAB: STANDARD NAMED ACL

[Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; hosts 192.168.2.1, 192.168.2.2, 192.168.3.1, 192.168.3.2]

TASK:
+ Configure a Standard Named ACL.
+ Use the same rules as Lab-1.

Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=7ms TTL=126
Reply from 192.168.2.1: bytes=32 time=20ms TTL=126
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=16ms TTL=126
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32 time=23ms TTL=126

Creating an Access-list as per the given rules
R-2(config)# ip access-list standard CCNA
R-2(config-std-nacl)# deny 192.168.1.1 0.0.0.0
R-2(config-std-nacl)# deny host 192.168.1.2
R-2(config-std-nacl)# deny 192.168.3.0 0.0.0.255
R-2(config-std-nacl)# permit any
R-2(config-std-nacl)# exit

Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group CCNA out

R-2# sh access-lists
Standard IP access list CCNA
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......:

PC>ping 192.168.2.1
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

SERVER>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

SERVER>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32 time=17ms
Reply from 192.168.2.1: bytes=32
Reply from 192.168.2.1: bytes=32

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32

Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <port no>
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <name> <in/out>

LAB: NAMED EXTENDED ACL

[Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]

+ Configure an Extended Named ACL.
+ Use the same rules as Lab-2.

R1(config)# ip access-list extended CCNP
R1(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R1(config-ext-nacl)# deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R1(config-ext-nacl)# deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R1(config-ext-nacl)# deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo
R1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo-reply
R1(config-ext-nacl)# permit ip any any

Implementation:
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group CCNP out
OR
R1(config)# interface serial 0/0
R1(config-if)# ip access-group CCNP in

R1# sh access-lists
Extended IP access list CCNP
    deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
    deny tcp host 192.168.3.1 host 192.168.1.3 eq www
    deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
    deny icmp host 192.168.3.1 host 192.168.1.1 echo
    deny icmp host 192.168.3.1 host 192.168.1.1 echo-reply
    permit ip any any

Verification:
PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125

Restricting Telnet Access To The Router to Specified Networks Or Hosts

> Restrict the users who can telnet and who should not.
> Use the access-class command on the VTY lines.
> Only the telnet traffic on the VTY lines is compared.

TASK: Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

R1(config)# access-list 20 permit host 192.168.1.1
R1(config)# access-list 20 permit host 192.168.1.2

Implementation
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# access-class 20 in
R1(config-line)# end
LAB: Restricting Telnet Access to the Router to Specified Networks or Hosts

Should You Secure Your Telnet Lines on a Router?

TASK: You're monitoring your network and notice, by using the show users command, that someone has telnetted into your core router. You use the disconnect command and they are disconnected from the router, but you notice they are back into the router a few minutes later. You are thinking about putting an access list on the router interfaces, but you don't want to add a lot of latency on each interface since your router is already pushing a lot of packets.

The access-class command illustrated in this lab is the best way to restrict the users who can telnet and who should not, because it doesn't use an access list that just sits on an interface looking at every packet that is coming and going. That can cause overhead on the packets trying to be routed. When you put the access-class command on the VTY lines, only packets trying to telnet into the router will be looked at and compared. This provides nice, easy-to-configure security for your router.

[Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]

Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

Creating an ACL which permits only the hosts 192.168.1.1 and 192.168.1.2 (by default all the other hosts are denied):
R1(config)# access-list 20 permit host 192.168.1.1
R1(config)# access-list 20 permit host 192.168.1.2

Implementation
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# access-class 20 in
R1(config-line)# end

Verification:
PC>ipconfig
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

PC>ipconfig
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

From both the hosts (192.168.1.1 and 192.168.1.2) telnet to R1 is successful (from the above outputs). Telnet from any other user should be denied automatically as per our requirement (verify the below outputs).

Try Telnet from 192.168.1.3 to R1
PC>ipconfig
IP Address......: 192.168.1.3
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100...

Try Telnet from 192.168.1.4 to R1
PC>ipconfig
IP Address......:
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ...
% Connection refused by remote host

Try Telnet from R2 to R1
R-2>enable
R-2#telnet 10.0.0.1

R1# sh access-lists
Standard IP access list 12
    permit host 192.168.1.1 (2 match(es))
    permit host 192.168.1.2 (2 match(es))
    deny any (13 match(es))

R1# sh users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
                          idle                 00:00:39
Routing Protocol & ACL

R2(config)# access-list 12 permit 10.0.0.0 0.255.255.255
R2(config)# int s1/0
R2(config-if)# ip access-group 12 in
R2(config-if)# end

R2(config)# ip access-list extended CCIE
R2(config-ext-nacl)# permit tcp any any eq ftp
R2(config-ext-nacl)# permit tcp any any eq telnet
R2(config-ext-nacl)# exit
R2(config)# int s1/0
R2(config-if)# ip access-group CCIE in

Routing Protocol & ACL

R2(config)# ip access-list extended EIGRP
R2(config-ext-nacl)# deny eigrp any any
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group EIGRP in

Routing Protocol & ACL

R2(config)# ip access-list extended OSPF
R2(config-ext-nacl)# (deny statement illegible in the scan)
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group OSPF in
OR
R2(config)# access-list 151 deny ip any host 224.0.0.5
R2(config)# access-list 151 deny ip any host 224.0.0.6
R2(config)# access-list 151 permit ip any any
R2(config)# int s1/0
R2(config-if)# ip access-group 151 in

LAB: Routing protocol and ACL

[Topology diagram: R1 and R2 connected back to back on s1/0, each with a LAN on F0/0]

TASK:
* Configure EIGRP and OSPF routing on R1/R2 and advertise the interfaces given in the diagram.
R1(config)#router ospf 1
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#router eigrp 100
R1(config-router)#network 1.0.0.0
R1(config-router)#network 10.0.0.0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#exit
R2(config)#router eigrp 100
R2(config-router)#network 1.0.0.0
R2(config-router)#network 20.0.0.0
R2(config-router)#exit

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:34    1.1.1.1         Serial1/0

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0         11 00:04:27 1126  5000  0  12

R2#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     10.0.0.0/8 [90/2172416] via 1.1.1.1, 00:04:28, Serial1/0

TASK:
* Configure a standard ACL on R2 s1/0 inbound to permit only traffic sourced from 10.0.0.0 (R1-LAN).
* Ensure that the ACL does not drop OSPF or EIGRP traffic.

R2(config)#access-list 12 permit 10.0.0.0 0.255.255.255
R2(config)#int s1/0
R2(config-if)#ip access-group 12 in
R2(config-if)#end

* After some time you will see both the EIGRP and OSPF neighbors go down once the dead time expires. The reason is the ACL on the R2 s1/0 interface, which allows traffic sourced from 10.0.0.0 only; the implicit deny at the end of the ACL drops all the remaining traffic (here the OSPF and EIGRP packets, which are sourced from R1's serial address).

R2#sh ip ospf neighbor
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)

* To permit OSPF and EIGRP traffic we need to permit traffic sourced from R1 (host 1.1.1.1) on R2.

R2(config)#access-list 12 permit host 1.1.1.1
R2(config)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0         12 00:00:15  224  1344  0  17

R2#sh access-lists
Standard IP access list 12
    20 permit 1.1.1.1 (20 matches)
    10 permit 10.0.0.0, wildcard bits 0.255.255.255

TASK:
* Remove the standard ACL on R2.
* Configure an extended ACL to allow only telnet/FTP traffic between the R1 and R2 LANs.
* Configure the ACL on the R1 s1/0 interface.
* Ensure that the ACL does not drop OSPF or EIGRP traffic.

R2(config)#int s1/0
R2(config-if)#no ip access-group 12 in
R2(config-if)#exit
R2(config)#no access-list 12
R2(config)#end

R2(config)#ip access-list extended CCIE
R2(config-ext-nacl)#permit tcp any any eq ftp
R2(config-ext-nacl)#permit tcp any any eq telnet
R2(config-ext-nacl)#exit
R2(config)#int s1/0
R2(config-if)#ip access-group CCIE in
R2(config-if)#end

* After some time you will see both the EIGRP and OSPF neighbors go down once the dead time expires.
* The reason is the ACL on the R2 s1/0 interface, which allows only FTP or TELNET traffic; the implicit deny drops all the remaining traffic (here the OSPF and EIGRP packets).
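To see why the ACLs in this lab silently break both neighborships, and what each fix changes, here is an added Python example (not code from the workbook) that models the IOS first-match and implicit-deny logic for the standard and extended ACL lines used on this page. It goes beyond the current step and also runs the deny eigrp / deny ospf / 224.0.0.5 variants from the summary slides above. The sample packets are constructed for the example: an OSPF hello (IP protocol 89) and an EIGRP hello (protocol 88), both sourced from R1's serial address 1.1.1.1 rather than from the 10.0.0.0 LAN, and two TCP flows from a LAN host 10.1.1.1. The function and variable names are the example's own.

```python
"""Added example (not from the workbook): evaluate IOS-style ACL entries against
constructed packets to show first-match / implicit-deny behaviour on routing
protocol traffic. All packet addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")        # address 0.0.0.0 with an all-ones wildcard


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # TCP/UDP destination port, if any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr_spec(tokens):
    """Consume one address specification; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:   # 'address wildcard' form
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]           # bare address means host


def parse_entry(line: str, standard: bool = False) -> dict:
    """Parse lines such as 'permit tcp any any eq telnet' or 'permit 10.0.0.0 0.255.255.255'."""
    action, *tokens = line.split()
    if standard:                      # standard ACLs match on source address only
        proto, dst = "ip", ANY
        src, tokens = _addr_spec(tokens)
    else:
        proto, *tokens = tokens
        src, tokens = _addr_spec(tokens)
        dst, tokens = _addr_spec(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def entry_matches(entry: dict, pkt: Packet) -> bool:
    want = IP_PROTO[entry["proto"]]
    if want is not None and want != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *entry["src"]) and wildcard_match(pkt.dst, *entry["dst"])):
        return False
    return entry["dport"] is None or entry["dport"] == pkt.dport


def evaluate(acl_lines, pkt: Packet, standard: bool = False) -> str:
    """The first matching entry decides; every IOS ACL ends in an implicit 'deny any'."""
    for line in acl_lines:
        entry = parse_entry(line, standard)
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"


# Constructed sample packets. Routing protocol hellos come from R1's s1/0 address, not the LAN.
PACKETS = {
    "ospf_hello": Packet("1.1.1.1", "224.0.0.5", 89),     # AllSPFRouters
    "eigrp_hello": Packet("1.1.1.1", "224.0.0.10", 88),   # EIGRP multicast group
    "lan_telnet": Packet("10.1.1.1", "20.1.1.1", 6, 23),
    "lan_http": Packet("10.1.1.1", "20.1.1.1", 6, 80),
}

# The ACLs from this lab and the summary slides: (entry lines, is_standard)
ACLS = {
    "acl12_before": (["permit 10.0.0.0 0.255.255.255"], True),
    "acl12_after": (["permit 10.0.0.0 0.255.255.255", "permit host 1.1.1.1"], True),
    "CCIE_before": (["permit tcp any any eq ftp", "permit tcp any any eq telnet"], False),
    "CCIE_after": (["permit tcp any any eq ftp", "permit tcp any any eq telnet",
                    "permit ospf any any", "permit eigrp any any"], False),
    "EIGRP": (["deny eigrp any any", "permit ip any any"], False),
    "acl151": (["deny ip any host 224.0.0.5", "deny ip any host 224.0.0.6",
                "permit ip any any"], False),
}


def lab_results() -> dict:
    """Verdict of every ACL for every sample packet: {acl_name: {packet_name: 'permit'|'deny'}}."""
    return {name: {p: evaluate(lines, pkt, std) for p, pkt in PACKETS.items()}
            for name, (lines, std) in ACLS.items()}


if __name__ == "__main__":
    for acl, verdicts in lab_results().items():
        print(f"{acl:13s}", "  ".join(f"{p}={v}" for p, v in verdicts.items()))
```

Running it shows the pattern the lab demonstrates on the routers: acl12_before and CCIE_before deny both hellos (they fall through to the implicit deny), acl12_after permits them because the hellos are sourced from host 1.1.1.1, CCIE_after permits them through the protocol-specific entries, and the EIGRP and 151 ACLs each drop exactly one routing protocol while passing everything else.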
R2#sh ip ospf neighbor
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)

* To ensure that the ACL does not drop OSPF or EIGRP traffic we need to add permit statements which match OSPF and EIGRP packets.

R2(config)#ip access-list extended CCIE
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#exit

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0         11 00:00:12  217  1302  0  21

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

LAB: Deny OSPF / EIGRP Traffic:

* Sometimes when we are doing troubleshooting in the lab exam, the possible issue can also be an ACL which was configured and is affecting the neighborship of some protocol.
* In this lab, we will verify how an ACL can be configured to deny routing protocol traffic, using EIGRP and OSPF as our routing protocols.
[Diagram: R1 s1/0 1.1.1.1 connected to R2 s1/0; R2 Fa0/0 20.1.1.1]

TASK: Configure OSPF on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

TASK: Configure EIGRP on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router eigrp 100
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#end

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

* By default the router installs in the routing table the routes learned through EIGRP (AD = 90) instead of OSPF (AD = 110); the choice is decided by Administrative Distance.

TASK: Configure an ACL to deny EIGRP packets on R2. Ensure that all the remaining traffic is permitted.

R2(config)#ip access-list extended EIGRP
R2(config-ext-nacl)#deny eigrp any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group EIGRP in

R2#clear ip eigrp neighbors
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
*Mar 19 13:39:40.947: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:40.947:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:43.615: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:43.619:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:45.327: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:45.331:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:48.035: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:48.035:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:49.683: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:49.683:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

* EIGRP is sending hello messages on s1/0 but is not receiving any on s1/0, because the ACL drops the incoming EIGRP packets.

R2#sh access-list
Extended IP access list EIGRP
    20 permit ip any any (10 matches)

R2#undebug all
All possible debugging has been turned off

R2#sh ip route
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
O     10.0.0.0/8 [110/65] via 1.1.1.1, 00:02:07, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

* Now R2 installs the routes learned from OSPF, as the EIGRP neighborship between R2 and R1 is no longer established.
* Sometimes when we are doing troubleshooting in the lab exam, the possible issue can also be an ACL which was configured and is affecting the neighborship of some protocol.

TASK: Remove the EIGRP ACL under the interface and configure an ACL to deny OSPF.

R2(config)#no ip access-list extended EIGRP
R2(config)#int s1/0
R2(config-if)#no ip access-group EIGRP in

R2(config)#ip access-list extended OSPF
R2(config-ext-nacl)#deny ospf any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group OSPF in

OR

R2(config)#access-list 151 deny ip any host 224.0.0.5
R2(config)#access-list 151 deny ip any host 224.0.0.6
R2(config)#access-list 151 permit ip any any
R2(config)#int s1/0
R2(config-if)#ip access-group 151 in
R2(config-if)#end

R2#clear ip ospf process

R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   INIT/  -        00:00:32    1.1.1.2         Serial1/0

Time Based ACL

* Allows you to restrict or allow resources based on time periods or day of the week. The time range relies on the router system clock.

Steps to configure:
1. Define a time range during which the ACL action must take place.
2. Define an ACL and apply the time range to its statements.
3. Apply the access list to the interface you need.

[Diagram: R1 s1/0 connected to R2; deny FTP traffic on weekdays (M-F) between 9 AM to 5 PM, permit Telnet traffic]
R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end
R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in

* Allow telnet from Jan 1 to Feb 28 2012 on all weekdays 9.00 am to 5.00 pm
* R1 has to telnet to R3 in the above time successfully

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012
R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

[Diagram: R1 connected to R2, R2 connected to R3; R3 Fa0/0 30.1.1.1/8]

TASK: Configure OSPF as the routing protocol to provide reachability.

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R3(config)#router ospf 1
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#end

R3#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   FULL/  -        00:00:36    2.2.2.1         Serial1/0

R3#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     1.0.0.0/8 [110/128] via 2.2.2.1, 00:03:12, Serial1/0
O     10.0.0.0/8 [110/129] via 2.2.2.1, 00:00:05, Serial1/0
O     20.0.0.0/8 [110/65] via 2.2.2.1, 00:03:12, Serial1/0

TASK: Configure a TIME BASED ACL on R2 which:
* Allows telnet from Jan 1 to Feb 28 2012 on all weekdays 9.00 am to 5.00 pm
* R1 has to telnet to R3 in the above time successfully.
* Ensure that OSPF traffic is permitted on the WAN interfaces.

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012

Configure the ACL and implement it on the interface on R2:

R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

Verification:

R2#show time-range
time-range entry: WEEKDAYS (inactive)
   absolute start 09:00 01 January 2012 end 17:00 28 February 2012
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry

R2#show clock
*00:32:01.687 UTC Fri Mar 1 2002

R2#clock set 10:00:00 2 Jan 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
R3>

R2#clock set 10:00:00 1 march 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 19:00:00 20 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 12:00:00 14 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open

LAB-2 : Time Based ACL

[Diagram: R1 connected to R2; R2 Fa0/0 20.1.1.1]

TASK:
* Connect R1-R2 as per the diagram.

R1(config)#router ospf 1
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#end

R2(config)#router ospf 1
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:39    1.1.1.1         Serial1/0

R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

TASK: Configure a time based ACL as per the given conditions.
* Deny FTP traffic on weekdays (M-F) between 9 AM to 5 PM
* Permit Telnet traffic January 1 - January 31, 9 AM to 5 PM
* Ensure that the OSPF traffic does not get dropped.
R2#sh clock

R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end

R2#sh time-range
time-range entry: DENY_FTP (active)
   periodic weekdays 9:00 to 17:00
time-range entry: TELNET (inactive)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015

R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in
R2(config-if)#end

R2#sh clock
R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (active)
    20 permit tcp any any eq telnet time-range TELNET (inactive)
    30 permit ospf any any (11 matches)

R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login
R2(config-line)#exit

R1#telnet 1.1.1.2
R1#sh clock

* If we try to telnet to R2 now, we are not able to, as the time range for telnet is only allowed in the month of January and the clock currently shows March 19 2015.

TASK:
* Change the time and date on R2 to match the ACL time range.
* Ensure that you are allowed to telnet to R2.

R2#sh clock
R2#clock set 10:10:10 jan 10 2015
R2#sh clock

R2#sh time-range
time-range entry: DENY_FTP (inactive)
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry
time-range entry: TELNET (active)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015
   used in: IP ACL entry

* DENY_FTP shows inactive here because 10 January 2015 is a Saturday, outside its weekdays period, while TELNET is active because the new date falls inside its absolute range.

R1#telnet 1.1.1.2
Trying 1.1.1.2 ... Open

User Access Verification

Password:
R2>exit

R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (inactive)
    20 permit tcp any any eq telnet time-range TELNET (active) (48 matches)
    30 permit ospf any any (56 matches)
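Both time-based labs above turn on how IOS decides whether a time-range is active: the absolute window bounds any periodic statements, an ACL entry whose time-range is inactive is skipped as if it were not there, and the implicit deny then drops the traffic. The added Python example below (not the workbook's code) models that evaluation and replays the clock values used in the verification of both labs: the four clock set checks of the first lab against access-list 102, and access-list 115 of LAB-2 before the clock change (19 March 2015; the page does not give the time of day, so 10:00 is assumed) and after it (10:10 on 10 January 2015, a Saturday, which is why DENY_FTP reports inactive). Treating the end minute of a periodic statement as inclusive is an assumption of the model, as are the function and constant names.

```python
"""Added example (not from the workbook): a model of IOS time-range evaluation,
replayed against the clock values used in the two time-based ACL labs."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

WEEKDAYS = {0, 1, 2, 3, 4}   # datetime.weekday(): Monday = 0 ... Friday = 4


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass
class TimeRange:
    """One 'time-range NAME' with an optional absolute window and periodic statements."""
    name: str
    periodic: list = field(default_factory=list)       # (days, start_minute, end_minute)
    absolute: Optional[tuple] = None                   # (start datetime, end datetime)

    def add_periodic(self, days, start: str, end: str) -> None:
        self.periodic.append((set(days), _minutes(start), _minutes(end)))

    def is_active(self, now: datetime) -> bool:
        """Assumed IOS semantics: outside the absolute window the range is inactive; inside
        it, any periodic statement covering 'now' (end minute inclusive) makes it active,
        and a range without periodic statements is active for the whole window."""
        if self.absolute is not None:
            start, end = self.absolute
            if (start is not None and now < start) or (end is not None and now > end):
                return False
        if not self.periodic:
            return True
        minute = now.hour * 60 + now.minute
        return any(now.weekday() in days and s <= minute <= e for days, s, e in self.periodic)


@dataclass
class Entry:
    action: str
    proto: str                            # 'tcp', 'ospf' or 'ip'
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None


def evaluate(acl: List[Entry], proto: str, dport: Optional[int], now: datetime) -> str:
    """First active matching entry wins; an entry with an inactive time-range is skipped
    as if absent, and the implicit deny catches whatever remains."""
    for e in acl:
        if e.time_range is not None and not e.time_range.is_active(now):
            continue
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def lab1_acl() -> List[Entry]:
    """access-list 102: telnet only while WEEKDAYS is active, OSPF always."""
    weekdays = TimeRange("WEEKDAYS")
    weekdays.add_periodic(WEEKDAYS, "09:00", "17:00")
    weekdays.absolute = (datetime(2012, 1, 1, 9, 0), datetime(2012, 2, 28, 17, 0))
    return [Entry("permit", "tcp", 23, weekdays), Entry("permit", "ospf")]


def lab2_acl() -> List[Entry]:
    """access-list 115: deny FTP while DENY_FTP is active, telnet while TELNET is active, OSPF always."""
    deny_ftp = TimeRange("DENY_FTP")
    deny_ftp.add_periodic(WEEKDAYS, "09:00", "17:00")
    telnet = TimeRange("TELNET")
    telnet.absolute = (datetime(2015, 1, 1, 9, 0), datetime(2015, 1, 31, 17, 0))
    return [Entry("deny", "tcp", 21, deny_ftp), Entry("permit", "tcp", 23, telnet),
            Entry("permit", "ospf")]


def lab1_telnet_verdicts() -> dict:
    """Replay the four 'clock set' checks of the first lab against access-list 102."""
    clocks = {
        "2 Jan 2012 10:00": datetime(2012, 1, 2, 10, 0),     # Monday, inside both windows
        "1 Mar 2012 10:00": datetime(2012, 3, 1, 10, 0),     # after the absolute end
        "20 Feb 2012 19:00": datetime(2012, 2, 20, 19, 0),   # Monday, but after 17:00
        "14 Feb 2012 12:00": datetime(2012, 2, 14, 12, 0),   # Tuesday, inside both windows
    }
    acl = lab1_acl()
    return {label: evaluate(acl, "tcp", 23, when) for label, when in clocks.items()}


# LAB-2 clock values: the page gives 19 March 2015 (time of day assumed) and 10:10:10 10 Jan 2015.
CLOCK_BEFORE_CHANGE = datetime(2015, 3, 19, 10, 0)    # Thursday
CLOCK_AFTER_CHANGE = datetime(2015, 1, 10, 10, 10)    # Saturday


def lab2_state(now: datetime) -> dict:
    """Time-range states and per-traffic verdicts for access-list 115 at a given clock."""
    acl = lab2_acl()
    return {"DENY_FTP": acl[0].time_range.is_active(now), "TELNET": acl[1].time_range.is_active(now),
            "ftp": evaluate(acl, "tcp", 21, now), "telnet": evaluate(acl, "tcp", 23, now),
            "ospf": evaluate(acl, "ospf", None, now)}


if __name__ == "__main__":
    print(lab1_telnet_verdicts())
    print("before clock set:", lab2_state(CLOCK_BEFORE_CHANGE))
    print("after clock set: ", lab2_state(CLOCK_AFTER_CHANGE))
```

The output mirrors the show time-range and telnet results on the page: in the first lab only the 2 January and 14 February clocks permit telnet, and in LAB-2 the DENY_FTP/TELNET states flip between the two clock values while OSPF is permitted throughout. Note that after the change FTP is still denied, no longer by the deny entry (which is inactive) but by the implicit deny, because nothing in access-list 115 permits it.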
