5.5.2 Lab - Configure and Verify Extended IPv4 ACLs

Captions
Configure and verify extended IPv4 access control lists. Topology and addressing table: R1 is a router with sub-interfaces and a loopback interface, R2 is a router, two switches, and PC-A and PC-B. VLAN table: VLANs 20, 30, 40, 999 and 1000. Required resources on a real lab: two routers, two switches, two PCs, console cables and Ethernet cables. I will do it on Packet Tracer.

Part 1: build the network and configure basic device settings. Cable the network as shown in the topology, then configure basic settings for each router. For example, go to the R1 command line interface. Would you like to enter the initial configuration dialog? No. Assign the device name: enable, configure terminal, and in global configuration mode, hostname R1. Disable DNS lookup: no ip domain-lookup. Assign class as the privileged EXEC encrypted password: enable secret class. Assign cisco as the console password and enable login: line console 0, password cisco, login. Assign cisco as the vty password and enable login: line vty 0 15, password cisco, login. Encrypt the plaintext passwords: exit, and in global configuration mode, service password-encryption. Create a banner (message of the day): "Unauthorized access is prohibited". Save the running configuration to the startup configuration: exit to privileged EXEC mode, copy running-config startup-config, and press Enter. Do the same on each router: you can copy these commands, paste them and remove the prompt. For R2 the only difference is the hostname, R2. Go to the R2 command line interface, no to the initial configuration dialog, enable, configure terminal, hostname R2, then paste the rest: no ip domain-lookup, enable secret, line vty, service password-encryption, banner, copy running-config startup-config. Review it: no errors.

Configure basic settings for each switch: the device name, disable DNS lookup, enable secret, console password, vty password, encrypt the plaintext passwords, banner, and save the running configuration. They are the same commands, but in this case on S1: enable, configure terminal, hostname S1, then paste. No issues. S2: enable, configure terminal, hostname S2, then paste.

Create VLANs on both switches: create and name the required VLANs on each switch from the table above. Go to S1, configure terminal, and in global configuration mode: vlan 20, name Management; vlan 30, name Operations; vlan 40, name Sales; vlan 999, name ParkingLot; vlan 1000, name Native; exit. The same on S2: vlan 20 name Management, vlan 30 name Operations, vlan 40 name Sales, vlan 999 name ParkingLot, vlan 1000 name Native, exit.

Configure the management interface and default gateway on each switch using the IP address information in the addressing table. For example, in the addressing table S1 is on VLAN 20. Go to S1 global configuration mode: interface vlan 20, ip address 10.20.0.2 255.255.255.0, no shutdown, exit, and ip default-gateway 10.20.0.1. Now S2: interface vlan 20, ip address 10.20.0.3 255.255.255.0, no shutdown, exit, ip default-gateway 10.20.0.1.

Assign all unused ports on the switch to the parking lot VLAN, configure them for static access mode and administratively deactivate them. The interface range command is helpful. For example, on S1 the ports in use are F0/1, F0/5 and F0/6, so select the unused ports: interface range f0/2-4, f0/7-24, g0/1-2. Static access mode: switchport mode access; parking lot VLAN: switchport access vlan 999; and shutdown. Then exit. On S2 the ports in use are F0/1, F0/5 and F0/18, so the unused ports are f0/2-4, f0/6-17, f0/19-24 and g0/1-2: interface range f0/2-4, f0/6-17, f0/19-24, g0/1-2; switchport mode access; switchport access vlan 999; shutdown.

Assign VLANs to the correct switch interfaces: assign user ports to the appropriate VLAN specified in the VLAN table above and configure them for static access mode. In the VLAN table, VLAN 20 is on S2 F0/5: on S2, interface f0/5, switchport mode access, switchport access vlan 20. S2 F0/18 goes to VLAN 40: interface f0/18, switchport mode access, switchport access vlan 40. S1 F0/6 goes to VLAN 30: on S1, interface f0/6, switchport mode access, switchport access vlan 30. The unused ports are already configured on VLAN 999. Verify with show vlan brief. In privileged EXEC mode on S2, show vlan brief shows F0/1 on VLAN 1, which I will configure later as a trunk, F0/5 on VLAN 20 and F0/18 on VLAN 40. On S1, show vlan brief shows F0/1 and F0/5 on VLAN 1, which I will configure later as the two trunks, and F0/6 on VLAN 30.

Configure 802.1Q trunking manually. The trunk interfaces between the switches are F0/1. Change the switchport mode on interface F0/1 to force trunking; make sure to do this on both switches. Go to S1: configure terminal, interface f0/1, switchport mode trunk. As part of the trunk configuration, set the native VLAN to 1000 on both switches: switchport trunk native vlan 1000. You may see error messages temporarily while the two interfaces are configured for different native VLANs. This is the message: inconsistent local VLAN. It is telling you that on this side, S1, the native VLAN is 1000, but on S2 the native VLAN is still VLAN 1; the native VLAN on both sides should be the same. As another part of the trunk configuration, the lab says to specify that VLANs 10, 20, 30 and 1000 are allowed to cross the trunk. Maybe it is trying to say 20, 30, 40 and 1000. Do not include 999 because it is the parking lot VLAN for unused ports; do not include it, for security. Include 20, 30, 40 and the native VLAN 1000, so it should read: specify that VLANs 20, 30, 40 and 1000 are allowed to cross the trunk. On S1: switchport trunk allowed vlan 20,30,40,1000. So F0/1 has switchport mode trunk, native VLAN 1000 and allowed VLANs 20, 30, 40 and 1000. The same configuration on F0/1 of S2: configure terminal, interface f0/1, switchport mode trunk, switchport trunk native vlan 1000, and you will see the message port consistency restored. Do not forget switchport trunk allowed vlan 20,30,40,1000.

Use the show interfaces trunk command to verify the trunk ports. Go to S1 and enter show interfaces trunk: F0/1, mode on, encapsulation 802.1q, trunking, native VLAN 1000, VLANs allowed 20, 30, 40 and 1000. Go to S2, show interfaces trunk: F0/1, mode on, encapsulation 802.1q, trunking, native VLAN 1000, VLANs allowed 20, 30, 40 and 1000.

Manually configure the S1 trunk interface F0/5. On S1, interface F0/5 is connected to the router. Configure S1's interface F0/5 with the same trunk parameters as F0/1; this is the link to the router. Go to S1: configure terminal, interface f0/5, switchport mode trunk, switchport trunk native vlan 1000, switchport trunk allowed vlan 20,30,40,1000. Save the running configuration: copy running-config startup-config. Show interfaces trunk to verify: only F0/1 is a trunk, because F0/5 is activated on the switch but the other side, the router, is not activated yet, so the link is down. That is why F0/5 is not a trunk for now; you need to configure R1.

Configure routing. Configure inter-VLAN routing on R1. Go to R1: password cisco, enable, password class. Activate interface G0/0/1 on the router; I recommend activating the physical interface G0/0/1 at the end. Now configure sub-interfaces for each VLAN as specified in the IP addressing table. All sub-interfaces use 802.1Q encapsulation. Ensure the sub-interface for the native VLAN does not have an IP address assigned. Include a description for each sub-interface. In the addressing table, the physical interface has no IP address, and the sub-interface for the native VLAN 1000 also has no IP address. Start with the sub-interfaces: configure terminal, interface g0/0/1.20. Set a description; do not forget the description. This sub-interface is .20 and will be assigned to VLAN 20. The number of the sub-interface can be different from the VLAN, but in this activity the sub-interface number is the same as the VLAN number. I will add the VLAN name as the description, for example Management; you can configure any description, but in this case VLAN 20 is Management, so description Management. Set the encapsulation: encapsulation dot1q 20, assigned to VLAN 20. Set the IP address: ip address 10.20.0.1 255.255.255.0. Then interface g0/0/1.30, description Operations, encapsulation dot1q 30, ip address 10.30.0.1 255.255.255.0. Sub-interface .40: description Sales, encapsulation dot1q 40, ip address 10.40.0.1 255.255.255.0. Do not forget the sub-interface for the native VLAN: interface g0/0/1.1000, description Native, encapsulation dot1q 1000 native; use the native keyword to specify that VLAN 1000 is the native VLAN, and no IP address. Go to the physical interface g0/0/1 and enable it with no shutdown.

Now configure interface Loopback1 on R1. Go back to the addressing table: Loopback1 on R1. Interface loopback1, ip address 172.16.1.1 255.255.255.0. No shutdown is not necessary, because the loopback interface changes state by itself. Exit. Use the show ip interface brief command to verify: G0/0/1 has no IP address; G0/0/1.20 has its IP address, status up, protocol up; .30 and .40 the same; sub-interface .1000 has no IP address; the loopback interface is up.

Configure R2 interface G0/0/1 using the addressing table and a default route with the next hop 10.20.0.1. Go to R2: password cisco, enable, password class, configure terminal, interface g0/0/1, ip address 10.20.0.4 255.255.255.0, no shutdown to enable the interface. Now you can see the indicator in green. Exit from interface configuration mode to global configuration mode and do not forget this, it is very important: the default route with next hop 10.20.0.1. This is like configuring the default gateway on a router: ip route 0.0.0.0 0.0.0.0 10.20.0.1; the default gateway is 10.20.0.1. This route will permit this router to reach the other networks.

Configure remote access. Configure all network devices for basic SSH support. Create a local user with the username SSHadmin and the encrypted password from the lab (cisco123 with a special character before and after it). Configure this on R1: configure terminal, username SSHadmin (case sensitive) secret followed by that password. Generate crypto keys using a 1024-bit modulus: crypto key generate rsa general-keys modulus 1024. Configure five vty lines on each device to support SSH connections only and to authenticate against the local user database: line vty 0 4 (from 0 to 4 you have five lines), transport input ssh to support SSH, login local to use the local user database with the username created. Do not forget to configure this also on R2. Go to R2: cisco, enable, class, configure terminal, username SSHadmin secret and the password, ip domain-name ccna-lab.com, crypto key generate rsa general-keys modulus 1024, line vty 0 4, transport input ssh, login local. Enable secure authenticated web services on R1: enable the HTTPS server with ip http secure-server. Packet Tracer does not support this command; it is supported on a real lab or on GNS3, for example, but this command is trying to enable the HTTPS server on router R1. Configure R1 to authenticate users: ip http authentication local. Packet Tracer also does not support this command, so it is not possible to configure the web server on R1, but do not worry, I have an alternative configuration.

Verify connectivity. Configure the PC hosts. PC-A is on VLAN 30: go to PC-A, Desktop, IP Configuration: 10.30.0.10, subnet mask 255.255.255.0, default gateway 10.30.0.1. PC-B is on VLAN 40: Desktop, IP Configuration: 10.40.0.10, subnet mask 255.255.255.0, default gateway 10.40.0.1. Complete the following tests; all should be successful. You may have to disable the PC firewalls for the pings to be successful; this is for a real lab with Windows PCs. The tests are ping, HTTPS and SSH. All pings will work and all SSH connections will work, but the problem is HTTPS: R1 does not support HTTPS in Packet Tracer, so that test will not be possible. I will make a modification. There is Loopback1 on R1 with 172.16.1.1. I will remove Loopback1, and that IP will be the IP address of a web server, a simulated web server for R1, with the IP address 172.16.1.1 connected to interface G0/0/0 on R1. Go to R1: cisco, enable, class, configure terminal, no interface loopback1 (interface Loopback1 goes administratively down), and configure G0/0/0 on R1: interface g0/0/0, ip address 172.16.1.254 255.255.255.0, no shutdown. Configure the server with IP address 172.16.1.1, subnet mask 255.255.255.0 and default gateway 172.16.1.254, the IP address of G0/0/0, because G0/0/0 is the default gateway of the server. Go to the server again, Services, HTTP, and verify that HTTP and HTTPS are on. From PC-B, HTTPS to this destination will be possible.

The lab also has an HTTPS connection from PC-B to destination 10.20.0.1, and 10.20.0.1 is the G0/0/1 sub-interface of R1 placed on VLAN 20, so you can add another web server on VLAN 20, connect it to the switch, for example on S2 F0/4, and configure S2 to assign this web server to VLAN 20. Remember F0/4 was assigned to the parking lot VLAN 999. On S2: cisco, enable, class, configure terminal, interface f0/4, switchport mode access, switchport access vlan 20. Before it was in VLAN 999; now it is in VLAN 20. This port has a red indicator because it was shut down, so no shutdown. Now you can see the green and amber indicators. Assign an IP address to this server: Desktop, IP Configuration. I will not use 10.20.0.1 because that is the IP address of the sub-interface on router R1; 10.20.0.2 is S1, 10.20.0.3 is S2, 10.20.0.4 is R2, so you can use 10.20.0.5 for this server, subnet mask 255.255.255.0 and default gateway 10.20.0.1. So the only difference in this task is that you will use 10.20.0.5.

Now the tests. From PC-A ping 10.40.0.10, which is the IP address of PC-B: go to PC-A, Command Prompt, ping 10.40.0.10, success. From PC-A ping 10.20.0.1, the router: success. From PC-B ping 10.30.0.10, PC-A: go to PC-B, Command Prompt, ping 10.30.0.10, success. From PC-B ping 10.20.0.1, the router on VLAN 20: success. From PC-B ping 172.16.1.1, originally the loopback on R1; the loopback on R1 does not exist anymore, 172.16.1.1 is now the simulated web server: ping 172.16.1.1, success. From PC-B HTTPS to 10.20.0.5: close the Command Prompt, open the Web Browser, https://10.20.0.5, Go, success. From PC-B HTTPS to 172.16.1.1: https://172.16.1.1, Go, success. From PC-B SSH to 10.20.0.1, R1: close the web browser, Command Prompt, ssh -l SSHadmin 10.20.0.1. This is the letter l, not one; use the user SSHadmin, case sensitive, and the IP address 10.20.0.1. Enter the password; the banner appears; now you are on R1; exit. Success. From PC-B SSH to 172.16.1.1: in Packet Tracer it is not possible to SSH to 172.16.1.1 because it is a server, and the server in Packet Tracer does not have an SSH service. But from PC-B you can access R1 over SSH on this network by changing the last octet to 254: 172.16.1.254 was configured on R1 G0/0/0. So ssh -l SSHadmin 172.16.1.254, the password, "Unauthorized access is prohibited", now you are on R1, exit.

Now configure and verify extended access control lists. When basic connectivity is verified, the company requires the following security policies to be implemented. Policy 1: the Sales network is not allowed to SSH to the Management network; all other SSH is allowed. Sales is VLAN 40 and Management is VLAN 20. Configure this on R1: cisco, enable, class, configure terminal. If you will block SSH, you will block port 22, and to block ports you need an extended access list; a standard access list is not enough. The first extended access list is 101. Why configure this access list on R1? Because R1 is doing the inter-VLAN routing; the other router is like a host on VLAN 20. Extended access list 101, not allowed, so deny. SSH uses TCP at layer 4, so tcp, and then I want the network addresses for VLANs 20, 30 and 40. VLAN 20 is Management, network address 10.20.0.0, subnet mask 255.255.255.0; VLAN 30 is Operations, 10.30.0.0 255.255.255.0; VLAN 40 is Sales, 10.40.0.0 255.255.255.0. The Sales network is the source and the Management network is the destination: access-list 101 deny tcp, source 10.40.0.0 with the wildcard, which is the inverse of the subnet mask, 0.0.0.255, destination 10.20.0.0 0.0.0.255, and the port equal to 22 for SSH.

Now the Sales network is not allowed to access IP addresses in the Management network using any web protocol (HTTP, HTTPS). The Sales network, VLAN 40, is the source and the Management network, VLAN 20, is the destination. HTTP is port 80 and HTTPS is port 443. The same access list 101, deny. HTTP and HTTPS use TCP: access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 80. For HTTPS repeat the same command but with port 443: access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 443.

Now the Sales network is also not allowed to access R1 interfaces using any web protocol, but Sales can access the Loopback1 interface on R1. So Sales is not allowed to the sub-interfaces on R1, but can access Loopback1. Same access list, deny, source Sales VLAN 40, 10.40.0.0 0.0.0.255, destination the R1 interface 10.20.0.1; for a host use the wildcard 0.0.0.0, or host 10.20.0.1, it is the same, either option will work; and any web protocol includes HTTP and HTTPS, so eq 80. Repeat the previous command and only change the port to 443. Repeat for the other interface, 10.30.0.1, with the same wildcard mask, port 80, and again with port 443. And finally the interface 10.40.0.1: repeat the previous command with 10.40.0.1 port 80 for HTTP, and also 443 for HTTPS.

The Sales network is not allowed to send ICMP echo requests to the Operations or Management networks. Sales is VLAN 40, deny to Operations VLAN 30 and Management VLAN 20. On R1: access-list 101 deny icmp, source 10.40.0.0 0.0.0.255, destination Operations 10.30.0.0 0.0.0.255 (the network address with the wildcard, the inverse mask), and echo for the echo request. Now from Sales not allowed to Management: repeat the previous command and only change the destination: access-list 101 deny icmp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo.

Policy 4: the Operations network is not allowed to send ICMP echo requests to the Sales network. The source is Operations and the destination is Sales. For policy 4 use another extended access list, not 101, because in the previous policy the source is Sales and the destination is Operations, while in policy 4 the source is Operations and the destination is Sales, so this should be on a different access list. Policy 1: all other SSH is allowed; policy 2: all other web traffic is allowed; policy 3: ICMP echo requests to other destinations are allowed. So at the end, access-list 101 permit ip any any; this entry will permit all other SSH, all other web traffic and ICMP echo requests to other destinations.

Place this extended access list: the best practice is to configure it close to the source, and the source is VLAN 40, so configure it on the sub-interface of VLAN 40: interface g0/0/1.40, ip access-group 101 in, incoming traffic, because it is the source. For policy 4 configure another access list; it should be extended because you will block only ICMP. The next extended access list is 102: access-list 102 deny icmp, source Operations VLAN 30, 10.30.0.0 0.0.0.255, destination Sales VLAN 40, 10.40.0.0 0.0.0.255, and remember echo for the echo request. ICMP echo requests to other destinations are allowed, so access-list 102 permit ip any any. Configure it close to the source: the source is 10.30.0.0, VLAN 30, so interface g0/0/1.30, ip access-group 102 in, incoming traffic. Exit.

Finally, run the following tests; the expected results are shown in the table, but modify the destinations to 10.20.0.5 and 172.16.1.254. From PC-A ping 10.40.0.10 (PC-B): destination host unreachable, result fail, very good. From PC-A ping 10.20.0.1, the R1 interface, should be success: success. From PC-B ping 10.30.0.10 (PC-A) should fail: destination host unreachable, fail, very good. From PC-B ping 10.20.0.1, the interface on R1, should fail: destination host unreachable, fail. From PC-B ping 172.16.1.1 should be success: success. From PC-B HTTPS to 10.20.0.5: open the web browser, https://10.20.0.5, Go, request timeout, fail, very good. From PC-B HTTPS to 172.16.1.1 should be success: success. From PC-B SSH to 10.20.0.4; previously it was 10.20.0.1, but do not worry about this change, both are on VLAN 20. 10.20.0.4 is R2 and 10.20.0.1 is R1; you can make the test on either IP address. From PC-B ssh -l SSHadmin 10.20.0.4: connection timeout. Or repeat the command with 10.20.0.1: connection timeout; it should fail, very good. Finally, from PC-B ssh -l SSHadmin 172.16.1.254 (remember -l, the letter, not one), the password, and now you are on R1: "Unauthorized access is prohibited", enable, class, show running-config, exit. Success. Thank you very much.
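As an added example (not part of the video or of the Cisco lab), this Python script models the two access lists the presenter enters on R1 with IOS wildcard matching, first-match evaluation and the implicit deny, and replays the lab's verification table with the presenter's substitutions (web server at 10.20.0.5, R1 reached at 172.16.1.254). It assumes the inbound sub-interface can be chosen from the packet's source network (no spoofed sources), and it omits the two host 10.20.0.1 entries from the video because the 10.20.0.0/24 entries above them already match that traffic.

```python
import ipaddress
from collections import namedtuple
# proto: "tcp", "udp" or "icmp"; dport: TCP/UDP destination port; icmp_type: "echo" for a ping
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(0, ""))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(ip) & care == to_int(base) & care

def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [ICMP-TYPE]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "port": None, "icmp_type": None}
    rest = tok[4:]
    ace["src"], ace["dst"] = _take_addr(rest), _take_addr(rest)
    while rest:
        t = rest.pop(0)
        if t == "eq":
            ace["port"] = int(rest.pop(0))  # numeric ports only ("www" not modelled)
        elif ace["proto"] == "icmp":
            ace["icmp_type"] = t
    return ace

def ace_matches(ace: dict, p: Packet) -> bool:
    return (ace["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, *ace["src"]) and wildcard_match(p.dst, *ace["dst"])
            and ace["port"] in (None, p.dport)
            and ace["icmp_type"] in (None, p.icmp_type))

def evaluate(acl: list, p: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace["action"]
    return "deny"

# ACL 101 goes 'ip access-group 101 in' on G0/0/1.40 (Sales), ACL 102 'in' on G0/0/1.30.
ACL_101 = [parse_ace(l) for l in """
access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 80
access-list 101 deny tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 443
access-list 101 deny tcp 10.40.0.0 0.0.0.255 host 10.30.0.1 eq 80
access-list 101 deny tcp 10.40.0.0 0.0.0.255 host 10.30.0.1 eq 443
access-list 101 deny tcp 10.40.0.0 0.0.0.255 host 10.40.0.1 eq 80
access-list 101 deny tcp 10.40.0.0 0.0.0.255 host 10.40.0.1 eq 443
access-list 101 deny icmp 10.40.0.0 0.0.0.255 10.30.0.0 0.0.0.255 echo
access-list 101 deny icmp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo
access-list 101 permit ip any any
""".split("\n") if l]
ACL_102 = [parse_ace("access-list 102 deny icmp 10.30.0.0 0.0.0.255 10.40.0.0 0.0.0.255 echo"),
           parse_ace("access-list 102 permit ip any any")]

def r1_inbound(p: Packet) -> str:
    """Apply the ACL bound inbound on the arrival sub-interface (picked by source network here)."""
    if wildcard_match(p.src, "10.40.0.0", "0.0.0.255"):
        return evaluate(ACL_101, p)
    if wildcard_match(p.src, "10.30.0.0", "0.0.0.255"):
        return evaluate(ACL_102, p)
    return "permit"  # VLAN 20 and the G0/0/0 LAN carry no access-group

PCA, PCB = "10.30.0.10", "10.40.0.10"
ping = lambda s, d: Packet("icmp", s, d, icmp_type="echo")
tcp = lambda s, d, port: Packet("tcp", s, d, dport=port)
# The lab's verification table with the presenter's substitutions (web server at
# 10.20.0.5 on VLAN 20, R1 reached at 172.16.1.254 instead of Loopback1).
VERIFICATION = [
    ("PC-A ping PC-B",         ping(PCA, PCB),               "deny"),
    ("PC-A ping R1 10.20.0.1", ping(PCA, "10.20.0.1"),       "permit"),
    ("PC-B ping PC-A",         ping(PCB, PCA),               "deny"),
    ("PC-B ping R1 10.20.0.1", ping(PCB, "10.20.0.1"),       "deny"),
    ("PC-B ping 172.16.1.1",   ping(PCB, "172.16.1.1"),      "permit"),
    ("PC-B https 10.20.0.5",   tcp(PCB, "10.20.0.5", 443),   "deny"),
    ("PC-B https 172.16.1.1",  tcp(PCB, "172.16.1.1", 443),  "permit"),
    ("PC-B ssh 10.20.0.4",     tcp(PCB, "10.20.0.4", 22),    "deny"),
    ("PC-B ssh 172.16.1.254",  tcp(PCB, "172.16.1.254", 22), "permit"),
]

def run_verification() -> dict:
    """Map each test name to True when the modelled ACLs give the lab's expected result."""
    return {name: r1_inbound(p) == expected for name, p, expected in VERIFICATION}
```

Run `run_verification()` to see every row of the table come back True; change the order of the ACEs or drop the final permit to watch first-match and the implicit deny change the outcome.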
Info
Channel: Christian Augusto Romero Goyzueta
Views: 6,214
Keywords: ensa, enterprise networking, security, automation, ccna, version 7, ccna 7, ipv4, ACL, access list, access control list, extended
Id: ooA-Hkxnvd8
Length: 80min 1sec (4801 seconds)
Published: Thu Aug 27 2020