Learn Cisco CLI – Part 13 – Extended Access Lists

In this blog, I’ll walk through configuring routers with IP addresses, enabling Routing Information Protocol version 2 (RIPv2), and setting up extended Access Control Lists (ACLs) to filter traffic. ACLs are crucial in network security because they control which packets are allowed or denied as they traverse network interfaces; extended ACLs can match on protocol, source, destination, and port rather than on source address alone.

The configuration steps I’ll discuss include setting hostnames, assigning IP addresses, enabling interfaces, configuring RIPv2 for routing, and creating extended ACLs to block specific traffic.

EVE-NG LAB SETUP

IP ADDRESSES

Device    Interface   IP Address    Subnet Mask
Router1   Fa0/0       24.17.2.1     255.255.255.240
Router1   S0/0        24.17.2.17    255.255.255.240
Router2   Fa0/0       24.17.2.2     255.255.255.240
Router4   S0/0        24.17.2.18    255.255.255.240

VIRTUALIZED HARDWARE

Device     Image
Routers    Cisco C7200_ADVENTERPRISEK9-M
Switches   Cisco I86BI_LINUXL2-IPBASEK9-M

Command Breakdown

  • access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]: Defines an extended ACL, allowing control over traffic based on protocol, source, destination, and optionally port; the log keyword records each packet that matches the entry.
    • Example: access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log permits only Telnet traffic from a specific subnet and logs each match.
  • clock rate clock-rate: Sets the clock rate on the Data Communications Equipment (DCE) interface, needed for Router1 in this scenario.
  • configure terminal: Enters global configuration mode from privileged EXEC mode.
  • enable: Enters privileged EXEC mode to execute higher-level commands.
  • interface type number: Enters interface configuration mode to configure settings specific to that interface.
  • ip address ip-address subnet-mask: Assigns an IP address and subnet mask to an interface.
  • ip access-group {access-list-number | access-list-name} {in | out}: Applies an ACL to an interface to filter incoming or outgoing traffic.
  • line vty 0 4: Enters configuration mode for virtual terminal (Telnet) lines.
  • login: Enables login authentication for users connecting via Telnet.
  • password password: Configures a password for Telnet login.
  • ping ip-address: Sends ICMP echo requests to verify connectivity to a specific IP address.
  • router rip: Enables Routing Information Protocol (RIP) for dynamic routing.
  • show access-lists: Displays currently configured ACLs on the router.
  • show ip interface: Displays IP information and configurations for interfaces on the router.
  • show running-config: Displays the active configuration on the router.

I start by configuring Router1 with the necessary IP addresses, enabling the interfaces, and configuring the clock rate on the Serial 0/0 interface, which is the DCE end of the link to Router4.

				
Router>enable
Router#configure terminal
Router(config)#hostname Router1
Router1(config)#interface Fa0/0
Router1(config-if)#ip address 24.17.2.1 255.255.255.240
Router1(config-if)#no shutdown
Router1(config-if)#interface S0/0
Router1(config-if)#ip address 24.17.2.17 255.255.255.240
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown

Next, I configure Router2 and Router4 with the appropriate hostnames and IP addresses, and I enable the interfaces.

				
Router>enable
Router#configure terminal
Router(config)#hostname Router2
Router2(config)#interface Fa0/0
Router2(config-if)#ip address 24.17.2.2 255.255.255.240
Router2(config-if)#no shutdown

Router>enable
Router#configure terminal
Router(config)#hostname Router4
Router4(config)#interface S0/0
Router4(config-if)#ip address 24.17.2.18 255.255.255.240
Router4(config-if)#no shutdown

I verify the configuration by pinging Router2 and Router4 from Router1. Both pings should succeed, confirming that the routers are configured correctly.

				
Router1#ping 24.17.2.2
Router1#ping 24.17.2.18

Now, I configure RIP version 2 on Router1, Router2, and Router4 to enable dynamic routing.

				
Router1(config)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 24.0.0.0

Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 24.0.0.0

Router4(config)#router rip
Router4(config-router)#version 2
Router4(config-router)#network 24.0.0.0

After allowing time for the network to converge, I verify that Router4 can ping Router2. The ping should succeed, confirming that RIP is working.

				
Router4#ping 24.17.2.2

I now configure an Extended ACL (101) on Router1. This ACL will only permit Telnet traffic from the network connected to Router1’s Serial 0/0 interface; every other packet is dropped by the implicit deny at the end of the list.

				
Router1(config)#access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log

Next, I create another Extended ACL (102) to permit all traffic from Router1’s FastEthernet 0/0 subnet, allowing it to travel anywhere.

				
Router1(config)#access-list 102 permit ip 24.17.2.0 0.0.0.15 any log

I apply ACL 101 inbound on Router1’s Serial 0/0 interface and ACL 102 inbound on Router1’s FastEthernet 0/0 interface.

				
Router1(config)#interface serial 0/0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#interface fastethernet 0/0
Router1(config-if)#ip access-group 102 in

Now, I verify the functionality of the ACLs. First, I try to ping Router1’s Serial 0/0 interface from Router4. Since only Telnet traffic is allowed, this ping should fail.

				
Router4#ping 24.17.2.17

To test Telnet access, I configure Router1 to allow Telnet logins with the password p4ssw0rd.

				
Router1(config)#line vty 0 4
Router1(config-line)#login
Router1(config-line)#password p4ssw0rd

I then Telnet into Router1 from Router4. The connection should be successful, and the password p4ssw0rd will allow access to Router1.

				
Router4#telnet 24.17.2.17

After testing Telnet access, I return to Router4’s prompt by pressing Ctrl+Shift+6 followed by X, and then I disconnect the session.

				
Router4#disconnect 1

I now test the ACL filtering behavior from Router2. First, I ping Router1’s FastEthernet 0/0 interface, which should succeed because ACL 102 allows all traffic.

				
Router2#ping 24.17.2.1

The ping succeeds because ACL 102 permits all IP traffic from that subnet, ICMP included, so nothing on that interface filters the echo request. Next, I ping Router4’s Serial 0/0 interface, which should fail because the ACL on Router1’s Serial 0/0 interface permits only Telnet (TCP port 23) and blocks everything else.

				
Router2#ping 24.17.2.18

This ping fails because the echo request leaves Router1 unfiltered, but the ICMP echo reply from Router4 arrives inbound on Router1’s Serial 0/0 interface, where ACL 101 permits only TCP Telnet traffic; the reply hits the implicit deny and is dropped, so Router2 never sees a response.
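To check the permit/deny outcomes of the two ACL lines above offline, here is a small Python evaluator I am adding to this post (an added example, not Cisco code and not part of the original lab). It assumes the simplified syntax used in this lab (destination-port matching only, the log keyword ignored) and builds the test packets itself; it also shows a side effect the post does not test: RIPv2 updates (UDP port 520 to 224.0.0.9) from Router4 arriving on Serial 0/0 are dropped by the same implicit deny.

```python
import ipaddress
# Added example, not Cisco code: evaluate the extended-ACL lines used in this
# lab against constructed packets. Handles proto ip/tcp/udp/icmp, "any" or
# "addr wildcard" for each address, an optional "eq <port>" on the destination.
PORT_NAMES = {"telnet": 23, "rip": 520}

def _parse_addr(tokens):
    """Consume one address spec; return (address, wildcard) as 32-bit ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src dst [eq port] [log]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, swild = _parse_addr(rest)
    dst, dwild = _parse_addr(rest)
    # Named ports resolve via PORT_NAMES; numeric ports are taken as-is.
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return (action, proto, src, swild, dst, dwild, dport)

def _match_addr(ip, addr, wild):
    """Wildcard bits set to 1 are 'don't care'; 0 bits must match exactly."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, aproto, asrc, swild, adst, dwild, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if not (_match_addr(src, asrc, swild) and _match_addr(dst, adst, dwild)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit 'deny ip any any' at the end of every Cisco ACL

# The two ACLs from the post, applied inbound on Router1 S0/0 and Fa0/0.
ACL_101 = [parse_ace("access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log")]
ACL_102 = [parse_ace("access-list 102 permit ip 24.17.2.0 0.0.0.15 any log")]
def lab_results():
    """The post's checks as constructed packets hitting Router1's inbound ACLs."""
    return {
        "r4_ping_r1_s0/0": evaluate(ACL_101, "icmp", "24.17.2.18", "24.17.2.17"),
        "r4_telnet_r1": evaluate(ACL_101, "tcp", "24.17.2.18", "24.17.2.17", 23),
        "r2_ping_r1_fa0/0": evaluate(ACL_102, "icmp", "24.17.2.2", "24.17.2.1"),
        "r4_reply_to_r2": evaluate(ACL_101, "icmp", "24.17.2.18", "24.17.2.2"),
        "r4_rip_update": evaluate(ACL_101, "udp", "24.17.2.18", "224.0.0.9", 520),
    }
```

Running lab_results() reproduces the four results in the post (deny, permit, permit, deny) and shows the RIP update from Router4 denied as well; in this topology that has no visible effect because Router4 advertises no networks Router1 does not already have connected, but on a larger network the ACL would need an explicit permit for RIP.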

I verify the configuration by issuing the following commands to display the ACLs applied to the interfaces and their usage statistics.

				
Router1#show running-config
Router1#show ip interface
Router1#show access-lists

These commands display the current configuration and indicate how many packets have been permitted or denied based on the ACLs.
