CCIE Practical Studies, Volume I


Lab 30: Configuring Dynamic Access Lists and Traffic Filters by Using Named Access Lists, Part II

Lab Walkthrough

After completing the physical installation, you should establish IP connectivity among all the routers. Configure OSPF Area 0 on the Ethernet interface of the graceland and wavester routers. Put the serial interface of the wavester into OSPF Area 100. Use the area 100 stub command to make jo_college a stub router. When you have full IP connectivity from the 132.31.5.18 subnet to the 150.10.1.1 subnet, begin to test file transfers.

Configure a workstation as an FTP and TFTP server on the Ethernet segment of the wavester router. Test file transfers with the FTP client software or the router. Ensure that you can transfer files back and forth before proceeding to configure filters. You can download network utilities from http://download.cnet.com/.

The first access list to configure goes on the jo_college router. This access list must allow Telnet, FTP, OSPF, TFTP, and ICMP through it. Place the access list close to the source of traffic that you want to filter, which is the FTP/TFTP client. The named access list should look like Example 14-17.

Example 14-17 IP Named Access List

ip access-list extended allow_filetrans
 permit tcp any any established
 permit tcp 132.31.5.16 0.0.0.15 any eq telnet
 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
 permit ospf any any
 permit udp any any eq tftp
 permit icmp any any echo
 permit icmp any any echo-reply

The first line of the access list allows established connections, that is, TCP segments with the ACK or RST bit set, to pass. The second line allows Telnet access from the 132.31.5.16 subnet to anywhere. The wildcard mask in the second line is derived from laying out the .16 subnet in binary and looking at the significant bits. If you want to allow only the hosts on the .16 subnet, you need to match on the first 4 bits in the fourth octet.

0001 0000 = subnet 16

0000 1111 = wildcard mask = 15

Therefore, the wildcard mask of 0.0.0.15 will allow hosts on subnet 132.31.5.16/27 to pass.

The next three lines are used for FTP access:

permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
permit tcp host 150.10.1.10 132.31.5.16 0.0.0.15 gt 1023

FTP initiates a session from the client to the server on TCP port 21, but it sends data on random ports above 1023. It is a common misconception that FTP uses TCP port 20 to send data. When configuring an access list for FTP, you must allow TCP ports greater than 1023.

The next line in the access list allows OSPF packets, while the following line allows UDP equal to port 69, TFTP. Another common pitfall when writing access lists is to filter the routing protocol. Of course, when this happens, all the routes in the routing table disappear, thereby making it an easy error to spot.

Finally, the last two lines allow ICMP echo and echo-reply. These lines enable you to still ping the remote routers. Apply the filter to the Ethernet interface with the following command:

ip access-group allow_filetrans in

After the access list is applied, try to transfer files to and from the FTP/TFTP server. A live test of the application is the only way to properly test any type of traffic filters.

The next step in the lab is to configure a dynamic access list on the wavester router. This access list must allow Telnet to this router while denying Telnet access to the graceland router. When the user theking authenticates, Telnet access is granted to graceland for 10 minutes. The access list to accomplish this looks like Example 14-18.

Example 14-18 Dynamic Access List on wavester

ip access-list extended allowtelnet
 dynamic allowking timeout 10 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.1 eq telnet
 permit tcp 132.31.5.16 0.0.0.15 host 150.100.100.2 eq telnet
 deny tcp any host 150.10.1.1 eq telnet
 permit ip any any

The first line of the access list is a dynamic command that permits Telnet from the 132.31.5.16/27 subnet to the specific host address of 150.10.1.1. When a user authenticates, this access list stays open for 10 minutes. The next line allows Telnet access to the serial interface of the wavester router, which is needed for authentication to take place. The next line is the line that denies Telnet access from anywhere to the graceland router's Ethernet port. Finally, the last line of the access list will permit any IP traffic. The access list is applied to the serial interface with the ip access-group allowtelnet in command.

The second part of configuring a dynamic access list is to configure a username, password, and autocommand. The autocommand timeout value must match what is used in the dynamic line of the access list, if you are using both timeouts. Example 14-19 shows the username combinations on the wavester router.

Example 14-19 Username Passwords for Dynamic Access Lists

username theking password elvis
username theking autocommand access-enable timeout 10

Before testing the configuration for Telnet access, be sure to configure the routers' vty sessions to support Telnet. To test the dynamic access list, first try to Telnet to the graceland router from the jo_college router. The session should be denied. Next, Telnet to the serial interface of the wavester router and log in as theking with the password elvis. The session should immediately close and return you to the jo_college router. Now, Telnet to the graceland router, and your login will be accepted.
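To see how these two access lists behave without a lab rack, the following Python model evaluates sample packets against Example 14-17 (with the server-to-client FTP line that Example 14-20 adds) and against the dynamic list of Example 14-18. It is an added example, not code from the book or from Cisco IOS, and it simplifies lock-and-key: the access-enable timeout is treated as an absolute limit that opens the dynamic entry only for the host that authenticated, and the parser understands only the keywords this lab uses. The packets are constructed, and matched_range shows the wildcard-mask derivation from the earlier section: 132.31.5.16 0.0.0.15 covers 132.31.5.16 through 132.31.5.31, the 255.255.255.240 subnet configured on the jo_college Ethernet0 interface in Example 14-20.

```python
"""Offline model of this lab's two named access lists. Added example, not code from
the book or from Cisco IOS. Supports only the syntax the lab uses: permit/deny;
tcp/udp/icmp/ospf/ip; any, host and 'addr wildcard'; eq/gt port operators; established;
ICMP type names; and a 'dynamic' entry that lock-and-key opens per source host after
authentication. Every packet evaluated below is a constructed dict, not captured traffic."""
import ipaddress

PORTS, ICMP_TYPES = {"telnet": 23, "ftp": 21, "tftp": 69}, {"echo": 8, "echo-reply": 0}

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matched_range(base, wild):
    """First and last address an 'addr wildcard' pair matches (wildcard 1 bits = don't care)."""
    lo = ip_int(base) & (ip_int(wild) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | ip_int(wild)))

def wildcard_match(addr, base, wild):
    return (ip_int(addr) | ip_int(wild)) == (ip_int(base) | ip_int(wild))

def parse_addr(t):
    """Consume one address spec; return (predicate, remaining tokens)."""
    if t[0] == "any":
        return (lambda a: True), t[1:]
    if t[0] == "host":
        return (lambda a, h=t[1]: a == h), t[2:]
    return (lambda a, b=t[0], w=t[1]: wildcard_match(a, b, w)), t[2:]

def parse_port(t):
    """Consume an optional 'eq X' / 'gt X' operator (port name or number)."""
    if t and t[0] in ("eq", "gt"):
        n = PORTS[t[1]] if t[1] in PORTS else int(t[1])
        return (lambda p, op=t[0], n=n: p == n if op == "eq" else p > n), t[2:]
    return (lambda p: True), t

def parse_entry(line):
    t = line.split()
    e = {"dynamic": None, "timeout": 0}
    if t[0] == "dynamic":                     # dynamic NAME timeout MINUTES <entry>
        e["dynamic"], e["timeout"], t = t[1], int(t[3]) * 60, t[4:]
    e["action"], e["proto"] = t[0], t[1]
    e["src"], t = parse_addr(t[2:])
    e["sport"], t = parse_port(t)
    e["dst"], t = parse_addr(t)
    e["dport"], t = parse_port(t)
    e["established"] = "established" in t
    e["icmp_type"] = next((ICMP_TYPES[x] for x in t if x in ICMP_TYPES), None)
    return e

def entry_matches(e, p):
    if e["proto"] != "ip" and e["proto"] != p["proto"]:
        return False
    if not (e["src"](p["src"]) and e["dst"](p["dst"])):
        return False
    if p["proto"] in ("tcp", "udp") and not (
            e["sport"](p.get("sport", 0)) and e["dport"](p.get("dport", 0))):
        return False
    if e["established"] and not p.get("ack_or_rst"):  # only already-open TCP sessions
        return False
    return e["icmp_type"] is None or e["icmp_type"] == p.get("icmp_type")

class NamedAcl:
    def __init__(self, lines):
        self.entries = [parse_entry(line) for line in lines]
        self.open_until = {}      # source host -> second at which its temporary entry expires

    def access_enable(self, src, now):
        """Model 'autocommand access-enable timeout N' running at a successful login."""
        for e in self.entries:
            if e["dynamic"]:
                self.open_until[src] = now + e["timeout"]

    def evaluate(self, p, now=0):
        for e in self.entries:
            if e["dynamic"] and self.open_until.get(p["src"], -1) <= now:
                continue          # temporary entry not open for this source host
            if entry_matches(e, p):
                return e["action"]
        return "deny"             # the implicit deny that ends every IOS access list

# Example 14-17, including the server-to-client FTP line shown in Example 14-20.
ALLOW_FILETRANS = NamedAcl([
    "permit tcp any any established",
    "permit tcp 132.31.5.16 0.0.0.15 any eq telnet",
    "permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp",
    "permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023",
    "permit tcp host 150.10.1.10 132.31.5.16 0.0.0.15 gt 1023",
    "permit ospf any any",
    "permit udp any any eq tftp",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
])
# Example 14-18; 150.100.100.2 is wavester's Serial0 address from Example 14-20.
ALLOWTELNET = NamedAcl([
    "dynamic allowking timeout 10 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.1 eq telnet",
    "permit tcp 132.31.5.16 0.0.0.15 host 150.100.100.2 eq telnet",
    "deny tcp any host 150.10.1.1 eq telnet",
    "permit ip any any",
])
CLIENT, SERVER, GRACELAND = "132.31.5.18", "150.10.1.10", "150.10.1.1"

if __name__ == "__main__":
    print(matched_range("132.31.5.16", "0.0.0.15"))
    print(ALLOW_FILETRANS.evaluate({"proto": "tcp", "src": CLIENT, "dst": SERVER, "dport": 21}))
    print(ALLOWTELNET.evaluate({"proto": "tcp", "src": CLIENT, "dst": GRACELAND, "dport": 23}))
```

Each evaluate call returns "permit" or "deny", so the same checks the walkthrough performs by hand can be scripted: the FTP control connection passes on the eq ftp line, a passive-mode data connection to a port above 1023 passes on the gt 1023 line, and a client segment toward server port 20 passes only when its ACK bit is set, because nothing but the established line covers it. Two of the pitfalls named above fall out directly as well: a host outside the 0.0.0.15 wildcard range is denied, and a copy of the list without permit ospf any any drops the OSPF packets. For the dynamic list, Telnet to graceland is denied until access_enable has run for that source, permitted for the 10-minute window, and denied again once it expires.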

Example 14-20 shows the complete configurations for the wavester and jo_college routers.

Example 14-20 jo_college and wavester Router Configurations

hostname jo_college
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
!
<<<text omitted>>>
!
interface Ethernet0
 ip address 132.31.5.17 255.255.255.240
 ip access-group allow_filetrans in
 no ip directed-broadcast
!
interface Serial0
 ip address 150.100.100.1 255.255.255.252
 no ip directed-broadcast
!
<<<text omitted>>>
!
router ospf 69
 network 132.31.5.17 0.0.0.0 area 100
 network 150.100.100.1 0.0.0.0 area 100
 area 100 stub
!
ip classless
!
ip access-list extended allow_filetrans
 permit tcp any any established
 permit tcp 132.31.5.16 0.0.0.15 any eq telnet
 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
 permit tcp host 150.10.1.10 132.31.5.16 0.0.0.15 gt 1023
 permit ospf any any
 permit udp any any eq tftp
 permit icmp any any echo-reply
 permit icmp any any echo
!
line con 0
 transport input none
line aux 0
line vty 0 4
end
_______________________________________________________________________
hostname wavester
!
username theking password 0 elvis
username theking autocommand access-enable timeout 10
clock timezone PAC -8
!
interface Ethernet0
 ip address 150.10.1.4 255.255.255.0
!
interface Serial0
 ip address 150.100.100.2 255.255.255.252
 ip access-group allowtelnet in
 no fair-queue
 clockrate 2000000
!
<<<text omitted>>>
!
router ospf 69
 network 150.10.1.4 0.0.0.0 area 0
 network 150.100.100.2 0.0.0.0 area 100
 area 100 stub
!
ip classless
!
ip access-list extended allowtelnet
 dynamic allowking timeout 10 permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.1 eq telnet
 permit tcp 132.31.5.16 0.0.0.15 host 150.100.100.2 eq telnet
 deny tcp any host 150.10.1.1 eq telnet
 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 login local
!
end

