
The Bryant Advantage Ultimate CCNA Lab Workbook

Chris Bryant, CCIE #12933 - www.thebryantadvantage.com

ACLs, Telnet, and Host Tables

Before beginning this lab, a routing protocol must be configured; it should be RIPv2, OSPF, or EIGRP. Each router must be able to ping the loopbacks on each of the other two routers and the Serial interface connected to the Frame Relay cloud. R2's and R3's Ethernet interfaces should be pingable from every router. With the access-list command, configure R1 so that only packets from the 172.12.123.0 /24 network can enter the Serial interface. Test the configuration by sending a ping from R2, first from 172.12.123.2 and then from 2.2.2.2.
R1#conf t
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
< Wildcard masks are used with access lists. There is an implicit deny at the end of every access list; any traffic that is not expressly permitted is implicitly denied. >

R1(config)#interface serial0/0
R1(config-if)#ip access-group 1 in
< Access lists are applied to interfaces with the ip access-group command. The direction the access-list is applied in follows that command. >

A ping will be sent from R2 from two different addresses. A ping such as the ones sent in the labs up to this point is seen by the remote router as having originated from the interface it left the sending router on. For example, running ping 172.12.123.1 from R2 results in a ping with a source address of 172.12.123.2. Since this address falls within the permit statement of the access-list configured above, the traffic is let through at R1's serial interface, and the ping succeeds.
R2#ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!

On R1, run show ip access-list to see matches against every statement in the access-list.
R1#show ip access-list
Standard IP access list 1
permit 172.12.123.0, wildcard bits 0.0.0.255 (5 matches)

The number of matches you see will vary. Remember that routing protocol updates are being permitted as well, not just pings. To send a ping from an IP address other than the exit interface's IP address, use an extended ping.
R2#ping
Protocol [ip]:
Target IP address: 172.12.123.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
U.U.U
Success rate is 0 percent (0/5)

The key is the Extended commands prompt. The default is N, but by answering Y, the source address of the ping can be changed as shown. The ping sent from the loopback address 2.2.2.2 does not get through; that traffic is blocked by the access-list on R1. To see how many packets are denied by a standard ACL, the implicit deny statement must be explicitly configured. show ip access-list will then show the denied packets as well as the permitted ones.
R1#conf t
R1(config)#no access-list 1
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
R1(config)#access-list 1 deny any
< The implicit deny any is expressly configured so packets denied by it will show in show ip access-list, as seen below. >
R1#show ip access-list
Standard IP access list 1
permit 172.12.123.0, wildcard bits 0.0.0.255 (4 matches)
deny any (8 matches)

On R3, write a standard ACL that denies traffic from IP address 1.1.1.1, but permits all other IP traffic with the access-list and ip access-group commands.
R3#conf t
R3(config)#access-list 1 deny 1.1.1.1
R3(config)#access-list 1 perm any
R3(config)#interface serial 0.31
R3(config-if)#ip access-group 1 in

The first line of the ACL denies traffic from 1.1.1.1, and the second permits all other traffic. The order of the lines in an ACL is vital. If these lines were reversed and access-list 1 permit any was the first line, all traffic would be permitted, including traffic from 1.1.1.1. The deny statement would never be reached.


From R1, ping 172.12.123.3, first with a regular ping, then with an extended ping from source 1.1.1.1.
R1#ping 172.12.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
R1#ping
Protocol [ip]:
Target IP address: 172.12.123.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

As expected, the ping from 172.12.123.1 is good, but the ping from 1.1.1.1 was stopped by the ACL on R3.

On R3, run show ip access-list to view the number of packets that have been permitted and denied.
R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (5 matches)
permit any (20 matches)

The pings sourced from 1.1.1.1 were stopped at the serial interface. All other traffic is being permitted. Using an extended ACL on R3, prevent traffic from coming into the router's Ethernet interface if the source is 172.23.23.2 and the destination is 3.3.3.3. To define both a source and a destination in an ACL, an extended ACL must be used. The numeric ranges for extended ACLs are 100-199 and 2000-2699.

R3#conf t
R3(config)#access-list 125 deny ip host 172.23.23.2 host 3.3.3.3
R3(config)#access-list 125 perm ip any any

The first line of the ACL uses the host option. This takes the place of a wildcard mask of 0.0.0.0; that is, the host option means that the IP address that follows it is the only IP address to be affected. It's used twice in this ACL, since a specific source address and a specific destination address are being denied. The second line uses the any option. This takes the place of a wildcard mask of 255.255.255.255. Since any is used twice, once for the source and once for the destination, all traffic is matched by this line. The ACL is then applied to the Ethernet interface. There is now one ACL on the Ethernet interface and one on the serial interface. The rule is that two ACLs can be applied to a single interface, one affecting outgoing traffic and another affecting incoming traffic.
R3(config)#interface ethernet0
R3(config-if)#ip access-group 125 in
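As an added illustration that is not part of the workbook, the following Python models the matching rules this lab relies on: wildcard masks (host = 0.0.0.0, any = 255.255.255.255), top-down first-match ordering, the implicit deny, and the requirement that an extended ACL line match both source and destination. It reuses the ACLs and addresses configured on R1 and R3 above; the match counters are a model of show ip access-list, not real IOS output.

```python
import ipaddress

HOST = "0.0.0.0"          # the 'host' keyword stands for wildcard 0.0.0.0
ANY = "255.255.255.255"   # the 'any' keyword stands for wildcard 255.255.255.255

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w             # the bits this ACL line actually checks
    return (a & care) == (b & care)

def std(action, addr, wc=HOST):
    """Standard ACL line: only the source is inspected, so the destination is 'any'."""
    return (action, addr, wc, "0.0.0.0", ANY)

class Acl:
    """Ordered ACL with per-line match counters, modelled on 'show ip access-list'."""
    def __init__(self, name, lines):
        self.name, self.lines = name, list(lines)
        self.hits = [0] * len(self.lines)
        self.implicit_denies = 0  # IOS shows these only if 'deny any' is configured explicitly

    def check(self, src, dst="0.0.0.0"):
        # Top-down, first match wins; lines below the matching one are never consulted.
        for i, (action, s, swc, d, dwc) in enumerate(self.lines):
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                self.hits[i] += 1
                return action
        self.implicit_denies += 1
        return "deny"

    def show(self):
        return [(line[0], n) for line, n in zip(self.lines, self.hits)]

# R1's access-list 1: a regular ping from R2 sources 172.12.123.2, the extended ping 2.2.2.2
acl1 = Acl("1", [std("permit", "172.12.123.0", "0.0.0.255")])
# R3's access-list 1 as written, and the same two lines in the reversed (wrong) order
r3_acl1 = Acl("1", [std("deny", "1.1.1.1"), std("permit", "0.0.0.0", ANY)])
r3_reversed = Acl("1-reversed", [std("permit", "0.0.0.0", ANY), std("deny", "1.1.1.1")])
# R3's extended access-list 125: source AND destination must both match the deny line
acl125 = Acl("125", [("deny", "172.23.23.2", HOST, "3.3.3.3", HOST),
                     ("permit", "0.0.0.0", ANY, "0.0.0.0", ANY)])

if __name__ == "__main__":
    print(acl1.check("172.12.123.2"), acl1.check("2.2.2.2"))                 # permit deny
    print(r3_acl1.check("1.1.1.1"), r3_reversed.check("1.1.1.1"))           # deny permit
    print(acl125.check("172.23.23.2", "3.3.3.3"),
          acl125.check("172.23.23.2", "172.23.23.3"))                       # deny permit
    print(acl1.show(), "implicit denies:", acl1.implicit_denies)            # [('permit', 1)] implicit denies: 1
```

Note that the reversed list permits 1.1.1.1 outright, and that acl1's implicit deny is counted here only because the model tracks it; on the router that count stays invisible until deny any is configured, as shown earlier.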

From R2, ping 172.23.23.3 and 3.3.3.3 with regular pings. After doing so, run show ip access-list on R3.
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!

The pings to 3.3.3.3 fail, but the pings to 172.23.23.3 succeed. Since the standard ping command was used, the source IP address of the ping is that of the exiting interface, 172.23.23.2.
R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (8 matches)
permit any (70 matches)
Extended IP access list 125
deny ip host 172.23.23.2 host 3.3.3.3 (8 matches)
permit ip any any (386 matches)

Both ACLs configured on R3 are shown. List 125 is denying the specific packets with a source of 172.23.23.2 and a destination of 3.3.3.3. All other packets are going through. When a source and destination are specified, both have to match for that line of the ACL to take effect. On R2, use the ip access-list command to prevent any traffic from the address 3.3.3.3. Apply this named ACL to the Ethernet interface.
R2#conf t
R2(config)#ip access-list standard BLOCKNETWORK3
R2(config-std-nacl)#deny host 3.3.3.3
R2(config-std-nacl)#perm any
R2(config-std-nacl)#interface ethernet0
R2(config-if)#ip access-group BLOCKNETWORK3 in

To configure a named access list, use the ip access-list command, followed by standard or extended, and then the name of the ACL. Make the name intuitive. Apply a named ACL with the ip access-group command, just as if the list were a numbered ACL. From R3, send an extended ping that sources from 3.3.3.3 to 172.23.23.2. When the ping fails, run show ip access-list on R2 to ensure the ACL is blocking the packets.
R3#ping
Protocol [ip]:
Target IP address: 172.23.23.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
..
Success rate is 0 percent (0/5)
R2#show ip access-list
Standard IP access list BLOCKNETWORK3
deny 3.3.3.3 (5 matches)
permit any (18 matches)

The pings with a source address of 3.3.3.3 are blocked by the ACL. On R3, write a standard ACL that permits only host 172.12.123.1, and let the implicit deny block all other addresses. Apply the access-list to the VTY lines with the access-class command so that only this address can telnet into R3. Set a password of CCNA for telnet access.
R3#conf t
R3(config)#access-list 5 permit 172.12.123.1
R3(config)#line vty 0 4
< Configures the VTY lines, used for Telnet access. >
R3(config-line)#login
< Allows login with a password that must be configured under the VTY lines. >
R3(config-line)#password CCNA
< Password to be used for Telnet access. >
R3(config-line)#access-class 5 in
< The access-list is applied to VTY lines with the access-class command. Only the address specified in the ACL will be able to Telnet to this router. >

From R1 and R2, telnet to 172.12.123.3.

R1#telnet 172.12.123.3
Trying 172.12.123.3 ... Open
User Access Verification
Password:
R3>logout
R2#telnet 172.12.123.3
Trying 172.12.123.3 ...
% Connection refused by remote host

From R1, the telnet succeeds. While performing this lab, notice that the password never appears when telnetting to the router, nor does the cursor move. From R2, the telnet attempt fails. The console message is simply that the remote host refused it. It was refused because only R1's serial address is permitted by the ACL applied to the VTY lines; the implicit deny stops all other telnet attempts. The user attempting to connect to R3 is not given any details as to why the telnet attempt was refused. On R3, run show ip access-list.
R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (8 matches)
permit any (430 matches)
Standard IP access list 5
permit 172.12.123.1 (6 matches)
Extended IP access list 125
deny ip host 172.23.23.2 host 3.3.3.3 (18 matches)
permit ip any any (1248 matches)

Note that the permit any statements on the first two ACLs continue to accrue matches as the lab progresses, because routing update packets are being sent around the network. The number and frequency depend on the routing protocol. On R1, use the ip host command to configure the router to telnet to 172.12.123.3 when R3 is typed. (No quotation marks.)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip host R3 172.12.123.3
R1#R3
Trying R3 (172.12.123.3)... Open
User Access Verification
Password:
R3>en
Password:
R3#

After configuring the ip host command, simply entering R3 on R1 will telnet to 172.12.123.3.

Copyright 2011 The Bryant Advantage. All Rights Reserved.
