Note that you will not be testing the access lists because no host resides on any of the segments. Instead, you will configure, apply, and verify that the access lists are configured correctly with the appropriate show commands.
Here are the objectives:
For standard access lists, create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)
For extended access lists, create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:
- Deny http (www) traffic from reaching R5's Token Ring network.
- Deny SMTP traffic from reaching R3's E0 network.
- Permit anything else.
The key terms to recognize in the lab objectives are outgoing and incoming. Remember, these keywords will affect how you build your access lists. Let's configure the standard access list first.
To better understand what you must accomplish with the access lists, refer to the environment in Figure 15-1.
From the lab objectives, you want to do the following:
Create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)
From the figure, you can see that a virtual network (192.168.12.0 /24) exists off R1; you want to keep hosts on that network segment from reaching the Frame Relay network (192.168.100.0 /24). An important issue to point out is that, because this is a standard access list, there is no way to filter on the destination address. So, when you configure the access list to filter on the source IP address of 192.168.12.0 /24, you will stop that traffic from going to the Frame Relay network, as well as all other networks behind R2's S0, the interface on which you are going to apply the access list.
Because it is an outgoing access list, you will create the access list with the source address of the network 192.168.12.0 to be denied, but you will allow all other traffic to pass. Remember, there is an implicit deny after all access lists. Create the access list on R2, as demonstrated in Example 15-1.
Termserver# 2
[Resuming connection 2 to r2 ... ]
R2# config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)# access-list 1 deny 192.168.12.0 0.0.0.255
R2(config)# access-list 1 permit any
R2(config)#
The most important aspect of the access-list command is the wildcard mask portion. It tells the router which bits of the address must match and which are ignored. The first three zeros in the wildcard mask (0.0.0) signify that the first three octets of the source IP address of a packet must match the first three octets of the address configured in the statement (192.168.12). The final .255 portion of the mask signifies that the fourth octet of the source IP address is not examined at all. In other words, any packet whose source IP address begins with 192.168.12 will be matched by the statement and, therefore, denied, regardless of the fourth octet of the source IP address (0 to 255). The second line of the access list simply permits all other traffic. Without that statement, all IP traffic would be blocked because of the implicit deny at the end of every access list.
The second step in configuring the access list is to apply it to the appropriate interface. From the lab objectives, you want to apply this access list on the S0 interface of R2 and have it check outgoing packets. To apply the access list, enter interface configuration mode for S0 and use the ip access-group command. Example 15-2 illustrates how to apply the access list to the interface.
R2(config)# int s0
R2(config-if)# ip access-group 1 out
R2(config-if)#
This configuration applies access-list 1 to all outgoing packets on R2's S0 interface. Because you do not have any hosts off 192.168.12.0, you cannot verify that it is working properly. However, you can use some show commands to make sure that the access list has been applied correctly on the interface.
The first show command is this one:
Router# show ip access-lists [number]
The only option here is to specify the specific access list number that you want to see. If no number is specified, all access lists are shown. Example 15-3 shows sample output from this command.
R2(config-if)# end
R2# show ip access-lists
Standard IP access list 1
    deny   192.168.12.0, wildcard bits 0.0.0.255
    permit any
R2#
This show command reveals all the important information:
- Whether it is a standard or an extended IP access list
- The access list number
- All the configured statements for that access list
You configured only one access list, so the output shows information for just access-list 1 that you configured in Example 15-1.
Another useful show command is this one:
Router# show ip interface [ interface-type ] [ interface-number ]
The optional arguments let you limit the output to a single interface by specifying its type and number.
Because you have only one access list configured on S0, use that as an example. Example 15-4 demonstrates this command.
R2# show ip interface s0
Serial0 is up, line protocol is up
  Internet address is 192.168.100.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 1
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  Web Cache Redirect is disabled
  BGP Policy Mapping is disabled
R2#
The command output contains a great deal of useful information, but the focus here is on which IP access lists are configured for this interface. The two lines "Outgoing access list is 1" and "Inbound access list is not set" tell you quickly which access list(s) have been applied and whether each is an incoming or an outgoing access list.
Before moving on to configure the extended access list, take a look at the running configuration of R2 to see where the access list configuration commands are placed in the file. Example 15-5 displays the output of the running configuration file.
Termserver# r2
Trying r2 (192.168.10.10, 2002)... Open
R2# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
enable password falcons
!
username all
ip subnet-zero
no ip domain-lookup
ip host R1 192.169.1.1
ip host R2 192.169.2.2
ip host R3 192.169.3.3
ip host R4 192.169.4.4
ip host R5 192.169.5.5
ip host R6 192.169.6.6
ipx routing 0000.0000.2222
!
!
!
interface Loopback0
 ip address 192.169.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2100
!
interface Ethernet1
 description This interface does not connect with another IP device
 ip address 192.168.2.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2000
!
interface Serial0
 description This interface connects to R3's S0 (201)
 ip address 192.168.100.2 255.255.255.0
 ip access-group 1 out
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 ipx network 1000
 frame-relay map ip 192.168.100.3 201 broadcast
 frame-relay map ip 192.168.100.4 201 broadcast
 frame-relay map ipx 1000.0000.0000.4444 201 broadcast
 frame-relay map ipx 1000.0000.0000.3333 201 broadcast
 frame-relay lmi-type ansi
!
router eigrp 100
 redistribute rip metric 2000 200 255 1 1500
 network 192.168.100.0
!
router rip
 redistribute eigrp 100 metric 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.169.2.0
!
ip classless
!
access-list 1 deny   192.168.12.0 0.0.0.255
access-list 1 permit any
!
!
!
banner motd ^CCCC
This is Router 2
^C
!
line con 0
 exec-timeout 0 0
 password falcons
 logging synchronous
 transport input none
line vty 0 4
 password falcons
 login
!
end
R2#
From the running configuration, you can see that the ip access-group 1 out command is located under the configuration of interface Serial0, and that the access-list definition lines are placed toward the end of the configuration file.
The process of configuring extended access lists is much the same as that for standard access lists, except for the additional options to provide with the command. Figure 15-2 illustrates the environment that the access list should create.
From the lab objectives, you want to create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:
- Deny http (www) traffic from reaching R5's Token Ring network.
- Deny SMTP traffic from reaching R3's E0 network.
- Permit anything else.
This extended access list is a little different from the standard access list. You will be filtering on the destination network address instead of the source address, and you want to filter only certain services (HTTP and SMTP), not all traffic destined to these networks. Look at each requirement for the access list individually.
The first criterion is to deny TCP HTTP traffic (port 80) from reaching the Token Ring network on R5. The network address for the network is 192.168.50.0, and the wildcard mask is 0.0.0.255 because you want to match the entire network on R5's To0. Use 101 as the access list number for the extended access list. Example 15-6 demonstrates the configuration of the first line of the access list on R3.
Termserver# 3
[Resuming connection 3 to r3 ... ]
R3# config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)# access-list 101 deny tcp any 192.168.50.0 0.0.0.255 eq 80
R3(config)#
Because you are not concerned about the source IP address, you can use the any keyword, meaning that a packet from any source will be filtered if its destination IP address falls within the network defined by the destination address and wildcard mask. Note that the port in the access list may be given either as the port number (80) or as the name for that port (www). With the first criterion complete, look at the second portion of the access list requirement.
TIP
The well-known industry name for TCP port 80 is http, but Cisco has used www in the Cisco IOS Software code. As a practical tip, use the port numbers instead of well-known port names when configuring access lists, in case Cisco changes the well-known names in the IOS Software code.
The second criterion is to deny TCP SMTP traffic (port 25) from reaching R3's E0 network. The network address is 192.168.3.0, and the wildcard mask is 0.0.0.255 because you want to match against the entire network on R3's E0. To add to the access list, you only need to use the same access list number as previously used, 101. Remember to permit all other traffic! Example 15-7 shows the commands on R3.
R3(config)# access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 25
R3(config)# access-list 101 permit ip any any
R3(config)#
The final command line permits all IP traffic, coming from anyone and going to anyone. That is why you use any for both the source and the destination addresses.
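To make the wildcard-mask matching described for access-list 1 and the first-match, implicit-deny evaluation of access-list 101 concrete, here is a small simulator written for this page (it is not Cisco IOS code and not part of the lab). The two access lists are transcribed from Examples 15-1, 15-6 and 15-7; the packets fed to it are constructed, since the lab has no hosts on these segments.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the wildcard means that bit of
    addr must equal base; a 1 bit means the bit is not examined."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def entry_matches(entry, pkt):
    """One access-list entry against one packet. entry holds: action, proto
    ('ip' matches every protocol), src/dst as (base, wildcard) or 'any',
    and an optional dst_port (the 'eq' keyword)."""
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        spec = entry[side]
        if spec != "any" and not wildcard_match(pkt[side], *spec):
            return False
    if "dst_port" in entry and entry["dst_port"] != pkt.get("dst_port"):
        return False
    return True

def evaluate(acl, pkt):
    """The first matching entry decides; with no match the implicit deny applies."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"  # implicit deny at the end of every access list

# R2: access-list 1 deny 192.168.12.0 0.0.0.255 / access-list 1 permit any
ACL_1 = [
    {"action": "deny", "proto": "ip", "src": ("192.168.12.0", "0.0.0.255"), "dst": "any"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
# R3: access-list 101 deny tcp any 192.168.50.0 0.0.0.255 eq 80
#     access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 25
#     access-list 101 permit ip any any
ACL_101 = [
    {"action": "deny", "proto": "tcp", "src": "any", "dst": ("192.168.50.0", "0.0.0.255"), "dst_port": 80},
    {"action": "deny", "proto": "tcp", "src": "any", "dst": ("192.168.3.0", "0.0.0.255"), "dst_port": 25},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
```

Running constructed packets through ACL_1 shows the side effect noted earlier: a source in 192.168.12.0/24 is denied to every destination behind R2's S0, not only the Frame Relay network, because a standard list cannot look at the destination.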
Now that the access list is configured with the correct filtering criteria, apply it to R3's S0 interface as an incoming access list. Example 15-8 demonstrates how to do this.
R3(config)# int s0
R3(config-if)# ip access-group 101 in
R3(config-if)#
Remember to match the ip access-group command with the correct access list number (101) that you want to apply to the interface. The in option tells the router to apply this access list to any incoming packets.
Now take a look at the interface to make sure that the configuration is correctly applied. Example 15-9 shows the output from the show ip interface s0 command.
R3(config-if)# end
R3# show ip interface s0
Serial0 is up, line protocol is up
  Internet address is 192.168.100.3/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is enabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP multicast fast switching is enabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
R3#
The line "Inbound access list is 101" confirms that the correct access list has been applied as an incoming access list. Because you do not have any Web or mail hosts on these segments, you will not be able to test the access lists. However, the configurations are correct, and you have completed the lab objectives for this chapter.