Lab 30: Configuring Dynamic Access Lists and Traffic Filters by Using Named Access Lists, Part I

Practical Scenario

As more networks grow together, either by the Internet or internally, you will be required to control access to them. The best way to control access is not to advertise the private subnet with a routing protocol. However, IP access might be required at times, so you will have to advertise your networks with a routing protocol. To control access at the packet level, you will have to use an access list.

Lab Exercise

The upstart company Wavester.com provides secure FTP and TFTP access to its huge MP3 archive. Many universities were experiencing high and expensive Internet usage. To the delight of the students, Wavester now offers direct T1 access to its archives. In this lab, you will configure a T1 to the Wavester site. The only protocols that can travel across the link are FTP, TFTP, ping, and routing protocols. Place this filter in the most effective location using the following criteria:

- OSPF is the routing protocol. All new sites are to be configured as stub areas.
- Control traffic so that only FTP, TFTP, and ping go across the serial link. Allow FTP access only to the server 150.10.1.10 from the 132.31.5.16/27 subnet.
- Use named access lists.
- Configure an access list that denies Telnet access to graceland until a user authenticates with the wavester router. Then allow access only from the 132.31.5.16/27 subnet.

Lab Objectives

- Configure the network as depicted in Figure 14-7. Use OSPF as the routing protocol. Configure the router jo_college to be in a stub area.

Figure 14-7. Wavester.com Network

- Allow only Telnet, FTP, TFTP, ping, and routing protocols to cross the serial link. Allow FTP access only to the server 150.10.1.10.
- Configure another access list on wavester that prevents Telnet to the graceland router from the 132.31.5.16 subnet. When the user theking with password elvis authenticates with wavester, Telnet access from the 132.31.5.16/27 subnet will be allowed into graceland. The authentication should expire 10 minutes from login.

Equipment Needed

- Three Cisco routers. Two of the routers should be connected through V.35 back-to-back cables or in a similar manner.
- Two LAN segments, provided through hubs or switches.
- Two workstations for testing FTP and TFTP file transfers. Use software found at http://download.cnet.com/ for the FTP and TFTP clients and servers. FTP uses different ports to send data than it does for its initial connection. Applying your filter to a live FTP client and server environment will manifest errors that you will not see without a live connection. Remember that the router will source its packets from the interface closest to the destination, so workstations are required for proper testing of access lists.

Physical Layout and Prestaging

- Connect the hubs and serial cables to the routers, as shown in Figure 14-7.
- Simulate the LAN segments, as shown in Figure 14-7.
- Attach a workstation to the Ethernet segment of the wavester router. This workstation will serve as the FTP and TFTP server. Attach another workstation to the Ethernet segment of the jo_college router to serve as the FTP and TFTP client. You can download network utilities from http://download.cnet.com/.
- The router can also be used to test TFTP, but be aware of where it sources its packets from, because this will affect where you place your filters.
- Use OSPF as the routing protocol. Place the graceland router and the wavester router into Area 0, and put the jo_college router into stub Area 100. Ensure full IP connectivity before applying any filters.
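One configuration that meets both the traffic-filter and the lock-and-key criteria above, as an added example rather than the lab's own solution. It assumes the filter is applied inbound on wavester's serial interface (named Serial0 here), that the workstation 150.10.1.10 is the TFTP server as well as the FTP server, and it uses the placeholders GRACELAND_IP and WAVESTER_SERIAL_IP for addresses that only Figure 14-7 supplies.

```cisco
! Added example, not the lab's solution. Placeholders: Serial0, GRACELAND_IP,
! WAVESTER_SERIAL_IP. Only 150.10.1.10 and 132.31.5.16/27 come from the lab text.
username theking password elvis
!
ip access-list extended WAVESTER_SERIAL_IN
 remark Routing protocol: OSPF (IP protocol 89)
 permit ospf any any
 remark Ping in both directions
 permit icmp any any echo
 permit icmp any any echo-reply
 remark FTP control channel (port 21) to the archive server only
 permit tcp 132.31.5.16 0.0.0.31 host 150.10.1.10 eq ftp
 remark Active FTP: the server opens the data channel from port 20 toward the
 remark client, so only the client's replies (ACK set) arrive inbound here
 permit tcp 132.31.5.16 0.0.0.31 host 150.10.1.10 eq ftp-data established
 remark Passive FTP: the client opens the data channel to an ephemeral server port
 permit tcp 132.31.5.16 0.0.0.31 host 150.10.1.10 gt 1023
 remark TFTP: the request goes to port 69, then the transfer moves to ephemeral ports
 permit udp any host 150.10.1.10 eq tftp
 permit udp any host 150.10.1.10 gt 1023
 remark Lock-and-key: Telnet to graceland from 132.31.5.16/27 opens only after a
 remark user authenticates; the absolute timeout expires it 10 minutes after login
 dynamic TELNET_GRACELAND timeout 10 permit tcp 132.31.5.16 0.0.0.31 host GRACELAND_IP eq telnet
 remark The Telnet session used to authenticate with wavester itself
 permit tcp 132.31.5.16 0.0.0.31 host WAVESTER_SERIAL_IP eq telnet
 remark Everything else is dropped and logged (the implicit deny made visible)
 deny ip any any log
!
interface Serial0
 ip access-group WAVESTER_SERIAL_IN in
!
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! Verify with: show access-lists WAVESTER_SERIAL_IN
! The temporary entry for the authenticated host appears under the dynamic line.
```

The `gt 1023` entries are the cost of filtering passive FTP and TFTP statelessly; a reflexive access list tightens them. Because every vty line runs the autocommand, keep the console (or a separate vty) free for administering wavester.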