Protecting CLI Access 1

certskills
By certskills May 13, 2016 09:05

 

Routers support a method to filter incoming Telnet and SSH connections to that router. That method uses ACLs, but not to filter packets coming in each and every interface, but with a configuration method tied to the vty lines that support Telnet and SSH connections. Today’s lab lets you practice configuring and enabling this feature.

 

Requirements

Protect access to the CLI of all four routers in the topology, but without using the ip access-group command to enable an ACL on an interface. That is, protect access to the vty lines. The specific rules for this lab are:

  • Protect SSH and Telnet access into all routers with these criteria:
    • Use the same matching logic for all routers
    • Allow hosts from the management subnet (with the PC labelled “M”), and from that subnet only
    • Use standard numbered ACL 1
  • Assumptions:
    • All device interfaces shown in the lab are up and working
    • IP routing is configured and working correctly
    • With the initial configuration, users at all PCs in the figure could could successfully Telnet or SSH to each router, using username/password device/access

Figure 1: Management Access

Initial Configuration

Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, R3 and R4.

Example 1: R1 Config

 

Example 2: R2 Config

 

Example 3: R3 Config

 

Example 4: R4 Config

 

Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with VIRL or real gear, you can attempt to access (via telnet) any of the routers from any device other then the Manager; they should all be refused. If you want to test with SSH on VIRL using the included file you will need to first run the crypto key generate rsa modulus 2048 command to generate the RSA key-pair on each router (this command is not saved as part of the configuration file). The SSH command to test from ubuntu is ssh -l device ip_address.

.

Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

The virl topology matches this lab topology exactly. The host info does as well.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device

IP Address

User/password

manager

172.16.1.2

cisco/cisco

PC2

172.16.2.2

cisco/cisco

PC3

172.16.3.2

cisco/cisco

PC4

172.16.4.2

cisco/cisco

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: telnet 10.1.1.1

Answers: EIGRPv6 for IPv6 #2
Answers: Protecting CLI Access 1
certskills
By certskills May 13, 2016 09:05
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories