Answers: Protecting CLI Access 2

certskills
By certskills August 31, 2016 09:10

This lab was pretty direct: configure an ACL and use it to protect CLI access rather than to filter packets being routed by the router. You know the drill – read lab, do lab, check here.

Answers

Figure 1: Topology and Addresses for this Lab

Example 1: R1 Config

Example 2: R2 Config

Commentary

For this lab we are focused on controlling access to the virtual lines of a device. Whether a specific device has Telnet or SSH enabled by default on the virtual lines depends on the type of device and the version of code. In the past it was common for all input protocols to be permitted by default, but on newer versions of code it has become common for all methods to be disabled by default. For this lab, Telnet access was enabled as part of the initial configuration, and your task was to alter which devices were able to connect to each respective router.

For this lab you were tasked with configuring R1 to not allow Telnet access to itself from R2’s LAN, and configuring R2 to not allow Telnet access to itself from R1’s LAN. There are two methods to achieve this: using ACLs to filter traffic entering and exiting Layer 3 interfaces, or applying an access list directly to the virtual lines. This lab specifically asked you to limit terminal access, so the configuration enables the ACLs with the access-class 1 in command in VTY configuration mode on each router.

Per the requirements, R1 needs to prevent incoming Telnet/SSH attempts from hosts in R2’s LAN subnet, which is 20.20.20.0/24. R1 can use a standard ACL (as shown in Example 1), with a deny command matching all hosts in that subnet (access-list 1 deny 20.20.20.0 0.0.0.255). Then, to permit all other traffic, which completes the requirements, the ACL ends with access-list 1 permit any.

R2’s ACL follows a similar line of thought. It first denies all packets with a source address from within subnet 10.10.10.0/24 (access-list 1 deny 10.10.10.0 0.0.0.255). It then permits all other packets.
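To make the matching logic concrete, here is an added Python model of how IOS evaluates a standard ACL applied to the VTY lines with access-class ... in. It is not IOS output and not the lab's own config: it parses the access-list commands quoted in the commentary above (R1 denying 20.20.20.0/24, R2 denying 10.10.10.0/24, each followed by permit any), applies first-match semantics with the implicit deny at the end, and reports whether a given source address would reach the VTY. The VTY range line vty 0 4 is an assumption (the lab only says "VTY configuration mode"), and the extra LOCKOUT_CONFIG is a constructed example that goes beyond the lab to show what happens when the permit any line is forgotten.

```python
import ipaddress

# Constructed configurations reproducing the commands the commentary describes.
# "line vty 0 4" is assumed; the lab itself only refers to VTY configuration mode.
R1_CONFIG = """
access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 permit any
line vty 0 4
 access-class 1 in
"""

R2_CONFIG = """
access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 permit any
line vty 0 4
 access-class 1 in
"""

# Constructed mistake: the deny line without a trailing "permit any". Because every
# ACL ends with an implicit deny, this locks every source out of the VTY lines.
LOCKOUT_CONFIG = """
access-list 2 deny 20.20.20.0 0.0.0.255
line vty 0 4
 access-class 2 in
"""

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(config, number):
    """Return the entries of numbered standard ACL `number` as (action, address, wildcard).

    Supports the usual standard-ACL spellings: "permit|deny A.B.C.D W.W.W.W",
    "permit|deny A.B.C.D" (wildcard defaults to 0.0.0.0), "permit|deny host A.B.C.D"
    and "permit|deny any". Addresses and wildcards are returned as 32-bit ints.
    """
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACL line: {raw!r}")
        if parts[3] == "any":
            entries.append((action, 0, ALL_ONES))  # all wildcard bits set: matches anything
        elif parts[3] == "host" and len(parts) > 4:
            entries.append((action, int(ipaddress.IPv4Address(parts[4])), 0))
        else:
            address = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
            entries.append((action, address, wildcard))
    return entries


def access_class_number(config):
    """Return the ACL number applied inbound with "access-class <n> in" under "line vty"."""
    in_vty = False
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:2] == ["line", "vty"]:
            in_vty = True
        elif parts and not raw.startswith(" "):
            in_vty = False  # an unindented command leaves line sub-mode
        if in_vty and len(parts) == 3 and parts[0] == "access-class" and parts[2] == "in":
            return int(parts[1])
    return None


def vty_access_allowed(config, source_ip):
    """Decide whether a Telnet/SSH connection from `source_ip` is accepted on the VTY lines.

    Entries are tested top-down and the first match decides; a source that matches no
    entry hits the implicit deny at the end of the ACL. With no access-class applied,
    the VTY accepts every source.
    """
    number = access_class_number(config)
    if number is None:
        return True
    src = int(ipaddress.IPv4Address(source_ip))
    for action, address, wildcard in parse_standard_acl(config, number):
        # A wildcard bit of 1 means "don't care"; only the bits where it is 0 are compared.
        care = ALL_ONES & ~wildcard
        if src & care == address & care:
            return action == "permit"
    return False  # implicit deny any


if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("R2", R2_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        for host in ("10.10.10.1", "20.20.20.1", "192.0.2.10"):
            verdict = "permit" if vty_access_allowed(cfg, host) else "deny"
            print(f"{name}: VTY login from {host} -> {verdict}")
```

Running the block prints a verdict per router and source: R1 rejects anything from 20.20.20.0/24 and accepts the rest, R2 does the same for 10.10.10.0/24, and the lockout config rejects every source, which is the failure to watch for when the access-class is applied before the permit any line has been entered.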


7 Comments

  1. Yeah Mate February 27, 00:37

    I love these blogs, Wendell!

  2. Malik March 1, 01:42

    Thank you Wendell, I love your blog

  3. dell August 22, 00:32

    I just want to say thank you, Mr Odom, for resources like this. I love this blog and all of your books. Those resources really helped me a lot in my CCNA studies.

  4. mansoor February 21, 12:28

    Hi Mr Wendell,

    These are really great labs. Just had one question. If we enabled it on the L3 interface, would it not be better, instead of going through the router processing as in your example? Also, from an exam perspective, does my point give more score? Just a thought. Appreciate your work. Cheers.

    • CCENTSkills March 7, 09:56

      Hi Mansoor,
      First question: I can see arguments for both options working well. I personally think that the advantages of filtering at the VTY outweigh the advantages of filtering on the L3 interfaces. It’s much easier to do correctly using the VTY. More likely to pass a security audit.
      As for the exam and exam points, I don’t think you get an advantage. It’s not a design test where you’re weighing design alternatives and then configuring them. It’s a bit more straightforward than that.
      Hope that helps! And glad you like the labs.
      Wendell
