Protecting CLI Access 2

certskills
By certskills August 29, 2016 09:05

This latest lab is relatively straightforward while being very useful. Many enterprises make a habit of adding an ACL to filter inbound Telnet and SSH attempts into a router or switch. Today’s lab gives you a chance to work through the process with a simple example.

Requirements

Configure logging on the devices shown in the figure. The specific rules for this lab are:

  • Configure and apply an ACL (1) on R1 to block terminal line access coming from the 20.20.20.0/24 network
  • Configure and apply an ACL (1) on R2 to block terminal line access coming from the 10.10.10.0/24 network
  • Assumptions:
    • All router interfaces shown in the lab are up, working and correctly configured with IP addresses
    • IPv4 routing is configured correctly
    • Telnet access has been configured and is functional before you begin the lab

 

Figure 1: Topology and Addresses for this Lab

 

Initial Configuration

Examples 1 and 2 show the beginning configuration state of R1 and R2.

Example 1: R1 Config

 

Example 2: R2 Config

 

Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with VIRL or real gear, you can verify by attempting to telnet from the 10.10.10.0/24 or 20.20.20.0/24 networks to their appropriately blocked device. Of course, you can put a device or VM into those subnets to test. However, you can also test from the opposite router by making the IOS telnet command use a different source interface for its packets. You can do this directly from the IOS interface using the telnet host /source-interface interface command. For instance, on router R2, the command telnet 192.168.1.1 /source-interface g0/2 would Telnet to router R1 from R2’s G0/2 interface IP address of 20.20.20.1, which would test R1’s ACL logic.

 

Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

All interfaces in topology match the lab figure.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address User/password
PC1 10.10.10.2 cisco/cisco
PC2 20.20.20.2 cisco/cisco

 

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: telnet 10.1.1.1

Answers: SNMPv3 1
Local Span 1
certskills
By certskills August 29, 2016 09:05
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories