Protecting CLI Access 2

This latest lab is relatively straightforward while being very useful. Many enterprises make a habit of adding an ACL to filter inbound Telnet and SSH attempts into a router or switch. Today’s lab gives you a chance to work through the process with a simple example.
Requirements
Configure the devices shown in the figure to filter terminal line (vty) access. The specific rules for this lab are:
- Configure and apply an ACL (1) on R1 to block terminal line access coming from the 20.20.20.0/24 network
- Configure and apply an ACL (1) on R2 to block terminal line access coming from the 10.10.10.0/24 network
- Assumptions:
  - All router interfaces shown in the lab are up, working and correctly configured with IP addresses
  - IPv4 routing is configured correctly
  - Telnet access has been configured and is functional before you begin the lab
Figure 1: Topology and Addresses for this Lab
Initial Configuration
Examples 1 and 2 show the beginning configuration state of R1 and R2.
Example 1: R1 Config
hostname R1
!
enable secret cs
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
router eigrp 10
 network 0.0.0.0
!
line vty 0 4
 password cs
 login
 transport input telnet
Example 2: R2 Config
hostname R2
!
enable secret cs
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
!
interface GigabitEthernet0/2
 ip address 20.20.20.1 255.255.255.0
 no shutdown
!
router eigrp 10
 network 0.0.0.0
!
line vty 0 4
 password cs
 login
 transport input telnet
Answer on Paper, or Maybe Test in Lab
Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.
To test your solution if you happen to try it with CML/VIRL or real gear, you can verify by attempting to telnet from the 10.10.10.0/24 or 20.20.20.0/24 networks to the router that should block that source. Of course, you can put a device or VM into those subnets to test. However, you can also test from the opposite router by making the IOS telnet command use a different source interface for its packets. You can do this directly from the IOS CLI using the telnet host /source-interface interface command. For instance, on router R2, the command telnet 192.168.1.1 /source-interface g0/2 would Telnet to router R1 from R2’s G0/2 interface IP address of 20.20.20.1, which would test R1’s ACL logic.
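Before touching gear, it helps to check on paper which sources a candidate ACL would permit on the vty lines. The following is an added Python model (not part of the lab or Cisco's software) that parses IOS numbered standard ACL lines and evaluates them the way access-class in does: first match wins, with the implicit deny at the end. The ACL text R1_ACL_1 is a constructed candidate for R1, assumed for the example; R2's ACL is the mirror image with 10.10.10.0/24.

```python
import ipaddress

# Constructed candidate ACL 1 for R1 (an assumption for this example, not the
# lab's answer key): deny the 20.20.20.0/24 network, permit everyone else.
R1_ACL_1 = """
access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 permit any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_standard_acl(text):
    """Parse numbered standard ACL lines into an ordered list of (action, network)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore blank lines and anything that is not an ACL entry
        action = parts[2]
        if parts[3] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[3] == "host":
            net = ipaddress.ip_network(parts[4] + "/32")
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = host
            net = wildcard_to_network(parts[3], wildcard)
        entries.append((action, net))
    return entries

def vty_access_allowed(entries, source_ip):
    """Evaluate the ACL as 'access-class <n> in' does: first match wins, implicit deny."""
    src = ipaddress.ip_address(source_ip)
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False  # the implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    acl = parse_standard_acl(R1_ACL_1)
    # Sources from the lab topology: R2's G0/2 and PC2 should be denied, the rest permitted
    for src in ("20.20.20.1", "20.20.20.2", "10.10.10.2", "192.168.1.2"):
        print(src, "permitted" if vty_access_allowed(acl, src) else "denied")
```

Running the same check against an ACL that omits the trailing permit any shows the classic mistake: only the implicit deny remains, and every source, including your own management station, is locked out.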
Do this Lab with Cisco’s CML (Formerly VIRL)
You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.
Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.
All interfaces in topology match the lab figure.
Host device info:
This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.
Device | IP Address | User/password
PC1 | 10.10.10.2 | cisco/cisco
PC2 | 20.20.20.2 | cisco/cisco
Handy Host Commands:
To see PC IP address: ifconfig eth1
Ping example: ping -c 4 10.1.1.1
Trace example: tracepath 10.1.1.1
To connect to another node within the topology: telnet 10.1.1.1