This shows you the differences between two versions of the page.
sred:laborator_1._acl [2021/10/22 17:21] horia.stoenescu [Setup] |
sred:laborator_1._acl [2022/10/14 23:55] (current) horia.stoenescu [Setup] |
Line 7: | Line 7: | ||
=== Local host prerequisites === | === Local host prerequisites === | ||
- | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]]. | + | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. |
+ | You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | ||
For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]]. | For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]]. | ||
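Review bot: the vnc viewer link in the added sentence is the RealVNC Windows download page (`.../viewer/windows/`) while the sentence addresses both Windows and MacOS users; link the platform-neutral viewer download page or put the macOS one beside it. The same applies to putty: it is a Windows client, so MacOS readers need to be told what to use for the Cisco routers/switches instead of being handed a link they cannot use.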
Line 30: | Line 31: | ||
- add routes to make sure the endpoints can ping each other | - add routes to make sure the endpoints can ping each other | ||
+ | |||
+ | <note tip> | ||
+ | In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]] | ||
+ | </note> | ||
**Topology**: | **Topology**: | ||
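Review bot: the new tip is a syntax reminder only; the checklist item it follows ("add routes to make sure the endpoints can ping each other") still names no acceptance check. Suggest stating which pings must succeed (each endpoint to the one on the far side of the router) before the reader moves on to the topology, since every reflexive ACL match counted later in the lab assumes that base reachability is already in place.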
Line 291: | Line 296: | ||
permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | ||
</code> | </code> | ||
- | |||
- | |||
- | **Exercise**: do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server). | ||
<note> | <note> | ||
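Review bot: removing the HTTP/8080 exercise here is fine only because it reappears under the Exercises heading further down; check that the relocated text still gives the reader the two things it relied on at this position: the reflexive entry format shown just above (`permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247)`) and the reason the HTTP entry disappears far sooner than the ICMP one (the client-server session ending, not the idle timer counting down). A short "compare with the ICMP entry above" in the moved version would keep that link.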
Line 330: | Line 332: | ||
10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | ||
| | ||
- | # apply again ONLY_CLIENT1 to in and ICMP_OUT_CLIENT to out on e1/1 | + | # apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1 |
</code> | </code> | ||
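Review bot: the corrected comment is the right fix: ICMP_OUT_CLIENT is the reflexive list and is only consulted through the `evaluate` in TO_CLIENT_LAN, so TO_CLIENT_LAN is what is applied outbound on e1/1. Because the previous revision made exactly that mistake in a `#` comment, say it in prose above the code block as well (the reflexive list is not applied to the interface itself, only the extended ACL that evaluates it), so the constraint is not buried in a comment. Minor: "see the active between ()" on entry 10 would read better as "note the (active) flag".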
Line 346: | Line 348: | ||
</code> | </code> | ||
- | **Exercise**: add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry. | + | <note> |
- | Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | + | If the current time is out of range, then the acl entry is marked as **inactive**: |
+ | <code> | ||
+ | cisco_7200(config-if)#do sh ip access ONLY_CLIENT1 | ||
+ | Extended IP access list ONLY_CLIENT1 | ||
+ | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches) | ||
+ | |||
+ | # see the time | ||
+ | Router(config-if)#do sh clock | ||
+ | *00:00:24.148 UTC Tue Oct 5 2021 | ||
+ | Router(config-if)# | ||
+ | Router(config-if)#do sh time-range PERIODIC | ||
+ | time-range entry: PERIODIC (inactive) | ||
+ | periodic weekdays 13:00 to 23:59 | ||
+ | used in: IP ACL entry | ||
+ | </code> | ||
+ | </note> | ||
b. using **lock-and-key**: | b. using **lock-and-key**: | ||
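Review bot: the `show clock` output in the added note starts with `*`, which on IOS marks the clock as not authoritative (never set with `clock set` or synced via NTP), so the time the router judges the time-range against may not be the wall-clock time the lab intends; the note should tell the reader to set the clock before trusting active versus inactive, otherwise the 00:00:24 reading and the (inactive) flag are an accident of the boot-time clock. Two smaller points: the prompt changes from `cisco_7200(config-if)#` to `Router(config-if)#` inside what is presented as one session, and the ACE shows `(15 matches)` while the exercise text on the same page refers to 7 matches; harmonize the captures or say they come from different runs.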
Line 425: | Line 442: | ||
==== Exercises ==== | ==== Exercises ==== | ||
+ | 1. **Reflexive ACLs** [5p]: | ||
+ | |||
+ | Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server). | ||
+ | |||
+ | You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions. | ||
+ | |||
+ | 2. **Temporary access control** [5p]: | ||
+ | |||
+ | Add another time-range (router time should be out of it - like 'outside working hours'). | ||
+ | |||
+ | Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above). | ||
+ | |||
+ | Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT. | ||
+ | |||
+ | Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. |
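Review bot: exercise 2's third step is ambiguous: "Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT" neither says whether the new entry keeps sequence 10 nor writes the statement out; give the full line (`permit icmp host 2.2.2.2 host 1.1.1.2 time-range <name> reflect ICMP_OUT_CLIENT`, with the time-range name the student chose) so nobody drops the `reflect` clause and then wonders why the RACL stays empty. Two more: exercise 1's "Do the same thing" no longer sits next to the ICMP walkthrough it refers to now that it has been moved, so name the section it mirrors; and the last step's "the match value should remain the same" should state which counter is meant (the existing ICMP_OUT_CLIENT entry, which stops incrementing once the permitting ACE is inactive, not the freshly created ONLY_CLIENT1 entry).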