Show page

Differences

This shows you the differences between two versions of the page.

--- sred:laborator_1._acl [2021/10/22 18:41]
horia.stoenescu [Exercises]
+++ sred:laborator_1._acl [2022/10/14 23:55] (current)
horia.stoenescu [Setup]
@@ Line 7: / Line 7: @@
 === Local host prerequisites ===
-If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]].
+If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches.
+You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]].
 For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]].
@@ Line 30: / Line 31: @@
 - add routes to make sure the endpoints can ping each other
+<note tip>
+In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]]
+</note>
 **Topology**:
@@ Line 291: / Line 296: @@
      permit icmp host 1.1.1.2 host 2.2.2.2  (29 matches) (time left 247)
 </code>
-**Exercise**: do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server).
 <note>
@@ Line 330: / Line 332: @@
 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between ()
-# apply again ONLY_CLIENT1 to in and ICMP_OUT_CLIENT to out on e1/1
+# apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1
 </code>
@@ Line 346: / Line 348: @@
 </code>
-**Exercise**: add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry.
+<note>
-Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely.
+If the current time is out of range, then the acl entry is marked as **inactive**:
+<code>
+cisco_7200(config-if)#do sh ip access ONLY_CLIENT1
+Extended IP access list ONLY_CLIENT1
+ permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches)
+# see the time
+Router(config-if)#do sh clock
+*00:00:24.148 UTC Tue Oct 5 2021
+Router(config-if)#
+Router(config-if)#do sh time-range PERIODIC
+time-range entry: PERIODIC (inactive)
+   periodic weekdays 13:00 to 23:59
+   used in: IP ACL entry
+</code>
+</note>
 b. using **lock-and-key**:
@@ Line 425: / Line 442: @@
 ==== Exercises ====
-. Reflexive ACLs [5p]:
+. **Reflexive ACLs** [5p]:
+Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server).
+You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions.
+. **Temporary access control** [5p]:
+Add another time-range (router time should be out of it - like 'outside working hours').
-Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server).
+Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above).
-. Temporary access control [5p]:
+Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT.
-Add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry.
+Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely.
-Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely.