Differences
This shows you the differences between two versions of the page.
|
sred:laborator_1._acl [2021/11/01 23:03] horia.stoenescu [Tutorial exercises using ACLs] |
sred:laborator_1._acl [2022/10/14 23:55] (current) horia.stoenescu [Setup] |
||
|---|---|---|---|
| Line 7: | Line 7: | ||
| === Local host prerequisites === | === Local host prerequisites === | ||
| - | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewalls and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. | + | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. |
| You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | ||
| Line 31: | Line 31: | ||
| - add routes to make sure the endpoints can ping each other | - add routes to make sure the endpoints can ping each other | ||
| + | |||
| + | <note tip> | ||
| + | In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]] | ||
| + | </note> | ||
| **Topology**: | **Topology**: | ||
| Line 440: | Line 444: | ||
| 1. **Reflexive ACLs** [5p]: | 1. **Reflexive ACLs** [5p]: | ||
| - | Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server). | + | Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server). |
| You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions. | You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions. | ||
| Line 446: | Line 450: | ||
| 2. **Temporary access control** [5p]: | 2. **Temporary access control** [5p]: | ||
| - | Add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry. | + | Add another time-range (router time should be out of it - like 'outside working hours'). |
| - | Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | + | |
| + | Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above). | ||
| + | |||
| + | Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT. | ||
| + | |||
| + | Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | ||
