Differences
This shows you the differences between two versions of the page.
|
sred:laborator_1._acl [2020/10/23 17:28] horia.stoenescu [Setup] |
sred:laborator_1._acl [2022/10/14 23:55] (current) horia.stoenescu [Setup] |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| ==== Setup ==== | ==== Setup ==== | ||
| - | The topology consists of one Cisco router model 7200 with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and 3 Ubuntu machines which serves as server and clients (client1 and client2). | ||
| - | Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//). | + | === Story === |
| + | In an imaginary scenario, our company is at the beginning and has few money to invest in infrastructure. We have a HQ with 1 Linux machine serving as the web server and 2 branches represented with 1 client per each one. The routing between them is done using a Cisco router and minimum filtering provided by ACLs. | ||
| + | |||
| + | === Local host prerequisites === | ||
| + | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. | ||
| + | You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | ||
| + | |||
| + | For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]]. | ||
| + | |||
| + | === Lab infra === | ||
| + | After starting the nodes, in order to access the machine you need | ||
| + | |||
| + | The topology consists of one Cisco router model 7200 (with image name **c7200-adventerprisek9-mz.124-11.T1.image** - see this [[http://31.22.89.2/cisco-ios/7200/|link]] for other 7200 images) with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and 3 Ubuntu machines which serves as server and clients (client1 and client2). | ||
| + | |||
| + | To simulate this, we are using an eve-ng virtual machine that should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//). | ||
| + | |||
| + | <note> | ||
| + | For Cisco router node we are using idle value: 0x6149f77c (as this is the one has the highest count value). This way, we make sure that dynamips process is not in high cpu load. | ||
| + | </note> | ||
| You have to do the following: | You have to do the following: | ||
| Line 14: | Line 31: | ||
| - add routes to make sure the endpoints can ping each other | - add routes to make sure the endpoints can ping each other | ||
| + | |||
| + | <note tip> | ||
| + | In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]] | ||
| + | </note> | ||
| **Topology**: | **Topology**: | ||
| {{:sred:lab1_topology.png?800|}} | {{:sred:lab1_topology.png?800|}} | ||
| - | |||
| - | === Mapping ip-student === | ||
| - | Each student has one eve-ng machine assigned - see [[https://docs.google.com/spreadsheets/d/1pSiqNA7tuby5lhVGGtCp3cYCJk-O3oSsAQDmDN7oyMQ/edit?usp=sharing|here]] the list. | ||
| <note> | <note> | ||
| - | Credentials webui eve-ng: user: admin; password: eve | + | Credentials webui eve-ng: user: **admin**; password: **eve** |
| - | Enable password router: cisco | + | |
| + | Credentials ubuntu machines: user: **eve**; password: **eve** | ||
| - | Credentials ubuntu machines: user:eve; password:eve | + | No enable password is set for router! |
| </note> | </note> | ||
| - | ==== Exercises using ACLs ==== | + | ==== Tutorial exercises using ACLs ==== |
| 1. **Standard ACL - basic filtering**: | 1. **Standard ACL - basic filtering**: | ||
| Line 277: | Line 296: | ||
| permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | ||
| </code> | </code> | ||
| - | |||
| - | |||
| - | **Exercise**: do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server). | ||
| <note> | <note> | ||
| Line 316: | Line 332: | ||
| 10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | ||
| | | ||
| - | # apply again ONLY_CLIENT1 to in and ICMP_OUT_CLIENT to out on e1/1 | + | # apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1 |
| </code> | </code> | ||
| Line 332: | Line 348: | ||
| </code> | </code> | ||
| - | **Exercise**: add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry. | + | <note> |
| - | Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | + | If the current time is out of range, then the acl entry is marked as **inactive**: |
| + | <code> | ||
| + | cisco_7200(config-if)#do sh ip access ONLY_CLIENT1 | ||
| + | Extended IP access list ONLY_CLIENT1 | ||
| + | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches) | ||
| + | |||
| + | # see the time | ||
| + | Router(config-if)#do sh clock | ||
| + | *00:00:24.148 UTC Tue Oct 5 2021 | ||
| + | Router(config-if)# | ||
| + | Router(config-if)#do sh time-range PERIODIC | ||
| + | time-range entry: PERIODIC (inactive) | ||
| + | periodic weekdays 13:00 to 23:59 | ||
| + | used in: IP ACL entry | ||
| + | </code> | ||
| + | </note> | ||
| b. using **lock-and-key**: | b. using **lock-and-key**: | ||
| Line 409: | Line 440: | ||
| </code> | </code> | ||
| + | ==== Exercises ==== | ||
| + | |||
| + | 1. **Reflexive ACLs** [5p]: | ||
| + | |||
| + | Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server). | ||
| + | |||
| + | You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions. | ||
| + | |||
| + | 2. **Temporary access control** [5p]: | ||
| + | |||
| + | Add another time-range (router time should be out of it - like 'outside working hours'). | ||
| + | |||
| + | Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above). | ||
| + | |||
| + | Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT. | ||
| + | |||
| + | Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | ||
