Thursday 28 November 2013

How to Configure a VTY Line ACL

It is a common security policy in production networks to use an access control list to specify that only a specific management subnet and/or management host may establish a remote session to a network device.

This lab will teach you how to configure an ACL that restricts which networks and/or hosts can establish an exec session through the VTY lines used for remote management.


  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and boot R1, R2, R3 and SW1.
  • Establish a console session with R1, R2, R3 and SW1 and configure their respective hostnames.
  • Configure the IP address 10.1.1.1/24 on R1's FastEthernet0/0 interface.
  • Configure the IP address 10.1.1.2/24 on R2's FastEthernet0/0 interface.
  • Configure the IP address 10.1.1.3/24 on R3's FastEthernet0/0 interface.
  • Configure a local username and password with privilege level 15 on R1, and use it to authenticate VTY exec sessions locally.
  • Configure R1 to accept Telnet and SSH sessions.


Lab Objectives:

  • Create a named extended access list called VTY_ACCESS.
  • Deny Telnet access to the VTY lines from host 10.1.1.3.
  • Allow the network 10.1.1.0/24 to use Telnet or SSH.
  • Deny all other traffic and log the rejected connection attempts.
  • Apply the access list to the VTY lines with the access-class command.
  • Verify your configuration and connectivity using R2 and R3.

One of the bigger new features in 12.3T and the mainline is that access to the VTY lines can be managed with an extended access list, which lets you permit only connections to the Cisco device that use a specific protocol, i.e. Telnet or SSH exec sessions.

Step 1. Configure a named access list called VTY_ACCESS on R1.


R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#

Step 2. Deny access to the VTY lines via Telnet from host 10.1.1.3. To accomplish this, specify host 10.1.1.3 as the source and any eq telnet as the destination, as shown below:

R1(config-ext-nacl)#10 deny tcp host 10.1.1.3 any eq telnet

Traffic destined to the device's own control plane is represented in the ACL as 0.0.0.0/0, i.e. the any keyword.

Step 3. Allow the network 10.1.1.0/24 to use Telnet or SSH. This requires two access list entries, one for Telnet (TCP port 23) and another for SSH (TCP port 22), as shown below:

R1(config-ext-nacl)#20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23

Step 4. Deny all other traffic and log the denied connection attempts.

R1(config-ext-nacl)#500 deny ip any any log

Step 5. Apply the access list to the VTY lines with the access-class command.

R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end
R1#

Step 6. Verify your configuration and connectivity using R2 and R3.

Before verifying connectivity from R2 and R3, first check the access list on R1 with the show access-list command, as displayed below:

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
500 deny ip any any log
R1#

After attempting the Telnet and SSH connections from R2 and R3, you can verify that Telnet from 10.1.1.3 is rejected by running the show access-list command in privileged mode on R1. This displays each access control list entry with its hit count next to it:

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet (1 match)
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22 (4 matches)
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet (6 matches)
500 deny ip any any log
R1#
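As an added example (not part of the original lab), here is a small Python model of how IOS evaluates this ACL: entries are checked in sequence order, the first match wins, and anything that falls through hits the implicit deny at the end. It parses the VTY_ACCESS entries exactly as shown above, so you can predict which entry a given source address and port will hit before comparing it against the hit counts. The 192.168.5.5 address in the usage block is a constructed example of a host outside 10.1.1.0/24.

```python
import ipaddress

# Constructed input: the VTY_ACCESS entries from Steps 1-4, in sequence order.
VTY_ACCESS = """
10 deny tcp host 10.1.1.3 any eq telnet
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
500 deny ip any any log
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}  # IOS port keywords used in this lab

def parse_entry(line):
    """Parse '<seq> <permit|deny> <proto> <src> any [eq <port>] [log]' into a dict.
    The source may be 'host A.B.C.D', 'any', or 'A.B.C.D <wildcard-mask>'."""
    tok = line.split()
    seq, action, proto, i = int(tok[0]), tok[1], tok[2], 3
    if tok[i] == "host":
        src, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "any":
        src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:
        # IOS wildcard mask: a 0 bit means 'must match', so invert it to get a netmask.
        wild = int(ipaddress.ip_address(tok[i + 1]))
        mask = str(ipaddress.ip_address(~wild & 0xFFFFFFFF))
        src, i = ipaddress.ip_network((tok[i], mask), strict=False), i + 2
    # Destination: with access-class the target is the device itself, written as 'any'.
    if tok[i] != "any":
        raise ValueError("only 'any' destinations are modelled: " + line)
    i, port = i + 1, None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    log = i < len(tok) and tok[i] == "log"
    return {"seq": seq, "action": action, "proto": proto, "src": src, "port": port, "log": log}

def evaluate(acl_text, src_ip, dst_port, proto="tcp"):
    """First-match evaluation, as IOS does it: returns (action, seq, log).
    seq is None when nothing matched and the implicit deny at the end applies."""
    for e in (parse_entry(l) for l in acl_text.strip().splitlines()):
        if e["proto"] not in ("ip", proto):
            continue  # 'ip' matches any protocol; 'tcp' only matches TCP
        if ipaddress.ip_address(src_ip) not in e["src"]:
            continue
        if e["port"] is not None and e["port"] != dst_port:
            continue
        return e["action"], e["seq"], e["log"]
    return "deny", None, False

if __name__ == "__main__":
    for ip, port in [("10.1.1.3", 23), ("10.1.1.3", 22), ("10.1.1.2", 23), ("192.168.5.5", 22)]:
        print(ip, port, evaluate(VTY_ACCESS, ip, port))
```

Note that R3 (10.1.1.3) is only blocked on port 23: its SSH attempt falls through entry 10 and is permitted by entry 20, which is exactly what the hit counts above reflect.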
