ACL scenario for CCNA 4
Date: 1 September 2012
This is a medium-complexity exercise in which the ACLs have to be developed and placed in strategic positions, because the topology changes when one of the WAN service providers fails.
The topology is asymmetric, there is no load balancing across the WAN, and the Tucumán branch uses only one ISP.
The requirements are:
1. The Tucumán branch accesses only the Intranet server
2. The Córdoba branch accesses the Intranet server and the Rosario server
3. The Córdoba branch uses DHCP in Rosario
4. The Córdoba branch sends Syslog messages to the server in Rosario
5. Both branches use the internal DNS
6. For security, ICMP is not permitted
7. Management of the iPlan router is only from iPlan
8. Management of the Telecom router is only from Telecom
Passwords: telecom
9. The Rosario and Córdoba devices cannot be managed from Telecom or iPlan
Scenario (can be downloaded from ftp://ftp.vilarrasa.com.ar/, user and password: ccna)
Configurations
Cordoba#sh runn (only the relevant part)
Building configuration...
Current configuration : 1750 bytes
!
hostname Cordoba
!
enable secret class (needed for Telnet; shown unencrypted)
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.224.0
ip helper-address 192.168.0.3 (forwards DHCP to Rosario)
ip access-group Cordoba in
!
interface Serial0/0/0
description WAN via iPlan
ip address 172.16.0.13 255.255.255.252
clock rate 1000000
!
interface Serial0/0/1
description WAN via Telecom
ip address 172.16.0.5 255.255.255.252
!
router eigrp 100 (for the Telecom WAN)
network 172.16.0.4 0.0.0.3
network 10.0.0.0 0.0.31.255
no auto-summary
!
router ospf 1 (for the iPlan WAN)
log-adjacency-changes
network 10.0.0.0 0.0.31.255 area 0
network 172.16.0.12 0.0.0.3 area 0
!
ip access-list standard telnet (point 9)
permit 192.168.0.0 0.0.0.255
permit 10.0.0.0 0.0.31.255
ip access-list extended Cordoba
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq www (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq 443 (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq www (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq 443 (point 2)
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.10 eq domain (point 5)
permit udp any any eq bootps (point 3)
deny icmp any any (point 6)
remark Telnet access from Cordoba
permit tcp 10.0.0.0 0.0.31.255 host 10.0.0.1 eq telnet
remark Telnet access to Rosario
permit tcp 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 eq telnet
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.5 eq 514 (point 4)
deny ip any any (point 2)
!
logging trap debugging (needed for point 4)
logging 192.168.0.5 (needed for point 4)
line con 0
line vty 0 4
access-class telnet in (point 9)
password cisco
login
!
end
Rosario#sh runn (only the relevant part)
Building configuration...
Current configuration : 1896 bytes
!
hostname Rosario
!
enable secret class (needed for Telnet; shown unencrypted)
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip access-group Rosario in (for return traffic and point 6)
!
interface Serial0/0/0
description WAN via Telecom
ip address 172.16.0.1 255.255.255.252
ip access-group 101 in
clock rate 1000000
!
interface Serial0/0/1
description WAN via iPlan
ip address 172.16.0.9 255.255.255.252
ip access-group 100 in
!
router eigrp 100 (for the Telecom WAN)
network 192.168.0.0
network 172.16.0.0 0.0.0.3
no auto-summary
!
router ospf 1 (for the iPlan WAN)
log-adjacency-changes
network 192.168.0.0 0.0.0.255 area 0
network 172.16.0.8 0.0.0.3 area 0
!
access-list 100 permit ospf any any (for the iPlan WAN)
access-list 100 deny icmp any any (point 6)
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq www (point 1)
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq 443 (point 1)
access-list 100 permit udp 10.1.0.0 0.0.0.255 host 192.168.0.10 eq domain (point 5)
access-list 100 permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (point 2)
access-list 100 permit udp host 172.16.0.13 host 192.168.0.5 eq 514 (point 4)
access-list 101 permit eigrp any any (for the Telecom WAN)
access-list 101 deny icmp any any (point 6)
access-list 101 permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (point 2)
access-list 101 permit udp host 172.16.0.5 host 192.168.0.5 eq 514 (point 4)
ip access-list standard telnet (point 9)
permit 192.168.0.0 0.0.0.255
permit 10.0.0.0 0.0.31.255
deny any
ip access-list extended Rosario
deny icmp any any (point 6)
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.31.255 (return traffic to Córdoba)
permit ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.0.255 (return traffic to Tucumán)
!
logging trap debugging (needed for point 4)
logging 192.168.0.5 (needed for point 4)
line con 0
line vty 0 4
access-class telnet in (point 9)
password cisco
login
!
end
Telecom#sh runn (only what is needed)
Building configuration...
Current configuration : 858 bytes
!
hostname Telecom
!
enable secret telecom (needed for Telnet; shown unencrypted)
!
interface FastEthernet0/0
ip address 10.1.0.1 255.255.255.248
!
interface Serial0/0/0
ip address 172.16.0.6 255.255.255.252
clock rate 1000000
!
interface Serial0/0/1
ip address 172.16.0.2 255.255.255.252
!
router eigrp 100 (the Telecom LAN does not participate in EIGRP)
network 172.16.0.0 0.0.0.3
network 172.16.0.4 0.0.0.3
no auto-summary
!
ip access-list standard telnet (point 8)
permit 10.1.0.0 0.0.0.7
deny any
!
line vty 0 4
access-class telnet in (point 8)
password telecom (point 8)
login
!
end
Verification: ALL permitted and denied services must be tested to know how effective the ACL is.
Rosario#sh access-lists
Extended IP access list 100 (ACL on the serial interface to iPlan; tested with Telecom DOWN)
permit ospf any any (405 match(es))
deny icmp any any (5 match(es)) (point 6)
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq www (48 match(es)) (point 1)
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq 443 (28 match(es)) (point 1)
permit udp 10.1.0.0 0.0.0.255 host 192.168.0.10 eq domain (13 match(es)) (point 5)
permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (12 match(es)) (point 2, with Telecom DOWN)
permit udp host 172.16.0.13 host 192.168.0.5 eq 514 (16 match(es)) (point 4)
Extended IP access list 101 (ACL on the serial interface to Telecom)
permit eigrp any any (789 match(es))
deny icmp any any (12 match(es)) (point 6)
permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (200 match(es)) (point 2)
permit udp host 172.16.0.5 host 192.168.0.5 eq 514 (30 match(es)) (point 4)
Standard IP access list telnet (point 9)
permit 192.168.0.0 0.0.0.255 (2 match(es))
permit 10.0.0.0 0.0.31.255 (2 match(es))
deny any (4 match(es))
Extended IP access list Rosario
deny icmp any any (6 match(es)) (point 6)
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.31.255 (111 match(es)) (return traffic)
permit ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.0.255 (81 match(es)) (return traffic)
Rosario#
Cordoba#sh access-lists
Standard IP access list telnet (point 9)
permit 192.168.0.0 0.0.0.255 (2 match(es))
permit 10.0.0.0 0.0.31.255 (4 match(es))
Extended IP access list Cordoba
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq www (55 match(es)) (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq 443 (25 match(es)) (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq www (20 match(es)) (point 2)
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq 443 (30 match(es)) (point 2)
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.10 eq domain (23 match(es)) (point 5)
permit udp any any eq bootps (19 match(es)) (point 3)
deny icmp any any (8 match(es)) (point 6)
permit tcp 10.0.0.0 0.0.31.255 host 10.0.0.1 eq telnet (101 match(es)) (point 9)
permit tcp 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 eq telnet (17 match(es)) (point 9)
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.5 eq 514 (8 match(es)) (point 4)
deny ip any any (24 match(es)) (related to point 2)
Cordoba#
ACL variant for real equipment: on an 1841 router we apply the same ACLs as on router Cordoba.
1841_WAN#sh access-lists (we verify that the lines are numbered in steps of 10)
Standard IP access list telnet
10 permit 192.168.0.0, wildcard bits 0.0.0.255
20 permit 10.0.0.0, wildcard bits 0.0.31.255
Extended IP access list Cordoba
10 permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq www
20 permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq 443
30 permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq www
40 permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq 443
50 permit udp 10.0.0.0 0.0.31.255 host 192.168.0.10 eq domain
60 permit udp any any eq bootps
70 deny icmp any any
80 permit tcp 10.0.0.0 0.0.31.255 host 10.0.0.1 eq telnet
90 permit tcp 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 eq telnet
100 permit udp 10.0.0.0 0.0.31.255 host 192.168.0.5 eq syslog
110 deny ip any any
1841_WAN#
Point 4: we check on the server, under Config -> Syslog, the events that generate logs.
Test of the deny ip any any line of the Cordoba ACL: since ICMP is blocked earlier in the list and never reaches this line, it has to be verified with another application or another HTTP destination.
PC>ipconfig
IP Address......................: 10.0.0.3
Subnet Mask.....................: 255.255.224.0
Default Gateway.................: 10.0.0.1
PC>ftp 192.168.0.2
Trying to connect...192.168.0.2
%Error opening ftp://192.168.0.2/ (Timed out)
Packet Tracer PC Command Line 1.0
PC>(Disconnecting from ftp server)
Test of browsing to a server other than intranet and rosario
The Telecom link is brought down to verify the full operation of ACL 100, since by default ACL 101 is the one in use: EIGRP has a lower administrative distance than iPlan's OSPF (90 versus 110).
Rosario#sh ip route
---summarized---
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/19 [90/2684416] via 172.16.0.2, 00:09:29, Serial0/0/0
O 10.1.0.0/24 [110/65] via 172.16.0.10, 01:05:44, Serial0/0/1
172.16.0.0/30 is subnetted, 4 subnets
C 172.16.0.0 is directly connected, Serial0/0/0
D 172.16.0.4 [90/2681856] via 172.16.0.2, 00:09:29, Serial0/0/0
C 172.16.0.8 is directly connected, Serial0/0/1
O 172.16.0.12 [110/128] via 172.16.0.10, 01:05:44, Serial0/0/1
C 192.168.0.0/24 is directly connected, FastEthernet0/0
Rosario#
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.0.2 (Serial0/0/0) is down: interface down
Rosario#sh ip route (the OSPF routes, AD 110, become active in the table)
---summarized---
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.0.0.0/19 [110/129] via 172.16.0.10, 00:22:10, Serial0/0/1
O 10.1.0.0/24 [110/65] via 172.16.0.10, 01:05:59, Serial0/0/1
172.16.0.0/30 is subnetted, 2 subnets
C 172.16.0.8 is directly connected, Serial0/0/1
O 172.16.0.12 [110/128] via 172.16.0.10, 01:05:59, Serial0/0/1
C 192.168.0.0/24 is directly connected, FastEthernet0/0
Rosario#
ACL variant for routing protocols: the permit ospf any any and permit eigrp any any entries are replaced by entries restricted to the neighbour's source address and to the multicast and unicast destinations it actually uses.
Rosario#
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to down (we generate OSPF "noise")
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
%OSPF-5-ADJCHG: Process 1, Nbr 200.69.0.1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
00:49:57: %OSPF-5-ADJCHG: Process 1, Nbr 200.69.0.1 on Serial0/0/1 from LOADING to FULL, Loading Done
Rosario#sh ip ospf nei (we verify)
Neighbor ID     Pri   State           Dead Time   Address         Interface
200.69.0.1        0   FULL/  -        00:00:32    172.16.0.10     Serial0/0/1
Rosario#
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down (we generate EIGRP "noise")
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.0.2 (Serial0/0/0) is down: interface down
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.0.2 (Serial0/0/0) is up: new adjacency
Rosario#sh access-lists
Extended IP access list 100 (check the multicast and unicast addresses)
permit ospf host 172.16.0.10 host 224.0.0.5 (35 match(es)) (OSPF HELLO)
permit ospf host 172.16.0.10 host 172.16.0.9 (16 match(es)) (data exchange)
deny icmp any any (5 match(es))
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq www (48 match(es))
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq 443 (28 match(es))
permit udp 10.1.0.0 0.0.0.255 host 192.168.0.10 eq domain (13 match(es))
permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (12 match(es))
permit udp host 172.16.0.13 host 192.168.0.5 eq 514 (16 match(es))
Extended IP access list 101 (check the multicast and unicast addresses)
permit eigrp host 172.16.0.2 host 224.0.0.10 (58 match(es)) (EIGRP HELLO)
permit eigrp host 172.16.0.2 host 172.16.0.1 (9 match(es)) (data exchange)
deny icmp any any (12 match(es))
permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 (200 match(es))
permit udp host 172.16.0.5 host 192.168.0.5 eq 514 (30 match(es))
Rosario#
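As an added example (not part of the original exercise or of any Cisco tool), the following Python script reproduces the first-match evaluation of two of the ACLs above offline: the Cordoba extended ACL, to show why the FTP attempt from 10.0.0.3 earlier on the page timed out on deny ip any any while ICMP was stopped by its own line, and the neighbour-specific ACL 100 variant, to show what the host 172.16.0.10 entries reject that permit ospf any any would have let through. The parser, the evaluate() and replay() helpers, the flow labels and the second OSPF source 172.16.0.14 are my own constructions; only the ACL lines themselves are copied from the exercise, and the parser accepts the page's "(point n)" annotations so the lists can be pasted as printed.

```python
"""Offline first-match simulator for the extended ACLs used in this exercise.
Added example, not part of the original page: parser and evaluate() are mine;
only the ACL lines themselves are copied from the exercise."""
import ipaddress

# Port keywords that appear in "eq" clauses on this page, resolved to numbers.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "telnet": 23, "syslog": 514}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_ace(line):
    """Parse one extended ACE; parenthesised notes and 'remark' lines are ignored."""
    line = line.split("(")[0].strip()
    if not line or line.startswith("remark"):
        return None
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": line}

def parse_acl(text):
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching ACE text); falls through to the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):   # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"

# ACL lines copied from the exercise: Cordoba (inbound on Fa0/0) and the
# ACL 100 variant on Rosario's serial to iPlan with neighbour-specific OSPF entries.
CORDOBA_ACL = parse_acl("""
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq www
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.2 eq 443
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq www
permit tcp 10.0.0.0 0.0.31.255 host 192.168.0.4 eq 443
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.10 eq domain
permit udp any any eq bootps
deny icmp any any
permit tcp 10.0.0.0 0.0.31.255 host 10.0.0.1 eq telnet
permit tcp 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255 eq telnet
permit udp 10.0.0.0 0.0.31.255 host 192.168.0.5 eq 514
deny ip any any
""")

ACL_100_NEIGHBOUR = parse_acl("""
permit ospf host 172.16.0.10 host 224.0.0.5
permit ospf host 172.16.0.10 host 172.16.0.9
deny icmp any any
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq www
permit tcp 10.1.0.0 0.0.0.255 host 192.168.0.4 eq 443
permit udp 10.1.0.0 0.0.0.255 host 192.168.0.10 eq domain
permit ip 10.0.0.0 0.0.31.255 192.168.0.0 0.0.0.255
permit udp host 172.16.0.13 host 192.168.0.5 eq 514
""")

# Constructed flows: the PC 10.0.0.3 from the page, plus a made-up OSPF source 172.16.0.14.
FLOWS = [
    ("PC http to Intranet", CORDOBA_ACL, ("tcp", "10.0.0.3", "192.168.0.2", 80)),
    ("PC ftp to Intranet", CORDOBA_ACL, ("tcp", "10.0.0.3", "192.168.0.2", 21)),
    ("PC ping to Intranet", CORDOBA_ACL, ("icmp", "10.0.0.3", "192.168.0.2", None)),
    ("DHCP discover", CORDOBA_ACL, ("udp", "0.0.0.0", "255.255.255.255", 67)),
    ("OSPF hello, real neighbour", ACL_100_NEIGHBOUR, ("ospf", "172.16.0.10", "224.0.0.5", None)),
    ("OSPF hello, other source", ACL_100_NEIGHBOUR, ("ospf", "172.16.0.14", "224.0.0.5", None)),
]

def replay(flows=FLOWS):
    """Evaluate each constructed flow; returns {label: (action, ace text)}."""
    return {label: evaluate(acl, *pkt) for label, acl, pkt in flows}

if __name__ == "__main__":
    for label, (action, ace) in replay().items():
        print(f"{label:28s} -> {action:6s} via: {ace}")
```

The simulator reproduces the two behaviours the verification section relies on: a flow only reaches deny ip any any if no earlier line claimed it (so the FTP attempt, not a ping, is the right probe for that line), and an OSPF hello from any address other than 172.16.0.10 falls through the neighbour-specific entries to the implicit deny, which is exactly the exposure that permit ospf any any leaves open.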
Detail of point 8, applied on router Telecom; on router iPlan, CLI access is not permitted.
ip access-list stand telnet
permit 10.1.0.0 0.0.0.7 (Telecom internal network; note that the wildcard differs from Tucumán's)
deny any
exit
line vty 0 4
access-class telnet in
exit
Verification:
PC>telnet 10.1.0.1 (from a Telecom host)
Trying 10.1.0.1 ...Open
User Access Verification
Password:
Telecom>
Rosario#telnet 172.16.0.2 (via the WAN, since Teco's LAN does not participate in EIGRP)
Trying 172.16.0.2 ...
% Connection timed out; remote host not responding
Rosario#
Telecom#sh access-lists telnet
Standard IP access list telnet
permit 10.1.0.0 0.0.0.7 (2 match(es))
deny any (4 match(es)) (ACL 101 also blocks the return traffic)
Telecom#
Rosario -- telnet --> Telecom (the telnet ACL blocks it)
Rosario (ACL 101) <-- telnet return -- Telecom
Point 9.
ip access-list stand telnet (on both Córdoba and Rosario)
permit 192.168.0.0 0.0.0.255
permit 10.0.0.0 0.0.31.255
deny any (blocks Telecom and iPlan, and the WAN links of Rosario and Córdoba)
exit
line vty 0 4
access-class telnet in
exit
Verification:
Rosario#sh access-lists telnet
Standard IP access list telnet
permit 192.168.0.0 0.0.0.255 (2 match(es))
permit 10.0.0.0 0.0.31.255 (2 match(es))
deny any (no matches, since ACLs 100 and 101 already stop all other traffic on the Córdoba WAN links)
Rosario#
Cordoba#sh access-lists telnet
Standard IP access list telnet
permit 192.168.0.0 0.0.0.255 (4 match(es))
permit 10.0.0.0 0.0.31.255 (2 match(es))
deny any (10 match(es)) (from router Telecom, since there is no ACL on the WAN interface)
Cordoba#
(2012) Bored tales from uncle Ernest
Rosario, Argentina