This post was last edited by 小乔 on 2022-11-21 16:23.
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to create and apply extended access control lists to restrict Telnet access to a router or switch.
Lab Purpose:
Configuring and applying extended ACLs to restrict Telnet access is a fundamental skill. Extended ACLs filter based on source and destination address, as well as Layer 4 protocols TCP and UDP. Extended ACLs should be applied as close to the source as possible. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to restrict inbound Telnet traffic to the router or switch using ACLs.
Certification Level:
This lab is suitable for CCENT and CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 20 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on routers R1 and R3 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 2 Mbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.
Task 3:
Configure a static default route on R1 pointing to R3 over the Serial connection between the two routers. Next, configure the Loopback interfaces specified in the diagram on R3. Finally, configure R1 to allow Telnet sessions. Use the password CISCO for Telnet login.
Task 4:
To test connectivity, ping R1 from R3 Loopback10, Loopback20, and Loopback30 interfaces.
Task 5:
Create an extended named ACL called TELNET-IN on R1. This ACL should permit Telnet traffic from host 10.10.10.3 to any IP address on R1; deny Telnet from host 10.20.20.3 to any IP address on R1; permit Telnet from host 10.30.30.3 to any IP address on R1. Apply this ACL to the Telnet lines on R1 for inbound traffic.
Task 6:
To test your ACL configuration, telnet to R1 from the R3 Loopback10, Loopback20, and Loopback30 interfaces using the telnet <ip_address> /source-interface <interface> command. If your ACL configuration is correct, only Telnet from R3 Loopback10 and Loopback30 should work, while Telnet from Loopback20 should be refused. Verify the matches against your ACL.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring IP addresses and clock rates, please refer to earlier labs.
Task 3:
R1#config t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0 172.16.1.2
R1(config)#line vty 0 4
R1(config-line)#password CISCO
R1(config-line)#login
R1(config-line)#end
R1#
R3#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R3(config)#int loop10
R3(config-if)#ip address 10.10.10.3 255.255.255.128
R3(config-if)#exit
R3(config)#int loop20
R3(config-if)#ip address 10.20.20.3 255.255.255.240
R3(config-if)#exit
R3(config)#int loop30
R3(config-if)#ip address 10.30.30.3 255.255.255.248
R3(config-if)#exit
R3(config)#line vty 0 4
R3(config-line)#password CISCO
R3(config-line)#login
R3(config-line)#end
R3#
Task 4:
R1#ping 10.10.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#ping 10.20.20.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1#ping 10.30.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 5:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended TELNET-IN
R1(config-ext-nacl)#remark "Permit Telnet From Host 10.10.10.3"
R1(config-ext-nacl)#permit tcp host 10.10.10.3 any eq 23
R1(config-ext-nacl)#remark "Deny Telnet From Host 10.20.20.3"
R1(config-ext-nacl)#deny tcp host 10.20.20.3 any eq 23
R1(config-ext-nacl)#remark "Permit Telnet From Host 10.30.30.3"
R1(config-ext-nacl)#permit tcp host 10.30.30.3 any eq 23
R1(config-ext-nacl)#exit
R1(config)#line vty 0 4
R1(config-line)#access-class TELNET-IN in
R1(config-line)#end
R1#
Of course, in a real ACL we would normally also permit the other traffic that should be allowed, since every ACL ends with an implicit deny that drops anything not explicitly permitted; here we are only testing the ability to block Telnet from a specific host.
Task 6:
R3#telnet 172.16.1.1 /source-interface loopback10
Trying 172.16.1.1 ... Open
User Access Verification
Password:
R1#
R3#telnet 172.16.1.1 /source-interface loopback20
Trying 172.16.1.1 ...
% Connection refused by remote host
R3#telnet 172.16.1.1 /source-interface loopback30
Trying 172.16.1.1 ... Open
User Access Verification
Password:
R1#
NOTE: The access-class command applies an ACL to the router or switch VTY lines to prevent inbound Telnet and/or SSH sessions from reaching the device, regardless of which interface the session arrives on. This is not the same as applying an ACL to an interface, which filters packets entering or leaving that interface rather than sessions to the VTY lines. Make a mental note of this.
Based on our example above, we can see matches to the ACL rules as follows:
R1#sh ip access-lists TELNET-IN
Extended IP access list TELNET-IN
10 permit tcp host 10.10.10.3 any eq telnet (2 matches)
20 deny tcp host 10.20.20.3 any eq telnet (1 match)
30 permit tcp host 10.30.30.3 any eq telnet (2 matches)
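As an added example that is not part of the lab, the following Python script models how IOS evaluates the TELNET-IN ACL from Task 5 when it is applied with access-class: entries are checked top-down, the first match decides and its counter increments, and a session matching nothing falls through to the implicit deny. The parser, the seq numbering and the sample sessions are constructed here for illustration; it handles "any", "host A.B.C.D" and contiguous wildcard-mask address forms.

```python
from ipaddress import ip_address, ip_network

TELNET_IN = [  # the entries typed on R1 in Task 5; IOS numbers them 10, 20, 30
    "permit tcp host 10.10.10.3 any eq 23",
    "deny tcp host 10.20.20.3 any eq 23",
    "permit tcp host 10.30.30.3 any eq 23",
]

def _net(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') from tokens."""
    kind = tokens.pop(0)
    if kind == "any":
        return ip_network("0.0.0.0/0")
    if kind == "host":
        return ip_network(tokens.pop(0) + "/32")
    wild = tokens.pop(0)  # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"
    ones = sum(bin(int(o)).count("1") for o in wild.split("."))  # assumes a contiguous mask
    return ip_network(f"{kind}/{32 - ones}", strict=False)

def parse_acl(lines):
    """Parse 'permit|deny tcp|udp|ip <src> <dst> [eq <port>]' lines into ACL entries."""
    acl = []
    for i, line in enumerate(lines, start=1):
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst = _net(t), _net(t)
        dport = int(t[1]) if t[:1] == ["eq"] else None
        acl.append({"seq": 10 * i, "action": action, "proto": proto,
                    "src": src, "dst": dst, "dport": dport, "matches": 0})
    return acl

def evaluate(acl, src, dst, proto="tcp", dport=23):
    """First match decides and is counted, as on IOS; no match hits the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if (ip_address(src) in e["src"] and ip_address(dst) in e["dst"]
                and e["dport"] in (None, dport)):
            e["matches"] += 1
            return e["action"], e["seq"]
    return "deny", None  # implicit 'deny ip any any': unlisted sources get no Telnet

def show_access_list(name, acl):
    """Render the entries and counters in roughly the 'show ip access-lists' layout."""
    out = [f"Extended IP access list {name}"]
    for e in acl:
        hits = f" ({e['matches']} match{'es' if e['matches'] != 1 else ''})" if e["matches"] else ""
        port = f" eq {e['dport']}" if e["dport"] else ""
        out.append(f"    {e['seq']} {e['action']} {e['proto']} {e['src']} {e['dst']}{port}{hits}")
    return "\n".join(out)
```

Running the three Task 6 sessions plus one from an unlisted source shows why Loopback20 is refused and why a host the list never mentions is refused as well.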
Source: CCNA LAB39: Configuring and Applying Extended Named ACLs Inbound
Source: CCNA LAB40: Configuring and Applying Extended Numbered ACLs