Testing Extended ACL's

mattrgeemattrgee Member Posts: 201
Hi all,

Can anyone recommend a good method for testing extended ACL's? Testing standard ACL's is pretty straight forward, deny a source here, permit a source there etc.. However, permiting and denying protocols and ports with Extended ACL's would be far more beneficial for learning the technology.

I'm trying to avoid bring an additional pc into the topology purely for hosting a ftp server or similar as it seems abit over kill. Is there anyway I could configure a router to reply to traffic sent of port 21 for example?

Ideas welcome.

Thanks.

Comments

  • mamonomamono Member Posts: 776 ■■□□□□□□□□
    You could just block ICMP on an extended ACL, that should be pretty easy to test. You won't accidentally be disconnected if you were remotely connected to the router and happened to enact a misconfiguration.

    Happily ping away. No need to add another PC, just ping the interfaces and deny/permit to your heart's content.
  • tech-airmantech-airman Member Posts: 953
    mattrgee wrote:
    Hi all,

    Can anyone recommend a good method for testing extended ACL's? Testing standard ACL's is pretty straight forward, deny a source here, permit a source there etc.. However, permiting and denying protocols and ports with Extended ACL's would be far more beneficial for learning the technology.

    I'm trying to avoid bring an additional pc into the topology purely for hosting a ftp server or similar as it seems abit over kill. Is there anyway I could configure a router to reply to traffic sent of port 21 for example?

    Ideas welcome.

    Thanks.

    mattrgee,

    At the Windows Command Prompt, you can type the following....
    >telnet [destination IP address] [destination port]
    

    For example...
    >telnet 192.168.1.15 80
    

    In the case of the abovementioned example, you're going to need a host on the other end of the network with an IP address of 192.168.1.15 and running a web server. So unfortunately, you can't "...avoid bring[ing] an additional pc into the topology..."

    Your question of "Is there anyway I could configure a router to reply to traffic sent of port 21 for example?" has a problem. Port 21 is used by FTP for connection control. Usually port 20 is used by FTP for the data flow. I know that a Cisco router can be an FTP client but not a FTP server. So even if a Cisco router is used as an FTP client, it won't help you understand and practice extended ACL usage because any traffic that comes FROM the router is NOT affected by ANY ACL.

    Since you mention "...would be far more beneficial for learning the technology..." how about taking your own advice and understand each technology, such as how FTP works, how web access works, how e-mail works, and so on. Then it'll help you understand why you're creating and applying an access control list at all. Does this make sense?
  • mattrgeemattrgee Member Posts: 201
    I totally understand the technology, my thoughts are focused towards simulating common services in a lab environment. Bringing additional pc's into a topology can be a real pain when your short on space, so being able to simulate services running on their designated ports with minimal equipment can be a real benefit. i.e. simulating an ftp server on port 21 without a physical server.
  • tech-airmantech-airman Member Posts: 953
    mattrgee,
    mattrgee wrote:
    I totally understand the technology, my thoughts are focused towards simulating common services in a lab environment. Bringing additional pc's into a topology can be a real pain when your short on space, so being able to simulate services running on their designated ports with minimal equipment can be a real benefit. i.e. simulating an ftp server on port 21 without a physical server.

    The above bolded sections of what you just said conflict with each other. If you "...totally understand the technology..." then you'll know that: 1) FTP is the communications between a client host and a server host at the Application Layer 2) Routers operate at the Network Layer. So since you "..totally understand the technology..." explain how the Data Link Layer Frame is supposed to be encapsulated by the last router or switch then decapsulated by the NIC of an FTP server that doesn't physically exist?
  • mattrgeemattrgee Member Posts: 201
    Your missing the point here.

    The question is about exploring other possiblities. Do I need physical routers to create a topology? No. Do I need a physical PC to serve as a DHCP server? No I boot up VMWare and load a virtual instance. We all know what port FTP uses, we all understand the OSI model.

    I suggest you do some Googling on VMWare, GNS3 and Dynamips.
  • tech-airmantech-airman Member Posts: 953
    mattrgee,
    mattrgee wrote:
    Your missing the point here.

    The question is about exploring other possiblities. Do I need physical routers to create a topology? No.

    Actually yes. Cisco is testing if you understand their networking devices all the way down to the Physical Layer.
    mattrgee wrote:
    Do I need a physical PC to serve as a DHCP server? No I boot up VMWare and load a virtual instance.

    Yes, you will need a physical PC for your VMWare to run on.
    mattrgee wrote:
    We all know what port FTP uses, we all understand the OSI model.

    What port does FTP use? You still haven't explained how you're going to encapsulate the FTP packet into an FTP frame to travel down the patch cable to the NIC of the FTP server then decapsulate the frame up to the FTP application server?
    mattrgee wrote:
    I suggest you do some Googling on VMWare, GNS3 and Dynamips.

    You are being notified that you are not authorized to use Cisco IOS on a GNS3 and/or Dynamips computer because it is a violation of the Cisco End User License Agreement.

    Source:
    1. End User License Agreement [Products & Services] - Cisco Systems - http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
  • mattrgeemattrgee Member Posts: 201
    I don't know what question you are trying to answer tech-airman but it certainly isn't mine.

    Thanks for the reply Mamono, I'll look into it.

    Question Answered.
Sign In or Register to comment.