Subnetting - Access Control List question.

overkastoverkast Member Posts: 3 ■□□□□□□□□□
Hi People,

I'm not afraid to admit I need some help. Guys i need some help! lol
I really need to see the correct answer for this lab (see URL) (All configuring of routers - setting up network, also ACL) - also if somebody could show me their "working out" they used to solve this problem.

http://www.west-net.com.au/Private/Lab.gif

Is there any chance somebody could help me out?

Thanks for your time,
Overkast

Comments

  • sikdoggsikdogg Member Posts: 43 ■■□□□□□□□□
    Given that you have a full class B network to to use and you only have 4 segments to address, the simplest solution is to use a 24 bit mask. This will give you 256 networks with 254 hosts each. This is somewhat of an overkill for the point-to-point links, but it will get the job done. This is not necessarily the best use of IP addresses and would not be done in a real environment, but for the lab it makes things easier.

    I would start by assigning 167.45.1.0/24 to the Melbourne Ethernet segment. 167.45.2.0/24 to the link between Melbourne and Adelaide. 167.45.3.0/24 to the link between Adelaide to Perth. Finally, 167.45.4.0/25 to the Perth Ethernet segment.

    I would assign IP addresses to each router's interfaces in the following manner:
    Melbourne E0: 167.45.1.1/24
    Melbourne S1: 167.45.2.2/24
    Adelaide S0: 167.45.2.1/24
    Adelaide S1: 167.45.3.1/24
    Perth S0: 167.45.3.2/24
    Perth E0: 167.45.4.1/24

    Once the interface addressing is complete, you must decide how to route (static or dynamic). For simplicity, let's use static routes.
    Melbourne router: ip route 0.0.0.0 0.0.0.0 167.45.2.1
    Adelaide router: ip route 167.45.1.0 255.255.255.0 167.45.2.2
    ip route 167.45.4.0 255.255.255.0 167.45.3.2
    Perth router: ip route 0.0.0.0 0.0.0.0 167.45.3.1
    This should allow you to ping any router interface from any router.

    Next is the Access-list. Since you want to specify a port (telnet or port 23) to permit or deny, you must use an extended IP access-list. You can either create the access-list on the Perth and Melbourne routers and apply it outbound on their serial interfaces, or configure them on the Adelaide router and apply the lists inbound on the serial interfaces. I would choose to the latter and configure the ACLs on the Adelaide router as follows:

    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.2.1 eq 23
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.3.1 eq 23
    access-list 101 permit ip any any
    conf t
    int s0
    ip access-group 101 in

    access-list 102 deny tcp 167.45.4.0 0.0.0.127 host 167.45.3.1 eq 23
    access-list 102 deny tcp 167.45.4.0 0.0.0.127 host 167.45.2.1 eq 23
    access-list 102 permit ip any any
    conf t
    int s1
    ip access-group 102 in
    (You could also combine both access-lists into one larger list and apply the one list inbound on both serial interfaces)

    That should do the trick. I didn't try this on my lab, but it should work fine. It should also work if you choose to use a dynamic routing protocol (RIP or IGRP). If you do choose to use a dynamic routing protocol, you could opt to apply the access-lists as distribute-lists.
  • overkastoverkast Member Posts: 3 ■□□□□□□□□□
    Your a champ SIKDOGG

    I really appreciate the effort you went to to explain it in such detail. I should have said that I was only needing to configure the Perth Terminal.

    One question -
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.2.1 eq 23
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.3.1 eq 23
    access-list 101 permit ip any any
    conf t
    int s0
    ip access-group 101 in

    Is the eq 23 the only way to clarify it being TELNET? or can you have
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.2.1 eq telnet
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.3.1 eq telnet
    access-list 101 permit ip any any
    conf t
    int s0
    ip access-group 101 in

    Thanks a lot - once again!

    Cheers,
    Overkast
  • sikdoggsikdogg Member Posts: 43 ■■□□□□□□□□
    Is the eq 23 the only way to clarify it being TELNET? or can you have
    access-list 101 deny tcp 167.45.1.0 0.0.0.127 host 167.45.2.1 eq telnet



    Yes, that would work as well (depending on the version of IOS that you have running), especially if you're running a fairly current version of IOS. In fact, if you use the port number, the IOS may actually change it to the known service name.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    You can display the list of TCP or UDP ports if you type a ? in the place of a port number in the command. I'm working on an extensive Access List TechNote which should be finished today or tomorrow :)

    Johan
Sign In or Register to comment.