From: George Goglidze (goglidze@gmail.com)
Date: Sun Oct 07 2007 - 10:53:37 ART
Hi all,
In ipexpert lab 9 task 2:
Create an access-list on R4 named lambeau. The access-list should permit web
and ftp traffic
for all the users on the 10.1.1.0/24 network (there are web/ftp clients and
servers on the 10.1.1.0/24 network).
There is a possibility that in the future another router will be added on
the 10.1.1.0/24 network
and it will want to join the OSPF network so OSPF traffic should also be
allowed.
All other traffic should be denied at the earliest point on R4 (no traffic
that is prohibited should reach the routing engine).
All routing adjacencies must be maintained.
ipexpert gives us the following solution to this problem:
!
interface FastEthernet0/0
ip address 10.10.1.4 255.255.255.0
ip access-group lambeau in
duplex auto
speed auto
!
ip access-list extended lambeau
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq ftp
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
remark those three lines cover stuff the users generate
permit tcp 10.1.1.0 0.0.0.255 eq www any
remark that line covers the replies from web servers on the inside
permit tcp 10.1.1.0 0.0.0.255 any established
remark that line is necessary for the FTP server responses since ports vary
permit ospf 10.1.1.0 0.0.0.255 any
---------------------
I think they don't meet all the requirements, and I need your opinion on
this one.
1)
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq ftp
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
These are not correct, because the traffic is coming from port 80/21/20, not
going to these ports.
It should be like this:
permit tcp 10.1.1.0 0.0.0.255 eq www any
permit tcp 10.1.1.0 0.0.0.255 eq ftp any
permit tcp 10.1.1.0 0.0.0.255 eq ftp-data any
2)
permit tcp 10.1.1.0 0.0.0.255 eq www any
permit tcp 10.1.1.0 0.0.0.255 any established
After our corrections in step 1 we don't need these anymore.
Also, it would not be correct because the traffic is coming in from
interface s1/0 and we don't put this access-list on s1/0.
So the last requirement, that traffic should not get to the routing engine, is
not met.
The routing table will be looked up, and after trying to pass int f0/0 it will
be dropped/allowed.
What I would really do is put the ACL on s1/0 in the IN direction and change it
the following way:
ip access-list extended lambeau
permit tcp any 10.10.1.0 0.0.0.255 eq ftp
permit tcp any 10.10.1.0 0.0.0.255 eq ftp-data
permit tcp any 10.10.1.0 0.0.0.255 eq www
deny ip any 10.10.1.0 0.0.0.255
permit ip any any
!
Please tell me what you think about this.
Thanks a lot.
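As an added example (not part of George's post, the ipexpert solution, or IOS itself), the following Python models how an IOS extended access list is evaluated: top-down first match, implicit deny at the end, wildcard masks, the `eq` port operator and `established` (TCP ACK or RST flag set). It runs a few constructed packets (192.0.2.0/24 stands in for "outside") through both lists quoted above, so the entry each packet hits can be checked before a list goes on a router. The model deliberately has no notion of interface or direction, so the inbound-on-s1/0 versus inbound-on-f0/0 part of the argument still has to be reasoned about by hand; the port and protocol numbers are the standard IOS keyword values.

```python
"""Toy model of IOS extended ACL matching: first match wins, implicit deny at the end.
Added illustration, not code from the post or from ipexpert; interfaces/direction are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}          # IOS keyword -> port
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "ospf": 89}  # None = any protocol
MASK32 = 0xFFFFFFFF

# The two lists as quoted in the post (remarks included to show they are skipped).
IPEXPERT_ACL = """
ip access-list extended lambeau
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
 remark those three lines cover stuff the users generate
 permit tcp 10.1.1.0 0.0.0.255 eq www any
 remark that line covers the replies from web servers on the inside
 permit tcp 10.1.1.0 0.0.0.255 any established
 remark that line is necessary for the FTP server responses since ports vary
 permit ospf 10.1.1.0 0.0.0.255 any
"""
PROPOSED_ACL = """
ip access-list extended lambeau
 permit tcp any 10.10.1.0 0.0.0.255 eq ftp
 permit tcp any 10.10.1.0 0.0.0.255 eq ftp-data
 permit tcp any 10.10.1.0 0.0.0.255 eq www
 deny ip any 10.10.1.0 0.0.0.255
 permit ip any any
"""

@dataclass
class Packet:
    proto: int               # IP protocol number (6 = TCP, 89 = OSPF)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # what the 'established' keyword tests

@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]
    established: bool
    text: str

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, MASK32
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq <port>' operator; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips the list header, remarks and blank lines
        rest = tokens[2:]
        src_net, src_wild = _addr(rest)
        sport = _port(rest)
        dst_net, dst_wild = _addr(rest)
        dport = _port(rest)
        entries.append(Entry(tokens[0], PROTO_NAMES[tokens[1]], src_net, src_wild, sport,
                             dst_net, dst_wild, dport, "established" in rest, raw.strip()))
    return entries

def _in_range(addr: int, net: int, wild: int) -> bool:
    care = ~wild & MASK32  # wildcard bits set to 1 are "don't care"
    return (addr & care) == (net & care)

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto is None or e.proto == p.proto)
            and _in_range(int(ipaddress.IPv4Address(p.src)), e.src_net, e.src_wild)
            and _in_range(int(ipaddress.IPv4Address(p.dst)), e.dst_net, e.dst_wild)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.ack_or_rst))

def evaluate(entries, p: Packet):
    """Return (action, text of the matching entry); unmatched packets hit the implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed sample: an outside client opening a connection to an inside web server.
    pkt = Packet(6, "192.0.2.5", "10.1.1.20", 40000, 80)
    print("ipexpert list:", evaluate(parse_acl(IPEXPERT_ACL), pkt))
    print("proposed list:", evaluate(parse_acl(PROPOSED_ACL), Packet(6, "192.0.2.5", "10.10.1.20", 40000, 80)))
```

Feeding the same packets through both lists makes the difference concrete: under the ipexpert list an outside client's SYN towards an inside web server matches nothing and falls to the implicit deny, while the inside server's reply (source port 80, ACK set) is what the `eq www any` and `established` entries actually cover.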
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART