No muss, and just a little fuss with thinking about SNMP, today’s lab is mostly about how to match packets with an extended numbered ACL. Do the lab for yourself, and check here when you’re done.
Answers
Figure 1: Two Router ROAS Topology
Example 5: R1 Config
interface GigabitEthernet0/2.3
 ip access-group ThisACL in
!
ip access-list extended ThisACL
 permit tcp host 10.0.3.100 eq telnet 20.0.2.0 0.0.0.255
 permit tcp host 10.0.3.100 eq 22 20.0.2.0 0.0.0.255
 permit udp host 10.0.3.100 eq snmp 20.0.2.0 0.0.0.255
 deny tcp 10.0.3.0 0.0.0.255 eq telnet 20.0.2.0 0.0.0.255
 deny tcp 10.0.3.0 0.0.0.255 eq 22 20.0.2.0 0.0.0.255
 deny udp 10.0.3.0 0.0.0.255 eq snmp 20.0.2.0 0.0.0.255
 permit ip any any
Commentary
The primary use of access lists is to control which traffic is allowed to enter and leave the interfaces of a device. On Cisco devices there are a number of different ways to configure them; for IPv4 the two main methods are standard and extended ACLs. Standard ACLs are simpler and only match on the source IP host or network of the traffic. Extended ACLs are more complex and can match on both the source and destination host or network, as well as on the protocol being used (and, for TCP and UDP, on source and destination ports). It is important to note, however, that ACLs are not limited to blocking or permitting specific traffic; they are also used by a number of other features, from Network Address Translation (NAT) to route-maps.
With this lab you were tasked with configuring an extended named ACL that would be used to block specific traffic. In particular, the two requirements ask that you match packets coming from servers, which means that the source TCP or UDP port in those packets will be used to match the well-known ports used by those servers. The first requirement asked you to match packets from a specific server, while the second requirement asked that you match packets coming from an entire subnet.
For that first requirement, you needed to match the specific server address (10.0.3.100) with the host 10.0.3.100 parameters, and the destination subnet with the 20.0.2.0 0.0.0.255 parameters. Beyond that, for three consecutive commands, the ACL needed a separate statement to match each service noted in the requirements, for the well-known port used by Telnet (23), SSH (22), and SNMP (161), and for the correct transport protocols (see example 1). Because the packets come from the servers, the eq keyword sits immediately after the source address, so it matches the source port.
For the second requirement, the logic works the same, except that the source field in each case matches the source subnet with the 10.0.3.0 0.0.0.255 parameters.
The last step is to apply the ACL to the appropriate interface. It is considered best practice to apply standard ACLs to the interface that is closest to the destination and extended ACLs to the interface that is closest to the source. In this case, since you are configuring an extended ACL, you are looking for the interface that is closest to the source. Since R1 is configured with a Router-on-a-Stick (ROAS) configuration, the closest interface would be a sub-interface, not a physical interface. The source network is 10.0.3.0/24, which is located off R1's G0/2.3 sub-interface, so the answer applies the ACL inbound on this interface using the ip access-group ThisACL in command.
Finally, note that this lab glossed over one SNMP issue. As worded, the lab exercise requirements mentioned Telnet, SSH and SNMP servers. As it turns out, SNMP does not often use client and server terms. However, the device using well-known UDP port 161, which is matched by an IOS ACL with the snmp keyword, is the SNMP agent running on the networking device. So, in the literal sense, the ACL listed here is correct. However, many people incorrectly think of the Network Management Station as the server; if that was your intent, then note that the NMS would not send packets with source UDP port 161, but rather with destination UDP port 161 when communicating to SNMP agents throughout the network.
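To make the matching logic above concrete (first-match evaluation, the wildcard mask, and the difference between a source-port and a destination-port match from the SNMP note), here is a small Python model of how IOS evaluates the lab's ACL. It is an added example, not code from the original post or from Cisco; the ACL text is the one in Example 5, and the sample packets are constructed for illustration. It assumes only contiguous wildcard masks and the address/port syntax used in this lab, not the full IOS ACL grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords as IOS resolves them for the entries used in this lab
PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    sport: Optional[int] = None   # "eq" right after the source address
    dport: Optional[int] = None   # "eq" right after the destination address


def parse_address(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A contiguous wildcard mask is the bitwise inverse of a subnet mask
    mask_int = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.ip_address(mask_int))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    t = line.split()
    src, i = parse_address(t, 2)
    sport, i = parse_port(t, i)
    dst, i = parse_address(t, i)
    dport, i = parse_port(t, i)
    return Ace(t[0], t[1], src, dst, sport, dport)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None


# The ACL from Example 5 (entry order matters)
ACL_LINES = [
    "permit tcp host 10.0.3.100 eq telnet 20.0.2.0 0.0.0.255",
    "permit tcp host 10.0.3.100 eq 22 20.0.2.0 0.0.0.255",
    "permit udp host 10.0.3.100 eq snmp 20.0.2.0 0.0.0.255",
    "deny tcp 10.0.3.0 0.0.0.255 eq telnet 20.0.2.0 0.0.0.255",
    "deny tcp 10.0.3.0 0.0.0.255 eq 22 20.0.2.0 0.0.0.255",
    "deny udp 10.0.3.0 0.0.0.255 eq snmp 20.0.2.0 0.0.0.255",
    "permit ip any any",
]
THIS_ACL = [parse_ace(line) for line in ACL_LINES]

if __name__ == "__main__":
    # Constructed sample packets, as seen inbound on G0/2.3
    samples = {
        "telnet reply from the permitted server": Packet("tcp", "10.0.3.100", "20.0.2.10", 23, 51000),
        "telnet reply from another 10.0.3.0/24 host": Packet("tcp", "10.0.3.50", "20.0.2.10", 23, 51000),
        "SNMP agent reply (source port 161)": Packet("udp", "10.0.3.50", "20.0.2.1", 161, 52000),
        "NMS poll to an agent (destination port 161)": Packet("udp", "10.0.3.50", "20.0.2.1", 52000, 161),
    }
    for label, pkt in samples.items():
        print(f"{label}: {evaluate(THIS_ACL, pkt)}")
```

The last two sample packets illustrate the closing point of the commentary: an agent replying from UDP source port 161 is matched by the deny entry, while an NMS poll toward port 161 carries an ephemeral source port, falls through to permit ip any any, and is not affected by this ACL at all.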