Tuesday, April 12, 2016

CCNAv2 Completed Packet Tracer 9.5.2.6

Greetings, and welcome to Seeseenayy.

Packet Tracer Details: This Packet Tracer asks us to finish the addressing scheme, configure routing, and implement named access control lists on both routers and any other affected devices. This PT is only harder because of how much there is to do; in summary, all we really have to configure is OSPF, the ACLs, and a few odds and ends.

Below you will find a download of the completed Packet Tracer file. It is recommended that you read the tutorial, as it explains how this ACL is configured.


Download(s)

Alternatively, you may use the commands from the tutorial.

Tutorial / Walk-through 
This Packet Tracer demonstrates how to use ACLs with IPv6 addresses. The method is generally similar or the same as for IPv4, but there are some differences in syntax. We've seen this type of formatting change before, for example between OSPF's IPv6 and IPv4 configuration.

Create an ACL, and remember to use the correct formatting, as this is an IPv6
R1>en
R1#conf t
R1(config)#ipv6 access-list BLOCK_HTTP
R1(config-ipv6-acl)#deny tcp any host 2001:db8:1:30::30 eq www
R1(config-ipv6-acl)#deny tcp any host 2001:db8:1:30::30 eq 443
R1(config-ipv6-acl)#permit ipv6 any any 

So, I have a question for you, reader. 

The purpose of the ACL was to stop a DoS attack on Server 3 from a computer with the address "2001:DB8:1:11::0/64", right?
So PC1 should be able to visit the website, but PC2 should not be able to.
After all, you made an ACL for this, correct? Well... try to connect to the website from PC2. Does your ACL work?

It shouldn't, unless you've already done the next step.

So...
PC2 is the source of the problem, so we need to apply this ACL on the interface facing it.
The interface that houses PC2 is G0/1, so apply the ACL there.

R1(config)#int g0/1
R1(config-if)#ipv6 traffic-filter BLOCK_HTTP in

Good! So let's go into R3 to complete the next step (blocking ICMP).
R3>en
R3#conf t
R3(config)#ipv6 access-list BLOCK_ICMP
R3(config-ipv6-acl)#deny icmp any any
R3(config-ipv6-acl)#permit ipv6 any any

Though... something is wrong...
The traffic leaving G0/0 (the segment we need to secure) is outbound, therefore we need to block outbound pings, as follows.

R3(config-ipv6-acl)#int g0/0
R3(config-if)#ipv6 traffic-filter BLOCK_ICMP out
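To see why the interface and direction matter as much as the entries themselves, here is a small Python model of how a router evaluates the two named lists above. It is an added example, not code from the post or from Cisco: it walks each ACL top to bottom, stops at the first match, falls through to the implicit deny, and only consults a list on the interface and direction it was applied to with `ipv6 traffic-filter`. Only Server 3's address (2001:db8:1:30::30), PC2's /64, R1's G0/1 and R3's G0/0 come from the post; the PC1 and R3-LAN host addresses and the other interface names are constructed assumptions.

```python
# Toy model of how IOS evaluates an IPv6 access list applied to an interface
# with `ipv6 traffic-filter`. Added example; not part of the original post.
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import Optional

ANY = IPv6Network("::/0")


def host(addr: str) -> IPv6Network:
    """The `host X` keyword: a /128 match on a single address."""
    return IPv6Network(addr + "/128")


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "icmp", or "ipv6" (any protocol)
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ipv6" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in e.src or ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; a list with no match ends in an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


SERVER3 = "2001:db8:1:30::30"   # from the post

BLOCK_HTTP = [  # R1's list, as configured above
    Entry("deny", "tcp", ANY, host(SERVER3), 80),    # eq www
    Entry("deny", "tcp", ANY, host(SERVER3), 443),
    Entry("permit", "ipv6", ANY, ANY),
]
BLOCK_ICMP = [  # R3's list
    Entry("deny", "icmp", ANY, ANY),
    Entry("permit", "ipv6", ANY, ANY),
]

# (router, interface, direction) -> ACL, mirroring the two traffic-filter commands
TRAFFIC_FILTER = {
    ("R1", "g0/1", "in"): BLOCK_HTTP,
    ("R3", "g0/0", "out"): BLOCK_ICMP,
}


def forward(router: str, ingress: str, egress: str, p: Packet) -> str:
    """Check the inbound filter on the ingress interface, then the outbound
    filter on the egress interface, the order a router applies them in."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = TRAFFIC_FILTER.get((router, iface, direction))
        if acl is not None and evaluate(acl, p) == "deny":
            return "dropped"
    return "forwarded"


# Constructed sample hosts (only SERVER3 and PC2's /64 come from the post);
# interface names other than R1 g0/1 and R3 g0/0 are assumptions.
PC1 = "2001:db8:1:10::10"          # assumed to sit behind R1 g0/0
PC2 = "2001:db8:1:11::11"          # a host in the post's 2001:DB8:1:11::/64
LAN_HOST_R3 = "2001:db8:1:40::40"  # a host on R3's g0/0 segment


def demo() -> dict:
    return {
        "pc2_http":           forward("R1", "g0/1", "s0/0/0", Packet(PC2, SERVER3, "tcp", 80)),
        "pc2_https":          forward("R1", "g0/1", "s0/0/0", Packet(PC2, SERVER3, "tcp", 443)),
        "pc2_ssh":            forward("R1", "g0/1", "s0/0/0", Packet(PC2, SERVER3, "tcp", 22)),
        "pc1_http":           forward("R1", "g0/0", "s0/0/0", Packet(PC1, SERVER3, "tcp", 80)),
        "ping_into_r3_lan":   forward("R3", "s0/0/1", "g0/0", Packet(PC1, LAN_HOST_R3, "icmp")),
        "ping_out_of_r3_lan": forward("R3", "g0/0", "s0/0/1", Packet(LAN_HOST_R3, PC1, "icmp")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Running it shows PC2's web traffic dropped while its other traffic and PC1's web traffic go through, and pings dropped only when they leave R3 through G0/0, not when they enter it there. One caveat the model leaves out: on a real IOS router, `deny icmp any any` placed ahead of `permit ipv6 any any` also matches IPv6 Neighbor Discovery (which is carried in ICMPv6), so hosts on that segment can lose address resolution; a production filter permits `icmp any any nd-na` and `icmp any any nd-ns` explicitly before the deny.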

2 comments:

  1. Why is g0/0 a better option?

    I felt like s0/0/1 would have been the better option. The reason I thought that was the better option is that if filtering is done on s0/0/1 (inbound), ICMP packets are dropped immediately when they arrive.

    Applying it on G0/0 means the ICMP packets will be passed on to the outgoing interface, and then ACL filtering takes place. This results in unnecessary processing.

    Can you explain to me why G0/0 (outbound) is the better option?

    Replies
    1. For at least one reason, I reckon that the other segment of the network would require access that the ACL has denied.


Feel free to comment if you have a question, commendation, or concern. We love to hear your feedback!

Please do not share links to external websites if it not relevant to discussion. We reserve our right to remove any content we deem advertising.