Demonstrate the use of Reflexive Access Control Lists.
Equipment Requirements:
Two routers
One switch with two VLANs set, or two switches, or two hubs
Two workstations
Preliminary:
Construct the above network, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers. The router IP configurations are as follows:
Router-A: E0=172.32.4.1, S0=172.32.3.1, SM=255.255.255.0
Router-B: E0=172.32.2.1, S1=172.32.3.2, SM=255.255.255.0
When construction of the network is complete, verify that the routers can communicate and are sharing their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use the show ip route command, the show interfaces command, the show running-configuration command, ping, telnet, and any other relevant command(s).
Scenario:
For this lab we will be using Router-B as the border router where we will configure the reflexive access list. We want to prevent the users outside of subnetwork 172.32.2.0 from accessing subnetwork 172.32.2.0. However, the users inside the subnetwork need to have access out and be able to receive information back.
From the "Router-B" console:
Step 1
Enter the EXEC mode.
Step 2
Enter the configuration mode by entering the configure terminal command at the router prompt.
Step 3
Determine whether the access list should be applied to an internal interface or an external interface, and set up the access lists accordingly. We will need to configure both an inbound access list and an outbound access list. For this example the outbound access list will be used to modify the inbound access list.
Note: We will be using named access lists for this example.
Enter ip access-list extended filterincoming
What happens to the router prompt?
Enter permit igrp any any
Why would we want to permit igrp on our incoming access list?
Enter evaluate internaltraffic
Describe how this access control list will work.
Enter exit
Enter ip access-list extended filteroutgoing
How does the prompt change?
Enter permit tcp any any reflect internaltraffic
What does this statement in the access list do?
Enter exit
Step 4
Apply the access lists to the correct interface, and in the correct direction.
Enter interface serial 1
Enter ip access-group filterincoming in
Enter ip access-group filteroutgoing out
Enter exit
Which access list will be applied to information coming into interface S1?
Which access list will be applied to information going out of interface S1?
Step 5
Set global timeout values.
Enter ip reflexive-list timeout 120
How long does it take for the reflexive access list to expire?
Enter CTRL-Z
Enter copy running-configuration startup-configuration
Why did we copy the running configuration to the startup config?
Step 6
Verify that the reflexive access list is working correctly. From the console on Router-B:
Enter show access-list
What does the router respond with?
From a workstation on subnetwork 172.32.4.0, try to ping the workstation on subnetwork 172.32.2.0.
Were you successful?
Try to telnet to 172.32.2.1 (Router-B).
Were you successful?
From a workstation on subnet 172.32.2.0, now try to ping the workstation on subnet 172.32.4.0.
Were you successful?
Now try to telnet to 172.32.3.1 (Router-A).
Were you successful?
Why were you successful this time?
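As an added example (not part of the lab material), the following Python model shows what Router-B's two lists do to transit packets on S1: IGRP is let in unconditionally, an outbound TCP session creates a mirrored temporary entry in internaltraffic that expires after 120 idle seconds, and anything else hits the implicit deny. The workstation addresses and ports are constructed for illustration.

```python
"""Model of the reflexive ACL configured on Router-B in this lab (added example)."""
from dataclasses import dataclass, field

REFLEXIVE_TIMEOUT = 120  # seconds, as set by 'ip reflexive-list timeout 120'


@dataclass
class Pkt:
    proto: str          # 'tcp', 'icmp' or 'igrp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class RouterB:
    # Temporary reflexive entries: (proto, src, dst, sport, dport) -> expiry time.
    internaltraffic: dict = field(default_factory=dict)

    def outbound(self, p: Pkt, now: float) -> bool:
        """filteroutgoing, applied 'out' on S1: permit tcp any any reflect internaltraffic.
        Only transit packets are modelled; IOS does not pass router-generated traffic
        (such as Router-B's own IGRP updates) through an outbound ACL."""
        if p.proto == "tcp":
            # The reflected entry mirrors the session: addresses and ports are swapped.
            key = ("tcp", p.dst, p.src, p.dport, p.sport)
            self.internaltraffic[key] = now + REFLEXIVE_TIMEOUT
            return True
        return False  # implicit deny: ICMP from inside is not permitted out by this list

    def inbound(self, p: Pkt, now: float) -> bool:
        """filterincoming, applied 'in' on S1: permit igrp any any, then evaluate internaltraffic."""
        if p.proto == "igrp":
            return True  # routing updates from Router-A must keep flowing
        # Drop entries that have seen no traffic for the timeout period.
        self.internaltraffic = {k: t for k, t in self.internaltraffic.items() if t > now}
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.internaltraffic:
            self.internaltraffic[key] = now + REFLEXIVE_TIMEOUT  # matching traffic refreshes the timer
            return True
        return False  # implicit deny: unsolicited traffic from outside 172.32.2.0
```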
Step 7
Check the access list on the router.
From the Router-B EXEC prompt