Demonstrate the use of Lock-and-Key security (dynamic access lists).
Equipment Requirements:
  Two routers
  One switch with two VLANs set, or two switches, or two hubs
  Two workstations
Preliminary:
Construct the above network, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers.
The router IP configurations are as follows:

  Router-A                    Router-B
  E0 = 172.32.4.1             E0 = 172.32.2.1
  S0 = 172.32.3.1             S1 = 172.32.3.2
  SM = 255.255.255.0          SM = 255.255.255.0
When construction of the network is complete, verify that the routers can communicate and are sharing their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use the show ip route command, the show interfaces command, the show running-configuration command, ping, telnet, and any other relevant command(s).
Scenario:
For this lab we will be using Router-B as the border router, where we will configure the lock-and-key security (dynamic access list). We want to prevent the users in subnetwork 172.32.2.0 from accessing the rest of the network unless they have the correct username and password.
From the "Router-B" console:
Step 1
Enter the EXEC mode.
Step 2
Enter the configuration mode by entering the configure terminal command at the router prompt.
Step 3
Set up the access list.
Enter access-list 103 permit tcp any host 172.32.2.1 eq telnet
What does this one line of the access list do?
Enter access-list 103 dynamic mytest103 timeout 5 permit ip any any
What does this one line of the access list do?
Step 4
Apply the access list to the correct interface, and in the correct direction.
Enter interface ethernet 0
Enter ip access-group 103 in
Enter exit
Will the access list be applied to information coming into interface e0, or to information going out of interface e0?
Step 5
Define the virtual terminals that will be used for Lock-and-Key.
Enter line vty 0 3
Enter login local
Enter autocommand access-enable host timeout 2
Enter exit
Note: If we left out the word "host", then as soon as anyone entered a correct lock-and-key username and password, everyone on the subnetwork would have access to the rest of the network.
Which virtual terminals did we use for lock-and-key?
In the last command that we entered, what does the "timeout 2" mean?
Step 6
Configure user authentication for all users required.
Enter username john password doe
Enter username mary password jane
Enter CTRL-Z
Enter copy running-configuration startup-configuration
Why did we copy the running configuration to the startup config?
Step 7
Verify that lock-and-key is working correctly.
From a workstation on subnetwork 172.32.2.0:
Try to ping the workstation on subnetwork 172.32.4.0
Were you successful?
Try to telnet to 172.32.3.1 (Router-A)
Were you successful?
Telnet to 172.32.2.1 (Router-B)
Enter username john
Enter password doe
What happened next?
Now try to ping the workstation on subnet 172.32.4.0
Were you successful?
Now try to telnet to 172.32.3.1 (Router-A)
Were you successful?
Why were you successful this time?
Step 8
Check the access list on the router.
From the Router-B EXEC prompt:
Enter show access-lists
What has changed in the access list?
Enter clear access-template 103 mytest103 host x.x.x.x any
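The Router-B lock-and-key configuration from Steps 3 to 6, collected into one block as an added reference (this is not part of the original handout). The addresses, usernames and list number are the lab's own; the host address 172.32.2.10 in the final clear command is a constructed example, and the `!` lines are comments explaining the security-relevant effect of each statement.

```cisco
! Router-B: lock-and-key (dynamic ACL) fragment covering Steps 3-6.
! Added reference block, not part of the original handout.
!
! Static entry first: lets any host on 172.32.2.0 reach the router's
! own E0 address on port 23 so that it can authenticate. Nothing else
! passes inbound until a temporary (dynamic) entry exists.
access-list 103 permit tcp any host 172.32.2.1 eq telnet
!
! Dynamic template. "timeout 5" is the ABSOLUTE lifetime in minutes
! of any temporary entry created from it, regardless of activity.
access-list 103 dynamic mytest103 timeout 5 permit ip any any
!
interface ethernet 0
 ip address 172.32.2.1 255.255.255.0
 ! "in" filters traffic arriving from the 172.32.2.0 workstations.
 ip access-group 103 in
!
username john password doe
username mary password jane
!
line vty 0 3
 login local
 ! "host" narrows the temporary entry to the source address of the
 ! host that authenticated. Without it the entry is the template's
 ! "permit ip any any", so one successful login opens the path for
 ! the whole subnetwork.
 ! "timeout 2" is the IDLE timeout in minutes; keep it below the
 ! absolute timeout (5) set on the dynamic entry.
 autocommand access-enable host timeout 2
!
! Caveat: every session on vty 0-3 runs the autocommand and is then
! closed, so leave at least one vty without it for administration.
!
! Verification and cleanup from privileged EXEC (not config) mode:
! show access-lists                -> shows temporary entries created
! clear access-template 103 mytest103 host 172.32.2.10 any
!   -> removes the temporary entry for that one host immediately
!   (172.32.2.10 is a constructed example address)
```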