CISCO ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL (EIGRP)

EIGRP - Access Control (ACL)

An Access Control List (ACL) is an ordered list of rules widely used to filter traffic in a network. ACLs are configured on network equipment with packet-filtering capabilities, such as routers and firewalls. Each entry contains packet-classifying criteria (addresses, protocol, ports) and an action that decides whether matching traffic is permitted or denied; entries are checked top down, the first match wins, and a packet that matches no entry is dropped by the implicit deny at the end of every list. ACLs are applied per interface, to packets entering or leaving that interface.

To understand the benefits of using ACLs in your network, let's practise with the commands below, applied to the two-router topology shown in the picture.

  • hostname R1
    int e0/0
    ip add 12.1.1.1 255.255.255.0
    no shutdown
    int lo 0
    ip add 1.1.1.1 255.255.255.0
    no shutdown
    ! "do" runs an exec command from configuration mode
    do sh ip int brief
    do ping 12.1.1.2 source 1.1.1.1
    do ping 12.1.1.2 source 12.1.1.1

  • hostname R2
    int e0/0
    ip add 12.1.1.2 255.255.255.0
    no shutdown
    ! the next hop for 1.1.1.0/24 is R1 (12.1.1.1), not R2's own address
    ip route 1.1.1.0 255.255.255.0 12.1.1.1
    ! standard ACL 1: block the source 1.1.1.1, allow every other source
    access-list 1 deny host 1.1.1.1
    access-list 1 permit any
    int e0/0
    ip access-group 1 in
    ! repeat the two pings from R1: the one sourced from 1.1.1.1 now fails
    ! to remove the filter, unbind it from the interface before deleting the list
    ! (an interface bound to a list that no longer exists permits all traffic)
    no ip access-group 1 in
    exit
    no access-list 1

  • After learning how to define an ACL with two routers, let's apply it with three routers; see the picture below.

    After you have built the topology, follow the commands below.

  • Hostname R1
    int e0/0
    ip addr 12.1.1.1 255.255.255.0
    no shutdown
    int lo1
    ip addr 1.1.1.1 255.255.255.0
    no shutdown
    int lo2
    ip addr 2.2.2.2 255.255.255.0
    no shutdown
    router rip
    version 2
    network 12.1.1.0
    network 1.1.1.0
    network 2.2.2.0
    no auto-summary
    ! test all four source/destination pairs once R2's ACL 100 is in place:
    ! 1.1.1.1 -> 4.4.4.4 and 2.2.2.2 -> 3.3.3.3 are denied, the other two succeed
    do ping 3.3.3.3 source 1.1.1.1
    do ping 4.4.4.4 source 1.1.1.1
    do ping 3.3.3.3 source 2.2.2.2
    do ping 4.4.4.4 source 2.2.2.2
    ! telnet to R3's loopbacks; the vty password configured on R3 is cisco
    do telnet 4.4.4.4
    cisco
    do telnet 3.3.3.3
    cisco

  • Hostname R2
    int e0/0
    ip addr 12.1.1.2 255.255.255.0
    no shutdown
    int e0/1
    ip addr 23.1.1.2 255.255.255.0
    no shutdown
    router rip
    version 2
    network 12.1.1.0
    network 23.1.1.0
    no auto-summary
    ! extended ACL 100: wildcard 0.0.0.255 matches a whole /24; entries are
    ! checked top down, and the final permit is needed because every list
    ! ends with an implicit deny
    access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
    access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
    access-list 100 permit ip any any
    int e0/0
    ip access-group 100 in
    ! ACL 101 has no final permit, so it allows only telnet (TCP 23) to 3.3.3.0/24
    ! and drops every other packet that is checked against it
    access-list 101 permit tcp any 3.3.3.0 0.0.0.255 eq 23
    do show access-lists

  • The command show access-lists displays the configured access lists together with the match counter of each entry. Use the commands below to apply ACL 101 outbound on e0/1, then remove it from the interface again and confirm with show access-lists that the list itself still exists (unbinding a list does not delete it):

    • int e0/1
      ip access-group 101 out
      no ip access-group 101 out
      do show access-lists

    Next, build a named extended ACL, telnet-ac1, that blocks telnet to 4.4.4.0/24 while allowing everything else, and apply it outbound on e0/1:

    • ip access-list extended telnet-ac1
      deny tcp any 4.4.4.0 0.0.0.255 eq 23
      permit ip any any
      int e0/1
      ip access-group telnet-ac1 out
      ! from R1, telnet 3.3.3.3 still works while telnet 4.4.4.4 is refused

    Now remove telnet-ac1 from the interface with the commands below:

    • int e0/1
      no ip access-group telnet-ac1 out

  • Hostname R3
    int e0/0
    ip addr 23.1.1.3 255.255.255.0
    no shutdown
    int lo1
    ip addr 3.3.3.3 255.255.255.0
    no shutdown
    int lo2
    ip addr 4.4.4.4 255.255.255.0
    no shutdown
    router rip
    version 2
    network 23.1.1.0
    ! both loopbacks must be advertised, or R1 has no route to 3.3.3.3
    network 3.3.3.0
    network 4.4.4.0
    no auto-summary
    ! vty lines 0 to 4: password cisco, telnet only
    line vty 0 4
    password cisco
    login
    transport input telnet
    do show run

  • Exercise 1

    See the picture below.

    Once you understand the commands above, use an extended access list on the topology in the picture so that Router 1 can telnet to Router 3 but cannot ping Router 3. Follow the commands below:

    • hostname R1
      ip route 23.1.1.0 255.255.255.0 e0/0 12.1.1.2
      int e0/0
      ip addr 12.1.1.1 255.255.255.0
      no shutdown
      ! the ping is dropped by R2's ACL, the telnet session is allowed
      do ping 23.1.1.3
      do telnet 23.1.1.3

    • hostname R2
      ! named extended ACL "rule": only telnet from 12.1.1.0/24 to 23.1.1.0/24 is
      ! permitted; ICMP is denied explicitly, everything else by the implicit deny
      ip access-list extended rule
      permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23
      deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
      int e0/0
      ip access-group rule in
      ip addr 12.1.1.2 255.255.255.0
      no shutdown
      int e0/1
      ip addr 23.1.1.2 255.255.255.0
      no shutdown

    • hostname R3
      ip route 12.1.1.0 255.255.255.0 e0/0 23.1.1.2
      line vty 0 4
      password cisco
      login
      transport input telnet
      int e0/0
      ip addr 23.1.1.3 255.255.255.0
      no shutdown

  • Exercise 2

    You can see the picture below.

    After you have built the topology in the picture, practise by defining three rules. First, 172.16.4.0/24 cannot reach Router 1. Second, Linux 4 can ping Router 1 but Linux 5 cannot. Third, Linux 5 can telnet to Router 1 but Linux 4 cannot. Use the commands below:

    • Hostname R1
      ip route 172.16.4.0 255.255.255.0 e0/0 172.16.3.2
      int e0/0
      ip addr 172.16.3.1 255.255.255.0
      no shutdown
      line vty 0 4
      password cisco
      login
      ! the vty lines accept SSH only, which is why R2's ACL permits TCP port 22;
      ! SSH also needs a domain name and an RSA key pair on R1 (not shown here)
      transport input ssh

    • Hostname R2
      ! the first entry gets sequence number 10: deny everything from
      ! 172.16.4.0/24 to 172.16.3.0/24 (task 1)
      ip access-list extended rule
      deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
      int e0/0
      ip addr 172.16.3.2 255.255.255.0
      no shutdown
      int e0/1
      ip access-group rule in
      ip addr 172.16.4.2 255.255.255.0
      no shut
      exit
      ! re-enter the list and insert exceptions with sequence numbers lower than
      ! 10 so they are evaluated before the deny: ICMP from host 172.16.4.100
      ! only, and TCP port 22 from host 172.16.4.200 only
      ip access-list extended rule
      5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
      6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22

    • Linux 4
      ip addr add 172.16.4.200/24 brd + dev eth0
      ip route add default via 172.16.4.2
      timedatectl set-timezone Asia/Taipei
      systemctl restart ntp.service
      apt update
      apt install telnet
      # 172.16.4.200 is the host R2's ACL lets through on TCP port 22 only; a
      # telnet client to port 23 is dropped, so test the permitted port with
      # "telnet 172.16.3.1 22" and expect a connection refusal on port 23
      telnet 172.16.3.1

    • Linux 5
      ip addr add 172.16.4.100/24 brd + dev eth0
      ip route add default via 172.16.4.2
      timedatectl set-timezone Asia/Taipei
      systemctl restart ntp.service
      apt update
      apt install telnet
      # 172.16.4.100 is the only host whose ICMP R2's ACL permits, so this ping
      # succeeds while the same ping from 172.16.4.200 is dropped at R2
      ping 172.16.3.1
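All of the labs above depend on the same evaluation rules: entries are tried top down, the first match decides, a wildcard bit set to 1 is ignored, and a packet that matches nothing hits the implicit deny. The Python model below is an added example written for this page; it is not part of the original lab and not Cisco software. It transcribes ACL 1, ACL 100, ACL 101 and the Exercise 2 list rule exactly as configured above and replays the lab's pings and telnets (constructed inline as test packets) through them, including the sequence-number insertion that places entries 5 and 6 ahead of the deny at 10. The Packet, Entry and Acl names, and the host and ANY helpers, are my own.

```python
"""Model of Cisco IOS ACL evaluation (added example, not from the lab).

Semantics modelled: entries are checked top down, the first match wins,
a wildcard bit of 1 means "don't care", and a packet matching no entry
is dropped by the implicit deny at the end of every list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"


def host(addr: str) -> Tuple[str, str]:
    """IOS keyword "host": a single address, wildcard 0.0.0.0."""
    return addr, "0.0.0.0"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal base, a 1 bit is ignored."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return a & keep == b & keep


@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>" on the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


class Acl:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []

    def add(self, action, proto, src, src_wc, dst, dst_wc,
            dport=None, seq=None) -> "Acl":
        # Without an explicit sequence number IOS appends 10 past the last
        # entry; an explicit number inserts the entry at that position.
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 10
        self.entries.append(Entry(seq, action, proto, src, src_wc, dst, dst_wc, dport))
        self.entries.sort(key=lambda e: e.seq)
        return self

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching entry; seq None means
        the packet fell through to the implicit deny."""
        for e in self.entries:
            if e.matches(p):
                return e.action, e.seq
        return "deny", None


# The lab's lists, transcribed from the configurations above.
def lab_acl_1() -> Acl:
    # a standard ACL checks the source only, so the destination is "any"
    return (Acl("1")
            .add("deny", "ip", *host("1.1.1.1"), *ANY)
            .add("permit", "ip", *ANY, *ANY))


def lab_acl_100() -> Acl:
    return (Acl("100")
            .add("deny", "icmp", "1.1.1.0", "0.0.0.255", "4.4.4.0", "0.0.0.255")
            .add("deny", "icmp", "2.2.2.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")
            .add("permit", "ip", *ANY, *ANY))


def lab_acl_101() -> Acl:
    # no final permit: everything but telnet to 3.3.3.0/24 hits the implicit deny
    return Acl("101").add("permit", "tcp", *ANY, "3.3.3.0", "0.0.0.255", dport=23)


def exercise2_rule() -> Acl:
    acl = Acl("rule").add("deny", "ip", "172.16.4.0", "0.0.0.255",
                          "172.16.3.0", "0.0.0.255")            # becomes seq 10
    acl.add("permit", "icmp", *host("172.16.4.100"), "172.16.3.0", "0.0.0.255", seq=5)
    acl.add("permit", "tcp", *host("172.16.4.200"), "172.16.3.0", "0.0.0.255",
            dport=22, seq=6)
    return acl


if __name__ == "__main__":
    # constructed test packets mirroring the pings and telnets in the lab
    for name, acl, pkt in [
        ("ACL 100", lab_acl_100(), Packet("icmp", "1.1.1.1", "4.4.4.4")),
        ("ACL 100", lab_acl_100(), Packet("icmp", "2.2.2.2", "4.4.4.4")),
        ("ACL 101", lab_acl_101(), Packet("icmp", "1.1.1.1", "3.3.3.3")),
        ("rule", exercise2_rule(), Packet("icmp", "172.16.4.200", "172.16.3.1")),
        ("rule", exercise2_rule(), Packet("tcp", "172.16.4.200", "172.16.3.1", 22)),
    ]:
        print(name, pkt.proto, pkt.src, "->", pkt.dst, acl.evaluate(pkt))
```

Running the file prints which entry (or the implicit deny) decides each of the lab's test flows. The model deliberately tracks the winning sequence number, because on a real router the matching counter of that entry is what show access-lists increments, which is the quickest way to confirm that an inserted entry such as 5 or 6 is being hit before the deny at 10.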