CISCO ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL (EIGRP)
EIGRP - Access Control (ACL)
An Access Control List (ACL) is an ordered series of rules widely used to filter traffic in a network. ACLs can be configured on network equipment with packet-filtering capabilities, such as routers and firewalls. An ACL is a list of packet-classifying criteria that lets you decide whether network traffic should be permitted or denied. ACLs are applied per interface, to packets entering or leaving that interface.

To understand the benefits of using ACLs in your network, let's practice by applying the following commands to the topology below (R1 and R2 connected over e0/0):
hostname R1
int e0/0
ip add 12.1.1.1 255.255.255.0
no shutdown
int lo 0
ip add 1.1.1.1 255.255.255.0
no shutdown
do sh ip int brief
! the ping sourced from 1.1.1.1 only succeeds once R2 has a route back to 1.1.1.0/24
do ping 12.1.1.2 source 1.1.1.1
do ping 12.1.1.2 source 12.1.1.1
hostname R2
int e0/0
ip add 12.1.1.2 255.255.255.0
no shutdown
! the next hop for 1.1.1.0/24 is R1's address 12.1.1.1, not R2's own 12.1.1.2
ip route 1.1.1.0 255.255.255.0 12.1.1.1
! ACL 1 drops packets sourced from 1.1.1.1 and allows everything else; the ping from R1
! sourced from 1.1.1.1 now fails while the one sourced from 12.1.1.1 still works
access-list 1 deny host 1.1.1.1
access-list 1 permit any
int e0/0
ip access-group 1 in
! to remove the ACL again, unbind it from the interface first, then delete it
int e0/0
no ip access-group 1 in
no access-list 1
After you have learned how to define an ACL on two routers, I will guide you through applying it on three routers; see the picture below.
After you build the topology design, follow the commands below:
hostname R1
int e0/0
ip addr 12.1.1.1 255.255.255.0
no shutdown
int lo1
ip addr 1.1.1.1 255.255.255.0
no shutdown
int lo2
ip addr 2.2.2.2 255.255.255.0
no shutdown
router rip
version 2
network 12.1.1.0
network 1.1.1.0
network 2.2.2.0
no auto-summary
! test every source/destination pair that ACL 100 on R2 will filter later
do ping 3.3.3.3 source 1.1.1.1
do ping 4.4.4.4 source 1.1.1.1
do ping 3.3.3.3 source 2.2.2.2
do ping 4.4.4.4 source 2.2.2.2
! "cisco" is the vty password configured on R3
do telnet 4.4.4.4
cisco
do telnet 3.3.3.3
cisco
hostname R2
int e0/0
ip addr 12.1.1.2 255.255.255.0
no shutdown
int e0/1
ip addr 23.1.1.2 255.255.255.0
no shutdown
router rip
version 2
network 12.1.1.0
network 23.1.1.0
no auto-summary
! ACL 100: block ping from 1.1.1.0/24 to 4.4.4.0/24 and from 2.2.2.0/24 to 3.3.3.0/24,
! allow all other traffic
access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip any any
int e0/0
ip access-group 100 in
! ACL 101 only permits telnet to 3.3.3.0/24; because of the implicit deny at the end of
! every ACL, all other traffic is dropped wherever this list is applied
access-list 101 permit tcp any 3.3.3.0 0.0.0.255 eq 23
do show access-lists
The command show access-lists displays the access lists defined on the router, with a match counter per entry. To check that you can apply an access list to an interface and remove it again, use the commands below:
int e0/1
ip access-group 101 out
no ip access-group 101 out
do show access-lists
The next step is to define a named extended ACL, telnet-ac1, that blocks telnet to 4.4.4.0/24 while allowing everything else, and to apply it outbound on e0/1:
ip access-list extended telnet-ac1
deny tcp any 4.4.4.0 0.0.0.255 eq 23
permit ip any any
int e0/1
ip access-group telnet-ac1 out
Now you can remove telnet-ac1 from the interface with the commands below:
int e0/1
no ip access-group telnet-ac1 out
hostname R3
int e0/0
ip addr 23.1.1.3 255.255.255.0
no shutdown
int lo1
ip addr 3.3.3.3 255.255.255.0
no shutdown
int lo2
ip addr 4.4.4.4 255.255.255.0
no shutdown
router rip
version 2
network 23.1.1.0
! both loopbacks must be advertised, otherwise R1 has no route to 3.3.3.3
network 3.3.3.0
network 4.4.4.0
no auto-summary
! vty lines 0 to 4, so that telnet from R1 is accepted
line vty 0 4
password cisco
login
transport input telnet
do show run
Exercise 1
See the picture below,
After you understand the commands above, you can use extended access lists on the topology in the picture below to define that Router 1 can telnet to Router 3 but Router 1 cannot ping Router 3. Follow the commands below:
hostname R1
ip route 23.1.1.0 255.255.255.0 e0/0 12.1.1.2
int e0/0
ip addr 12.1.1.1 255.255.255.0
no shutdown
do ping 23.1.1.3
do telnet 23.1.1.3
hostname R2
! named extended ACL: allow telnet from 12.1.1.0/24 to 23.1.1.0/24, block ping; the
! implicit deny at the end drops any other traffic entering e0/0
ip access-list extended rule
permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23
deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
int e0/0
ip access-group rule in
ip addr 12.1.1.2 255.255.255.0
no shutdown
int e0/1
ip addr 23.1.1.2 255.255.255.0
no shutdown
hostname R3
ip route 12.1.1.0 255.255.255.0 e0/0 23.1.1.2
line vty 0 4
password cisco
login
transport input telnet
int e0/0
ip addr 23.1.1.3 255.255.255.0
no shutdown
Exercise 2
You can see the picture below,
After you build the topology design like the picture above, we will practice. You have to define three things. First, 172.16.4.0/24 cannot reach Router 1. Second, insert rules so that Linux 4 can ping Router 1 but Linux 5 cannot ping Router 1. Last, make rules so that Linux 5 can telnet to Router 1 but Linux 4 cannot telnet to Router 1. Practice with the following commands:
hostname R1
ip route 172.16.4.0 255.255.255.0 e0/0 172.16.3.2
int e0/0
ip addr 172.16.3.1 255.255.255.0
no shutdown
line vty 0 4
password cisco
login
! the vty accepts SSH only (TCP port 22); SSH on IOS additionally needs a domain name,
! an RSA key pair and a local username, which this lab does not show
transport input ssh
hostname R2
! the deny is entered first, so IOS numbers it sequence 10
ip access-list extended rule
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
int e0/0
ip addr 172.16.3.2 255.255.255.0
no shutdown
int e0/1
ip access-group rule in
ip addr 172.16.4.2 255.255.255.0
no shut
exit
! sequence numbers 5 and 6 place these permits ahead of the deny at 10: ICMP is allowed
! only from 172.16.4.100 (Linux 5), TCP port 22 only from 172.16.4.200 (Linux 4)
ip access-list extended rule
5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22
Linux 4
ip addr add 172.16.4.200/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
telnet 172.16.3.1
Linux 5
ip addr add 172.16.4.100/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
ping 172.16.3.1
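As an added example that is not part of the original lab, the Python script below evaluates IOS ACL lines the way the router does: wildcard masks, first match wins, explicit sequence numbers decide the order, and the implicit deny at the end. It parses the page's own Exercise 2 named ACL rule and also accepts the numbered lists from the earlier sections; the packet fields it takes (protocol, source, destination, destination port) and all function names are my own.

```python
import ipaddress
from collections import namedtuple
Entry = namedtuple("Entry", "seq action proto src dst dport")
ANY = ("0.0.0.0", "255.255.255.255")
PROTOS = {"ip", "icmp", "tcp", "udp"}

def wild_match(addr, base, wildcard):
    # IOS wildcard bits: 0 = must match, 1 = don't care (0.0.0.255 is a /24, 0.0.0.0 one host)
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tok):
    # consume one address spec: 'any', 'host X', or 'X WILDCARD'
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_acl(text):
    # 'access-list N ...' or named-ACL body lines in config order; unnumbered lines get
    # 10, 20, 30 ... as IOS does, and an explicit '5 permit ...' sorts ahead of entry 10.
    entries, next_seq = [], 10
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]
        seq = int(tok.pop(0)) if tok[0].isdigit() else next_seq
        next_seq = max(next_seq, seq + 10)
        action = tok.pop(0)
        proto = tok.pop(0) if tok[0] in PROTOS else "ip"  # standard ACLs name no protocol
        src = _addr(tok)
        dst = _addr(tok) if tok else ANY                   # ... and no destination
        dport = int(tok[1]) if tok[:1] == ["eq"] else None
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return sorted(entries, key=lambda e: e.seq)

def evaluate(entries, proto, src, dst, dport=None):
    # First match wins; no match falls to the implicit 'deny any' that ends every IOS ACL
    for e in entries:
        if (e.proto in ("ip", proto) and e.dport in (None, dport)
                and wild_match(src, *e.src) and wild_match(dst, *e.dst)):
            return e.action, e.seq
    return "deny", None  # seq None marks the implicit deny

# Constructed sample: Exercise 2's named ACL 'rule', entered as on the page (the deny
# first, which IOS numbers 10, then entries 5 and 6 inserted ahead of it)
RULE = parse_acl("""
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22""")
```

Feeding it ACL 101 from the three-router lab shows why that list blocked everything except telnet when applied: an ICMP packet matches no entry and ends at the implicit deny.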