CCIE Routing & Switching Advanced Technologies Class

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 34m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 59m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section for IOS security, we're going to look at some
0:00:16	other options with access lists specifically how time
0:00:19	based access lists work, lock and key access list
0:00:22	and reflexive access list.
0:00:26	Now the time range is similar to the time ranges we saw before
0:00:30	in the key chain based authentication that is used with
0:00:34	either RIP or EIGRP
0:00:36	where we can specify an absolute time which could be
0:00:40	for example from January 1st, 2020 to December 31st, 2020
0:00:46	or a periodic time that could be every weekday or every weekend
0:00:52	from 9 am to 5 pm
0:00:56	So the first step for time based access lists is to
0:00:59	define the time range in global configuration.
0:01:04	So here on Router 6, if we say time range let's say
0:01:09	work hours for example
0:01:13	and this is going to be a periodic time range
0:01:17	that is every weekday
0:01:21	from 09:00
0:01:25	to let's say 5 pm would be 17:00
0:01:31	Now notice it says here it stays valid until the beginning of the next
0:01:34	minute. Within the scope of the lab exam, I doubt that they would
0:01:38	really be that specific whether the question says we want to
0:01:42	match traffic that is from 9am to 5 pm, whether it's saying
0:01:46	17:00 or 17:01 versus 16:59 it's really not going to make
0:01:53	that much of a difference. When you actually look at the time range
0:01:56	it's not a real time process to begin with on the router
0:02:00	so if there's a -- the router's under a lot of load
0:02:02	you'll see that the time range may not become active
0:02:06	until maybe ten or twenty seconds after the minute to begin with.
0:02:11	So once we define this, if we look at the show time
0:02:15	range, it's going to tell us whether it's currently active
0:02:19	or inactive and this is based on the router's
0:02:22	local clock, so generally if we were going to be doing
0:02:26	time ranges for any type of access list filtering for traffic
0:02:30	filters or for example maybe time based quality of service
0:02:34	generally you would want the router to synchronize
0:02:37	its time through NTP
0:02:41	If we look at the show clock
0:02:44	right now Router 6 says that it's 8:34 am
0:02:48	so this time range is not going to become active
0:02:52	for about another 25 minutes or so.
0:02:55	If I were to change the clock or to change the time range
0:02:59	if I were to say clock set
0:03:01	was to 10:35:00
0:03:08	may 18 2011
0:03:11	then look at the show time range
0:03:14	we can see now that particular time range is active
0:03:17	which essentially means that any access list entry
0:03:21	that is now referencing that time range is also going to be active.
0:03:27	So if we look at Router 6 in the diagram
0:03:30	let's assume that we want to filter traffic that is coming
0:03:33	in from the VLAN 67 interface
0:03:37	and we want to deny let's say deny telnet
0:03:45	from 9 am to 5 pm
0:03:50	so as the traffic comes inbound, we're going to say permit
0:03:53	or deny TCP
0:03:57	any any equal to 23, but only if it is matched on
0:04:00	this particular time range.
0:04:02	Then when we look at the show access list, it's going to
0:04:04	tell us whether the time range is active or inactive
0:04:07	based on the router's local clock.
0:04:11	So since we have the time range defined, now we just
0:04:13	need to tie it to an access list. We'll say access list
0:04:16	104 deny tcp any any equal to 23
0:04:22	and I'm going to call this specific time range which is the work hours.
0:04:28	then access list 104 is going to permit ip any any
0:04:33	and this is going to be applied inbound on Fast Ethernet 0/0.67
0:04:39	so ip access group 104 in
0:04:42	If we look at the show access list
0:04:45	it says that that entry number 10 is currently
0:04:49	active because whatever the time range is that is matching
0:04:52	work hours is including whatever the current
0:04:56	local clock is on the router.
0:04:58	So now if I were to go to switch 1,
0:05:01	and let's say that we telnet to the loopback of
0:05:06	or actually it's going to have to be something that's
0:05:08	reachable via that interface let's say to
0:05:15	let's try this address on Router 4 so this is transiting through Router 6
0:05:18	if I were to telnet to this
0:05:23	we can see right now the packet is denied.
0:05:28	Now you can see from the output here, it's a little
0:05:29	bit different when the packet is simply dropped based on an
0:05:33	access list versus you not having the actual route to the
0:05:39	destination or someone in the transit path not having
0:05:42	the route.
0:05:44	So let's say for example that I were to telnet to 155.28.67.100
0:05:54	so this is matching the addresses on the link
0:05:57	directly between Router 6 and Switch 1
0:06:00	but this .100 address I don't have this allocated currently
0:06:03	in the network.
0:06:05	So when the router sends the traffic there
0:06:08	right now it's sending the TCP SYN out
0:06:11	it's not getting a syn and acknowledgement back inbound
0:06:16	so it means that the router is waiting for the TCP SYN
0:06:19	timeout to expire.
0:06:23	And the result of this basically is that the telnet
0:06:26	session is going to hang.
0:06:27	Now this is different than the packet simply being denied
0:06:30	by the access list
0:06:32	because if we look at the change, if we were to telnet
0:06:37	to 146.100
0:06:41	that's simply returned as the destination is unreachable.
0:06:45	So this is based on the ICMP unreachable message coming back in
0:06:50	that Switch 1 knows to terminate the session.
0:06:54	So it's kind of a shortcut to know whether the access list
0:06:56	is dropping it or whether it's some other potential
0:06:59	reachability problem.
0:07:02	Now if I were to change the time on Router 6
0:07:06	let's say clock set
0:07:08	to let's say 1 am 01:00
0:07:16	January 1
0:07:19	or actually I need to know that it's a weekday, so let's
0:07:21	say today so
0:07:23	it is
0:07:27	May 18 2001
0:07:32	01:00:00
0:07:34	if we show clock
0:07:36	we can see the time is 1 am now.
0:07:39	If we look at the show access list
0:07:42	it should say now that our time range is inactive
0:07:45	which means that the access list entry is inactive
0:07:49	which then implies that we should be able to reach
0:07:52	that destination.
0:07:56	So essentially, any application that you can use for an access
0:07:59	list, you could tie a time range to it.
0:08:03	So whether this is for traffic filtering for the
0:08:06	extended access list being applied directly to the interface
0:08:09	or whether this is called from the zone based policy
0:08:12	firewall maybe inside of a class map type inspect
0:08:16	We could also use it for time based quality of service
0:08:19	so any classification we can do with an ACL we can then
0:08:22	apply a time range onto it.
0:08:24	Our next variation of the access list would be the
0:08:27	dynamic ACL which is also known as lock and key
0:08:31	access list that is used to temporarily open up a
0:08:35	hole in an access list based on authentication.
0:08:40	Now some of the potential applications for this would be
0:08:42	for users on the inside network as they're trying to
0:08:46	leave to go out, we could force them to
0:08:49	authenticate before they're allowed to send traffic out
0:08:52	to the outside network.
0:08:54	So let's say that on the inside we want to make sure that
0:08:57	not all of the users can do web browsing.
0:09:00	So we could create an access list that's going outbound
0:09:02	that says match traffic that's going to TCP port 80
0:09:07	and if they match this entry, it's going to be a dynamic ACL.
0:09:10	So they would have to authenticate before the entry is actually active.
0:09:15	So it's kind of similar to how the time range is working here
0:09:18	where the entry can be either active or inactive
0:09:22	but in this case we're doing it based on the time of the day
0:09:26	where with the dynamic access list, we're doing it
0:09:28	based on authentication.
0:09:31	Another use for this would be to poke a hole in the firewall
0:09:35	that is applied to the outside interface
0:09:38	so maybe we have some sort of internal resource
0:09:40	that we want to access from the outside
0:09:43	but we don't want everyone to be able to use that access list
0:09:46	entry, so when the user authenticates, it's opening up
0:09:49	the ACL entry for them and then they're allowed to
0:09:52	send the traffic in.
0:09:56	Now in general, this technology is kind of considered legacy
0:09:58	because you could use better solutions for this
0:10:01	like Easy VPN or SSL VPN to get access from the
0:10:05	outside in. Additionally, this has been replaced by the authentication
0:10:09	proxy feature which is essentially per user access lists
0:10:14	that are dynamically downloaded from either RADIUS or a TACACS server.
0:10:20	But again, within the scope of routing and switching since
0:10:22	we're not going to have an actual AAA server, I doubt that
0:10:25	you would be tested on authentication proxy
0:10:28	because the router's configuration is basically
0:10:30	just one or two commands. The vast majority of the auth proxy
0:10:33	configuration is going to be on the AAA server itself.
0:10:37	When you look at the configuration for this
0:10:39	especially the example that's done in the configuration guide
0:10:41	for the documentation, it's a little bit confusing the example they
0:10:45	use because they are -- it has to do with the logic of the
0:10:51	permit and deny they're using in the access list, so I'll show an
0:10:54	example here that makes it a little bit clearer
0:10:57	but the key is that the dynamic entry
0:11:01	is inactive in the access list
0:11:04	until the command access-enable
0:11:07	is run. Now whether this is run manually because someone
0:11:11	is telnetting into the router and issuing the exec command
0:11:15	access-enable or whether it's automatically run
0:11:18	when a particular user logs in or when someone
0:11:22	telnets to an individual VTY line
0:11:25	as long as the access-enable command is run
0:11:28	then the dynamic entry is going to be open.
0:11:33	So if we were to take our same example from before
0:11:36	where I want to permit telnet access through
0:11:40	Router 6
0:11:42	but instead of doing this based on a time range
0:11:46	I'm going to do this based on a dynamic access list.
0:11:49	So for people on the outside if they telnet into Router 6
0:11:53	and then issue the access-enable command, then we should be able
0:11:57	to open up the dynamic entry.
0:12:02	Now since we need to issue that exec command access-enable
0:12:05	it would means we would need to allow either telnet access to Router 6 itself
0:12:10	or SSH access for the user to actually be able to run that command.
0:12:16	So let's modify this access list here, we'll say we'll have a new
0:12:19	access list 105 that first is going to permit telnet traffic
0:12:25	that is going to Router 6 itself
0:12:28	Now I need to permit this because again, unless the user
0:12:33	can actually issue the access-enable command
0:12:36	then they're not going to be able to open up the dynamic
0:12:39	entry to begin with.
0:12:45	Next I'm going to say that access list 105 has a dynamic entry.
0:12:51	We give it a name, it doesn't really matter what the name is
0:12:54	I'll say dynamic 1
0:12:57	I want to permit TCP any any equal to 23
0:13:04	Let's also say we're going to permit icmp
0:13:11	Only one dynamic entry can be configured per ACL.
0:13:14	Let's try dynamic 2
0:13:16	No, it's not going to support it. Different versions would support
0:13:20	multiple entries, but again, really this feature is kind of
0:13:23	considered legacy. The preferred way would be to do this through
0:13:27	authentication proxy.
0:13:40	So we have our dynamic entry
0:13:41	it says that it's going to permit traffic that is
0:13:44	TCP that's going to port number 23
0:13:47	then after that, I'm going to deny everything.
0:13:52	Let's say access list 105 deny ip any any log
0:13:57	So I'm going to log the traffic just so we can see exactly what is
0:14:00	being permitted or what is being denied.
0:14:04	Then at the link level, I'll say ip access group
0:14:08	105 inbound.
0:14:11	Now I could likely likewise do this with a named access list
0:14:14	it's not really going to make a difference.
0:14:17	Now notice here for ACL 105, it says I have now denied
0:14:20	EIGRP which means that eventually I'm going to lose
0:14:25	my EIGRP adjacency.
0:14:27	So any time we're doing data plane filtering on the router
0:14:32	we need to make sure we do take into account
0:14:35	whatever the control plane protocols are
0:14:37	which in this case was EIGRP.
0:14:39	So now I need to go back to access list 105
0:14:43	and I need to edit a sequence for this
0:14:47	so if we show run include or actually let's just say
0:14:52	show access list 105
0:14:57	I now need to insert this entry before line number 30
0:15:04	so I'll say ip access list extended 105
0:15:08	because essentially the number 105 is the ACL's name
0:15:15	then I'll say sequence number 5 is going to permit
0:15:18	EIGRP any any
0:15:22	If we look at the show access list now
0:15:25	we should see that that first entry for EIGRP it is getting matches.
0:15:31	Now there's also a feature on the router that if you
0:15:34	edit the ACL too many times and you no longer have
0:15:37	enough line numbers to make new changes
0:15:40	you can say access list
0:15:46	or ip access list
0:15:49	ip access list resequence
0:15:53	and I want number 105 to be resequenced starting at
0:15:58	let's say 10 with increments of 20
0:16:06	If I now look at the show access list 105
0:16:11	notice that it changed the line numbers instead of
0:16:14	10, 20, 30, 40 it's now 10, 30, 50, 70
0:16:20	So it's not modifying what the actual entries are
0:16:23	it's just resequencing the number, so now I have more
0:16:26	room to make changes between line number 10 and line number 30
0:16:30	so now let's look at the end result of this. If we
0:16:32	were to go to switch 1
0:16:34	let's try to ping to Router 4
0:16:37	so ping 155.28.146.4
0:16:41	we should see we get icmp unreachable back
0:16:44	because Router 6 is denying this with the access list.
0:16:47	If we look at the log, we can see Router 6 denied the
0:16:51	ICMP that came from Switch 1 it was going to Router 4
0:16:58	Now to open up the dynamic entry, we need to telnet into
0:17:02	Router 6 or actually 67.6
0:17:11	it says destination unreachable gateway or host down
0:17:15	where Router 6 is denying this from the access list
0:17:20	because I put the wrong address in the ACL
0:17:23	so what this needs to say instead ip access list 105
0:17:28	or ip access list extended 105
0:17:30	no 30
0:17:32	30 should say permit tcp any host 155.28.67.6
0:17:41	that is equal to 23
0:17:44	so now I should be able to telnet into Router 6
0:17:53	on 6 let's show access list
0:17:57	permit tcp any host 155.28.67.6
0:18:01	equal to telnet
0:18:06	which should be fine
0:18:09	it's applied in on the interface
0:18:15	connection refused by remote host, this means Router 6
0:18:18	is filtering this out from the VTY line
0:18:21	so notice there was a change in the logs.
0:18:24	It says destination unreachable versus connection refused.
0:18:29	The first one means that we received ICMP unreachable
0:18:32	because the packet was dropped from an access list.
0:18:35	The second one is a TCP reset message we're getting from Router 6
0:18:40	This means that it is not allowing telnet from our
0:18:43	particular source.
0:18:44	So on Router 6 if we show run section line vty
0:18:51	I have that access class 1 applied inbound.
0:18:54	So on the line VTY, I'm just going to remove this.
0:19:15	So now we telnetted into Router 6
0:19:18	We get to the exec process and say access-enable.
0:19:25	Once I do this if we look at Router 6 and look at the
0:19:27	show access list
0:19:30	we should see now that dynamic entry number
0:19:33	50 is active.
0:19:36	So it should now allow us to log out
0:19:42	and then telnet through Router 6, so telnet to Router 4
0:19:46	Now in a real design though, you probably wouldn't want this
0:19:49	because we don't want the users telnetting to the
0:19:52	exec process and then running commands.
0:19:55	So while technically the access-enable command is
0:19:58	what we need to issue in order to get the dynamic entry to open
0:20:03	we probably want to do this automatically instead of having the
0:20:06	user having to manually enter it.
0:20:08	And this is what the auto command is going to be used for.
0:20:12	Now the issue with the auto command is that
0:20:15	it is not going to give you context sensitive help
0:20:18	for any exec command you're going to issue after it.
0:20:23	So if I say user name cisco password cisco
0:20:27	auto command question mark
0:20:29	it's not going to give me any context sensitive help.
0:20:31	The same thing under the VTY lines.
0:20:33	So I would need to know what is the exact syntax of access-enable
0:20:39	or access-enable host
0:20:42	where access-enable host is going to change Router 6's ACL
0:20:47	entry so that the source address is only the user
0:20:54	that did the authentication
0:20:59	because now at this point if we look at the topology
0:21:02	Router 6 is essentially allowed telnet from
0:21:06	all sources to come in that interface
0:21:09	regardless of it is from the device that did the authentication
0:21:12	or if it's from someone else behind there.
0:21:17	So now not only is Switch 1 allowed to do the telnetting, but
0:21:19	Switch 3 is as well.
0:21:23	So typically you would say instead of just access-enable
0:21:26	we would say access-enable host
0:21:30	Let's try this access-enable host
0:21:35	command allowed from VTY connections only, so from Switch 1
0:21:38	let's telnet back in to Router 6
0:21:43	access-enable host
0:21:46	Now on Router 6, if we look at the show access list
0:21:50	there's a new entry that is matching traffic that is
0:21:55	coming just from Switch 1
0:21:57	going to anywhere.
0:22:01	But notice it did not delete the previous entry.
0:22:05	So if we issue just access-enable or access-enable host
0:22:09	the entry is never going to time out
0:22:12	which is probably not good because if we're poking
0:22:16	a hole in the firewall, it probably means we want that to be a
0:22:18	temporary entry, not a permanent entry.
0:22:24	So in addition to access-enable host, I would probably want to say
0:22:28	on the device that's telnetting in is access-enable host
0:22:34	timeout and then the idle timeout, so let's say
0:22:37	30 seconds.
0:22:39	Now since my address is already in the access list
0:22:43	in a dynamic entry, I need to tell Router 6 to clear this out.
0:22:49	And this syntax is a little bit strange. It's clear
0:22:55	access template 105
0:23:00	then the specific dynamic entry
0:23:05	permit tcp any any equal to telnet.
0:23:08	So it's not really intuitive
0:23:10	as to how you need to match this. Let's say
0:23:15	any any
0:23:20	then show access list 105
0:23:24	so now it deleted the any any entry, but it did not delete
0:23:28	the host 155.28.67.7 entry
0:23:36	which now it did, so from Switch 1
0:23:40	if we look at the change if we try to telnet past Router 6
0:23:44	we can see now this is being denied.
0:23:48	So once I telnet into Router 6
0:23:51	I'm going to say access-enable host timeout 30
0:23:56	If we look at Router 6 in show access list
0:24:02	the entry is installed there
0:24:04	and there should be an idle timer that's counting
0:24:07	down. Now in some versions, you'll see that this feature
0:24:11	doesn't actually work.
0:24:13	And I believe it's simply a bug that it's gone unreported
0:24:18	because no one really uses the feature to begin with.
0:24:21	So in the versions that this works correctly
0:24:24	what you should see is that after this equal to telnet entry
0:24:28	there should be a timer that's counting down the
0:24:31	idle timeout.
0:24:33	But in this particular case, it's not actually working.
0:24:36	Another way we could try this would be to apply
0:24:39	it to the user
0:24:43	or to apply the timeout globally.
0:24:49	So if you look at the documentation
0:24:51	again, this is going to be under the 12.4 T configuration guide
0:24:59	down to securing the data plane
0:25:06	then configuring lock and key security for dynamic access lists.
0:25:09	If you search this document for the timeout
0:25:12	there should be two separate timeouts. There's an absolute
0:25:15	timeout and an idle timeout.
0:25:20	Where if we look for the syntax, it says
0:25:23	either define an idle timeout now with the timeout keyword
0:25:26	in access-enable or define an absolute timeout
0:25:29	value later in the access list.
0:25:32	You must define either of them, otherwise, the temporary
0:25:35	access list will remain configured indefinitely on the interface
0:25:38	even after the user has terminated the session.
0:25:42	So again generally, that's what you would want to
0:25:44	prevent is that once you open up the hole in the access list
0:25:46	that it stays there permanently
0:25:49	which is what the timeout is going to be for.
0:25:53	So let's do this. On Router 6 let's say show run include
0:25:57	access list
0:25:59	I'm going to remove access list 105
0:26:02	then reapply it
0:26:07	and see if it takes the timeout at the end.
0:26:12	So let's try dynamic timeout 30
0:26:18	then the entry is to match the TCP traffic
0:26:25	and then we're logging everything after that.
0:26:28	On the link level, I still want this applied inbound, so ip access group
0:26:31	105 in
0:26:38	So again, typically you wouldn't have the user actually telnet into the
0:26:42	router and manually enter the command. This is what the
0:26:46	other two options are going to be for, either the
0:26:48	auto command that's on the user name or the auto command that's
0:26:51	on the VTY line.
0:26:53	So first let's look at this on the user name.
0:26:58	On Router 6, we'll say username acl password cisco
0:27:05	For username acl, I want them to run the command
0:27:08	automatically. access-enable host
0:27:13	but again, when you look at the context sensitive help, it's
0:27:16	not going to tell you what the syntax should be
0:27:19	because after auto command, this is going to be any exec command
0:27:22	that we manually want to apply.
0:27:28	Now under the VTY, I need to tell it to log in locally
0:27:31	so check the local database.
0:27:33	If we show access list, we should see that the dynamic
0:27:37	entry is not currently active.
0:27:39	Next on switch 1, let's try telnetting to Router 4
0:27:42	We should see it's denied which it is.
0:27:47	If I telnet to Router 6,
0:27:49	I'll log in as acl password cisco
0:27:53	It should disconnect the session, but now on Router 6 if we look at
0:27:57	the show access lists
0:28:02	now the dynamic entry is active.
0:28:04	But in this case it didn't apply the timeout either, so both
0:28:09	the global absolute timeout and the user's idle timeout
0:28:14	it's not working in this particular version.
0:28:16	This should now mean if I go to Switch 1 and telnet to Router 4
0:28:20	this is going to be allowed.
0:28:23	But if I were to go to anyone else, let's say I go behind
0:28:28	Switch 1 and go to Switch 3
0:28:30	when I telnet to Router 4 now, this should be denied
0:28:33	because Router 6 is only allowing the telnet to come in
0:28:38	from the 67.7 address.
0:28:41	Again, the other option on the VTY line
0:28:45	instead of saying login local
0:28:48	we'll simply say login, so it's going to check the password on the line.
0:28:52	We could run the auto command directly here, so auto command
0:28:56	access-enable host and let's try the timeout again
0:29:01	let's say timeout 60
0:29:06	what should change now if Switch 3 telnets into Router 6
0:29:11	then simply issues the password cisco
0:29:14	it should now open the entry.
0:29:17	So if we show access list,
0:29:20	there's a new entry for 79.9
0:29:23	but again, it's not showing the timeout here.
0:29:26	So you may see some inconsistencies between the
0:29:28	versions with this.
0:29:31	I believe the last time that I saw that it was correctly
0:29:34	working was 12.1 T
0:29:37	or it may have been 12.2 T
0:29:43	Now when you log in, if it's not actually opening the access list
0:29:46	entry, it's possible that you have the auto command syntax
0:29:49	wrong because again, it has to be exact. If I were to say
0:29:54	on Router 6 that the user has access-enable host
0:30:02	but maybe one of the characters is wrong
0:30:04	like if I only put one 'c' if I said acess-enable host
0:30:12	so let's try this out here, let's say on Router 6
0:30:16	username wrong password cisco
0:30:20	username wrong auto command acess-enable host
0:30:29	then under line vty, 0 4
0:30:33	login local
0:30:41	Now I'm going to do an extended telnet because I need to source this
0:30:45	from a new address, so let's try telnet to 155.28.67.6
0:30:51	but the source is going to be my vlan 7
0:30:55	so if I login as wrong password cisco
0:31:00	now it tells me it has the invalid auto command.
0:31:02	So it shouldn't log you in directly to the exec process
0:31:09	but again, it may be version specific.
0:31:12	So if you were to be tested on this, you should be able to
0:31:16	take the example they have here and kind of change it around to
0:31:19	make it look like what you need, but when you look at their example
0:31:24	the issue is that their logic of the ACL is different than
0:31:34	well actually they did fix the document, so now it reads better.
0:31:36	They're saying for anything that comes in Ethernet 0
0:31:41	check it against access list 101
0:31:44	I want to allow telnet that goes to my own local address
0:31:48	which 21.2 must be some address that's assigned on this router.
0:31:56	Then if the user authenticates, they're allowed send any traffic into the network.
0:32:02	So this one is just making sure that they can login to issue the
0:32:04	access-enable command
0:32:07	then the second one is going to allow all traffic inbound.
0:32:12	The other example here where we're doing AAA
0:32:15	you probably shouldn't need to do this because again, there's
0:32:19	not going to be any actual AAA server that we have
0:32:23	access to in the exam.

Now Viewing

CCIE Routing & Switching Advanced Technologies Class
Title:	CCIE Routing & Switching Advanced Technologies Class
Duration:	81h 59m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

Time Based ACLs, Dynamic ACLs

Create Bookmark