To block SSH and Telnet using an access-list:
Router1 config:
configure terminal access-list 101 deny tcp host 10.0.0.2 eq 23 host 10.0.0.65 access-list 101 deny tcp host 10.0.0.2 eq 22 host 10.0.0.65 access-list 101 permit ip any any interface s0/1/0 ip access-group 101 out
I have created two access lists, one extended and one standard. The first is an extended access to stop PC1 (10.0.0.2) from FTPing to the FTP server 10.0.0.35.
On Router1 – the access-list has been placed on Fa0/0 as its the closest to the source.
configure terminal access-list 101 deny tcp any eq ftp host 10.0.0.35 access-list 101 permit ip any any interface fa0/0 ip access-group 101 in
When creating an access-list, if a match isn’t found then there is an explicit deny. As can see from above I have created a permit for any IP traffic Without these lines, OSPF wasn’t being advertised and I had no way of testing PC1 could ping the FTP server to verify connectivity and to ensure that FTP was indeed being blocked and not all traffic.
The next access list is an standard access list, the point of this one is to deny host 10.0.0.2 from communicating with the 10.0.0.33 network. However, host 10.0.0.3 can ping the 10.0.0.33 network.
On Router0 I have placed the access list on the Fa0/0 as this is the closest to the destination.
configure terminal access-list 1 deny host 10.0.0.2 access-list 1 permit any interface fa0/0 ip access-group 1 out
Describe the purpose and types of access control lists – Access lists are used to restrict or allow access to traffic via an interface. You may want to allow redirect port 25 (SMTP) to your Exchange server and allow traffic to flow in and out of the port. This is possible with access lists.
There are two types of access lists standard and extended.
Standard
Standard access lists filter based on source IP address. Telnet, Web, SMTP etc cannot be filtered by a standard access list. Standard access-lists can be created between 1-99 and 1300-1999. An example:
configure terminal access-list 1 permit 10.0.0.1 0.0.0.255
Extended
Extended access list can filter by source, destination and port. Extended access lists can be created byween 100-199 and 2000-2699.
configure terminal access-list 100 permit tcp any eq 25 host 10.0.0.1
Both standard and extended access lists can be placed either inbound or outbound on an interface allowing for greater control on what packets can be sent/received.
configure terminal interface s0/0 ip access-group 100 in ip access-group 100 out
Basic router security includes but not limited to:
configure terminal enable secret 'password'
configure terminal service password-encryption
configure terminal banner #motd# banner #login#
configure terminal line console 0 password 'password' login
configure terminal line vty 0 4 password 'password' login transport input telnet ssh (remove telnet for ssh only)
The following commands can be used to display information on hardware/software and to verify/debug:
Troubleshooting OSPF and EIGRP can be found in the two following links:
Listed below is a quick list of tools that can be used to troubleshoot connectivity issue.
Ping
Ping can be used to verify connectivity between end devices. Note – A device such as a firewall may block the ICMP packet.
Tracert
Shows routing paths from source to destination on a PC.
Telnet
Telnet can be used to connect to a router/switch although data is sent in plain text
SSH
Same as Telnet, but data is encrypted.
Ipconfig /all
Display IP information that can be verified against network documentation. IP/Subnet mask/Default gateway information can be seen. DNS/WINS is also provided.
arp -a
Shows the MAC address table from a PC.
show ip arp
Shows the MAC address table from a router/switch.