Subjects Covered on Thursday 08/11/2007

Started at 06:20 this morning, so that’s an hour and a half done already!  Went through the IEWB Volume I OSPF lab scenarios.  Started from the filtering section as there are many ways to filter routes with OSPF.  The biggest problem I had was actually putting the base config on all the routers in the lab; I think this was due to me being tired!  Kept putting the wrong IPs on interfaces, found that out.  Then I found that I had put these wrong IPs under the routing process.  Found that out.  Then realised I had put these into the wrong area!  All schoolboy errors!  Went through the following ways of filtering routes:

Inter-Area filtering using prefix lists
Type 3 LSA filtering with network ranges (no-advertise)
Distribute lists (stops the routes entering the routing table, not the propagation of LSAs)
Distribute lists with route-maps (so you can specify the route-source)
Filtering with AD using ACLs so the source can be matched – look in the ospf database for the source IP address.  If it’s an external route, the source will be the IP of the ASBR.  If the route comes from a router in a different area than the router you are configuring, the route-source will be the ABR(s) that have advertised the Network Summary LSA.

Did a quick lab with NSSA, a simple one on choosing which router translates the NSSA Type 7 LSA into an External Type 5 LSA – highest RID wins!

Off now to get ready for work.

Total Studying hours so far since starting this blog – 7hrs 15 mins

Entry @ 22:30
Just covered some more security subjects and some QinQ Tunneling.
With dynamic ACLs I used the following in my lab:

ip access-list extended TELNET
permit tcp any host 155.1.23.3 eq 23
dynamic R2_LO0 permit tcp host 150.1.2.2 any eq 80
deny tcp any any eq 80
permit ip any any
deny tcp any any log
deny udp any any log
deny icmp any any log
!
line vty 0 4
autocommand access-enable host
!
interface e0/0
ip access-group TELNET in
!

I got the following error:

% Source 155.1.23.2 is not in mask(150.1.2.2, 0.0.0.0) in the ACL
[Connection to 155.1.23.3 closed by foreign host]

Even when telnetting from the source of 150.1.2.2 I still couldn’t get this to work.  The reason was that I had specified the “host” keyword after the “access-enable” keyword.
To rectify this I left this off:

ip access-list extended TELNET
permit tcp any host 155.1.23.3 eq 23
dynamic R2_LO0 permit tcp host 150.1.2.2 any eq 80
deny tcp any any eq 80
permit ip any any
deny tcp any any log
deny udp any any log
deny icmp any any log
!
line vty 0 4
autocommand access-enable
!
interface e0/0
ip access-group TELNET in
!

After this I could telnet to 155.1.23.3 using an IP that wasn’t 150.1.2.2.  This then activated the dynamic entry and threw me out.  Telnetting to 150.1.3.3 (loopback on the router with the ACL on it), I couldn’t do it.  I then tried with the source of loopback 0 and still couldn’t do it.  Under the ACL the entry was:

R3#show access-list
Extended IP access list TELNET
    10 permit tcp any host 155.1.23.3 eq telnet (90 matches)
    20 Dynamic R2_LO0 permit tcp host 150.1.2.2 any eq www
       permit tcp host 155.1.23.2 any eq www

I telnetted to 155.1.23.3 with the source of 150.1.2.2.  It added the following entry:

R3#show access-list
Extended IP access list TELNET
    10 permit tcp any host 155.1.23.3 eq telnet (117 matches)
    20 Dynamic R2_LO0 permit tcp host 150.1.2.2 any eq www
       permit tcp host 150.1.2.2 any eq www
       permit tcp host 155.1.23.2 any eq www

I could then telnet to 150.1.3.3 on port 80:

R2#telnet 150.1.3.3 80 /source-interface lo 0
Trying 150.1.3.3, 80 … Open
get
HTTP/1.1 400 Bad Request
Date: Thu, 08 Nov 2007 21:20:32 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

I then configured the “autocommand” command using the username command:

ip access-list extended TELNET
permit tcp any host 155.1.23.3 eq 23
dynamic R2_LO0 permit tcp any any eq 80
deny tcp any any eq 80
permit ip any any
deny tcp any any log
deny udp any any log
deny icmp any any log
!
username R2 password R2
username R2 autocommand access-enable
!

This worked straight away.  Once it’s open, after the user enters the correct username and password, it’s open for all IP addresses.  I could telnet to any IP address from any IP address.  To make sure there are no unauthorised entries, use the “host” keyword after the “autocommand access-enable” command.  This will place the host’s source IP address under the “dynamic” line in the “show access-lists” output and only allow this source IP for the existing session.
QinQ Tunneling

Weird thing happened here.  I configured trunking through all 4 of my switches (3750s).  The link was SW1->SW2->SW3->SW4.  Before any tunnels were configured, I tested end-to-end connectivity using Layer 3 SVIs on SW1 and SW4.  Vlan 14 & Vlan 41 had IP addresses 155.1.14.x and 155.1.41.x respectively.  I could ping all the way through.  I then configured the SP switches with dot1q tunnels.  Weird thing happened here: SW1 and SW4 lost their config on the trunked links that connected to the SP switches.  This happened on both SW1 and SW4.  Strange!  Anyway, I put the config back on and tested end-to-end connectivity.  I could ping all the way through.  I also allowed CDP and STP through the SP network.  So even if SW1 and SW4 aren’t directly connected, they still participate in the same STP domain and can see each other as CDP neighbours as well.

Total Studying hours so far since starting this blog – 9hrs 30 mins
