MPLS VPN lab #2

On February 26, 2010, in BSCI, CCIE, CCIP, CCNP, ROUTE, TSHOOT, by Darren

This VPN lab will test intranet and extranet MPLS VPNs.

    The diagram is the same as in my last VPN lab. It also uses my MPLS topology, found over here: http://mellowd.co.uk/ccie/?p=522

    This is the lab topology again:

    MPLS1

    • CPE1 and CPE5 belong to Customer1
    • CPE2 and CPE6 belong to Customer2
    • Both customers are running OSPF as their IGP
    • The loopbacks as shown in the topology must be advertised into OSPF. Customer1 should be able to ping all loopbacks in their networks and Customer2 should be able to ping everything in theirs.
    • Both customers are now running a project together, and need 2 of their offices connected. CPE1 from Customer1 should be able to communicate with CPE6 from Customer2 and vice-versa
    • It’s essential that CPE2 and CPE5 are NOT able to get to all loopbacks. ONLY CPE1 and CPE6 should be able to communicate with each other. This new configuration should not break the previous VPNs in place
    • Do this without using any ACLs, prefix-lists, route-maps or the like

    MPLS Topology 1.2

    On February 24, 2010, in BSCI, CCIE, CCIP, CCNP, Dynamips, Lab Guides, ROUTE, TSHOOT, by Darren

    Hopefully this will be my final tweak. This time I’ve added base configs to the CPE devices. It just gives them a hostname and ensures there is no timeout. This prevents you from having to keep logging back in.

    Image-wise, it’s the same. Click for the larger image:

    MPLS_Backbone_small

    This is the .net file contents:

    #MPLS 1.0 Topology created by Darren O'Connor 22/02/10
    #MPLS 1.1 created 23/02/10
    #MPLS 1.2 created 24/02/10
    #www.mellowd.co.uk/ccie
    #Feel free to use and change as you see fit. However if you do use please leave my details here at the top
    
    [localhost:7200]
    
    workingdir = /data/dynamips/working
    
    [[3640]]
    image = /data/dynamips/IOS_Images/3640/c3640-js-mz.124-25c.UNCOMPRESSED.bin
    ram = 128
    disk0 = 0
    disk1 = 0
    mmap = true
    ghostios = true
    
    ###########################
    #                         #
    # Mpls Topology   1.2     #
    #                         #
    ###########################
    
    [[Router CR1]]
      model = 3640
      console = 2001
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR1 s1/0
      s1/2 = AR3 s1/2
      Fa0/0 = CR3 Fa0/0
      Fa2/0 = CR2 Fa2/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR1.cfg
    
    [[Router CR2]]
      model = 3640
      console = 2002
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR2 s1/0
      s1/2 = AR1 s1/2
      Fa0/0 = CR4 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR2.cfg
    
    [[Router CR3]]
      model = 3640
      console = 2003
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa2/0 = CR4 Fa2/0
      s1/0 = AR3 s1/0
      s1/1 = GR1 s1/1
      s1/2 = AR4 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR3.cfg
    
    [[Router CR4]]
      model = 3640
      console = 2004
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR4 s1/0
      s1/2 = AR2 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR4.cfg
    
    [[Router AR1]]
      model = 3640
      console = 2005
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE1 Fa0/0
      Fa2/0 = CPE2 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR1.cfg
    
    [[Router AR2]]
      model = 3640
      console = 2006
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE4 Fa0/0
      Fa2/0 = CPE3 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR2.cfg
    
    [[Router AR3]]
      model = 3640
      console = 2007
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE5 Fa0/0
      Fa2/0 = CPE6 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR3.cfg
    
    [[Router AR4]]
      model = 3640
      console = 2008
      autostart = true
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE8 Fa0/0
      Fa2/0 = CPE7 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR4.cfg
    
    [[Router CPE1]]
      model = 3640
      console = 2009
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE1.cfg
    
    [[Router CPE2]]
      model = 3640
      console = 2010
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE2.cfg
    
    [[Router CPE3]]
      model = 3640
      console = 2011
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE3.cfg
    
    [[Router CPE4]]
      model = 3640
      console = 2012
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE4.cfg
    
    [[Router CPE5]]
      model = 3640
      console = 2013
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE5.cfg
    
    [[Router CPE6]]
      model = 3640
      console = 2014
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE6.cfg
    
    [[Router CPE7]]
      model = 3640
      console = 2021
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE7.cfg
    
    [[Router CPE8]]
      model = 3640
      console = 2022
      autostart = false
      idlepc = 0x605105b8
      slot0 = NM-1FE-TX
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE8.cfg
    
    [[Router GR1]]
       model = 3640
       console = 2023
       autostart = true
       idlepc = 0x605105b8
       slot0 = NM-1FE-TX
       slot1 = NM-4T
       Fa0/0 = ISP2 Fa0/0
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/GR1.cfg
    
    [[Router ISP2]]
       model = 3640
       console = 2024
       autostart = false
       idlepc = 0x605105b8
       slot0 = NM-1FE-TX
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/ISP2.cfg

    And here are the updated config files: http://mellowd.co.uk/ccie/wp-content/uploads/2010/02/mpls.tar2.gz


    MPLS VPN lab #1

    On February 23, 2010, in CCIE, CCIP, CCNP, Lab Guides, ROUTE, TSHOOT, by Darren

    This is my first lab to use my MPLS topology found over here: http://mellowd.co.uk/ccie/?p=522 (Click the link as you’ll need the core ISP set up to run this lab)

    This is the lab topology – click for a larger image:
    MPLS1

    • Use RIP as the routing protocol on CPE devices
    • CPE1 and CPE5 belong to Company_A
    • CPE2 and CPE6 belong to Company_B
    • Each site has a /24 that is advertised via the loopback
    • CPE1 should be able to ping CPE5′s loopback and vice-versa
    • CPE2 should be able to ping CPE6′s loopback and vice-versa
    • Different companies should NOT be able to ping each other. They must stay completely separate
    • Now remove RIP and configure it so that both companies are using OSPF
    • Once complete, remove the OSPF config and use EIGRP

    Solution is now here: http://mellowd.co.uk/ccie/?p=570


    MPLS Topology 1.1

    On February 23, 2010, in BSCI, CCIE, CCIP, CCNP, Dynamips, ROUTE, TSHOOT, by Darren

    There was a big error in the topology I put up yesterday. Even though it looked like LDP was running, the actual LDP neighbour relationships were not up. This is why, when I later tested, no customer traffic went across the core.

    I’ve now given each of the core routers and the access routers a loopback address in the 10.255.255.0/24 range (each has a /32 in this range). This is advertised into OSPF. This ensures all routers have a route to all loopbacks. I then forced MPLS to use the loopback address for the LDP neighbour relationship.

    Image-wise, it’s the same. Click for the larger image:

    MPLS_Backbone_small

    This is the .net file contents:

    #MPLS 1.0 Topology created by Darren O'Connor 22/02/10
    #MPLS 1.1 Topology created by Darren O'Connor 23/02/10
    #www.mellowd.co.uk/ccie
    #Feel free to use and change as you see fit. However if you do use please leave my details here at the top
    
    [localhost:7200]
    
    workingdir = /data/dynamips/working
    
    [[3640]]
     image = /data/dynamips/IOS_Images/3640/c3640-jk9o3s-mz.124-5a.UNCOMPRESSED.bin
     ram = 128
     disk0 = 0
     disk1 = 0
     mmap = true
     ghostios = true
    
    ###########################
    #                         #
    # Mpls Topology           #
    #                         #
    ###########################
    
     [[Router CR1]]
      model = 3640
      console = 2001
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR1 s1/0
      s1/2 = AR3 s1/2
      Fa0/0 = CR3 Fa0/0
      Fa2/0 = CR2 Fa2/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR1.cfg
    
     [[Router CR2]]
      model = 3640
      console = 2002
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR2 s1/0
      s1/2 = AR1 s1/2
      Fa0/0 = CR4 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR2.cfg
    
     [[Router CR3]]
      model = 3640
      console = 2003
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa2/0 = CR4 Fa2/0
      s1/0 = AR3 s1/0
      s1/1 = GR1 s1/1
      s1/2 = AR4 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR3.cfg
    
     [[Router CR4]]
      model = 3640
      console = 2004
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR4 s1/0
      s1/2 = AR2 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR4.cfg
    
     [[Router AR1]]
      model = 3640
      console = 2005
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE1 Fa0/0
      Fa2/0 = CPE2 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR1.cfg
    
     [[Router AR2]]
      model = 3640
      console = 2006
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE4 Fa0/0
      Fa2/0 = CPE3 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR2.cfg
    
     [[Router AR3]]
      model = 3640
      console = 2007
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE5 Fa0/0
      Fa2/0 = CPE6 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR3.cfg
    
     [[Router AR4]]
      model = 3640
      console = 2008
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE8 Fa0/0
      Fa2/0 = CPE7 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR4.cfg
    
     [[Router CPE1]]
      model = 3640
      console = 2009
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE2]]
      model = 3640
      console = 2010
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE3]]
      model = 3640
      console = 2011
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE4]]
      model = 3640
      console = 2012
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE5]]
      model = 3640
      console = 2013
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE6]]
      model = 3640
      console = 2014
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE7]]
      model = 3640
      console = 2021
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE8]]
      model = 3640
      console = 2022
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router GR1]]
       model = 3640
       console = 2023
       autostart = true
       idlepc = 0x60610428
       slot0 = NM-1FE-TX
       slot1 = NM-4T
       Fa0/0 = ISP2 Fa0/0
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/GR1.cfg
    
     [[Router ISP2]]
       model = 3640
       console = 2024
       autostart = true
       idlepc = 0x60610428
       slot0 = NM-1FE-TX
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/ISP2.cfg
    And most importantly, these are the updated configuration files:

    MPLS Topology 1.0

    On February 22, 2010, in BSCI, CCIE, CCIP, CCNP, Dynamips, ROUTE, TSHOOT, by Darren

    I’m writing my MPLS exam soon and so I wanted to create lots of labs which run over an MPLS core. I was going to use my original ‘mad’ topology but it’s going to be a hassle to have to create the core each time. I’ve instead decided to create a separate MPLS core that contains everything I’ll need.

    There are 4 core routers, and 2 access routers. Customer routers are connected to the access routers. There is also a gateway router running BGP with ISP2 that will be for BGP and internet access testing. Note that although there is currently a BGP session between ISP2 and GR1, there are no other sessions yet.

    The topology is designed so that when you start running it in dynamips, the core is already set up. i.e. MPLS and OSPF are already running. This is because it’s very easy to configure an MPLS core and 90% of your MPLS configuration work will be done on the access routers themselves. The core routers are just switching packets, that’s it.

    This is the topology (click for the larger image):

    MPLS_Backbone_small

    This is the .net file contents:

    #MPLS 1.0 Topology created by Darren O'Connor 22/02/10
    #www.mellowd.co.uk/ccie
    #Feel free to use and change as you see fit. However if you do use please leave my details here at the top
    
    [localhost:7200]
    
    workingdir = /data/dynamips/working
    
    [[3640]]
     image = /data/dynamips/IOS_Images/3640/c3640-jk9o3s-mz.124-5a.UNCOMPRESSED.bin
     ram = 128
     disk0 = 0
     disk1 = 0
     mmap = true
     ghostios = true
    
    ###########################
    #                         #
    # Mpls Topology           #
    #                         #
    ###########################
    
     [[Router CR1]]
      model = 3640
      console = 2001
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR1 s1/0
      s1/2 = AR3 s1/2
      Fa0/0 = CR3 Fa0/0
      Fa2/0 = CR2 Fa2/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR1.cfg
    
     [[Router CR2]]
      model = 3640
      console = 2002
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR2 s1/0
      s1/2 = AR1 s1/2
      Fa0/0 = CR4 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR2.cfg
    
     [[Router CR3]]
      model = 3640
      console = 2003
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa2/0 = CR4 Fa2/0
      s1/0 = AR3 s1/0
      s1/1 = GR1 s1/1
      s1/2 = AR4 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR3.cfg
    
     [[Router CR4]]
      model = 3640
      console = 2004
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      s1/0 = AR4 s1/0
      s1/2 = AR2 s1/2
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR4.cfg
    
     [[Router AR1]]
      model = 3640
      console = 2005
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE1 Fa0/0
      Fa2/0 = CPE2 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR1.cfg
    
     [[Router AR2]]
      model = 3640
      console = 2006
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE4 Fa0/0
      Fa2/0 = CPE3 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR2.cfg
    
     [[Router AR3]]
      model = 3640
      console = 2007
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE5 Fa0/0
      Fa2/0 = CPE6 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR3.cfg
    
     [[Router AR4]]
      model = 3640
      console = 2008
      autostart = true
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
      slot1 = NM-4T
      slot2 = NM-1FE-TX
      Fa0/0 = CPE8 Fa0/0
      Fa2/0 = CPE7 Fa0/0
      cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR4.cfg
    
     [[Router CPE1]]
      model = 3640
      console = 2009
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE2]]
      model = 3640
      console = 2010
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE3]]
      model = 3640
      console = 2011
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE4]]
      model = 3640
      console = 2012
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE5]]
      model = 3640
      console = 2013
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE6]]
      model = 3640
      console = 2014
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE7]]
      model = 3640
      console = 2021
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router CPE8]]
      model = 3640
      console = 2022
      autostart = false
      idlepc = 0x60610428
      slot0 = NM-1FE-TX
    
     [[Router GR1]]
       model = 3640
       console = 2023
       autostart = true
       idlepc = 0x60610428
       slot0 = NM-1FE-TX
       slot1 = NM-4T
       Fa0/0 = ISP2 Fa0/0
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/GR1.cfg
    
     [[Router ISP2]]
       model = 3640
       console = 2024
       autostart = true
       idlepc = 0x60610428
       slot0 = NM-1FE-TX
       cnfg = /data/dynamips/Topology/Topology_Config/mpls/ISP2.cfg

    You can pick up the config files I’ve done over here: http://mellowd.co.uk/ccie/wp-content/uploads/2010/02/mpls.tar.gz

    All my future MPLS labs will be done using this topology. Most config will be done on the access routers and the customer routers themselves.

     

    Set up wireless in Linux via the command line

    On February 6, 2010, in Linux, by Darren

    I recently bought an Acer Revo 3600 to replace my ageing PopcornHour A100. I’ve installed a minimal version of Ubuntu Linux on it as well as xbmc. As this is in my bedroom far away from my router, I only wanted to use the wireless chip.

    As I have no GUI, I have to set this up manually. If you do happen to be in some sort of GUI and want to get out of it quickly, just press ctrl+alt+f1 or ctrl+alt+f2 and so on. This will just open up another terminal session for you.

    You’ll need to know the name of your SSID as well as your password of course. In my case here I’m using WPA2. You’ll need to have wpasupplicant installed. If you have a wired connection it’ll be easy to install. If not you’ll need to get it elsewhere and copy it onto your box. I am using Ubuntu, so the same method should work with Debian. Just use your distro’s package manager to get it installed.

    sudo apt-get install wpasupplicant

    If not already root, you’ll now need to log in as root:

    sudo su -

    Now you need to type wpa_passphrase ssid password > /etc/wpa_supplicant.conf. This is my example:

    wpa_passphrase Cisco Thisisyourpassk\$y > /etc/wpa_supplicant.conf

    As this is a Linux shell, you need to remember to escape special characters with a backslash. My SSID is named Cisco and my password is Thisisyourpassk$y. I’ve put the backslash just before the $ sign. You can check that you have this correct by opening up the /etc/wpa_supplicant.conf file like so:

    vi /etc/wpa_supplicant.conf
    network={
            ssid="Cisco"
            #psk="Thisisyourpassk$y"
            psk=357b62bf79a0d096901fe32d3138b6d962b95675976f08d044d117970b04d0fa
    }

    You should see that the escape worked, as the commented-out #psk line shows the correct password in full.

    Copy the psk value as you’ll need it in the next step.

    Open your interface config file (in Ubuntu/Debian it’s over here):

    vi /etc/network/interfaces

    Add the following to this file:

    #The wireless interface
    auto wlan0
    iface wlan0 inet dhcp
    wpa-ssid "Cisco"
    wpa-ap-scan 1
    wpa-key-mgmt WPA-PSK
    wpa-psk "357b62bf79a0d096901fe32d3138b6d962b95675976f08d044d117970b04d0fa"

    Save and exit. Now restart your network:

    /etc/init.d/networking restart

    You should now be connected, and can monitor it via ifconfig and iwconfig:

    root@XBMCLive:~# iwconfig 
    
    wlan0     IEEE 802.11bg  ESSID:"Cisco"
              Mode:Managed  Frequency:2.472 GHz  Access Point: 00:1D:A2:E7:56:30
              Bit Rate=54 Mb/s   Tx-Power=20 dBm
              Retry  long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:7B16-2A4A-9A61-158A-9537-84FE-3F90-E275 [3]
              Power Management:off
              Link Quality=36/70  Signal level=-74 dBm  Noise level=-94 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    root@XBMCLive:~# ifconfig
    wlan0     Link encap:Ethernet  HWaddr 0c:60:76:68:60:25
              inet addr:10.20.31.10  Bcast:10.20.31.255  Mask:255.255.255.0
              inet6 addr: fe80::e60:76ff:fe68:6025/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:649 errors:0 dropped:0 overruns:0 frame:0
              TX packets:677 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:94586 (94.5 KB)  TX bytes:123349 (123.3 KB)

    This only works if your kernel actually has the driver of course. If not, you may need to download the Windows driver and use ndiswrapper. I’ve got an example of doing this in my post over here: http://mellowd.co.uk/ccie/?p=114

    I would also suggest deleting your /etc/wpa_supplicant.conf file to prevent anyone in future getting your password.
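The steps above leave the passphrase in the `#psk=` comment and on the command line. This added example (not code from the original post) derives the same kind of 64-digit key in Python and writes a config that is root-only from creation; the SSID and passphrase in it are constructed sample values.

```python
"""Added example: derive a WPA2 PSK and keep the config free of cleartext."""
import hashlib
import os
import stat
import tempfile


def derive_psk(ssid, passphrase):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    if not 1 <= len(ssid.encode()) <= 32 or '"' in ssid or "\n" in ssid:
        raise ValueError("SSID must be 1 to 32 bytes, no quotes or newlines")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def render_conf(ssid, passphrase):
    """Network block in the layout shown above, without the '#psk=' line."""
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (
        ssid, derive_psk(ssid, passphrase))


def write_private(path, text):
    """Create the file as 0600 so it is never readable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tightens a file that already existed


def audit(path):
    """List problems in an existing config: loose mode or cleartext passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("accessible to group/other (mode %o)" % mode)
    with open(path) as fh:
        for number, line in enumerate(fh, 1):
            if line.strip().startswith("#psk="):
                findings.append("line %d holds the passphrase in cleartext" % number)
    return findings


if __name__ == "__main__":
    # Constructed sample values, not the ones used in the post.
    ssid, passphrase = "ExampleNet", "constructed-passphrase"
    workdir = tempfile.mkdtemp()

    # "Before": the layout a redirected wpa_passphrase run leaves behind.
    before = os.path.join(workdir, "before.conf")
    with open(before, "w") as fh:
        fh.write('network={\n\tssid="%s"\n\t#psk="%s"\n\tpsk=%s\n}\n'
                 % (ssid, passphrase, derive_psk(ssid, passphrase)))
    os.chmod(before, 0o644)
    print("before:", audit(before))

    # "After": same derived key, no cleartext, root-only permissions.
    after = os.path.join(workdir, "after.conf")
    write_private(after, render_conf(ssid, passphrase))
    print("after: ", audit(after) or "no findings")
```

The derived key alone is enough to join that SSID, so `/etc/network/interfaces`, which holds it as `wpa-psk`, should be readable only by root as well.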


    Timed access-lists

    On February 5, 2010, in BSCI, CCIE, CCIP, Lab Guides, by Darren

    Timed access-lists can be handy for all sorts of things. Let’s say you have a few contractor PCs in your office that are only allowed internet access from 17:00 to 19:00 each day. The rest of the day those PCs are allowed to speak internally in the LAN only.

    I’ve got a very simple diagram here. PCs 1-3 are allowed full access all the time. PCs 4 and 5 are our contractor PCs. Let’s say that DHCP is being used, but we are matching IPs to MAC addresses (we’ll go over this in a new post sometime) – This is the topology (Click for larger image):

    Timed access lists - small

    On the router I’m going to create 2 access-lists. The first will be a timed access-list that will prevent any traffic from 192.168.1.4 and .5 from leaving the Fa0/0 interface. The second access-list will only allow traffic with a source address of 192.168.1.1-5 to pass through interface Fa0/1. This will prevent the contractors changing their IP to 192.168.1.10 and so on to gain internet access. It might be better to just not give them admin rights to their PCs, but sometimes they may be using their own computers.

    First up is the time range in which I want the block to be active:

    time-range CONTRACTOR_NO_INTERNET
     periodic daily 0:00 to 16:59
     periodic daily 19:00 to 23:59

    Next I have to create an access-list, and I need to ensure the access-list is only active during my time range:

    ip access-list extended CONTRACTORS
     deny   ip host 192.168.1.4 any time-range CONTRACTOR_NO_INTERNET
     deny   ip host 192.168.1.5 any time-range CONTRACTOR_NO_INTERNET
     permit ip any any

    Always remember that ACLs have an implicit deny at the end, so in this case I need to ensure I have an explicit permit any at the end. Also note that although I’ve blocked those hosts to any destination, they’ll still be able to traverse the local LAN as that traffic only goes through the switch. If you had a SOHO router with a switch-plane built into the router, you may need to create another entry allowing all local subnet traffic at the top of this access-list.

    Now we need to apply this access-list to the Fa0/0 interface:

    interface FastEthernet0/0
     ip address 10.1.1.1 255.255.255.0
     ip access-group CONTRACTORS out
     duplex auto
     speed auto
    end

    The last part I wanted to do was to ensure that only the IPs in use on the network right now are allowed. This prevents the contractors from changing their IPs to get around our access-list.

    ACL:

    access-list 1 permit 192.168.1.1
    access-list 1 permit 192.168.1.3
    access-list 1 permit 192.168.1.2
    access-list 1 permit 192.168.1.5
    access-list 1 permit 192.168.1.4
    access-list 1 deny   any

    On the interface:

    interface FastEthernet0/1
     ip address 192.168.1.254 255.255.255.0
     ip access-group 1 in
     duplex auto
     speed auto
    end

    Very handy!

    Edit: Just be sure that you’ve actually correctly set the clock on the router beforehand!
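To check the boundary minutes and the clock dependency without a router, here is a small Python model of the two access-lists above (an added example, not IOS code and not from the original post). It assumes a time-range's end minute is inclusive and that an entry whose time-range is inactive is skipped.

```python
"""Added example: model of the post's two ACLs for testing time boundaries."""
from datetime import datetime, time
from ipaddress import ip_address

# time-range CONTRACTOR_NO_INTERNET as (start, end) pairs.
# Assumption: the end minute is inclusive (active through hh:mm:59).
CONTRACTOR_NO_INTERNET = [(time(0, 0), time(16, 59)), (time(19, 0), time(23, 59))]

# ip access-list extended CONTRACTORS, applied outbound on Fa0/0.
# Entry format: (action, source host or None for "any", time-range or None).
CONTRACTORS = [
    ("deny", "192.168.1.4", CONTRACTOR_NO_INTERNET),
    ("deny", "192.168.1.5", CONTRACTOR_NO_INTERNET),
    ("permit", None, None),
]

# access-list 1, applied inbound on Fa0/1 (same entry order as the post).
ACL_1 = [("permit", "192.168.1.%d" % last, None) for last in (1, 3, 2, 5, 4)]


def in_time_range(ranges, now):
    """True when the router clock falls inside any periodic window."""
    hhmm = now.time().replace(second=0, microsecond=0)
    return any(start <= hhmm <= end for start, end in ranges)


def evaluate(acl, src, now):
    """First match wins; inactive timed entries are skipped; implicit deny last."""
    for action, host, ranges in acl:
        if host is not None and ip_address(host) != ip_address(src):
            continue
        if ranges is not None and not in_time_range(ranges, now):
            continue
        return action
    return "deny"


def internet_access(src, router_clock):
    """Follow a packet from the LAN: in on Fa0/1, then out on Fa0/0."""
    if evaluate(ACL_1, src, router_clock) == "deny":
        return "deny (access-list 1, Fa0/1 in)"
    if evaluate(CONTRACTORS, src, router_clock) == "deny":
        return "deny (CONTRACTORS, Fa0/0 out)"
    return "permit"


if __name__ == "__main__":
    day = (2010, 2, 5)
    checks = [
        ("192.168.1.4", datetime(*day, 16, 59)),   # last blocked minute
        ("192.168.1.4", datetime(*day, 17, 0)),    # window opens
        ("192.168.1.5", datetime(*day, 18, 59)),   # last allowed minute
        ("192.168.1.5", datetime(*day, 19, 0)),    # window closes
        ("192.168.1.1", datetime(*day, 3, 0)),     # staff PC, any time
        ("192.168.1.10", datetime(*day, 17, 30)),  # address outside .1-.5
    ]
    for src, when in checks:
        print(src, when.strftime("%H:%M"), "->", internet_access(src, when))

    # The decision follows the router's clock, not the real time of day:
    # a router that thinks it is 17:30 permits the contractors at any hour.
    wrong_clock = datetime(*day, 17, 30)
    print("clock reads 17:30:", internet_access("192.168.1.4", wrong_clock))
```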

    © 2009-2010 Darren O'Connor All Rights Reserved