  Testing Extended ACLs

  #1 mattrgee (Senior Member; Manchester, UK; joined May 2006; 201 posts; certifications: BSc (Hons) Computer Networks, ITIL v3, Prince2 Practitioner, CCENT, CCNA:S)

    Hi all,

    Can anyone recommend a good method for testing extended ACLs? Testing standard ACLs is pretty straightforward: deny a source here, permit a source there, etc. However, permitting and denying protocols and ports with extended ACLs would be far more beneficial for learning the technology.

    I'm trying to avoid bringing an additional PC into the topology purely for hosting an FTP server or similar, as it seems a bit overkill. Is there any way I could configure a router to reply to traffic sent to port 21, for example?

    Ideas welcome.

    Thanks.

  #2 mamono (Senior Member; Cerritos, CA; joined May 2007; 778 posts; certifications: A+, Net+, Security+, Server+, i-Net+, CCNA Security, CCENT, MCITP:EST, MCDST, MCTS:Vista, HDI/CSR, HDI/SCA, HDI/DST, Apple, Dell)
    You could just block ICMP on an extended ACL; that should be pretty easy to test. You won't accidentally be disconnected if you were remotely connected to the router and happened to enact a misconfiguration.

    Happily ping away. No need to add another PC, just ping the interfaces and deny/permit to your heart's content.

  #3 tech-airman (Senior Member; joined Mar 2007; 958 posts; certifications: MCSE, MCP+I, MCP, A+, CCNA certified, Cisco Networking Academy Semester 4 graduate)

    Quote Originally Posted by mattrgee:
      Hi all,

      Can anyone recommend a good method for testing extended ACLs? Testing standard ACLs is pretty straightforward: deny a source here, permit a source there, etc. However, permitting and denying protocols and ports with extended ACLs would be far more beneficial for learning the technology.

      I'm trying to avoid bringing an additional PC into the topology purely for hosting an FTP server or similar, as it seems a bit overkill. Is there any way I could configure a router to reply to traffic sent to port 21, for example?

      Ideas welcome.

      Thanks.
    mattrgee,

    At the Windows Command Prompt, you can type the following:
    Code:
    >telnet [destination IP address] [destination port]
    For example:
    Code:
    >telnet 192.168.1.15 80
    In the case of the above-mentioned example, you're going to need a host on the other end of the network with an IP address of 192.168.1.15 and running a web server. So unfortunately, you can't "...avoid bring[ing] an additional pc into the topology..."

    Your question of "Is there any way I could configure a router to reply to traffic sent to port 21, for example?" has a problem. Port 21 is used by FTP for connection control. Usually port 20 is used by FTP for the data flow. I know that a Cisco router can be an FTP client but not an FTP server. So even if a Cisco router is used as an FTP client, it won't help you understand and practice extended ACL usage, because any traffic that comes FROM the router is NOT affected by ANY ACL.

    Since you mention "...would be far more beneficial for learning the technology...", how about taking your own advice and understanding each technology, such as how FTP works, how web access works, how e-mail works, and so on. Then it'll help you understand why you're creating and applying an access control list at all. Does this make sense?
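A way to get the port-level test this reply describes without a second machine, as an added example that is not from the thread: a small Python script, assumed to run on the PC you already manage the lab from, listens on the FTP control, HTTP and telnet ports and answers every connection with a banner, so that `telnet <pc-ip> 21` from the far side of the ACL shows a banner when the flow is permitted and a timeout or reset when it is denied. The `probe` helper does the same check from Python; the port list is a constructed default.

```python
"""Fake TCP services for exercising extended ACLs in a lab (added example).

Each listener accepts a connection, sends a one-line banner naming its port
and closes, so `telnet <pc-ip> <port>` from the far side of the ACL shows a
banner when the flow is permitted and a timeout or reset when it is denied.
"""
import socket
import sys
import threading

# Constructed defaults: FTP control, HTTP and telnet, the ports most ACL
# exercises filter. Binding below 1024 needs root privileges on Linux.
DEFAULT_PORTS = (21, 80, 23)


def serve(port, bind_ip="0.0.0.0"):
    """Start a banner listener; port 0 picks a free port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    bound = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:  # listener closed: stop serving
                return
            with conn:
                conn.sendall(f"220 fake service on tcp/{bound}\r\n".encode())

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, bound


def probe(host, port, timeout=3.0):
    """Connect and read the banner; return 'denied' on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            return conn.recv(256).decode(errors="replace").strip()
    except OSError:  # refused, timed out (a subclass of OSError) or unreachable
        return "denied"


if __name__ == "__main__":
    ports = [int(p) for p in sys.argv[1:]] or list(DEFAULT_PORTS)
    listeners = [serve(p) for p in ports]
    for _sock, bound in listeners:
        print(f"listening on tcp/{bound}")
    threading.Event().wait()  # run until interrupted
```

Source the telnet from a host or second router on the far side of the router holding the ACL, since, as noted above, the router's own traffic is not filtered by its ACLs.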

  #4 mattrgee
    I totally understand the technology; my thoughts are focused towards simulating common services in a lab environment. Bringing additional PCs into a topology can be a real pain when you're short on space, so being able to simulate services running on their designated ports with minimal equipment can be a real benefit, i.e. simulating an FTP server on port 21 without a physical server.

  #5 tech-airman
    mattrgee,

    Quote Originally Posted by mattrgee:
      I totally understand the technology; my thoughts are focused towards simulating common services in a lab environment. Bringing additional PCs into a topology can be a real pain when you're short on space, so being able to simulate services running on their designated ports with minimal equipment can be a real benefit, i.e. simulating an FTP server on port 21 without a physical server.
    The above bolded sections of what you just said conflict with each other. If you "...totally understand the technology..." then you'll know that: 1) FTP is the communication between a client host and a server host at the Application Layer; 2) routers operate at the Network Layer. So since you "...totally understand the technology...", explain how the Data Link Layer frame is supposed to be encapsulated by the last router or switch, then decapsulated by the NIC of an FTP server that doesn't physically exist?

  #6 mattrgee
    You're missing the point here.

    The question is about exploring other possibilities. Do I need physical routers to create a topology? No. Do I need a physical PC to serve as a DHCP server? No, I boot up VMWare and load a virtual instance. We all know what port FTP uses; we all understand the OSI model.

    I suggest you do some Googling on VMWare, GNS3 and Dynamips.

  #7 tech-airman
    mattrgee,

    Quote Originally Posted by mattrgee:
      You're missing the point here.

      The question is about exploring other possibilities. Do I need physical routers to create a topology? No.
    Actually yes. Cisco is testing if you understand their networking devices all the way down to the Physical Layer.

    Quote Originally Posted by mattrgee:
      Do I need a physical PC to serve as a DHCP server? No, I boot up VMWare and load a virtual instance.
    Yes, you will need a physical PC for your VMWare to run on.

    Quote Originally Posted by mattrgee:
      We all know what port FTP uses; we all understand the OSI model.
    What port does FTP use? You still haven't explained how you're going to encapsulate the FTP packet into an FTP frame to travel down the patch cable to the NIC of the FTP server then decapsulate the frame up to the FTP application server?

    Quote Originally Posted by mattrgee:
      I suggest you do some Googling on VMWare, GNS3 and Dynamips.
    You are being notified that you are not authorized to use Cisco IOS on a GNS3 and/or Dynamips computer because it is a violation of the Cisco End User License Agreement.

    Source:
    1. End User License Agreement [Products & Services] - Cisco Systems - http://www.cisco.com/en/US/docs/gene...h/EU1KEN_.html

  #8 mattrgee
    I don't know what question you are trying to answer tech-airman but it certainly isn't mine.

    Thanks for the reply Mamono, I'll look into it.

    Question Answered.