WIP: Cisco: Reflexive ACL

Reflexive, ACL, ACL, Network-Security, Security, Networking, Cisco

Tasks

Topology Redistribute static route with tag ac6665a0-c406-4f46-8b30-b205290aedb7

network-security.acl.reflexive-acl.2rt.2sw.4node.1ext-conn.static.ac6665a0

- Topology Description: Redistribute static route with tag
- Topology ID: ''ac6665a0-c406-4f46-8b30-b205290aedb7''
- Design and Technology:
  - PBR
  - route-map
  - Routing Protocol
    - static
    - OSPF
  - 3 routers
  - 0 servers
- Remarks: N/A

### Links

WIP: Cisco: Reflexive ACL [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:reflexive-acl:reflexive-acl

Base Configuration

Common Configuration Snippet

trex-0

trex-0

# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1   inserthostname_here" >>/etc/hosts
echo "trex-0" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
 
auto eth0
iface eth0 inet dhcp
 
auto eth1
iface eth1 inet static
        hostname trex-0
        address 10.1.1.254
        netmask 255.255.255.0
        #gateway 10.1.1.1
        #dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 10.1.1.254/24 dev eth0
#ip route add 0.0.0.0/0 via 10.1.1.1
#ip link set eth0 up

trex-1

trex-1

# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1   inserthostname_here" >>/etc/hosts
echo "trex-1" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
 
auto eth0
iface eth0 inet dhcp
 
auto eth1
iface eth1 inet static
        hostname trex-1
        address 198.51.100.252
        netmask 255.255.255.0
        #gateway 198.51.100.2
        #dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 198.51.100.252/24 dev eth0
#ip route add 0.0.0.0/0 via 198.51.100.2
#ip link set eth0 up

ubuntu-0

ubuntu-0

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s2:
              dhcp4: true
              dhcp6: true
              match:
                 name: enp0s2
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 10.1.1.253/24
              routes:
                 - to: 198.51.100.0/24
                   via: 10.1.1.1
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 10.1.1.1
                   metric: 0
              #gateway4: 10.1.1.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-1

ubuntu-1

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 198.51.100.251/24
              routes:
                 - to: 10.1.1.0/24
                   via: 198.51.100.2
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 198.51.100.2
                   metric: 0
              #gateway4: 198.51.100.2
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

R1

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
end

R2

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 198.51.100.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
end

Configure Reflexive ACL

configure terminal
!
ip access-list extened ACL_OUTBOUND
 permit icmp any any
 permit tcp any any reflect REFLECT_TCP timeout 120
!
ip access-list extened ACL_INBOUND
 permit icmp any any
 evaluate REFLECT_TCP
!
interface GigabitEthernet 0/0
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end

References

PG1X WIKI

User Tools

Site Tools

Table of Contents

WIP: Cisco: Reflexive ACL

Tasks

Topology Redistribute static route with tag ac6665a0-c406-4f46-8b30-b205290aedb7

Base Configuration

Configure Reflexive ACL

References

Page Tools