Saturday, 15 June 2013

Updating Home Network 2

Updating Home Network


Topology


Objectives

  • Enable passive interfaces
  • Create ACL to block VLAN 3 web traffic

Passive interfaces


I thought I'd try and be clever and use the no passive-interface command to stop my fa0/24 port from dropping my EIGRP adjacency before issuing the default command, as passive-interface default will make all ports passive.



But no, this dropped my EIGRP adjacency. Luckily I can still SSH back to APHRODITE from HADES to fix this.



ACL to block VLAN 3 web traffic

I was going to create a whitelist and only allow specific pages.

20 permit tcp 172.16.3.0 0.0.0.255 host www.rightsignature.com eq 80
21 permit tcp 172.16.3.0 0.0.0.255 host www.gro.gov.uk eq 80
22 permit tcp 172.16.3.0 0.0.0.255 host www.pensionaid.com eq 80
23 permit tcp 172.16.3.0 0.0.0.255 host www.hopewiser.com eq 80
24 permit tcp 172.16.3.0 0.0.0.255 host buckley.bluetelecoms.com eq 80
25 permit tcp 172.16.3.0 0.0.0.255 host www.justice.gov.uk eq 80
26 permit tcp 172.16.3.0 0.0.0.255 host www.royalmail.com eq 80
27 permit tcp 172.16.3.0 0.0.0.255 host www.google.com eq 80
28 permit tcp 172.16.3.0 0.0.0.255 host www.buckleyandhenshaw.com eq 80
29 permit tcp 172.16.3.0 0.0.0.255 host www.ib-pay.net eq 80
30 permit tcp 172.16.3.0 0.0.0.255 host www.iaxtalk.com eq 80
31 permit tcp 172.16.3.0 0.0.0.255 host www.rightsignature.com eq 443
32 permit tcp 172.16.3.0 0.0.0.255 host www.gro.gov.uk eq 443
33 permit tcp 172.16.3.0 0.0.0.255 host www.pensionaid.com eq 443
34 permit tcp 172.16.3.0 0.0.0.255 host www.hopewiser.com eq 443
35 permit tcp 172.16.3.0 0.0.0.255 host buckley.bluetelecoms.com eq 443
36 permit tcp 172.16.3.0 0.0.0.255 host www.justice.gov.uk eq 443
37 permit tcp 172.16.3.0 0.0.0.255 host www.royalmail.com eq 443
38 permit tcp 172.16.3.0 0.0.0.255 host www.google.com eq 443
39 permit tcp 172.16.3.0 0.0.0.255 host www.buckleyandhenshaw.com eq 443
40 permit tcp 172.16.3.0 0.0.0.255 host www.ib-pay.net eq 443
41 permit tcp 172.16.3.0 0.0.0.255 host www.iaxtalk.com eq 443
50 deny tcp any any
51 permit ip any any


However, when the hostnames were entered, the router resolved each of them to an IP address at configuration time, which meant that VLAN 3 could still access the websites by using a different IP address.

For example, google.com:


After much googling I found that I'd best change the ACL to just block all web traffic from VLAN 3, as much of the information on how to whitelist is out of the scope of the CCNA.

So I've ended up with the following:


 
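The final access list only appears in the post as a screenshot, so the following is an added example (not the author's router configuration) that writes a block-all-web ACL for VLAN 3 in the same numbered extended ACL syntax used above and checks it offline with a small simulator of IOS first-match semantics (sequence numbers, wildcard masks, implicit deny at the end). The addresses 203.0.113.10 and 203.0.113.11 are constructed stand-ins for what the router snapshotted when the hostnames were entered, the test flows are constructed, and both lists are assumed to be applied inbound on the VLAN 3 interface with ip access-group, so only VLAN 3 sources ever hit them. Running the whitelist through the same simulator also shows why its line 50 (deny tcp any any) drops every non-web TCP session from VLAN 3, SSH included, and why a site that moves to a new address stops matching.

```python
"""Minimal simulator of Cisco IOS numbered extended ACL semantics (first match wins,
implicit deny at the end), used to compare the two VLAN 3 policies from the post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network_bits, care_mask, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = wildcard ^ 0xFFFFFFFF          # wildcard bit set to 1 means "don't care"
    return addr & care, care, tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier; returns (port_or_None, remaining_tokens)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p]' lines, sorted by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src_net, src_mask, rest = _parse_addr(tok[3:])
        _sport, rest = _parse_port(rest)   # source port qualifier is parsed but not matched here
        dst_net, dst_mask, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append((seq, action, proto, src_net, src_mask, dst_net, dst_mask, dport))
    return sorted(entries)


def evaluate(acl, flow):
    """Return 'permit' or 'deny' for a flow; the first matching entry decides."""
    src = int(ipaddress.IPv4Address(flow.src))
    dst = int(ipaddress.IPv4Address(flow.dst))
    for _seq, action, proto, src_net, src_mask, dst_net, dst_mask, dport in acl:
        if proto not in ("ip", flow.proto):
            continue
        if (src & src_mask) != src_net or (dst & dst_mask) != dst_net:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL


# Constructed ACLs (not the router's running config). 203.0.113.10 stands in for the
# address IOS stored when a hostname was typed into the whitelist.
WHITELIST_ACL = """
20 permit tcp 172.16.3.0 0.0.0.255 host 203.0.113.10 eq 80
31 permit tcp 172.16.3.0 0.0.0.255 host 203.0.113.10 eq 443
50 deny tcp any any
51 permit ip any any
"""

BLOCK_WEB_ACL = """
10 deny tcp 172.16.3.0 0.0.0.255 any eq 80
20 deny tcp 172.16.3.0 0.0.0.255 any eq 443
30 permit ip any any
"""

# Constructed flows from a VLAN 3 host, as seen inbound on the VLAN 3 interface.
FLOWS = {
    "web to snapshotted ip": Flow("tcp", "172.16.3.25", "203.0.113.10", 80),
    "web after site moved ip": Flow("tcp", "172.16.3.25", "203.0.113.11", 80),
    "https to snapshotted ip": Flow("tcp", "172.16.3.25", "203.0.113.10", 443),
    "ssh to another vlan": Flow("tcp", "172.16.3.25", "172.16.1.1", 22),
    "dns to resolver": Flow("udp", "172.16.3.25", "172.16.1.1", 53),
}


def decisions(acl_text):
    """Map each named flow to the verdict the given ACL text produces."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, text in (("whitelist", WHITELIST_ACL), ("block all web", BLOCK_WEB_ACL)):
        print(label)
        for name, verdict in decisions(text).items():
            print(f"  {verdict:6} {name}")
```

The simulator only understands the address forms and the eq port qualifier that appear in the post's list; ranges, established and other qualifiers are out of scope. The point of the two runs is that the block-all-web list does exactly one thing (no TCP/80 or TCP/443 from 172.16.3.0/24, everything else permitted), whereas the hostname whitelist both over-blocks (every non-web TCP session from VLAN 3 falls through to line 50) and under-delivers (a permitted site that changes address is no longer matched).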

Complete



