Internetworks offers a collection of articles and tutorials on computer networks, covering basic to advanced concepts such as the data link layer, the network layer and network security. It is a starting point for beginners and a reference for advanced learners.
by Edgar C Francis
A time-based access-list is a type of access-list that permits or denies network access on the basis of a given time period. It is useful when you want to place restrictions on outbound or inbound traffic for particular days and time periods, for example to block particular traffic on specific days or during business hours.
Time-based access-list
A time-based access-list is easy to implement and gives an administrator good control over network traffic, since traffic can be denied or permitted on the basis of time.
Let's configure a time-based access-list.
Topology:
Configure the topology as per the diagram.
Configure IP addresses on the ports.
Configure EIGRP AS 65100 for routing.
Make sure the PC can communicate with the loopback 0 network (172.16.1.1) before configuring the time-based access-list.
Configure the time-based access-list on router 1 and block the PC's ICMP messages to the 172.16.1.1 network.
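The steps above do not show the router commands themselves. The following is an added example, not the article's own configuration, of what the time-based access-list on router 1 could look like. The PC address 192.168.1.10, the LAN interface FastEthernet0/0, the time-range name BUSINESS-HOURS and the ACL name BLOCK-PC-ICMP are assumptions; the loopback address 172.16.1.1 and the EIGRP routing come from the steps above.

```cisco
! Added example (not from the article). Assumed names: BUSINESS-HOURS and
! BLOCK-PC-ICMP; assumed PC address 192.168.1.10 and LAN interface Fa0/0.
!
! 1. A time-based ACL is only as trustworthy as the router clock, so set
!    the timezone and synchronize the clock (NTP) before relying on it.
R1(config)# clock timezone UTC 0
!
! 2. Define the window in which the deny entry is active. "periodic"
!    entries repeat every week; "absolute" gives a one-off start/end.
R1(config)# time-range BUSINESS-HOURS
R1(config-time-range)# periodic weekdays 09:00 to 17:00
R1(config-time-range)# exit
!
! 3. Extended named ACL: deny only ICMP from the PC to the loopback while
!    the time range is active. The final permit keeps everything else,
!    including the EIGRP adjacency on this segment, working.
R1(config)# ip access-list extended BLOCK-PC-ICMP
R1(config-ext-nacl)# deny icmp host 192.168.1.10 host 172.16.1.1 time-range BUSINESS-HOURS
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
!
! 4. Apply it inbound on the interface facing the PC, so the packets are
!    dropped before the router processes them for its own loopback.
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group BLOCK-PC-ICMP in
R1(config-if)# end
!
! 5. Verify: "show time-range" reports the range as active or inactive,
!    and "show access-lists" marks the deny entry (active)/(inactive)
!    and counts its matches.
R1# show clock
R1# show time-range
R1# show access-lists BLOCK-PC-ICMP
```

With this in place a ping from the PC to 172.16.1.1 fails on weekdays between 09:00 and 17:00 and succeeds at any other time, while routing is unaffected. The check worth doing before trusting the result is `show clock`: if the router's clock is wrong, the window opens and closes at the wrong real-world times, which is why the NTP configuration later in this page matters for access control as well as for logging.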
Network Time Protocol provides pretty much what its name says: time. It provides the correct time to all network devices; in other words, NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks. Correct network time within the network is important.
Correct time allows events in the network to be tracked in the correct order. Clock synchronization is critical for the correct interpretation of events within syslog data.
Advantages of NTP:
It provides time synchronization between computer devices over the internet.
NTP provides enhanced security within the premises.
NTP is used in authentication systems.
NTP provides network acceleration, which helps in troubleshooting problems.
Let's see the configuration on the router:
Topology:
Goal:
Configure the topology as per the diagram above.
Configure the IP addresses on the ports.
Configure routing with EIGRP AS 65100 and advertise all the ports.
Configure NTP on router 3; the server address will be loopback 0.
Make sure the rest of the routers get the time provided by our NTP server.
*Feb 11 12:54:25.263: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
R3(config)#router eigrp 65100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.3.0
R3(config-router)#no au
R3(config-router)#no auto-summary
R3(config-router)#exit
R3(config)#end
*Feb 11 12:54:58.699: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 2.2.2.1 (Serial4/1) is up: new adjacency
*Feb 11 12:55:29.027: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.3 (Serial4/2) is up: new adjacency
R4(config)#router eigrp 65100
R4(config-router)#network 40.0.0.0
R4(config-router)#network 3.0.0.0
R4(config-router)#network 192.168.4.0
R4(config-router)#no auto-summary
R4(config-router)#exit
R4(config)#end
*Feb 11 12:55:08.211: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency
R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.1.1
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:02:52, Serial4/0
D 3.0.0.0/8 [90/3193856] via 1.1.1.2, 00:02:00, Serial4/0
D 20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:19, Serial4/0
D 30.0.0.0/8 [90/2684416] via 1.1.1.2, 00:02:05, Serial4/0
D 40.0.0.0/8 [90/3196416] via 1.1.1.2, 00:01:36, Serial4/0
D 192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:02:47, Serial4/0
D 192.168.3.0/24 [90/2809856] via 1.1.1.2, 00:01:54, Serial4/0
D 192.168.4.0/24 [90/3321856] via 1.1.1.2, 00:01:31, Serial4/0
R2#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.2.2
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 3.0.0.0/8 [90/2681856] via 2.2.2.2, 00:01:48, Serial4/1
D 10.0.0.0/8 [90/2172416] via 1.1.1.1, 00:02:47, Serial4/0
D 30.0.0.0/8 [90/2172416] via 2.2.2.2, 00:01:53, Serial4/1
D 40.0.0.0/8 [90/2684416] via 2.2.2.2, 00:01:22, Serial4/1
D 192.168.1.0/24 [90/2297856] via 1.1.1.1, 00:02:47, Serial4/0
D 192.168.3.0/24 [90/2297856] via 2.2.2.2, 00:01:43, Serial4/1
D 192.168.4.0/24 [90/2809856] via 2.2.2.2, 00:01:17, Serial4/1
R3#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.3.3
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R3#show ip ei
R3#show ip eigrp route
^
% Invalid input detected at '^' marker.
R3#show ip route ei
R3#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 1.0.0.0/8 [90/2681856] via 2.2.2.1, 00:01:30, Serial4/1
D 10.0.0.0/8 [90/2684416] via 2.2.2.1, 00:01:30, Serial4/1
D 20.0.0.0/8 [90/2172416] via 2.2.2.1, 00:01:30, Serial4/1
D 40.0.0.0/8 [90/2172416] via 3.3.3.3, 00:01:00, Serial4/2
D 192.168.1.0/24 [90/2809856] via 2.2.2.1, 00:01:30, Serial4/1
D 192.168.2.0/24 [90/2297856] via 2.2.2.1, 00:01:30, Serial4/1
D 192.168.4.0/24 [90/2297856] via 3.3.3.3, 00:00:54, Serial4/2
R4#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.4.4
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R4#show ip route ei
R4#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 1.0.0.0/8 [90/3193856] via 3.3.3.2, 00:00:39, Serial4/2
D 2.0.0.0/8 [90/2681856] via 3.3.3.2, 00:00:39, Serial4/2
D 10.0.0.0/8 [90/3196416] via 3.3.3.2, 00:00:39, Serial4/2
D 20.0.0.0/8 [90/2684416] via 3.3.3.2, 00:00:39, Serial4/2
D 30.0.0.0/8 [90/2172416] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.1.0/24 [90/3321856] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.2.0/24 [90/2809856] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.3.0/24 [90/2297856] via 3.3.3.2, 00:00:39, Serial4/2
R3#show clock
*13:05:18.351 UTC Fri Feb 11 2022
R3#clock set 15:15:15 25 july 2020
*Jul 25 15:15:15.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:06:12 UTC Fri Feb 11 2022 to 15:15:15 UTC Sat Jul 25 2020, configured from console by console.
R3#show clock
15:15:23.199 UTC Sat Jul 25 2020
R3(config)#NTP master 8
R3(config)#exit
R3(config)#ntp source loopback 0
R3(config)#ntp server 192.168.3.3
R1#show clock
*13:14:36.687 UTC Fri Feb 11 2022
R1#show clock
*13:14:39.259 UTC Fri Feb 11 2022
R1(config)#ntp server 192.168.3.3
R1(config)#exit
R1#show clock
*15:23:34.069 UTC Sat Jul 25 2020
R2#show clock
*13:13:01.619 UTC Fri Feb 11 2022
R2(config)#ntp server 192.168.3.3
R2(config)#exit
R2#show clock
*15:24:01.200 UTC Sat Jul 25 2020
R4#show clock
*13:14:40.535 UTC Fri Feb 11 2022
R4(config)#ntp server 192.168.3.3
R4(config)#exit
R4#show clock
15:24:56.677 UTC Sat Jul 25 2020
R3#show ntp packets
Ntp In packets : 27
Ntp Out packets : 36
Ntp bad version packets : 0
Ntp protocol error packets : 0
R3#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 55200 (1/100 of seconds), resolution is 4000
reference time is E2C6CD63.0A3E5987 (15:25:23.040 UTC Sat Jul 25 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.35 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 8 sec ago.
R3#show ntp associations
address ref clock st when poll reach delay offset disp
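The session above synchronizes R1, R2 and R4 to R3 without any authentication, so any host that can reach the routers could answer as 192.168.3.3 and move their clocks. The following is an added example, not the article's own configuration, of the same NTP setup with MD5 authentication on both sides. The key number 1 and the key string NTP-SECRET-KEY are assumptions (use your own secret); 192.168.3.3 is R3's loopback 0 from the article, and the clients are assumed to have a Loopback0 of their own to source packets from.

```cisco
! Added example (not from the article). Key number, key string and the
! client Loopback0 sourcing are assumptions; 192.168.3.3 is from the lab.
!
! --- R3: NTP server, stratum 8 from its own clock, as in the article ---
R3(config)# ntp master 8
R3(config)# ntp source Loopback0
! Shared secret and the list of keys this router considers trustworthy.
R3(config)# ntp authentication-key 1 md5 NTP-SECRET-KEY
R3(config)# ntp authenticate
R3(config)# ntp trusted-key 1
!
! --- R1, R2, R4: NTP clients (repeat on each) ---
R1(config)# ntp authentication-key 1 md5 NTP-SECRET-KEY
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp source Loopback0
! "key 1" means the client only accepts replies from 192.168.3.3 that
! carry a valid MAC computed with key 1; unsigned replies are ignored.
R1(config)# ntp server 192.168.3.3 key 1
R1(config)# end
!
! --- Verify on a client ---
! "show ntp status" should report "Clock is synchronized, stratum 9,
! reference is 192.168.3.3"; the detail view shows "authenticated" for
! the association once the key check passes.
R1# show ntp status
R1# show ntp associations
R1# show ntp associations detail
R1# show clock
```

Two things to read in the output. In `show clock`, a leading `*` (as in the captures above) means the time is not authoritative; it disappears once NTP synchronization completes. In `show ntp associations detail`, an association that stays `unsynced` after adding `key 1` almost always means the key string or key number differs between server and client. Where clients should be further restricted, `ntp access-group` can limit which addresses the server answers, in addition to the authentication shown here.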
DHCP (Dynamic Host Configuration Protocol) servers provide all the basic information a client needs to operate on the network, such as DNS addresses, the default gateway, IP addresses, subnet masks and more.
Imagine a bad guy (attacker) comes along, brings a fake DHCP server machine and runs it on the exact same subnet as the other PCs on the network. Now what will happen? The PC broadcasts a DHCP request, and the attacker's server may send a DHCP reply from its fake DHCP machine offering its own IP address as the default gateway.
When our client receives the reply from the attacker machine, the client uses the spoofed gateway address and our packets go through the attacker machine first. Yes, maybe the attacker forwards our packets to the correct destination, but in the meantime the attacker examines all our packets. This scenario becomes a man-in-the-middle attack, and our innocent client does not even realize it.
Cisco switches use the DHCP snooping feature to prevent these types of attacks. When DHCP snooping is enabled, each switch port is either trusted or untrusted. The legitimate DHCP server is reached through a trusted port, and the rest of the ports are untrusted as far as DHCP servers are concerned. When a DHCP server message arrives on an untrusted port, the switch discards it before it can flood the VLAN, and can also put that untrusted port into the err-disabled state automatically. DHCP snooping also keeps track of the complete DHCP binding table.
Let's see the configuration of the DHCP snooping attack and how to prevent it.
Topology: Cisco Packet Tracer
Goal:
Configure the topology as per the diagram in Cisco Packet Tracer.
Configure an IP address on router 1.
Configure a DHCP server on router 1.
Make sure all our clients get the basic information: IP addresses, subnet mask, default gateway and DNS addresses.
Configure the attacker machine as a DHCP server.
Switch our client (PC) from STATIC to DHCP again and verify whether the basic information has changed (ipconfig /all).
Now configure our switch to prevent the attacker with DHCP snooping.
With snooping in place, switch our PC from static to DHCP once more and verify that the attacker's information is no longer accepted.
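The goals above describe the lab but not the commands. The following is an added example, not the article's own configuration, covering the two configured devices: the DHCP server on router 1 and DHCP snooping on the switch. The subnet 192.168.10.0/24, the pool name CLIENTS, VLAN 1, the interface names and the DNS address are all assumptions; adjust them to the Packet Tracer diagram.

```cisco
! Added example (not from the article). Subnet, pool name, VLAN and
! interface names are assumptions.
!
! --- Router 1: DHCP server for the client LAN ---
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
! Keep the gateway and a few static addresses out of the pool.
R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
R1(config)# ip dhcp pool CLIENTS
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# dns-server 192.168.10.1
R1(dhcp-config)# exit
!
! --- Switch: DHCP snooping ---
! Snooping must be enabled globally AND for the VLAN; with only one of
! the two, nothing is filtered.
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 1
! The IOS router DHCP server drops requests that carry option 82 with a
! zero giaddr, so do not insert the relay information option here.
SW1(config)# no ip dhcp snooping information option
!
! Only the uplink towards the real DHCP server is trusted. Server
! messages (OFFER/ACK/NAK) arriving on any other port are dropped, which
! is what silences the attacker's machine.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# description uplink to R1 (DHCP server)
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit
!
! Client ports stay untrusted. Rate-limiting DISCOVERs means a host that
! floods requests is err-disabled instead of exhausting the pool.
SW1(config)# interface range FastEthernet0/1 - 24
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config-if-range)# exit
! Optional: recover err-disabled ports automatically after 5 minutes.
SW1(config)# errdisable recovery cause dhcp-rate-limit
SW1(config)# errdisable recovery interval 300
SW1(config)# end
!
! --- Verify ---
! "show ip dhcp snooping" lists the VLANs and which ports are trusted;
! the binding table should contain one entry per legitimate client.
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
R1# show ip dhcp binding
```

After this, repeating the static-to-DHCP switch on the PC should show `ipconfig /all` with 192.168.10.1 as the default gateway again, because the attacker's offer never leaves its untrusted port. The binding table that snooping builds is also the data source for Dynamic ARP Inspection and IP Source Guard, so the same configuration is the first step for those protections as well.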