Access Control Lists are extremely useful tools. They play an important role in permitting or denying traffic. They are also used to define interesting traffic for the purpose of policy routing, and much more.
In this lab, an Ansible play is used to enable logging of inbound SSH traffic on the management interface. In the real world, logging all inbound SSH traffic could be used to detect unauthorized access.
Outcomes
You should be able to:
Compose a playbook containing a play that:
Creates an extended Access Control List (ACL) that logs TCP port 22 traffic from anywhere to anywhere.
Applies the ACL to the management interface.
Perform the play that creates ACL 101 and applies it to the management interface.
Verify that the ACL is working.
Open a terminal window on the workstation VM.
You already have a playbook named j2cfg.yml that applies changes to networking devices based on configuration statements generated by Jinja2 templates.
Modify the j2/ios-config.j2 template to create ACL 101 and apply it to the management interface.
Create an extended Access Control List (ACL) that logs TCP port 22 traffic from anywhere to anywhere.
To create an ACL that logs SSH traffic, append a single configuration statement that defines extended ACL 101, permitting TCP traffic for port 22 from anywhere to anywhere, logging the matches.
The format of an extended ACL configuration statement that logs matches is access-list number permit/deny protocol src dst eq port log.
The IOS configuration statement that defines an ACL 101 that logs all SSH traffic from anywhere to anywhere is access-list 101 permit tcp any any eq 22 log.
Apply the ACL to the management interface.
The management interface of cs01 is GigabitEthernet1.
To apply ACL 101 to the management interface, issue the interface level configuration statement ip access-group 101 in.
The resulting j2/ios-config.j2 file should have the following content:
hostname {{ inventory_hostname }}
ip domain-name {{ domain_name }}
{% for nameserver in nameservers %}
ip name-server {{ nameserver }}
{% endfor %}
service timestamps log datetime
service timestamps debug datetime
logging {{ syslog_ipv4 }}
logging trap {{ ios_loglevel }}
access-list 1 permit {{ workstation_ipv4 | ipaddr('address') }} log
access-list 1 permit {{ tower_ipv4 | ipaddr('address') }} log
snmp-server community {{ ro_community }} RO 1
access-list 101 permit tcp any any eq 22 log
interface GigabitEthernet1
ip access-group 101 in
Perform the play that creates ACL 101 and applies it to the management interface.
Limit it to cs01.
Verify that the ACL is working.
Monitor traffic on the syslog port of the workstation VM to confirm that log messages are arriving.
Run tcpdump, listening on eth0 port 514.
[student@workstation proj]$ sudo tcpdump -Xni eth0 port 514
[sudo] password for student: student
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Open another terminal window on the workstation machine.
Use SSH to connect to cs01 as admin using student as the password.
[student@workstation ~]$ ssh admin@cs01
Password: student
cs01#
In your tcpdump terminal window, you should see a hex dump of the log message caused by the SSH connection to cs01.
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:15:16.095546 IP 172.25.250.195.50767 > 172.25.250.254.syslog: SYSLOG local7.info, length: 147
0x0000: 4500 00af 0005 0000 ff11 6d43 ac19 fac3 E.........mC....
0x0010: ac19 fafe c64f 0202 009b e6a6 3c31 3930 .....O......<190
0x0020: 3e38 323a 202a 4175 6720 2035 2032 303a >82:.*Aug..5.20:
0x0030: 3135 3a31 343a 2025 464d 414e 4650 2d36 15:14:.%FMANFP-6
0x0040: 2d49 5041 4343 4553 534c 4f47 503a 2046 -IPACCESSLOGP:.F
0x0050: 303a 2066 6d61 6e5f 6670 5f69 6d61 6765 0:.fman_fp_image
0x0060: 3a20 206c 6973 7420 3130 3120 7065 726d :..list.101.perm
0x0070: 6974 7465 6420 7463 7020 3137 322e 3235 itted.tcp.172.25
0x0080: 2e32 3530 2e32 3534 2835 3238 3634 2920 .250.254(52864).
0x0090: 2d3e 2031 3732 2e32 352e 3235 302e 3139 ->.172.25.250.19
0x00a0: 3528 3232 292c 2031 2070 6163 6b65 74 5(22),.1.packet
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
Use Control+C to break out of the tcpdump session.
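The ASCII column of the capture above decodes to the IOS %IPACCESSLOGP message generated by ACL 101. The following added example (not part of the lab) parses such messages and flags SSH sessions to cs01 that originate from a host other than the workstation; the expected-source set, the second and third sample lines, and the helper names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the body of an IOS-XE %IPACCESSLOGP message, for example:
# "list 101 permitted tcp 172.25.250.254(52864) -> 172.25.250.195(22), 1 packet"
ACL_LOG_RE = re.compile(
    r"IPACCESSLOGP: .*?list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int

def parse_acl_log(line: str) -> Optional[AclHit]:
    """Return an AclHit for an IPACCESSLOGP line, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    return AclHit(m["acl"], m["action"], m["proto"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["count"]))

# Hosts expected to open SSH sessions to the device. Assumption: only the
# workstation (172.25.250.254, the source seen in the lab capture).
EXPECTED_SSH_SOURCES = frozenset({"172.25.250.254"})

def unexpected_ssh(lines: Iterable[str], expected=EXPECTED_SSH_SOURCES) -> List[AclHit]:
    """Return ACL 101 hits on TCP/22 whose source is not an expected management host."""
    hits = []
    for line in lines:
        hit = parse_acl_log(line)
        if hit and hit.acl == "101" and hit.proto == "tcp" and hit.dport == 22 \
                and hit.src not in expected:
            hits.append(hit)
    return hits

# Constructed sample input: line 1 is the message decoded from the lab capture;
# lines 2 and 3 are made up (an SSH session from another host, and an unrelated message).
SAMPLE_LOG = [
    "<190>82: *Aug  5 20:15:14: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image:  list 101 permitted tcp 172.25.250.254(52864) -> 172.25.250.195(22), 1 packet",
    "<190>83: *Aug  5 20:16:02: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image:  list 101 permitted tcp 172.25.250.77(41022) -> 172.25.250.195(22), 1 packet",
    "<189>84: *Aug  5 20:16:30: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for hit in unexpected_ssh(SAMPLE_LOG):
        print(f"unexpected SSH from {hit.src} to {hit.dst}:{hit.dport} ({hit.count} packet(s))")
```

Feeding the script the messages received on UDP port 514 (for example from a syslog daemon's log file) would turn the lab's raw tcpdump check into a repeatable detection.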
This concludes the lab.