Cisco CCNA: Network Security and Control
Unit 1. Introduction to Network Security
Because of our reliance on networks in our personal and professional lives, network security has become an important issue. Although total security is impossible, you can do many things to safeguard your network.
This first unit points out the hazards to network security, then offers countermeasures to protect your network. One important countermeasure is access lists. The remaining units in this course describe the theory of access lists, and the configuration commands to place them on your router.
After completing this unit, you should be able to:
- Differentiate between trusted, untrusted, and unknown networks
- Define firewalls
- List the types of attacks that threaten network security
- List the results of a network attack
- Describe the role of routers in increasing network security
This unit does not address any specific Cisco objectives. However, it does provide background information that is essential for the CCNA exam.
In the course index, questions about background information are indicated with the abbreviation BCK and a short description of the question subject matter.
Topic 1.1: Categories of Networks
*Levels of Network Security
To understand network security issues, you need to differentiate between secure and less secure networks. Networks can be divided into the following three categories:
- Trusted networks
- Untrusted networks
- Unknown networks
*Trusted Networks
The networks that you control are your trusted networks. If you are a network administrator, one of your primary obligations is to safeguard your trusted network.
In order to maintain a trusted network, you probably have a server that guards access to and from outside resources. Such a server is called a gateway, proxy, or firewall server. These server names are sometimes interchanged incorrectly.
*Entry Point to a Network
A gateway server is the entry to a network. Incidentally, the Internet — most notably the ISP portion — includes many gateway servers, which are also called gateway nodes.
A gateway server can function as a proxy server. A proxy server acts as a middleman between a user and the Internet. When a user on your network requests an Internet page, the proxy server returns it. Proxy servers maintain a cache of requested Web pages, which can speed up Internet interactivity.
*The Gateway as a Firewall
A gateway can also function as a firewall. Generally, a firewall is software that protects a network from activity occurring outside of the network. When you install a firewall server, you use the network interface cards to define the trusted network or networks which fall under the responsibility of the firewall.
A firewall can also include routers that filter unwanted external packets and forward acceptable packets inside the network. This filtering process uses access lists, which we will discuss later in this course. Another router firewall tool is router passwords, which we discussed in an earlier course.
As is often the case, there is an exception to our definition of a trusted network.
You can have a virtual private network, which you treat as a trusted network, despite the fact that it communicates over an untrusted network. In these instances, the firewall still protects the trusted network by authenticating data origin and integrity.
*Untrusted Networks
An untrusted network is any network over which you have no control. Naturally, though, what you consider an untrusted network is another administrator's trusted network.
As administrator for your trusted network, you can define specific untrusted networks with which your firewall can communicate.
*Unknown Networks
If you cannot identify a network as trusted or untrusted, then it is unknown. Obviously, an unknown network is not under your control.
Topic 1.2: Threats to Trusted Networks
*Network Vulnerabilities
Even though you may have installed a firewall, your trusted network may be vulnerable to outside attacks, especially the following:
- Password attacks
- Packet sniffers
- IP spoofing
- Man-in-the-middle attacks
- Leaking of internal information to external locations
Topic 1.2.1: Password Attacks
*Password Vulnerability
Neither network nor router passwords are invulnerable. If your network or an individual node requires a password, another person could try random passwords to enter your network. The same is true for router passwords.
*Console and Router Passwords
Routers without console passwords are especially vulnerable. Typically, consoles are protected behind locked doors. However, sometimes doors are left unlocked. This leaves the network and routing tables open for passive monitoring or active re-routing of packets.
The passwords for a router can also be reset by anyone who reaches the console. This password-recovery feature exists as insurance against human forgetfulness, but it has the undesirable side effect that anyone knowledgeable about routers can reset the passwords and corrupt the configuration.
Topic 1.2.2: Packet Sniffers
*Stealing Packets
Packet sniffers are software applications that steal packets by redirecting them to a destination specified by the attacker. Packet sniffers work for these reasons:
- Packets can be captured through the network adapter card for a physical connection in a LAN.
- Packets are usually sent in clear text, which means most applications can process them.
- Many administrators are familiar with packet sniffers because they are used to troubleshoot network problems.
*Accessing Confidential Information
Once packets are captured by an outside attacker, confidential information such as account numbers and passwords can be accessed.
Topic 1.2.3: IP Spoofing
*Destructive Information
In a spoofing attack, an attacker inserts destructive information from a trusted IP address, or from an IP address that falls within the range of trusted IP addresses.
Spoofing is possible in either a client-server or peer-to-peer network communication. It doesn't immediately involve funneling information back to the attacker because, initially, the attacker can just add to the data stream. Indirectly, however, the attacker can introduce commands to redirect data or return confidential information.
Question 1
Topic 1.2.4: Man-in-the-Middle Attacks
*Relying On Packet Sniffers
Man-in-the-middle attacks occur at some point in the intended flow of packets passing to and from your network. This type of attack relies on network packet sniffers and on the routing and transport protocols to intercept the traffic, including any public keys the two parties exchange.
For example, someone at your ISP (Internet service provider) could be stealing or corrupting information to and from you, analyzing the data flow with the intent to gain additional information about your users and resources, or preventing you from communicating outside your network.
Topic 1.2.5: Leaking Internal Information
*Disgruntled Employees
Although leaking sensitive, internal information may be the result of an attack, it is in itself a form of attack.
This kind of attack is often committed by an ex-employee seeking revenge, or even a current but unhappy employee who has local access to your network.
*Confidential Information
Confidential information includes passwords, account numbers, and information that would be destructive in an outsider's hands.
Leaking information involves sending confidential information, or sending the means to access confidential information, to others who will use it against your users or your network.
As you've probably noticed, not all attacks are external.
Some attacks, such as password attacks, dispersal of confidential information, and IP spoofing, can occur within your trusted network.
Other attacks can occur within an internetwork, like the man-in-the-middle attack from your ISP, that you expect to be trustworthy.
Topic 1.3: Effects of Compromised Network Security
*Destruction...
There are several things that can happen if your network is not secure.
As you've seen previously, confidential information can be passed to others for destructive purposes.
Nodes on your network may also unknowingly be the source of destructive messages to external nodes, such as those of business competitors.
*....Malicious Reconfiguration...
Also, information about your network and users can be accessed and maliciously reconfigured without your knowledge.
*...and Poor Communication
Insufficient network security may also cause your network to stop functioning properly.
- Your network may not receive information sent to it.
- Your network may not be able to perform certain operations because of flooding by packets to the point of incapacitation, or locking users out of expected services. This is called denial-of-service.
Topic 1.4: Securing Your Network
*The Best Defense
The best defense for network security is a good offense. This means you assume you are going to be attacked, study your network's weaknesses with the hope of minimizing them, and have a plan in place for counteracting attacks when they happen.
*Layer Your Networks
Your defense should include layering your networks with respect to security. Shown here are three layers. The first layer is the outer layer, which is the least secure. Here you would consider placing a firewall server or firewall router. In the middle layer, you might have Intranet firewalls and routers to filter dangerous or unwanted packets of information. In the innermost layer, you would place devices that can reach your most confidential information.
Topic 1.5: Routers and Network Security
*Let Your Router Help
You can maximize routers' roles in safeguarding network security by controlling
- Passwords
- SNMP access
- Internal network access
*Protecting Router Passwords
First of all, you can protect router passwords. Here are some ways:
- Configure a console password that is different from the passwords on the vty lines, which you use to Telnet to the router from a remote location.
- Encrypt the passwords for your console and vty lines.
- Configure encrypted passwords for the privileged EXEC mode.
- Configure an authentication server, such as a TACACS server, that requires individual usernames and passwords.
*Log Off Automatically
Configure timeouts so that unattended console and virtual terminals log off after a minimal amount of time.
This way an unattended session cannot be used by a potential attacker, who would still have to know the login passwords.
*SNMP Community Strings
By default, SNMP (Simple Network Management Protocol) community strings appear in clear text in network packets and in the output of certain show commands. SNMP community strings can be learned by capturing the packets exchanged between an SNMP manager and an SNMP agent. A router-savvy outsider who knows your SNMP community string can read router statistics or even modify some router configurations.
*Configure Public and Private Strings
You can configure public and private SNMP community strings. The public strings will only be used in SNMP get-request or get-next-request messages. The private string will only be used in SNMP set-request messages.
*Configure Access Lists
You can control what information flows into and out of your network by configuring access lists. Routers use access lists to filter incoming and outgoing packets.
The remaining units of this course discuss access lists.
Question 2
* Exercise 1
Try configuring and locating your router to prevent outside attacks to your network security.
Step | Action |
---|---|
1 | In order to safeguard a network, you must know the types of attacks that can occur. List the types of attacks that can compromise a trusted network, then list the ones that apply to your network. |
2 | Write down the router configurations that increase network security. Be sure to include passwords, SNMP community strings, and access lists. |
3 | Sketch the layers of network security. Add network devices at the appropriate layers. Assume the local network makes Internet connections and uses firewall routers and servers. |
Topic 1.6: Unit 1 Summary
Everyone knows that network security is an important issue, but not everyone knows the details of how attacks happen or how to prevent attacks. In this unit, you studied ways that someone can attack your trusted network. You investigated how to set up your network and to configure your routers to enhance network security.
In the next unit, you'll examine the role that access lists play in enhancing network security.
Unit 2. Introduction to Access Lists
Access lists perform many duties, one of which is enhancing network security.
In this unit, you'll learn the concepts behind access lists, beginning with the definition. From there, you'll examine the differences between the two types of access lists: standard and extended. You'll study the numbering system, which differentiates access lists by type and by protocol, and the theory of access-list operation.
After that, you'll learn how to disable access lists. This is an important aspect in configuration, as you'll soon discover.
After completing this unit, you should be able to:
- Define access lists
- Differentiate between standard and extended access lists
- Recognize the numbering system used to identify access lists
- Know how to remove access lists from your router configuration
This unit provides information that is relevant to the following CCNA exam objective:
- Configure standard access lists to filter IP traffic
Topic 2.1: Access Lists Defined
*Determining Permission
Access lists are lists stored on a router, and they are used to determine which packets are permitted or denied passage through a router interface. Access lists on a router act only on packets that arrive from another source and pass through it, not on packets the router itself originates. Access lists are extremely useful in filtering incoming and outgoing packets for network security, which is why we're discussing them in this course. They can filter by source address, destination address, protocol, service (e.g., Telnet or FTP), console, or vty line.
*Access-List Functions
Access lists also perform the following functions:
- Reduce traffic across a network, including routing updates.
- Prioritize certain packets to be processed before others.
- Specify dynamic lock-and-key access lists. These access lists temporarily open routers to transmission of IP packets that are normally blocked. This option requires an authentication username and password.
- Specify packets for encrypting.
- Set up WAN links. For example, access lists can designate certain packets to initiate dial-on-demand routing connections.
*Access Lists and Groups
When we speak of access lists, we are really speaking of access lists and access groups. An access list identifies the packets to be permitted or denied, and an access group carries out the actions specified by the access list. This can be represented by these two steps used in configuration:
- Creating an access list. Obviously, access lists are involved here.
- Applying an access list to an interface. Access groups are involved here.
Question 3
Topic 2.2: Types of Access Lists
*Two Types
There are two types of access lists:
- Standard
- Extended
*Standard Access Lists
Generally, standard access lists filter by source and destination addresses. Specifically, standard IP access lists filter by source only. Standard Novell IPX access lists filter by source, or by both source and destination.
For incoming packets that are filtered by the source address, the router uses the access list to determine whether to process the packet. For outgoing packets that are filtered by destination address, the router determines whether to pass the packet towards its destination.
*IP Access List
An IP access list can tell a router not to accept packets from network 103.220.0.0. But the IP access list cannot tell the router not to send them to the destination address 193.333.0.0.
*IPX Access List
An IPX access list can tell a router not to accept packets from source network 3db, and not to forward any packets to destination network 54d.
*Extended Access Lists
Extended access lists are more powerful. Extended access lists can filter by the following means:
- Source or destination address
- Protocol
- Port
- Socket
Question 4
Topic 2.3: Access Lists in Operation
*How It Works
Let's look next at a simplified three-step procedure that explains how an access list works.
*Step 1: Entering the Interface
A packet enters a router's interface.
*Step 2: Router Processing
Now, the router has to determine the processing options for the incoming packet. First, the router checks the routing table to see if the packet is routable or bridgeable. Then the router looks for access lists, and determines whether the packet is included in any access list. Depending on the access lists configured, the router either routes the packet, or tests it against the permit or deny criteria.
*Step 3: Router Testing
The access list determines whether to permit or deny the packet to pass through the router interface. If the packet is permitted to pass through, the router sends it on its way. If the packet is denied, the router discards the packet.
If a packet is denied and dropped, the router sometimes returns another packet notifying the sender that the destination was unreachable. This behavior is protocol-dependent. For IP, for example, the sender receives an ICMP "destination unreachable" message.
*First Configured, First Processed
By default, access lists are not defined or enabled. As network administrator, you have the option to configure access lists. Configuration is rather tricky because not only is the content of each access list an important consideration, but so is the sequence in which the access lists are configured.
There are two basic considerations to remember about access-list operation. The first is that a router processes access-list statements in the order they were configured.
*True-False Matching
The second consideration is how the router tests each packet against its access lists. The router tests each packet in a sequential pattern of true-false matching.
If a packet matches the criteria for the first access-list statement, the router processes it in the manner indicated by the statement. If the packet does not match the first statement's criteria, it is tested against the second statement's criteria. Whenever a packet fails, it is passed on to the next access-list statement. Whenever it passes, it is processed appropriately.
*Implicit Deny
At this point, you may be wondering what happens if the packet continually fails to match the criteria presented by the access lists.
In this case, you could configure a final, catchall access-list statement. Any packet reaching this final statement would match the criterion and test true. However, you don't have to add an all-inclusive end statement. Access lists operate on an implicit deny basis. This means that any packet that fails to match any of the statements is implicitly denied passage through the router. Therefore, the packet is dropped.
Question 5
Question 6
Topic 2.4: Access-List Numbers
*Keeping Order
You must keep access lists ordered and easy to identify. Otherwise, your router may deny the passage of essential information to its destination.
To identify and classify access lists, each protocol is assigned a range of access-list numbers. These numbers are used in access-list commands.
*Access-List Numbers
Here is the range of access-list numbers for each protocol.
Protocol (Access-List Type) | Range |
---|---|
IP (Standard) | 1–99 |
IP (Extended) | 100–199 |
Ethernet type code | 200–299 |
DECnet | 300–399 |
XNS (Standard) | 400–499 |
XNS (Extended) | 500–599 |
AppleTalk | 600–699 |
Ethernet address | 700–799 |
Novell IPX (Standard) | 800–899 |
Novell IPX (Extended) | 900–999 |
Novell SAP | 1000–1099 |
*IP Standard Access Lists
For example, the range for standard access lists using the IP protocol is 1–99. In the command syntax shown here, the access-list-number must range from 1–99:
Router(config)#access-list access-list-number {permit|deny} address mask
Shown here are examples of suitable IP ranges. Notice the range of access-list numbers.
Router(config)#access-list 1 permit 198.2.45.0 0.0.0.255
Router(config)#access-list 50 permit 198.2.45.0 0.0.0.255
Router(config)#access-list 99 permit 198.2.45.0 0.0.0.255
*IP Extended Access Lists
The allowable ranges for IP extended access lists are shown in these commands.
Router(config)#access-list 100 permit tcp 0.0.0.0 255.255.255.255 133.27.0.0 0.0.255.255
Router(config)#access-list 151 permit tcp 0.0.0.0 255.255.255.255 133.27.0.0 0.0.255.255
Router(config)#access-list 199 permit tcp 0.0.0.0 255.255.255.255 133.27.0.0 0.0.255.255
You can have multiple access lists per interface (theoretically, 100 standard or 100 extended access lists, according to the access-list numbers), but you can only have one access list per protocol, per direction, on an interface.
Question 7
Question 8
Topic 2.5: Placement of Access Lists
*Two Guidelines for IP Access Lists
There are two general guidelines for placing standard and extended IP access lists.
Standard access lists, because they do not include destination addresses, should be placed as close as possible to the destination.
Extended access lists should be configured on the router closest to the source of denied packets. By doing this, security will be set, and the side benefit will be reduced unnecessary network traffic.
Topic 2.6: Removal of Access Lists
*Removing Access Lists
Because access lists are so powerful, you need to know how to remove them, especially when you're testing new configurations.
It is also important to know how to remove access lists because the sequence of access-list configuration is so important.
Router(config)#access-list 1 permit 198.2.45.0 0.0.0.255
...
Router(config)#no access-list 1 permit 198.2.45.0 0.0.0.255
*The no Keyword
Remove access lists with the no keyword, which is placed in front of the command used to create an access list. Be aware that for a numbered list, no access-list followed by the list number removes the entire list, not just the single statement typed after it; to drop one statement, remove the list and re-enter the statements you want to keep, in the correct order.
Shown here are two commands; the first shows the access list being created, and the second shows it being removed.
Router(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 133.27.0.0 0.0.255.255
...
Router(config)#no access-list 102 permit tcp 0.0.0.0 255.255.255.255 133.27.0.0 0.0.255.255
Question 9
* Exercise 1
Try defining access lists and describing their use and configuration.
Step | Action |
---|---|
1 | Define access lists. List reasons to use them. |
2 | Describe the differences between standard and extended access lists. |
3 | Sketch a flow chart showing the flow of a packet heading toward a router that contains 3 access-list statements. Describe the packet flow for failing and passing the criteria of each of the three access lists. Include the effect of the implicit deny. |
4 | List the ranges of numbers that identify IP standard, IP extended, Novell IPX standard, Novell IPX extended, and SAP access lists. |
Topic 2.7: Unit 2 Summary
In this unit, you studied the definition and types of access lists, the access-list numbering system, and access-list operation. You looked briefly at a few access-list commands. You learned that it is important to know how to remove access lists with the no keyword.
Even though we didn't over-emphasize the fact that IP and Novell IPX access lists are different, you probably realized it. IP and IPX access lists differ in filtering method and in command syntax. In the next unit, you'll learn how to configure IP access lists.
Unit 3. Configuring IP Access Lists
In the previous units, we couldn't explain the theory of access lists without touching upon commands. Now, we're ready to turn the tables. In this unit you'll examine the configuration commands and periodically glance back at the theory.
You'll configure both standard and extended IP access lists. As part of this, you'll learn about wildcard masking, and then look at some example configurations.
After completing this unit, you should be able to:
- Configure standard and extended IP access lists
- Configure extended access lists using specific ports
- Configure named access lists
- Configure access classes
- Apply access lists and access classes to an interface
This unit provides information that is relevant to the following CCNA exam objective:
- Configure standard access lists to filter IP traffic
- Configure extended access lists to filter IP traffic
Topic 3.1: Standard Access Lists
*The First Step
We are now ready to configure access lists. As we discussed previously, the first step is creating access lists. We'll start by configuring standard IP access lists.
Topic 3.1.1: Creating Access Lists
*Denying or Permitting Access
You learned in the previous unit that you can use standard IP access lists to permit or deny by the source address. This is the command syntax:
Router(config)#access-list access-list-number {deny|permit} source [source-wildcard]
Router(config)#access-list 25 deny 192.168.3.123
*Two Keywords and an Argument
The argument access-list-number ranges from 1–99, as discussed previously. The keyword deny denies access if the packet tests true with any of the criteria specified in the access list, and the keyword permit permits access if the packet tests true with any of the criteria specified by the access list.
*The source
source is the address of the network or host sending the packet. You can express the source as either a four-byte dotted-decimal address or the keyword any. The source-wildcard masks the portion of the four-byte dotted-decimal source address that should be overlooked; we will discuss source-wildcard in a later section. The keyword any stands for the source 0.0.0.0 with the wildcard 255.255.255.255, so it replaces both the address and the wildcard.
*Access Denied
In the example shown, access-list number 25 indicates an IP standard list (the range 1–99). IP packets coming from the address 192.168.3.123 are denied passage through this router because that address is explicitly stated in the access list.
Note: Remember that only IP packets are filtered with IP standard access lists!
Router(config)#access-list 25 deny 192.168.3.123
*Two Lists Required
However, if this is the only access-list command configured on this router, every packet would be denied. For instance, even an IP packet from the address 192.172.0.2 would be denied. This is because of the implicit deny condition at the end of every access list; a deny statement really needs some kind of permit statement as well.
Router(config)#access-list 25 permit 192.168.3.0 0.0.0.255
*A deny and permit Example
This combination of deny and permit statements allows IP packets from the 192.168.3.0 network to travel across the network, while denying IP packets from 192.168.3.123 because that host is explicitly denied first. The wildcard mask 0.0.0.255 on the permit statement (wildcard masks are explained in the next topic) makes it match every host on 192.168.3.0; without a mask, only the single address 192.168.3.0 would match. Packets from any other address are still dropped by the implicit deny.
Router(config)#access-list 25 deny 192.168.3.123
Router(config)#access-list 25 permit 192.168.3.0 0.0.0.255
Access-list commands are backward compatible to a degree. For example, a standard access list from IOS versions 10.3 and later can be loaded onto an earlier IOS version. For extended access lists, the critical version split is IOS 11.1.
However, if you load a standard access-list configuration from IOS release 10.3 and later onto an earlier IOS software version, or if you load an extended access-list configuration from 11.1 and later onto an earlier version, you may not see the results you expect.
Therefore, you must be very careful when loading access-list configurations on earlier IOS software. As an extra safeguard for network security, always save backup copies of your configuration files.
Question 10
Topic 3.1.2: Wildcard Masking
*0s and 1s
Wildcard masking is yet another way you can specify the source addresses that you want to filter in an access list. Wildcard masks can be applied to permit and deny lists.
Wildcard masks work somewhat like subnet masks, which are covered in depth in an earlier course. But in wildcard masking, the 0 and 1 bits indicate whether an address bit should be tested by the access list, not whether the address bits identify a network or a host. Also, wildcard masking uses 0s — not 1s — to mark the address bits to be tested.
An example of a wildcard mask is shown here. It is 0.0.255.255. The mask 0.0.255.255 indicates that only the first two octets of the address — 192.168 — should be tested.
Router(config)#access-list 25 deny 192.168.3.123 0.0.255.255
*Test or Ignore?
A 0 masking bit indicates that the source address bit should be tested, or checked. A 1 indicates that an address bit should be ignored.
*Building a Wildcard Mask
Suppose you want to apply a wildcard mask to the Class B subnets for addresses 183.28.16.0 and 183.28.31.0.
For both addresses, the access list needs to check the first two octets; therefore, the wildcard mask for the first two octets — 183.28 — is 0.0. The last octet — 0 in both addresses — can be ignored because it is the host portion of each address. Therefore, the wildcard mask for the last octet is 255.
So far, you know this much of the wildcard mask: 0.0.?.255. The wildcard mask for the third octet still needs to be determined.
*The Third Octet
Shown here are the bits of the third octet of both addresses: 16 is 00010000 and 31 is 00011111 (31 = 16+8+4+2+1, every bit set; 16 has only the high bit set). The first four bits, 0001, are the same in both addresses, so they must be tested and get 0s in the wildcard mask.
The last four bits differ between the two addresses (0000 in 16, 1111 in 31), so they should be ignored and get 1s. The mask's third octet is therefore 00001111; since 8+4+2+1=15, the third octet is 15, and the wildcard mask is 0.0.15.255. With 183.28.16.0 0.0.15.255, the list tests every address from 183.28.16.0 through 183.28.31.255.
*Testing All Bits
If all the address bits are to be tested by an access list, then the mask is 0.0.0.0.
Router(config)#access-list 25 deny 192.168.3.123 0.0.0.0
*No Additional Information
In this case, you can omit the mask because it isn't adding more filtering information.
Router(config)#access-list 25 deny 192.168.3.123
*Two Options for Including All Sources
In situations where you want to include all source addresses, you have two options.
First, you can use the following address and wildcard mask.
Router(config)#access-list 25 permit 0.0.0.0 255.255.255.255
*The any Keyword
The second option for including all source addresses is the keyword any. You can substitute any for the address and wildcard mask in permit and deny lists.
Router(config)#access-list 26 deny any
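The sequential first-match test with implicit deny from Topic 2.3 and the wildcard arithmetic of this topic, written out as a runnable Python model. This is an added example, not code from the course or from Cisco: it models IOS behaviour rather than running on a router, and the function names (wildcard_match, wildcard_for, evaluate) and the probe addresses are constructed for it. Access list 25 is the one from Topic 3.1.1, with the permit statement carrying the 0.0.0.255 wildcard so that it covers the whole 192.168.3.0 network:

```python
# Added example, not part of the course: a small Python model of how an IOS
# standard IP access list evaluates the source address of a packet. It covers
# the sequential first-match test with implicit deny (Topic 2.3) and wildcard
# masking (Topic 3.1.2). It models IOS behaviour; it does not talk to a router.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-decimal address to a 32-bit integer (IPv4Address validates the octets)."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(packet_src: str, address: str, wildcard: str = "0.0.0.0") -> bool:
    """A 0 bit in the wildcard mask means 'test this bit', a 1 bit means 'ignore it'.
    The packet matches when every tested bit equals the corresponding address bit."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return ip_to_int(packet_src) & care == ip_to_int(address) & care


def wildcard_for(addresses: List[str]) -> Tuple[str, str]:
    """Generalises the course's 183.28.16.0 / 183.28.31.0 derivation: test the bits
    all the addresses share, ignore the bits in which they differ, and also ignore
    everything below the highest differing bit so the pair describes one
    contiguous block of subnets. Returns (address, wildcard)."""
    values = [ip_to_int(a) for a in addresses]
    differing = 0
    for v in values[1:]:
        differing |= v ^ values[0]
    ignore = (1 << differing.bit_length()) - 1   # 0 when all addresses are identical
    base = values[0] & ~ignore & 0xFFFFFFFF
    return int_to_ip(base), int_to_ip(ignore)


@dataclass
class Statement:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # omitted wildcard: every bit is tested, i.e. one host


def evaluate(statements: List[Statement], packet_src: str) -> str:
    """Statements are tested in the order they were configured; the first match
    decides. A packet that matches no statement hits the implicit deny."""
    for stmt in statements:
        if wildcard_match(packet_src, stmt.address, stmt.wildcard):
            return stmt.action
    return "deny"


# The course's access list 25: deny one host, then permit the rest of its network.
ACCESS_LIST_25 = [
    Statement("deny", "192.168.3.123"),
    Statement("permit", "192.168.3.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print(wildcard_for(["183.28.16.0", "183.28.31.0"]))   # ('183.28.16.0', '0.0.15.255')
    for src in ("192.168.3.123", "192.168.3.5", "192.172.0.2"):   # constructed probes
        print(src, evaluate(ACCESS_LIST_25, src))
    # The same two statements in the opposite order: the host is now permitted,
    # because the permit statement is reached first. Order is part of the policy.
    print(evaluate(list(reversed(ACCESS_LIST_25)), "192.168.3.123"))
```

Running it shows 192.168.3.123 denied, 192.168.3.5 permitted, and 192.172.0.2 denied by the implicit deny even though no statement names it; reversing the two statements flips the result for 192.168.3.123, which is the "first configured, first processed" rule from Topic 2.3 in practice.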
Question 11
Question 12
Question 13
Topic 3.1.3: Applying Access Lists
*The Second Step
In the previous unit we introduced two steps necessary for using access lists. We just looked at the first step — creating standard access lists.
Now, we need to apply the standard access lists. This is the second step.
*The Command
This is the command syntax for applying an access list:
Router(config-if)#ip access-group {access-list-number|name} {in|out}
Notice that this command is executed in interface configuration mode, indicated by the Router(config-if)# prompt, not in global configuration mode.
*The access-list-number
The access-list-number must match one of the numbers given in the access-list command. It can range from 1–99 for IP standard access lists, and 100–199 for IP extended access lists. Instead of a number, you can use a name, which we will discuss later in this unit. The keyword in filters packets coming into the router, and out filters packets leaving the router.
*An Example
In the example shown, access list 20 is applied to packets leaving the Ethernet 0 interface. Because of the keyword permit, matching outgoing packets are sent on toward their destination.
Router(config)#access-list 20 permit 192.168.3.0
Router(config)#interface ethernet 0
Router(config-if)#ip access-group 20 out
Notice that the direction keywords in and out are optional on the access-group command; if neither is given, out is assumed:
Router(config-if)#ip access-group {access-list-number|name} [in|out]
Topic 3.2: Extended Access Lists
*Customize Filtering
Standard access lists provide the basics of access-list configuration. Now, it's time to see how extended access lists can customize your filtering.
Extended IP access lists filter on the following three routing components:
- Protocol
- Source address
- Destination address
Topic 3.2.1: Creating Extended Access Lists
*Syntax for Creating Extended Access Lists
This is the basic command syntax:
Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log]
There are minor variations of this syntax for ICMP, IGMP (Internet Group Management Protocol), TCP, and UDP.
Router(config)#access-list 185 permit ip 123.0.0.0 0.255.255.255 any
*The dynamic dynamic-name Option
The dynamic dynamic-name option reverses the deny state of the specified access list and allows temporary access. The timeout is the length of time that an access list remains dynamic.
Dynamic access lists are also referred to as lock-and-key access, and will not be covered in this series.
*The IP Protocol
The required protocol is the name or number of an IP protocol. Possible names (entered in lowercase) include eigrp, gre (Generic Routing Encapsulation), icmp, igmp, igrp, ip, ospf, tcp and udp. If the name ip is used, any IP protocol is considered a match. Possible numbers range from 0–255.
*The source and destination
The source, source-wildcard, destination, and destination-wildcard follow the same principles described for standard IP access lists:
- The addresses can be presented as dotted-decimals
- The addresses can be presented as 0.0.0.0 255.255.255.255 (or the keyword any) to include any network
*The host Keyword
Unlike standard access lists, you can also list the source or destination as the keyword host followed by a single address. This is equivalent to giving that address with the wildcard 0.0.0.0. Therefore the number
172.30.16.29 0.0.0.0
is the same as saying
host 172.30.16.29
Router(config)#access-list 101 deny udp host 172.30.16.29 193.168.4.4 0.0.255.255
*A Few Options
The optional precedence ranks packets on a precedence level ranging from 0–7 or by name. Names include critical, immediate, and routine.
The optional tos classifies the packets by the name or number for the type of service, or service level. The tos numbers range from 0–15, and names include max-reliability and normal.
*The log Option
The optional log tells the router to send an informational message about a packet to the console. The informational message contains the access-list number, the permit or deny result, protocol, and source and destination ports (if configured as part of the access list). This message is sent for the first matching packet, but only summaries of the quantity of permits and denies are sent every 5 minutes thereafter.
*The ICMP Variation
This is the syntax for the ICMP variation:
Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code]|icmp-message] [precedence precedence] [tos tos] [log]
icmp-type is a number from 0–255, which represents the ICMP message type. icmp-code is also a number from 0–255, which represents ICMP message code. icmp-message is a message type name or number in the range 0–15.
Router(config)#access-list 101 deny icmp 192.168.4.4 0.0.255.255 193.168.4.4 0.0.255.255
*The UDP Variations
This is the syntax for UDP variations:
Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} {tcp|udp} source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence][tos tos] [log]
The optional operator compares source or destination ports using lt, gt, eq, or neq. If the operator is listed after the source wildcard, then the operator refers to the source port. Likewise, if the operator is listed after the destination wildcard, then the operator refers to the destination port. port is the name or number of a UDP port. UDP names include dns, echo, and syslog. UDP port names can only filter UDP packets.
Router(config)#access-list 101 deny udp 192.168.4.4 0.0.255.255 193.168.4.4 0.0.255.255 eq 53
*The TCP Variation
The syntax and logic for TCP is the same for UDP with one exception. Here is the syntax:
Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence][tos tos] [log]
The optional keyword established signifies an established connection.
Router(config)#access-list 101 deny tcp 192.168.4.4 0.0.255.255 eq 20 193.168.4.4 0.0.255.255 established
*TCP Port Numbers
Shown here are the most common TCP port numbers. There are more defined port numbers, such as BGP (179), finger (79), and FTP data (20).
Also, UDP and TCP only share these port numbers: DNS (53), Network Time Protocol (NTP) (123), talk (517), ntalk (518), Open Windows (2000), NFS (2049), and X11 (6000).
Question 14
Question 15
Topic 3.2.2: Applying Extended Access Lists
*Similar to Applying Standard Access Lists
The command for applying extended access lists is the same as the command for applying standard access lists.
*Applying an Access List
As you remember, this is the command syntax for applying an access list:
Router(config-if)#ip access-group {access-list-number|name}{in|out}
*The access-list-number
The access-list-number must match one of the numbers given in the access-list command. The keyword in filters packets coming into the router, and out filters packets leaving the router.
*For Example
Here, access list 120 permits SMTP (TCP port 25) packets from the 192.168.3.0 network leaving the Ethernet 0 interface. Because this is an extended list, the entry must name a protocol and a destination; any is used for the destination.
Router(config)#access-list 120 permit tcp 192.168.3.0 0.0.0.255 any eq 25
Router(config)#interface ethernet 0
Router(config-if)# ip access-group 120 out
Topic 3.2.3: Examples
*FTP Data Not Allowed
In this example, all IP traffic from network 168.42.4.0 except FTP commands (TCP port 21) and FTP data (TCP port 20) is permitted into network 168.42.3.0. All four commands belong to the same list, 121, which is the list applied to the interface. Notice that all IP traffic is accounted for in the last two access-list commands. The last access-list command is an explicit deny that functions like the implicit deny.
Router(config)#access-list 121 deny tcp 168.42.4.0 0.0.0.255 168.42.3.0 0.0.0.255 eq 20
Router(config)#access-list 121 deny tcp 168.42.4.0 0.0.0.255 168.42.3.0 0.0.0.255 eq 21
Router(config)#access-list 121 permit ip 168.42.4.0 0.0.0.255 0.0.0.0 255.255.255.255
Router(config)#access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface ethernet 1
Router(config-if)#ip access-group 121 in
*TCP Connections
Here, only packets from established TCP connections are permitted.
Router(config)#access-list 122 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
*NFS Packets
In this last example, NFS (Network File System) packets using UDP are denied access.
Router(config)#access-list 123 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
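To see how the rules in this unit combine (entries tested top-down, first match wins, the implicit deny at the end, the host and any keywords, the port operators and the established keyword), here is an added Python model of numbered IP access lists. It is example code written for this page, not Cisco software; it evaluates constructed packets against the lists shown in the text, and the Packet fields, in particular the ack_or_rst flag standing in for the TCP flag state that established tests, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed input: three access lists from the text above. List 20 is the
# standard-list example (entered without a wildcard mask), 121 the FTP example
# and 122 the "established" example.
ACL_TEXT = """
access-list 20 permit 192.168.3.0
access-list 121 deny tcp 168.42.4.0 0.0.0.255 168.42.3.0 0.0.0.255 eq 20
access-list 121 deny tcp 168.42.4.0 0.0.0.255 168.42.3.0 0.0.0.255 eq 21
access-list 121 permit ip 168.42.4.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 122 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
"""

AddrSpec = Tuple[str, str]  # (address, wildcard mask)
PORT_OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
            "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

@dataclass
class Packet:                   # fields the model needs; an assumption, not an IOS structure
    src: str
    dst: str
    protocol: str = "ip"        # tcp, udp, icmp, ...
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False    # TCP flag state that the established keyword tests

@dataclass
class Entry:
    action: str
    protocol: Optional[str]             # None for a standard list
    src: AddrSpec
    dst: Optional[AddrSpec]             # None for a standard list
    sport: Optional[Tuple[str, int]]    # (operator, port) or None
    dport: Optional[Tuple[str, int]]
    established: bool

def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~_addr(spec[1]) & 0xFFFFFFFF
    return _addr(addr) & care == _addr(spec[0]) & care

def _parse_addr(tok: list, i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A', 'A W' or a bare 'A' (IOS then assumes the wildcard 0.0.0.0)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # next token is a wildcard mask
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1

def _parse_port(tok: list, i: int):
    """Consume an optional 'lt|gt|eq|neq port' clause."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i

def parse_acl(text: str) -> dict:
    """Group access-list commands by list number, keeping the order they were entered."""
    lists: dict = {}
    for line in text.strip().splitlines():
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:                       # standard list: source address only
            src, _ = _parse_addr(tok, 3)
            entry = Entry(action, None, src, None, None, None, False)
        else:                                       # extended list: protocol, source, destination
            proto, ports = tok[3], tok[3] in ("tcp", "udp")
            src, i = _parse_addr(tok, 4)
            sport, i = _parse_port(tok, i) if ports else (None, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i) if ports else (None, i)
            entry = Entry(action, proto, src, dst, sport, dport, "established" in tok[i:])
        lists.setdefault(number, []).append(entry)
    return lists

def _matches(e: Entry, p: Packet) -> bool:
    if e.protocol not in (None, "ip") and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, e.src):
        return False
    if e.dst is not None and not wildcard_match(p.dst, e.dst):
        return False
    if e.sport and not PORT_OPS[e.sport[0]](p.sport, e.sport[1]):
        return False
    if e.dport and not PORT_OPS[e.dport[0]](p.dport, e.dport[1]):
        return False
    return not e.established or p.ack_or_rst

def evaluate(lists: dict, number: int, p: Packet) -> str:
    """Entries are tested top-down and the first match wins; the implicit deny is explicit here."""
    for e in lists.get(number, []):
        if _matches(e, p):
            return e.action
    return "deny"
```

Running evaluate against list 121 shows an FTP control connection (destination port 21) denied and an HTTP connection from the same source permitted, while a source outside 168.42.4.0 is dropped by the implicit deny. List 20 demonstrates the missing-wildcard trap: it permits 192.168.3.0 itself and denies 192.168.3.7, and list 122 shows that a packet without ACK or RST set never matches an established entry.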
Topic 3.3: Special Features
*Two More Features
There are more access-list features that we need to discuss:
- Named access lists, which were added in IOS version 11.2
- Access classes, which allow filtering of virtual terminal lines
Topic 3.3.1: Named Access Lists
*Named Access Lists
In named access lists, a name replaces the access list number. This has several advantages:
- Network administrators generally can identify a name more easily than a number.
- Because each access list must have a unique name, it is sometimes easier to delete a named access list.
- More than 200 lists are possible because you aren't limited to the 1–99 and 100–199 numbering conventions.
*The Command
Here is the command syntax for named access lists:
Router(config)#ip access-list {standard|extended} name
The name must begin with a letter, and must not contain spaces or quotations.
Router(config)#ip access-list extended test_list
*The permit and deny Commands
Unlike numbered access lists, you then add the permit or deny commands separately, at the prompt of the named access-list mode that the ip access-list command enters. Applying the access list to the interface with the ip access-group command remains the same. The syntax for these commands in a standard named list is:
Router(config-std-nacl)#deny source [source-wildcard]
Router(config-std-nacl)#permit source [source-wildcard]
You can still use the ICMP, IGMP, TCP, and UDP keywords and arguments that you examined earlier in this unit.
*Permission to Receive Only
In this example, accounting can receive incoming packets, but no accounting packets are allowed to leave.
Router(config)#ip access-list standard accounting_out
Router(config-std-nacl)#deny any
Router(config)#ip access-list standard accounting_in
Router(config-std-nacl)#permit any
Router(config)#interface ethernet 0
Router(config-if)#ip access-group accounting_out out
Router(config-if)#ip access-group accounting_in in
Topic 3.3.2: Access Classes
*Access-Class Syntax
You can filter packets between a virtual terminal line and the addresses included in an access list. The command to do this is called an access class. Here is the syntax:
Router(config-line)#access-class access-list-number {in|out}
Notice that this command is executed in the line configuration mode.
*Example of an Access Class
Here is an example. Standard access list 12 permits only addresses in 192.168.3.0 0.0.0.255 to connect to a vty port.
Router(config)#access-list 12 permit 192.168.3.0 0.0.0.255
Router(config)# line vty 1 5
Router(config-line)# access-class 12 in
*VTY Connections Denied
In this example, access list 13 denies vty connections to all destinations except 192.168.3.0.
Router(config)#access-list 13 permit 192.168.3.0 0.0.0.255
Router(config)# line vty 1 5
Router(config-line)# access-class 13 out
You should include all vty lines in access-class commands so that the same restriction applies no matter which vty line a user's connection is assigned to.
Also, to verify your configuration use this command:
Router#show line line-number
Question 16
* Exercise 1
Try configuring the same values using standard and extended IP access lists.
Step | Action |
---|---|
1 | Assume you have a firewall router that connects to your corporate headquarters across a serial WAN network. Your IP address is 192.168.3.1. The address for corporate headquarters is 132.24.0.0. |
2 | Create a standard access list that allows your router to accept packets only from corporate headquarters. Therefore, corporate headquarters is the source address, and your local network is the destination. |
3 | Re-write this command using a named access-list command. |
4 | Configure the vty lines to accept commands from just one node inside corporate headquarters. The node is 132.24.232.22. |
5 | Apply all the access-list and access-class commands to the Ethernet 1 interface of your local network. |
6 | Assume you are now configuring the router at corporate headquarters. Corporate headquarters is the destination and your local network is the source. |
7 | Write an extended access list that accepts FTP data but denies FTP commands. Assume the protocol you are using is IP. |
8 | Write another extended access-list command that permits all other IP traffic. |
9 | Apply these access-list commands to the Serial 0 interface at corporate headquarters. |
Topic 3.4: Unit 3 Summary
You have just examined the configuration of IP access lists. To configure IP access lists, you discovered you need knowledge of wildcard masking, and keywords such as any and host. You also discovered that you can use named access lists and access-classes to further customize filtering for your environment.
In the next unit, you'll study Novell IPX access lists.
Unit 4. Configuring IPX Access Lists
Novell IPX access lists are very much like IP access lists in practice. Just like IP, IPX access lists are configured and applied to an interface. However, there are more types of access lists, and more filtering criteria.
In this unit, you'll examine the types of Novell IPX access lists, then learn the commands for configuring standard access lists, extended access lists, and SAP filters.
After completing this unit, you should be able to:
- Identify the types of Novell IPX access lists
- Configure standard and extended IPX access lists
- Configure SAP access lists and SAP filters
This unit does not address any specific Cisco objectives. However, it does provide background information that is essential for the CCNA exam.
In the course index, questions about background information are indicated with the abbreviation BCK and a short description of the question subject matter.
Topic 4.1: Introduction to IPX Access Lists
*IPX Access Lists
To introduce IPX access lists, we'll compare them to IP access lists.
Configuring IPX access lists is a two-step process, just like configuring IP access lists. And, just like IP, you must enter your configurations in the proper sequence.
*Wildcard Masking
Wildcard masking is also used in IPX. The theory is the same for both IPX and IP wildcard masking in that 0s represent bits you want to check. IPX masking looks different because IPX addressing is different, and because network nodes alone can be masked.
As you remember, the format for an IPX address is network.node, or network.node.socket. In the address example shown, the mask indicates that the access list should check all nodes beginning with 5678 on network 1234.
1234.5678.9ABC.DEFF 0000.FFFF.FFFF
*More Access Lists
IPX offers more types of access lists, which are listed below:
- Standard access lists
- Extended access lists
- SAP access lists
- IPX NetBIOS access lists
- NLSP route aggregation access lists
*Access-List Filters
Each of the access lists filters on different criteria. Standard access lists filter on the basis of the source network number, or the source and destination addresses. Extended access lists filter on the basis of IPX protocol type, source and destination addresses, and source and destination sockets.
SAP access lists filter on the basis of the type of IPX SAP packet and what servers receive GNS responses. IPX NetBIOS access lists filter on the basis of NetBIOS names. NLSP route aggregation access lists filter on the basis of route aggregation and redistribution.
*Names or Numbers?
Standard, extended, SAP, and NLSP route aggregation lists can use either names or numbers in the access-list commands.
NetBIOS is restricted to names, and cannot use numbers.
*Six Types of Filtering
IPX filtering can be classified into six different types of filtering.
The filters, descriptions, and the access lists used with each type are shown in the table below.
*Types of IPX Filters and Access Lists
Here are the IPX filters, their descriptions and the type of access list that is used with each type.
Type of Filter | Description | Type of Access List Used |
---|---|---|
Generic filters | Filtering is applied to a packet's source and destination addresses, and the type of IPX protocol. | Standard and Extended |
Routing table filters | Filtering is applied to RIP updates and the devices sending the RIP updates. | Standard and Extended |
SAP filters | Filtering is applied to incoming SAP services and outgoing GNS response messages. | SAP |
IPX NetBIOS filters | Filtering is applied to incoming and outgoing NetBIOS packets. | IPX NetBIOS |
Broadcast filters | Filtering is applied to outgoing broadcast packets. | Standard and Extended |
NLSP route aggregation filters | Filtering is applied to the redistribution of incoming and outgoing routes and services in an NLSP area. | NLSP Route Aggregation |
*IPX Access-List Numbers
In this course we will discuss only the standard, extended, and the SAP access lists. The numbering convention for these IPX access lists is as follows:
- 800–899 for standard access lists
- 900–999 for extended access lists
- 1000–1099 for SAP filters
Question 17
Question 18
Question 19
Topic 4.2: Standard Access Lists
*IPX Packet Filtering
With standard access lists, IPX packets can be filtered on the basis of
- Source address
- Both source and destination addresses
*Command for Standard IPX Access Lists
This is the command syntax for standard IPX access lists:
Router(config)#access-list access-list-number {deny|permit} source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]
*The Sending Network
The source-network is an eight-digit hexadecimal number for the network cable segment that is sending the packet. The range is 1–FFFFFFFE. The number 0 indicates a local network, and -1 indicates all networks. The optional source-node is a 48-bit, dotted triplet of four-digit hexadecimals; this number represents a node on the source-network. The optional source-node-mask is also a 48-bit, dotted triplet of four-digit hexadecimals, in which 0s represent the bits to be checked.
*The Receiving Network
The destination-network, destination-node and destination-node-mask follow the same format as for the source addresses, except they represent the receiving network.
*The First Example
Now we'll look at some examples of standard IPX access-list configurations.
In this first example, traffic from all networks is denied access to the destination network 4. "All networks" is indicated by the -1 in the source network position.
Router(config)#access-list 800 deny -1 4
*The Second Example
Network 3 is the source network. All nodes on network 3 that have a node address beginning with 0000.0c, are permitted to access destination network 4.
Router(config)#access-list 801 permit 3.0000.0c00.0000 0000.00ff.ffff 4
*The Third Example
Access list 802 is applied to interface Ethernet 0. Outgoing packets from network a1 can be forwarded to network b2.
Notice that the access-group command follows the same format as for IP — the only difference is that the command begins with ipx instead of ip.
Router(config)#access-list 802 permit a1 b2
Router(config)#interface ethernet 0
Router(config-if)#ipx access-group 802 out
Question 20
Question 21
Topic 4.3: Extended Access Lists
*Extended IPX Access Lists
IPX packets in extended access lists can be filtered on the basis of:
- Source or destination addresses
- Source or destination sockets
- IPX protocol type
*Configuring Extended Access Lists
This is the command syntax for configuring extended access lists:
Router(config)#access-list access-list-number {deny|permit} protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket] [log]
Router(config)#access-list 900 permit -1 -1 0 1234.5678.9ABC.DEFF 0000.FFFF.FFFF 0
*The Range
The access-list-number range for extended access lists is 900–999. The network and node addresses follow the same format described for standard IPX access lists.
The required argument protocol is a name or number for the type of protocol. Example protocol numbers and matching names include -1 (any) and 4 (sap).
*Wildcard Masking
Wildcard masking is optional for either the combination source-network-mask.source-node-mask or the single source-node-mask. If using the combination source-network-mask.source-node-mask, then you must end the network mask with a period, and immediately follow with the node mask. The same format applies to destination masking.
*Some Options
The optional source-socket and destination-socket are the hexadecimal numbers or names for the socket sending or receiving the packet. Example socket numbers and matching names include -1 (any), 452 (sap), and 9001 (nlsp).
*The log Keyword
The optional keyword log is used to compile a list of source and destination addresses, source and destination sockets, and protocol types for all permitted or denied packets.
*The First Example
Here are several examples of extended IPX access lists.
All protocol types (first -1) from all source networks (second -1) and all source sockets (first 0) are permitted access to all destination sockets (final 0) on destination network and node 1234.5678 (as determined by the mask 0000.FFFF.FFFF).
Router(config)#access-list 900 permit -1 -1 0 1234.5678.9ABC.DEFF 0000.FFFF.FFFF 0
*The Second Example
RIP (protocol number 1) packets from any socket (socket number 0 on the source) on 22.0000.0D98.1234 have permission to access any sockets (socket number 0 on the destination) on any node on networks 1000 through 100F.
Router(config)#access-list 901 permit 1 22.0000.0D98.1234 0000.0000.0000 0 1000.0000.0000.0000 F.FFFF.FFFF.FFFF 0
*The Third Example
In the first command, all source RIP packets from the RIP process socket are denied access to the RIP process on network c3. The second command permits all other packets. These access lists are applied to the interface with the access-group command.
Router(config)#access-list 902 deny -1 1 rip c3 rip
Router(config)#access-list 902 permit -1
Router(config)#interface ethernet 2
Router(config-if)#ipx access-group 902 out
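IPX masks read differently from IP wildcards because the address is hexadecimal and split into network and node parts, and because a mask may cover the node alone or network and node together. The following added Python code, written for this page and not part of any Cisco software, implements the masking rules from Topic 4.1 and the standard-list examples above: 0 bits are checked, 1 bits are ignored, -1 means any network, and a network given without a node matches every node on it. The parse_standard_ipx and evaluate_ipx helpers are an assumption of this model; they recognise a mask by its three dotted parts, which is enough for the standard-list syntax shown here.

```python
# Constructed standard IPX access lists, copied from the three examples above.
STANDARD_IPX = """
access-list 800 deny -1 4
access-list 801 permit 3.0000.0c00.0000 0000.00ff.ffff 4
access-list 802 permit a1 b2
"""

NET_BITS = 0xFFFFFFFF           # 32-bit network number
NODE_BITS = 0xFFFFFFFFFFFF      # 48-bit node number

def parse_ipx(addr: str):
    """'network' or 'network.node' -> (network, node); node is None when absent."""
    parts = addr.split(".")
    node = int("".join(parts[1:4]), 16) if len(parts) == 4 else None
    return int(parts[0], 16), node

def parse_mask(mask: str):
    """A 3-part mask covers the node only; a 4-part mask is network-mask.node-mask."""
    parts = mask.split(".")
    if len(parts) == 3:
        return 0, int("".join(parts), 16)
    return int(parts[0], 16), int("".join(parts[1:]), 16)

def ipx_match(addr: str, spec: str, mask: str = None) -> bool:
    """IPX wildcard semantics: 0 bits are checked, 1 bits are ignored; -1 means any network."""
    if spec == "-1":
        return True
    net, node = parse_ipx(addr)
    want_net, want_node = parse_ipx(spec)
    net_mask, node_mask = parse_mask(mask) if mask else (0, 0)
    net_care = ~net_mask & NET_BITS
    if net & net_care != want_net & net_care:
        return False
    if want_node is None:           # the spec names a network only: any node matches
        return True
    if node is None:
        return False
    node_care = ~node_mask & NODE_BITS
    return node & node_care == want_node & node_care

def parse_standard_ipx(text: str) -> list:
    """Return (number, action, (src, src_mask), (dst, dst_mask) or None) per command."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        args = tok[3:]

        def take(i):
            # a token with exactly three dotted parts can only be a node mask
            spec, i = args[i], i + 1
            mask = None
            if i < len(args) and args[i].count(".") == 2:
                mask, i = args[i], i + 1
            return (spec, mask), i

        src, i = take(0)
        dst = take(i)[0] if i < len(args) else None
        entries.append((int(tok[1]), tok[2], src, dst))
    return entries

def evaluate_ipx(entries: list, number: int, src: str, dst: str) -> str:
    """First matching entry wins; otherwise the implicit deny, exactly as for IP lists."""
    for n, action, (s, s_mask), d in entries:
        if n != number:
            continue
        if ipx_match(src, s, s_mask) and (d is None or ipx_match(dst, *d)):
            return action
    return "deny"
```

With the page's own values, mask 0000.FFFF.FFFF against 1234.5678.9ABC.DEFF accepts any node starting 5678 on network 1234 and nothing on network 1235, while F.FFFF.FFFF.FFFF against 1000.0000.0000.0000 accepts every node on networks 1000 through 100F but not 1010.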
Question 22
Question 23
Topic 4.4: SAP Access Lists
*SAP Access-List Filtering
IPX packets in SAP access lists can be filtered on the basis of
- Type of SAP packet
- GNS responses
*Configuring SAP Access Lists
This is the command syntax for SAP access lists:
Router(config)#access-list access-list-number {deny|permit} network[.node] [network-mask.node-mask] [service-type [server-name]]
Router(config)#access-list 1001 deny -1 7
*The service-type Argument
The access-list-number range for SAP access lists is 1000–1099. The only new arguments for SAP access lists are service-type and server-name.
The service-type is a hexadecimal number that represents the service type used for filtering. Service type numbers include 1 for user, 4 for file server, and 7 for print server.
*The server-name Argument
The server-name is the name of the server that is providing the service-type. The name consists of printable ASCII characters. If the name has a space, double quotation marks must enclose it. An asterisk (*) is a wildcard character that can be added at the end to signify one or more characters.
SAP access lists work differently on servers loaded with NetWare 3.11 and later. For NetWare 3.11 and later, use the server's internal network and node number in place of the network.node address of the interface board.
The server's internal node number is always 0000.0000.0001.
*A SAP Access-List Configuration
Here is an example of a SAP access-list configuration. In the first command, the SAP access list denies all access from other Novell networks to the print server on the directly connected network.
In the second command, all other services on the interface can be accessed.
Router(config)#access-list 1001 deny -1 7
Router(config)#access-list 1001 permit -1
Question 24
Topic 4.5: Named SAP Access Lists
*Configuring Named SAP Access Lists
The commands differ for named SAP access lists. The syntax for named SAP access lists is as follows:
Router(config)#ipx access-list {standard|extended|sap|summary} name
The summary argument summarizes routes using NLSP route aggregation filtering. The name of the access list must begin with a letter and cannot contain spaces or quotation marks.
Router(config)#ipx access-list sap Server1
*The deny and permit Commands
With a named SAP access list, you enter the deny and permit commands separately, at the prompt of the named access-list mode that the ipx access-list command enters. The syntax for the deny and permit commands is as follows:
Router(config-ipx-sap-nacl)#deny network[.node] [network-mask.node-mask] [service-type [server-name]]
Router(config-ipx-sap-nacl)#permit network[.node] [network-mask.node-mask] [service-type [server-name]]
Router(config-ipx-sap-nacl)#permit 4321 4 Server1
*Permission to Receive
Let's look at a couple of examples.
In this example, the SAP access list permits network 4321 to receive advertisements about Server1's file server.
Router(config)#ipx access-list sap Server1
Router(config-ipx-sap-nacl)#permit 4321 4 Server1
*No Advertising
Here, the SAP access list denies advertisements about Server1's file server to be advertised to network 4321.
Router(config)#ipx access-list sap Server1
Router(config-ipx-sap-nacl)#deny 4321 4 Server1
Question 25
Topic 4.6: SAP Filters
*Input and Output Filters
SAP input filters specify what services are added to the Cisco IOS software's SAP table. SAP output filters specify what services are sent with SAP updates.
Because the command syntax for these filters is similar, we will examine input and output filters together.
*Configuring Input and Output Filters
This is the command syntax for input and output filters:
Router(config-if)#ipx input-sap-filter {access-list-number|name}
Router(config-if)#ipx output-sap-filter {access-list-number|name}
The SAP access list can be identified by number or name. The access-list-number is the number of the SAP access list. This number ranges from 1000–1099. The name is the name of the access list. The name must begin with a letter and not contain spaces or quotation marks.
Router(config-if)# ipx input-sap-filter 1000
Router(config-if)# ipx output-sap-filter 1000
*Input Filter for a Numbered Access List
For input filters, the access list is used to filter incoming service advertisements.
Here is an input filter example for a numbered access list.
Router(config)#access-list 1000 deny 3c.0800.89a1.1527
Router(config)#access-list 1000 permit -1
Router(config)#interface ethernet 0
Router(config-if)# ipx input-sap-filter 1000
*What It Says
The first command denies service advertisements about the server at address 3c.0800.89a1.1527. The second command permits access to all other services on all other networks. The access list is applied at the Ethernet 0 interface, and is tested against incoming SAP advertisements.
*Now, an Output Filter Example
For output filters, the access list is used to filter outgoing service advertisements.
Here is an output filter example for a numbered access list.
Router(config)#access-list 1000 deny aa.0000.0000.0001
Router(config)#access-list 1000 permit -1
Router(config)#interface ethernet 0
Router(config-if)# ipx network 3c
...
Router(config)#interface ethernet 1
Router(config-if)# ipx network 4d
Router(config-if)# ipx output-sap-filter 1000
...
Router(config)#interface serial 0
Router(config-if)# ipx network 2b
*What the Commands Are Doing
The first, second, fifth, sixth, seventh, and eighth commands work together. In the first command, the access list 1000 denies only the service advertisements that advertise server 0000.0000.0001 on network aa.
The second command permits the advertisement of all other services by this network. This access list is applied to the Ethernet 1 interface. The output SAP filter 1000 uses access list 1000. Consequently, just the SAP advertisements about server 0000.0000.0001 on network aa are denied access to the destination network 4d. These same SAP packets, however, are permitted access to destination networks 3c and 2b, because no output filter is applied on Ethernet 0 or Serial 0.
* Exercise 1
Try applying Novell IPX commands to the same network connections which you previously configured for IP networking.
Step | Action |
---|---|
1 | Assume you have a firewall router that connects to your corporate headquarters across a serial WAN network. Your IPX address is a192.b168.c003.d001. The network address for corporate headquarters is b132. |
2 | Create a standard access list that allows your router to accept packets only from corporate headquarters. Therefore, corporate headquarters is the source address, and your local network is the destination. |
3 | Apply all the access lists to the Ethernet 1 interface of your local network. |
4 | Configure SAP access lists and SAP input filters to deny print server advertisements. |
5 | Re-write the SAP access-list commands, using a named access-list command. |
6 | Assume you are now configuring the router at corporate headquarters. Corporate headquarters is the destination and your local network is the source. |
7 | Write an extended access list that denies IPX packets from the NLSP socket but permits everything else. |
8 | Apply these access-list commands to the Serial 0 interface at corporate headquarters. |
Topic 4.7: Unit 4 Summary
In this unit, you investigated the types of Novell IPX access lists. You learned actual configurations for standard, extended, and SAP access lists. You discovered that SAP filters apply SAP access lists to filter service advertisements, which add a lot of traffic in Novell networks. In the next unit, you'll see how to monitor IP and IPX access lists in action.
Unit 5. Showing Access Lists
Access lists are powerful tools, and because of this they come with some risks. Therefore, you need to keep an eye on your configurations. The easiest way to do this is with show commands.
In this unit, you'll study show commands that limit their output to information about access lists. You'll also revisit some show commands you've seen before — commands that reveal access-list information along with other interface and configuration information.
After completing this unit, you should be able to:
- Identify the show commands that display access-list information for both IP and IPX access lists
- List the show commands that display access-list information as a portion of the total output
- Identify the show commands that display IP access-list information
- Identify the show commands that display IPX access-list information
This unit provides information that is relevant to the following CCNA exam objective:
- Monitor and verify selected access list operations on the router
Topic 5.1: All Access Lists
*Viewing an Access List
These are the commands for viewing any access list, whether it is IP or IPX:
- Router#show running-config
- Router#show startup-config
- Router#show access-lists
*Displaying Access-List Information
The commands show running-config and show startup-config display access-list information, but it is spread out through the output. If access lists have not been configured, no information is provided.
*The show access-lists Command
The show access-lists command displays output about all current access lists. This command is available in privileged EXEC mode only. This is the command syntax:
Router#show access-lists [access-list-number|name]
The range for access-list-number is 0–1199. If no number or name is given, all current access lists are listed in the output.
Router#show access-lists
*show access-lists Output
Shown here is typical output for show access-lists. The output could show IP or IPX access lists, but our example just happens to show an extended IP access list.
In the output, a counter is shown beside any access list that has played an active role in denying and permitting traffic. The counter is inside parentheses. The counter shows the actual number of packets permitted or denied.
Router# show access-lists 121
Extended IP access list 121
permit tcp host 192.168.3.120 any established (6404 matches)
permit udp host 192.168.3.120 any eq domain (223 matches)
permit icmp host 192.168.3.120 any
permit tcp host 192.168.3.120 host 161.29.2.141 gt 1023
permit tcp host 192.168.3.120 host 161.29.2.135 eq smtp (3 matches)
permit tcp host 192.168.3.120 host 192.168.30.32 eq smtp
permit tcp host 192.168.3.120 host 161.29.108.33 eq smtp
permit udp host 192.168.3.120 host 161.28.225.190 eq syslog
deny ip 120.123.0.0 0.0.255.255 224.0.0.0 15.255.255.255
deny ip 121.58.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (8 matches)
deny ip 172.34.24.0 0.0.1.255 224.0.0.0 15.255.255.255
deny ip 172.63.152.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.123.173.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.123.174.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.136.239.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.136.240.0 0.0.7.255 224.0.0.0 15.255.255.255
deny ip 172.136.248.0 0.0.3.255 224.0.0.0 15.255.255.255
deny ip 172.145.42.0 0.0.0.255 224.0.0.0 15.255.255.255
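The counters are the part of this output that matters when you monitor a list: a deny entry with matches is traffic the list has actually dropped and may be worth investigating, and an entry that never matches is a candidate for review when the list is cleaned up. The following added Python parser, written for this page and not an IOS or Cisco tool, turns the listing above (embedded as a constructed sample) into records and extracts those two sets plus the permit and deny totals. It assumes the line format shown here, a header line followed by permit or deny lines with an optional "(N matches)" suffix, and treats a missing counter as zero, which is how the output above reads.

```python
import re

# Constructed sample: the show access-lists 121 output reproduced from the text above.
SHOW_OUTPUT = """\
Router# show access-lists 121
Extended IP access list 121
permit tcp host 192.168.3.120 any established (6404 matches)
permit udp host 192.168.3.120 any eq domain (223 matches)
permit icmp host 192.168.3.120 any
permit tcp host 192.168.3.120 host 161.29.2.141 gt 1023
permit tcp host 192.168.3.120 host 161.29.2.135 eq smtp (3 matches)
permit tcp host 192.168.3.120 host 192.168.30.32 eq smtp
permit tcp host 192.168.3.120 host 161.29.108.33 eq smtp
permit udp host 192.168.3.120 host 161.28.225.190 eq syslog
deny ip 120.123.0.0 0.0.255.255 224.0.0.0 15.255.255.255
deny ip 121.58.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (8 matches)
deny ip 172.34.24.0 0.0.1.255 224.0.0.0 15.255.255.255
deny ip 172.63.152.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.123.173.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.123.174.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.136.239.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 172.136.240.0 0.0.7.255 224.0.0.0 15.255.255.255
deny ip 172.136.248.0 0.0.3.255 224.0.0.0 15.255.255.255
deny ip 172.145.42.0 0.0.0.255 224.0.0.0 15.255.255.255
"""

HEADER_RE = re.compile(r"^\s*(Standard|Extended) IP access list (\S+)\s*$")
ENTRY_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_show_access_lists(text: str) -> dict:
    """Map each list name or number to its entries: action, protocol, match spec, counter."""
    lists, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
            lists[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            lists[current].append({
                "action": entry.group(1),
                "protocol": entry.group(2),
                "spec": entry.group(3),
                "matches": int(entry.group(4) or 0),   # no parenthesised counter means no hits
            })
    return lists

def deny_hits(entries: list) -> list:
    """Deny entries that have actually dropped traffic: the ones worth a second look."""
    return [e for e in entries if e["action"] == "deny" and e["matches"] > 0]

def unused_entries(entries: list) -> list:
    """Entries with no hits since the counters were last cleared; candidates for review."""
    return [e for e in entries if e["matches"] == 0]

def totals(entries: list) -> tuple:
    """(packets permitted, packets denied) according to the counters."""
    permitted = sum(e["matches"] for e in entries if e["action"] == "permit")
    denied = sum(e["matches"] for e in entries if e["action"] == "deny")
    return permitted, denied
```

On the sample, the only deny entry with hits is the one for 121.58.0.0 0.1.255.255 (8 matches), fourteen of the eighteen entries have never matched, and the permit entries account for 6630 packets against 8 denied.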
Question 26
Question 27
Topic 5.2: IP Access Lists
*Showing IP Access Lists
These are the commands for showing IP access lists:
- Router#show ip interface
- Router#show ip access-list
*The show ip interface Command
The command show ip interface shows IP interface configurations and current status. This command can only be used in privileged EXEC mode. Here is the command syntax:
Router#show ip interface [brief] [type] [number]
The keyword brief displays a shorter summary of interface configuration; with this keyword, access-list information is not displayed. The type is the interface type, such as Ethernet or serial. The number is the interface number, such as the 0 in Ethernet 0; it has nothing to do with access-list numbers.
show ip interface Output
Here is a typical display for show ip interface. Notice that access-list information is listed (the Outgoing access list and Inbound access list lines) even when no access lists are enabled. The same display also exposes settings that a security review should check; for example, Directed broadcast forwarding is enabled, which older IOS releases turned on by default, lets the interface serve as a smurf amplifier and is disabled per interface with no ip directed-broadcast.
Router# show ip interface
Ethernet0 is administratively down, line protocol is down
Internet address is 1.0.67.20, subnet mask is 255.0.0.0
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast groups joined: 224.0.0.1 224.0.0.2
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP SSE switching is disabled
Router Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
PCbus0 is administratively down, line protocol is down
Internet address is 198.135.1.43, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast groups joined: 224.0.0.1 224.0.0.2
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP SSE switching is disabled
Router Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Serial0 is administratively down, line protocol is down
Internet address is 192.153.2.49, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast groups joined: 224.0.0.1 224.0.0.2
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP SSE switching is disabled
Router Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
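Because show ip interface reports the access-list lines for every interface, its output can be used to audit which interfaces actually carry a filter. The Python below is an added example, not code from the course or from Cisco: it parses the line shapes of the display above from a constructed sample (three interfaces in the same format, one of which has an inbound access list) and reports active interfaces that have no inbound access list, plus any interface that still forwards directed broadcasts. Only the fields this audit reads are parsed; everything else IOS prints is ignored.

```python
"""Audit 'show ip interface' output for unfiltered interfaces and risky defaults.

Added example, not from the course text. It recognises the line shapes
shown in the sample display on this page; other fields are skipped.
"""
import re

# Constructed sample in the format of the display above, trimmed to the
# fields this audit reads. Ethernet0 has an inbound access list; the others do not.
SAMPLE = """Ethernet0 is up, line protocol is up
  Internet address is 1.0.67.20, subnet mask is 255.0.0.0
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is 121
  Proxy ARP is enabled
Serial0 is up, line protocol is up
  Internet address is 192.153.2.49, subnet mask is 255.255.255.0
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
Serial1 is administratively down, line protocol is down
  Internet address is 10.1.1.1, subnet mask is 255.255.255.0
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
"""

IFACE_RE = re.compile(
    r"^(?P<name>\S+) is (?P<admin>up|administratively down|down), "
    r"line protocol is (?P<proto>up|down)$"
)
# Some IOS releases pad "Inbound" with two spaces, hence \s+.
ACL_RE = re.compile(r"^(?P<dir>Inbound|Outgoing)\s+access list is (?P<val>.+)$")
FLAG_RE = re.compile(r"^(?P<key>Directed broadcast forwarding|Proxy ARP) is (?P<state>enabled|disabled)$")


def parse_show_ip_interface(text):
    """Return {interface name: fields} for every interface block in the display."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = {"admin_up": m["admin"] == "up", "line_up": m["proto"] == "up",
                       "inbound_acl": None, "outbound_acl": None,
                       "directed_broadcast": None, "proxy_arp": None}
            interfaces[m["name"]] = current
            continue
        if current is None:
            continue
        m = ACL_RE.match(line)
        if m:
            key = "inbound_acl" if m["dir"] == "Inbound" else "outbound_acl"
            current[key] = None if m["val"] == "not set" else m["val"]
            continue
        m = FLAG_RE.match(line)
        if m:
            key = "directed_broadcast" if m["key"].startswith("Directed") else "proxy_arp"
            current[key] = m["state"] == "enabled"
    return interfaces


def unfiltered_interfaces(interfaces):
    """Interfaces that are up (administratively and at line level) with no inbound access list."""
    return sorted(name for name, i in interfaces.items()
                  if i["admin_up"] and i["line_up"] and i["inbound_acl"] is None)


def directed_broadcast_enabled(interfaces):
    """Interfaces that forward directed broadcasts; disable with 'no ip directed-broadcast'."""
    return sorted(name for name, i in interfaces.items() if i["directed_broadcast"])


if __name__ == "__main__":
    ifs = parse_show_ip_interface(SAMPLE)
    print("active interfaces without an inbound access list:", unfiltered_interfaces(ifs))
    print("interfaces forwarding directed broadcasts:", directed_broadcast_enabled(ifs))
```

The audit deliberately ignores interfaces that are administratively down when looking for missing filters, but still reports directed-broadcast forwarding on them, since the setting survives a later no shutdown.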
*The show ip access-list Command
The command show ip access-list is identical to show access-lists, except that it displays only the current IP access lists, standard and extended.
*Available in Two Modes
This command can be used in either user or privileged EXEC mode. Here is the command syntax:
Router#show ip access-list [access-list-number|name]
The range for access-list-number is 0–199. If no number or name is given, all current access lists are listed.
show ip access-list Output
Here is some typical show ip access-list output for a numbered extended access list.
Router# show ip access-list
Extended IP access list 151
deny udp any any eq ntp
permit tcp any any
permit udp any any eq tftp
permit icmp any any
permit udp any any eq domain
*An Example
Here is output for a named extended access list.
Router# show ip access-list internetlist
Extended IP access list internetlist
permit tcp any 121.21.0.0 0.0.255.255 eq telnet
deny tcp any any log
deny udp any 121.21.0.0 0.0.255.255 lt 1024
deny ip any any log
Topic 5.3: IPX Access Lists
*Two Commands
These are the commands for showing IPX access lists:
- Router#show ipx interface
- Router#show ipx access-list
show ipx interface Command
The command show ipx interface shows the configuration for IPX interfaces. Use this command in user or privileged EXEC modes. The command syntax is:
Router#show ipx interface [type number]
type is the interface type, and can be asynchronous, dialer, Ethernet (IEEE 802.3), FDDI, loopback, null, serial, Token Ring, or tunnel. number is the interface number, not the access-list number.
show ipx interface Output
This is typical show ipx interface output. Notice that this output tells you the access-list status, even when access lists have not been enabled.
Router# show ipx interface ethernet 0
Ethernet0 is up, line protocol is up
IPX address is D02.0000.0b11.5020, NOVELL-ETHER [up] line-up, RIPPQ: 0, SAPPQ : 0
Delay of this Novell network, in ticks is 1
IPXWAN processing not enabled on this interface
IPX SAP update interval is 1 minute(s)
IPX type 20 propagation packet forwarding is disabled
Outgoing access list is not set
IPX Helper access list is not set
SAP Input filter list is not set
SAP Output filter list is not set
SAP Router filter list is not set
SAP GNS output filter list is not set
Input filter list is not set
Output filter list is not set
Router filter list is not set
Netbios Input host access list is not set
Netbios Input bytes access list is not set
Netbios Output host access list is not set
Netbios Output bytes access list is not set
Update time is 60 seconds
IPX accounting is enabled
IPX fast switching is configured (enabled)
IPX SSE switching is disabled
show ipx access-list Command
The show ipx access-list command functions just like show access-lists and show ip access-list. It can be used in user and privileged EXEC mode. This is the command syntax:
Router#show ipx access-list [access-list-number|name]
The access-list-number ranges are 800–899 for Novell IPX standard access lists, 900–999 for Novell IPX extended access lists, and 1000–1099 for SAP filters.
show ipx access-list Output
This example shows all IPX access lists for a router.
Router#show ipx access-list
IPX extended access list 901
deny any 1
IPX sap access list Ohio
deny FFFFFFFF 121
deny FFFFFFFF 431B
permit FFFFFFFF 0
*Another Example
This example shows only the access list numbered 901, selected by giving its number as the argument.
Router#show ipx access-list 901
IPX extended access list 901
deny any 1
* Exercise 1
Try identifying the show commands that display output about access lists on your Cisco router.
Step | Action |
---|---|
1 | List all the show commands that can be used to display output for access lists. Be sure to include the arguments for each. |
2 | Mark the commands that can be used in IP networking. |
3 | Mark the commands that can be used in IPX networking. |
4 | Make a separate list of the commands that can be used only in privileged EXEC mode. |
5 | Make a separate list of commands that display access-list output even when no access lists have been configured. |
Topic 5.4: Unit 5 Summary
In this unit you examined the show commands that allow you to monitor and verify your access-list configurations. Throughout this course, you studied aspects of network security. You investigated the risks to network security, and then analyzed methods to improve network security, with an emphasis on access lists. You learned the commands to configure both standard and extended access lists in both IP and IPX networks.