Chapter 10 Presentation Transcript

  • CHAPTER ONE Access Lists
  • Objectives
    • Describe the usage and rules of access lists
    • Establish standard IP access lists
    • Produce extended IP access lists
    • Develop standard IPX access lists
    • Create extended IPX access lists
    • Define IPX SAP filters
    • Apply access lists to interfaces
    • Monitor and verify access lists
  • Access Lists: Usage and Rules
    • Network traffic flow and security influence the design and management of computer networks
    • Access lists solve many of the problems associated with these two tasks
    • Access lists are permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
  • Access List Usage
    • Implicit deny any
      • Blocks all packets that do not meet requirements of the access list
    Figure 10-1: Sample network
  • Problems with Access Lists
    • One of the most common problems associated with access lists is a lack of planning
    • Another troublesome area is the sequential nature in which you must enter the list into the router
    • Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list
  • Access List Rules Figure 10-2: No access-list command
  • Access List Rules
    • Inbound
      • Direction parameter used when applying an access list
      • Direction is into the router
    • Outbound
      • Direction parameter used when applying an access list
      • Direction is out of the router
  • Access List Rules Figure 10-3: The man in the router
  • Access List Rules
    • Routers apply lists sequentially in the order in which you type them into the router
    • Routers apply lists to packets sequentially
    • Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in access list statements
  • Access List Rules
    • Lists always end with an implicit deny
    • Access lists must be applied to an interface as either inbound or outbound traffic filters
    • Only one list, per protocol, per direction can be applied to an interface
    • Access lists are effective as soon as they are applied
  • Standard IP Access Lists
    • Standard IP Access Lists
      • Filter network traffic based on the source IP address only
      • Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
    • Wildcard mask
      • Also called inverse mask
      • Applied to IP addresses to determine if an access list line will act upon a packet
  • Standard IP Access Lists Table 10-1: Wildcard mask examples
  • Standard IP Access Lists Figure 10-4: Wildcard masking example matching a single host
  • Standard IP Access Lists Figure 10-5: Wildcard masking example matching a complete subnet
  • Standard IP Access Lists
    • Partial masking
      • When an octet in a wildcard mask contains a mix of binary 1s and 0s
    Figure 10-6: Wildcard masking example using partial masking
  • Standard IP Access Lists Figure 10-7: Wildcard masking example without match
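The two rules the slides above state, sequential first-match evaluation ending in an implicit deny, and wildcard (inverse) masking including partial masking, can be modelled in a few lines. The following is an added example written for this transcript, not code from the slides or from Cisco IOS; the list entries, addresses and sample packets are constructed for illustration, and the `access-list 1` lines shown in the comments are what the equivalent router configuration would look like.

```python
"""Standard IP access list evaluation, modelled in Python.

Added example (not from the slides): implements wildcard (inverse)
masking and sequential first-match evaluation with an implicit
'deny any' at the end. All addresses and entries are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_match(packet_ip: str, entry_ip: str, wildcard: str) -> bool:
    """Return True if packet_ip matches entry_ip under a wildcard mask.

    A wildcard (inverse) mask bit of 0 means "this address bit must
    match"; a bit of 1 means "ignore this bit". So 0.0.0.0 matches
    exactly one host and 255.255.255.255 matches any address.
    """
    p = int(ipaddress.IPv4Address(packet_ip))
    e = int(ipaddress.IPv4Address(entry_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must compare equal
    return (p & care) == (e & care)


@dataclass(frozen=True)
class StandardEntry:
    action: str                  # "permit" or "deny"
    source: str                  # source address field of the list line
    wildcard: str = "0.0.0.0"    # standard lists default to 0.0.0.0 (one host)


def evaluate_standard(acl: list[StandardEntry], source_ip: str) -> tuple[str, int | None]:
    """Walk the list top-down; the first matching line decides.

    Returns (action, index_of_matching_line). If no line matches, the
    implicit 'deny any' at the end of every list applies, reported as
    index None.
    """
    for idx, entry in enumerate(acl):
        if wildcard_match(source_ip, entry.source, entry.wildcard):
            return entry.action, idx
    return "deny", None          # implicit deny any


# Constructed sample list; the equivalent router lines would be:
#   access-list 1 deny   172.22.5.2               (default wildcard = one host)
#   access-list 1 permit 172.22.5.0 0.0.0.255     (the whole 172.22.5.0/24)
#   access-list 1 permit 10.0.0.0 0.0.1.255       (partial masking: 10.0.0.0/23)
SAMPLE_ACL = [
    StandardEntry("deny", "172.22.5.2"),
    StandardEntry("permit", "172.22.5.0", "0.0.0.255"),
    StandardEntry("permit", "10.0.0.0", "0.0.1.255"),
]

if __name__ == "__main__":
    for ip in ("172.22.5.2", "172.22.5.77", "10.0.1.9", "10.0.2.1", "192.168.1.1"):
        action, line = evaluate_standard(SAMPLE_ACL, ip)
        where = f"line {line + 1}" if line is not None else "implicit deny"
        print(f"{ip:>14} -> {action:<6} ({where})")
```

The partial-mask line `10.0.0.0 0.0.1.255` shows why the third octet matters: `10.0.1.9` matches (bit 1 of the octet is ignored) while `10.0.2.1` falls through to the implicit deny. Swapping the first two entries illustrates the ordering rule from the slides: the subnet permit would then match `172.22.5.2` first and the host deny would never be reached.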
  • Standard IP Access List Examples Figure 10-8: Sample IP network
  • Standard IP Access List Examples Figure 10-9: Creating a standard IP access list
  • Standard IP Access List Examples Figure 10-10: Sample IP network with two Ethernet interfaces on RouterB
  • Standard IP Access List Examples Figure 10-11: Show access-lists and show ip access-lists commands
  • Standard IP Access List Examples Figure 10-12: Show ip interface command
  • Standard IP Access List Examples Figure 10-13: Removing an ip access list from an interface
  • Standard IP Access List Examples Figure 10-14: Show ip interface after removal of access list 1 from e0
  • Standard IP Access List Examples Figure 10-15: Creation and application of standard IP access list
  • Standard IP Access List Examples Figure 10-16: Show access-list and show ip interface commands
  • Standard IP Access List Examples Figure 10-17: Access list that blocks multiple subnets
  • Monitoring Standard IP Access Lists
    • Three main commands are available for monitoring access lists on your router:
      • Show access-lists
      • Show ip access-lists
      • Show interfaces or show ip interfaces
    • It is a good idea to run each of these commands after creating and applying access lists
  • Extended IP Access Lists
    • IP access lists that filter traffic by:
      • Source IP address
      • Destination IP address
      • Protocol type
      • Port number
  • Extended IP Access List Examples Figure 10-18: Sample IP network with a Web server
  • Extended IP Access List Examples
    • Unlike standard IP access lists, extended access lists do not have a default wildcard mask of 0.0.0.0
      • You must specify the wildcard mask for the source IP address
    • The host keyword is short for a wildcard mask of 0.0.0.0
      • The line will only be applied to packets that match the one source address specified with host keyword
  • Extended IP Access List Examples Figure 10-19: Extended IP access list example
  • Extended IP Access List Examples Figure 10-19 (cont.): Extended IP access list example
  • Extended IP Access List Examples Figure 10-20: Extended IP access list example continued
  • Extended IP Access List Examples Figure 10-20 (cont.): Extended IP access list example continued
  • Extended IP Access List Examples Figure 10-21: Applying an extended ip access list to an interface
  • Extended IP Access List Examples Figure 10-22: Removing an extended ip access list from an interface
  • The “Established” Parameter
    • Network administrators often want to block all TCP/IP traffic outside their network from coming into their network
    • If you use deny statements to deny all traffic coming in, no one will be able to browse the Web, ping, or perform other network activities that involve a response to a request
    • The easiest way around this problem is to use an extended ip access list with an established parameter
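The effect of the established parameter is easiest to see by evaluating the same inbound packets against a list that uses it and against the blanket deny the slide warns about. The code below is an added example for this transcript, not code from the slides or from Cisco IOS; it models the IOS semantics of `established` (match TCP segments with the ACK or RST bit set) and uses constructed addresses, list numbers and packets.

```python
"""Extended IP access list with the 'established' keyword, modelled in Python.

Added example (not from the slides). 'established' matches TCP segments
that carry the ACK or RST bit, i.e. segments belonging to a conversation
already in progress, so an inbound list can admit replies to sessions
opened from inside while new inbound connections (a bare SYN) fall to the
implicit deny. Addresses, list numbers and packets are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_match(packet_ip: str, entry_ip: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask comparison: a 0 bit must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (int(ipaddress.IPv4Address(entry_ip)) & care)


@dataclass(frozen=True)
class Packet:
    protocol: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: int | None = None
    tcp_flags: frozenset[str] = frozenset()    # e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class ExtendedEntry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: int | None = None    # "eq <port>" on the destination; None = any port
    established: bool = False      # TCP only: require ACK or RST to be set

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wildcard):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wildcard):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not (pkt.protocol == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def evaluate_extended(acl: list[ExtendedEntry], pkt: Packet) -> str:
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("172.22.0.0", "0.0.255.255")      # constructed internal network

# Inbound list on the Internet-facing interface, as the slide recommends:
#   access-list 101 permit tcp any 172.22.0.0 0.0.255.255 established
INBOUND_WITH_ESTABLISHED = [
    ExtendedEntry("permit", "tcp", *ANY, *INSIDE, established=True),
]

# The blanket deny the slide warns about:
#   access-list 102 deny ip any any
INBOUND_DENY_ALL = [
    ExtendedEntry("deny", "ip", *ANY, *ANY),
]

# Constructed traffic arriving inbound from the Internet.
REPLY_TO_INSIDE_CLIENT = Packet("tcp", "198.51.100.10", "172.22.5.20", 49152, frozenset({"SYN", "ACK"}))
NEW_CONNECTION_FROM_OUTSIDE = Packet("tcp", "198.51.100.10", "172.22.5.20", 22, frozenset({"SYN"}))
INBOUND_UDP = Packet("udp", "198.51.100.10", "172.22.5.20", 53)

if __name__ == "__main__":
    for name, pkt in [("reply to inside client", REPLY_TO_INSIDE_CLIENT),
                      ("new inbound connection", NEW_CONNECTION_FROM_OUTSIDE),
                      ("inbound udp", INBOUND_UDP)]:
        print(f"{name:<24} established list: {evaluate_extended(INBOUND_WITH_ESTABLISHED, pkt):<6} "
              f"deny-all list: {evaluate_extended(INBOUND_DENY_ALL, pkt)}")
```

The deny-all list blocks the SYN-ACK that answers a web request started inside, which is the breakage the slide describes; the established list lets that reply through and still drops the new inbound SYN. Two properties to keep in mind when relying on it: the keyword applies to TCP only (UDP and ICMP replies need their own permit lines), and it checks flag bits rather than tracking sessions, so it is a filter on segment shape, not a stateful firewall.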
  • Monitoring Extended IP Access Lists Figure 10-23: Show ip access-lists command
  • Monitoring Extended IP Access Lists Figure 10-24: Clear access-list counters command
  • Standard IPX Access Lists
    • Very similar to their IP cousins
      • One distinct difference
    • Can filter based on source and destination addresses
      • Standard IP access lists can only filter based on source addresses
    • In all other aspects, they act just like standard IP access lists
  • Standard IPX Access List Examples Figure 10-25: Sample IPX network
  • Standard IPX Access List Examples Figure 10-26: Standard IPX access-list configuration
  • Monitoring Standard IPX Lists Figure 10-27: Show access-list command
  • Extended IPX Access Lists
    • Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
    Figure 10-28: Configuring extended IPX access-lists
  • Extended IPX Access Lists Figure 10-28 (cont.): Configuring extended IPX access-lists
  • Monitoring Extended IPX Access Lists Figure 10-29: show access-lists command
  • IPX SAP Filters
    • Limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients
      • Allows you to limit the “advertising” of particular servers and services to a particular IPX network segment
      • Since SAP advertisements are broadcast, limiting them reduces network traffic
    • IPX input SAP filters reduce the number of SAP entries that are placed into a router’s SAP table
  • IPX SAP Filter Example Figure 10-30: IPX SAP filter example
  • IPX SAP Filter Example Figure 10-31: Applying an IPX SAP filter to an interface
  • Monitoring IPX SAP Filters
    • Like all other access lists, the show access-lists command displays all lists including all SAP filters defined on the router
    • To make sure the list was applied successfully to the interface, use the show ipx interface command
    • To remove the sap filter, use the no access-list [ list # ] command
    • To remove the applications of sap filter from an interface, use the no ipx input-sap-filter [ list # ] or no ipx output-sap-filter [ list # ] command
  • Using Named Lists
    • In Cisco IOS versions 11.2 and above, you can use names instead of numbers to identify your lists
      • These are known as named access lists
    • You cannot use the same name for multiple lists
      • Even different types of lists cannot have the same name
    • The naming feature allows you to maintain security by using an easily identifiable access list
  • Chapter Summary
    • Access lists are one of the most important IOS tools for controlling network traffic and security
    • Access lists are created in a two-step process
    • All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
    • Access lists, by default, always end in an implicit deny any
    • Only one access list per direction per protocol can be applied to an interface
  • Chapter Summary
    • Standard IP access lists filter traffic based on the source IP address of a packet
    • Extended IP access lists filter traffic based on the source, destination, protocol type, and application type
    • Standard IPX access lists are more complex than standard IP lists
    • Extended IPX lists allow you to filter based on IPX protocol type and IPX parameters
    • IPX SAP filters allow you to limit the amount of SAP traffic passed by your routers
  • Chapter Summary
    • Each type of access list is identified by its own range of numbers
    Table 10-2: Access list number ranges