3. Recall - I
IGRP is a distance-vector routing protocol, which
means that each router sends all or part of its
routing table to its neighbours in a routing update
EIGRP was created using IGRP as the base and adding
functionality to enhance it
OSPF is a link-state protocol built on the Shortest
Path First (SPF, or Dijkstra) algorithm, which lets
each router compute the shortest route to every
destination from its own copy of the topology
When a link changes state, the router that detects the
change originates a Link State Advertisement (LSA),
which is flooded to the other routers in the area (on a
multi-access segment the designated router forwards it)
4. Recall - II
OSPF provides the following advantages:
Open (standards-based) protocol
Loop-free topology
Scalable
Hierarchical (area-based) design
Uses multicast for its hellos and updates
There are different OSPF area types that control how
external routes are handled:
Normal area
Stub area
Totally stubby area
Not-so-stubby area
5. Access Control List - I
An Access Control List (ACL) is a set of statements,
grouped together, that filters the traffic entering
or leaving an interface
The functions of ACLs include the following:
Reduce unwanted traffic and so improve network
performance
Control the flow of traffic in the network
Provide security for network access
Decide which types of traffic are forwarded or
blocked on an interface
6. Access Control List - II
When you apply an ACL you must also specify the
direction in which traffic is filtered:
Inbound
Outbound
Access lists come in the following two forms:
Numbered ACL
Named ACL
Each of these forms supports two types:
Standard ACL (filters on source address only)
Extended ACL (filters on source, destination,
protocol and ports)
7. ACL Processing
An ACL is a list of statements grouped together under
a name or number
When the router processes a packet against an ACL, it
compares the packet with the statements one by one
to find a match
The router processes each ACL top-down, in the order
the statements were entered
If the packet does not match the first statement, the
router continues with the next statement, following
the same process
Processing stops at the first statement that matches,
and that statement's action (permit or deny) is taken;
later statements are never consulted
If no statement matches, the packet is dropped by the
implicit deny at the end of every ACL, so an ACL that
only contains deny statements blocks all traffic
8. Configuring ACL
You must know the guidelines before configuring an
ACL
You create an ACL with the access-list command. The
syntax to create an ACL is:
access-list ACL_# permit|deny conditions
An ACL does nothing until it is applied. To activate
an ACL on an interface, enter the following in
configuration mode:
interface type slot_#/port_#
ip access-group ACL_# in|out
Only one ACL per protocol, per direction, can be
applied to an interface; applying a second one
replaces the first
9. ACL Numbers and Protocol Types - I
Type                                   Numbers
IP standard                            1-99, 1300-1999
Standard Vines                         1-99
IP extended                            100-199, 2000-2699
Extended Vines                         100-199
Bridging type code (layer 2)           200-299
DECnet                                 300-399
Standard XNS                           400-499
Extended XNS                           500-599
AppleTalk                              600-699
10. ACL Numbers and Protocol Types - II
Type                                   Numbers
Bridging MAC address and vendor code   700-799
IPX standard                           800-899
IPX extended                           900-999
IPX SAP filters                        1000-1099
Extended transparent bridging          1100-1199
IPX NLSP                               1200-1299
11. Editing Entries
You may need to add, delete or modify an entry in
the ACL
In a classic numbered ACL you cannot delete a
specific entry: a new statement is always appended
to the end of the list, and removing one statement
removes the whole list (newer IOS releases with ACL
sequence numbers let you edit a numbered ACL through
the ip access-list command instead)
The no access-list command deletes an ACL. The
syntax of the command is:
no access-list ACL_#
This deletes the entire list, so copy the ACL to a
text editor, edit it there and re-enter it in full
12. Wildcard Masking
Wildcard masks let an ACL statement match a range of
IP addresses instead of listing each address
A 0 or 1 in a bit position of the wildcard mask means
the following:
0 - The bit in the ACL statement address must match
the corresponding bit in the address of the packet
being examined
1 - The bit in the ACL statement address does not
have to match the corresponding bit in the address of
the packet being examined
A wildcard of 0.0.0.0 therefore matches one host
(IOS also accepts the keyword host) and a wildcard of
255.255.255.255 matches every address (keyword any)
13. Subnet Masks and Wildcard Masks
Values
Bit value   Subnet mask         Wildcard mask
0           Host component      Must match
1           Network component   Ignore
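To make the table concrete, here is an added Python example (not code from the slides) that inverts a subnet mask into a wildcard mask, tests packet addresses against an ACL statement bit by bit, and counts how many addresses a statement covers. All addresses in it are constructed for illustration.

```python
"""Wildcard masks as used in Cisco ACL statements.

A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit means
"this bit of the packet address must equal the statement address", a 1 bit
means "ignore this bit".  Added example, not code from the original slides;
every address below is constructed for illustration.
"""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask, e.g. 255.255.255.192 -> 0.0.0.63."""
    return to_str(~to_int(subnet_mask) & 0xFFFFFFFF)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /N prefix, e.g. /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    return to_str((1 << (32 - prefix_len)) - 1)


def matches(statement_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches statement_addr under the wildcard.

    XOR marks the bits that differ; AND with the inverted wildcard keeps
    only the differing bits that were required to match.
    """
    differing = to_int(statement_addr) ^ to_int(packet_addr)
    must_match = ~to_int(wildcard) & 0xFFFFFFFF
    return (differing & must_match) == 0


def addresses_covered(wildcard: str) -> int:
    """Number of addresses a statement matches: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # /26 subnet: the wildcard has six 1 bits, so 64 addresses match
    wc = wildcard_from_mask("255.255.255.192")           # 0.0.0.63
    print(wc, addresses_covered(wc))
    print(matches("192.168.1.64", wc, "192.168.1.100"))   # inside the /26
    print(matches("192.168.1.64", wc, "192.168.1.130"))   # next block
    # Wildcards need not be contiguous: 0.0.254.255 matches only the
    # even-numbered third octets 10.0.0.0/24, 10.0.2.0/24, 10.0.4.0/24 ...
    print(matches("10.0.0.0", "0.0.254.255", "10.0.6.1"))
    print(matches("10.0.0.0", "0.0.254.255", "10.0.7.1"))
```

Note that bits of the statement address under a wildcard 1 are simply ignored, so 192.168.1.70 0.0.0.63 matches the same 64 addresses as 192.168.1.64 0.0.0.63; when reviewing a configuration, compute the covered range rather than trusting the address as written.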
14. Standard Numbered ACL
You can create an entry in a standard numbered IP
ACL using the access-list command. The syntax of
this command is:
access-list 1-99|1300-1999 permit|deny
source_address [wildcard_mask] [log]
If the wildcard mask is omitted it defaults to
0.0.0.0, so the statement matches a single host
After creating the standard ACL, you must activate it
on the router's interface
The ip access-group command below enables you
to activate the ACL on the interface:
ip access-group ACL_number in|out
15. Extended Numbered ACLs
Extended numbered ACLs are more flexible than
standard ACLs because they match on both addresses
and on protocol information
The syntax of the command to configure an
extended numbered ACL is:
access-list 100-199|2000-2699 permit|deny
IP_protocol source_address source_wildcard_mask
[protocol_information] destination_address
destination_wildcard_mask [protocol_information]
[log]
In an extended ACL the wildcard masks are not
optional; use the keyword host in place of
address 0.0.0.0 and any in place of
0.0.0.0 255.255.255.255
16. TCP and UDP
An extended ACL can filter traffic by transport
protocol, such as TCP and UDP, and by port
The syntax of the command that allows you to
configure an extended ACL for TCP or UDP is:
access-list 100-199|2000-2699 permit|deny tcp|udp
source_address source_wildcard_mask [operator
source_port_#] destination_address
destination_wildcard_mask [operator
destination_port_#] [established] [log]
The established keyword is valid only for tcp: it
matches segments with the ACK or RST flag set, that
is, replies within a connection that was already
opened, and not the initial SYN
17. Operators for TCP and UDP Connections
Operator   Description
lt         Less than
gt         Greater than
neq        Not equal to
eq         Equal to
range      Range of port numbers (low high)
18. TCP Port Names and Numbers
Name          Command parameter   Number
FTP data      ftp-data            20
FTP control   ftp                 21
Telnet        telnet              23
SMTP          smtp                25
WWW           www                 80
19. UDP Port Names and Numbers
Name          Command parameter   Number
DNS query     domain              53
TFTP          tftp                69
SNMP          snmp                161
IP RIP        rip                 520
A port can always be given as a number instead of
its keyword (IOS uses domain, not dns, for port 53)
20. ICMP
ICMP is one of the protocols that can be filtered
with an extended ACL
ICMP does not use ports like TCP and UDP do, so
there is no port operator; instead the statement can
name an ICMP message type
The syntax for filtering ICMP traffic is:
access-list 100-199|2000-2699 permit|deny icmp
source_address source_wildcard_mask
destination_address destination_wildcard_mask
[icmp_message] [log]
The optional icmp_message matches one ICMP message
type by name; if it is omitted, all ICMP messages
match
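The following added Python example (not code from the slides or from Cisco IOS) ties slide 7 (top-down processing, first match wins, implicit deny) to the statement syntaxes of slides 14, 15, 16 and 20: it parses a small constructed set of standard and extended numbered ACL lines and evaluates constructed packets against them. The addresses, ACL numbers and packets are hypothetical.

```python
"""Evaluate packets against numbered Cisco-style ACLs as the slides describe:
top-down, first match wins, implicit deny when nothing matches.
Added example, not code from the slides or from Cisco IOS; it covers the
standard, extended, TCP/UDP port and ICMP syntaxes of slides 14-16 and 20.
The ACL text, addresses and packets are constructed for illustration."""
import ipaddress
from collections import namedtuple

# Port keywords from the TCP/UDP tables (IOS spells DNS as "domain")
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "domain": 53, "tftp": 69, "snmp": 161, "rip": 520}

# proto: "tcp", "udp", "icmp" or "ip"; ack: TCP ACK/RST set (reply in an
# existing connection); icmp: ICMP message name such as "echo-reply"
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp",
                    defaults=(0, 0, False, ""))
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc sport dport "
                   "established icmp_msg", defaults=(None, None, False, None))

def wildcard_match(rule_addr, wildcard, pkt_addr):
    """Wildcard bit 0 = must match, bit 1 = ignore."""
    a, w, p = (int(ipaddress.IPv4Address(x)) for x in (rule_addr, wildcard, pkt_addr))
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return t, wc

def parse_port(tokens):
    """Consume an optional 'eq|neq|lt|gt PORT' or 'range LOW HIGH' clause."""
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op = tokens.pop(0)
    ports = [tokens.pop(0) for _ in range(2 if op == "range" else 1)]
    return (op, *[PORT_NAMES.get(p) or int(p) for p in ports])

def port_ok(spec, port):
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    if op == "range":
        return a <= port <= spec[2]
    return {"eq": port == a, "neq": port != a, "lt": port < a, "gt": port > a}[op]

def parse_acl(text):
    """Group 'access-list N permit|deny ...' lines by ACL number, in order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99 or 1300 <= num <= 1999:        # standard: source only
            src, wc = parse_addr(rest)
            entry = Entry(action, "ip", src, wc, "0.0.0.0", "255.255.255.255")
        else:                                             # extended
            proto = rest.pop(0)
            src, swc = parse_addr(rest)
            sport = parse_port(rest)
            dst, dwc = parse_addr(rest)
            dport = parse_port(rest)
            extras = [t for t in rest if t != "log"]
            entry = Entry(action, proto, src, swc, dst, dwc, sport, dport,
                          "established" in extras,
                          extras[0] if proto == "icmp" and extras else None)
        acls.setdefault(num, []).append(entry)
    return acls

def evaluate(entries, pkt):
    """Return (action, statement number); ("deny", None) is the implicit deny."""
    for n, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(e.src, e.src_wc, pkt.src)
                and wildcard_match(e.dst, e.dst_wc, pkt.dst)):
            continue
        if not (port_ok(e.sport, pkt.sport) and port_ok(e.dport, pkt.dport)):
            continue
        if e.established and not pkt.ack:
            continue
        if e.icmp_msg and e.icmp_msg != pkt.icmp:
            continue
        return e.action, n      # first match wins; processing stops here
    return "deny", None         # implicit deny at the end of every ACL

# Constructed sample configuration with hypothetical addresses
SAMPLE_ACLS = parse_acl("""
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq www
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
access-list 101 deny udp any any eq snmp log
""")
```

Calling evaluate(SAMPLE_ACLS[101], ...) shows the two behaviours that cause most ACL mistakes: a telnet connection from 192.168.10.0/24 to 10.1.1.5 matches no statement and is dropped by the implicit deny, not by an explicit line, and an inbound TCP packet without ACK fails the established statement even though its addresses match.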
21. ICMP Messages
Message type                 Description
administratively-prohibited  The packet was dropped by a filter such as
                             an ACL
echo                         The request sent by ping
echo-reply                   The reply to an echo request sent by ping
host-unreachable             The subnet is reachable, but the host is not
                             responding
net-unreachable              The network or subnet is not reachable
traceroute                   Matches the messages used by traceroute
22. Controlling Telnet Access to a Router
A standard IP ACL controls telnet access to the
router's vty lines. The access-class command, entered
in line configuration mode (for example line vty 0 4),
applies it. The syntax of this command is:
access-class standard_ACL_# in|out
Cisco routers let you restrict telnet access so that
normal users are refused
You can configure the router to allow telnet access
only from the network administrators' hosts or
networks; every other source falls to the implicit deny
The ACL limits who can reach the line but telnet itself
is cleartext, so prefer SSH on the vty lines where the
platform supports it
23. Named ACLs
Named ACLs support both IP and IPX protocols
The ip access-list command creates a named ACL and
enters a sub-mode in which the permit and deny
statements are typed one per line. The syntax for
this command is:
ip access-list standard|extended ACL_name
Unlike a classic numbered ACL, a named ACL lets you
remove a single statement with the no form of that
statement
After creating a named ACL, you have to activate it
on the router interface
The ip access-group command given below enables
you to activate the named ACL:
ip access-group ACL_name in|out
24. Verifying and Monitoring Access
Control List
To see which ACLs are applied to the router's
interfaces, and in which direction, use the following
command:
show ip interface
Cisco lets you monitor each statement in the ACL,
including the number of packets that have matched it.
To view the statements in an ACL, use one of the
following commands:
show access-lists [ACL_#_or_name]
show ip access-list [ACL_#_or_name]
A statement whose match counter never increases is
either shadowed by an earlier statement or filtering
traffic that does not exist; check its position in the
list
25. Placing ACLs
You have to decide the placement of the ACL
depending on the source and destination addresses to
be filtered
You must consider the following while placing the
ACLs:
Standard ACL - place it close to the destination,
because it matches only on the source address and
would otherwise block that source from everything
Extended ACL - place it close to the source, because
it can match on both source and destination and so
drops unwanted traffic before it crosses the network
26. Case Study
The Blue Diamond steel company, Gujarat branch, has
recruited a few engineers in the Software
Management department. The company has received a
new project from its client in Delhi. The new
engineers need to work only on the software
application assigned to them and should not access
the server data. To accomplish this, the network
administrator, Robert, uses a standard ACL. The
network of the organization appears as shown in the
Figure.
29. Suggested Solution
You can use a standard ACL to prevent the engineers
from accessing the server data. However, the
placement of the ACL is very important: because a
standard ACL filters only on the source address, it
must be applied on the interface closest to the
server. The engineers should still be allowed to
reach all other computers in the network, but not
the server
30. Summary - I
An access control list is a set of statements,
grouped together, that filters the traffic entering
or leaving an interface
An ACL is identified by a name or number. When the
router processes a packet against an ACL, it compares
the packet with each statement in turn to find a
match
After building an IP ACL, you have to apply it to an
interface (ip access-group) or to another IOS
process such as a vty line (access-class)
Extended numbered ACLs are more flexible than
standard ACLs
31. Summary - II
If the router finds a match between the packet and a
statement, it executes the action included with that
statement and stops processing the list. The actions
are:
Permit
Deny
If no statement matches, the packet is dropped by
the implicit deny at the end of the ACL
A need may arise to add, delete or modify an entry in
an ACL. In a classic numbered ACL you cannot delete
a specific entry; a named ACL allows it
To express groups of IP addresses in ACL statements,
wildcard masks can be used to match a range of
addresses instead of entering each address
32. Summary - III
A wildcard mask is an inverted subnet mask. To match
any address in a subnet or network, take the subnet
mask and invert each bit value
You must consider the following while placing the ACLs:
Standard ACL - needs to be placed close to the
destination device that you want to prevent the source
from reaching, because it filters on the source
address only
Extended ACL - needs to be placed close to the source
device. An extended ACL can filter on both the source
and the destination address, so it can drop the
traffic before it crosses the network