
Source: faculty.olympic.edu/kblackwell/docs/cmpt… · Web view · 2009-06-29

CCNA EXPLORATION

ACCESSING THE WAN

Study Guide

Chapter 5: ACLs

5.1.1

Describe port numbers.

0 – 1023: Well Known Ports
1024 – 49151: Registered Ports
49152 – 65535: Private and/or Dynamic Ports

What are some of the well known & registered TCP ports?

Well known:
21 – FTP (also port 20)
23 – Telnet
25 – SMTP
80 – HTTP
110 – POP3
194 – IRC
443 – Secure HTTP (HTTPS)

Registered:
1863 – MSN Messenger
8008 – Alternate HTTP
8080 – Alternate HTTP

What are some of the well known & registered UDP ports?

Well known:
69 – TFTP
520 – RIP

Registered:
1812 – RADIUS Authentication Protocol
2000 – Cisco SCCP (VoIP)
5004 – RTP (Voice & Video Transport Protocol)
5060 – SIP (VoIP)

What are some of the well known & registered TCP/UDP ports?

Well known:
53 – DNS
161 – SNMP
531 – AOL Instant Messenger

Registered:
1433 – MS SQL
2948 – WAP (MMS)

5.1.2

Describe packet filtering. Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

At what OSI layer & TCP/IP layer does this process take place?

Packet filtering works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

What does a router use to perform packet filtering?

A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.

CCNA EXP 4 CH.5 ACLs APRIL 2009

How are the rules in the answer above defined? These rules are defined using access control lists or ACLs.

Describe ACLs. An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:

Source IP address
Destination IP address
ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:

TCP/UDP source port
TCP/UDP destination port

5.1.3

How does the router apply ACLs? As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet.

Does a router filter traffic by default? No. Without ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

What are some guidelines for using ACLs? Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

Configure ACLs on border routers-routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.

Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

Describe the three Ps for applying ACLs on a router.

You can configure one ACL per protocol, per direction, per interface:

One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.

One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.

One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.

What tasks do ACLs perform?

Limit network traffic to increase network performance.

Provide traffic flow control. ACLs can restrict the delivery of routing updates.

Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.

Decide which types of traffic to forward or block at the router interfaces.

Control which areas a client can access on a network.

Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

5.1.4

Describe ACLs as they apply to inbound traffic or to outbound traffic.

Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

What is true about all ACLs? A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

Describe the router logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.

What are the results of the permit & deny statements in outbound lists?

"To permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.

What could one reason be for traffic being unintentionally blocked?

At the end of every access list is an implied "deny all traffic" criteria statement. If a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.

5.1.5

Describe Standard ACLs. Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Standard ACLs are created in global configuration mode.

Explain this example: access-list 10 permit 192.168.30.0 0.0.0.255

The example allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL.

Describe Extended ACLs. Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. Extended ACLs are created in global configuration mode.

Explain this example: access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80

ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP).

5.1.6

What are the two main tasks involved in using ACLs?

Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.

How does a standard ACL work? A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses. The destination of the packet and the ports involved are not covered.

5.1.7

Why use named ACLs? A number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

Describe numbered ACLs. You assign a number based on which protocol you want filtered:

1 – 99 & 1300 – 1999: Standard IP ACL
100 – 199 & 2000 – 2699: Extended IP ACL

Describe named ACLs. You assign a name by providing the name of the ACL:

Names can contain alphanumeric characters.
Suggestion: the name should be written in CAPITAL LETTERS.
Names cannot contain spaces or punctuation & must begin with a letter.
You can add or delete entries within the ACL.

What numbers are used by AppleTalk? By IPX? Numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.

5.1.8

What are the basic rules for the proper placement of an ACL?

Every ACL should be placed where it has the greatest impact on efficiency.

Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.

Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

5.1.9

What are some ACL best practices?

5.2.2

What is required in configuring numbered standard ACLs?

You must first create the standard ACL and then activate the ACL on an interface.

What command defines a standard ACL with a number in the range of 1 to 99?

The access-list global configuration command

What is the maximum number of possible standard ACLs?

799: 1 – 99 and 1300 – 1999

What is the full syntax of the standard ACL? Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]


Explain the syntax above.

What command displays the current ACLs configured on a router?

The show access-list command.

What command removes a standard ACL? The no form of the access-list command with its number parameter.

What is the purpose of the remark keyword? It is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.

5.2.3

What is a wild card mask? It is a 32-bit quantity used in conjunction with an IP address to determine which bits in an IP address should be ignored when comparing that address with another IP address. It is used when setting up ACLs.

How do wild card masks use the binary 1s & 0s as compared to subnet masks?

Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single or several IP addresses.

Wildcard masks use what rules to match binary 1s and 0s?

Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address

Why are wildcard masks often referred to as an inverse mask?

The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, the reverse is true.

Describe the following wildcard masks:

0.0.0.0: the wildcard mask stipulates that every bit in the IP address must match exactly. (Match all bits)

255.255.255.255: the wildcard mask stipulates that anything will match. (Ignore all bits)

0.0.0.255: the wildcard mask stipulates that it will match any host within the given network.

Given an IP address of 192.168.16.0 & a wildcard mask of 0.0.15.255, what are the results?

The first two octets and first four bits of the third octet must match exactly. The last four bits in the third octet and the last octet can be any valid number. This results in a mask that checks for 192.168.16.0 to 192.168.31.0.

Given an IP address of 192.168.0.0 & a wildcard mask of 0.0.254.255, what are the results?

This shows a wildcard mask that matches the first two octets, and the least significant bit in the third octet. The last octet and the first seven bits in the third octet can be any valid number. The result is a mask that would permit or deny all hosts from odd subnets from the 192.168.0.0 major network.

What is the easiest way to calculate the wildcard mask?

By subtracting the subnet mask from 255.255.255.255.

Describe the keywords host and any in wild card masks.

The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match or only one host is matched.

The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IP address or to accept any addresses.
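Added example (not from the study guide or any Cisco tool): a Python model of the wildcard rules above, covering the inverse-mask shortcut, the host and any keywords, and the 192.168.16.0 0.0.15.255 case. For the odd-subnet case it uses 192.168.1.0 as the base address, because the low bit of the third octet must be 1 for odd third octets to match; with 192.168.0.0 the same 0.0.254.255 mask selects the even subnets.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The guide's shortcut: 255.255.255.255 minus the subnet mask.  Bit for
    bit that is the inverse of the mask, hence the name 'inverse mask'."""
    return int_to_ip(MASK32 - ip_to_int(subnet_mask))

def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard bit 0: the candidate bit must equal the address bit.
    Wildcard bit 1: ignore that bit.  XOR exposes the differing bits; the
    entry matches only if every differing bit sits under a 1 in the wildcard."""
    differing = ip_to_int(address) ^ ip_to_int(candidate)
    return (differing & ~ip_to_int(wildcard) & MASK32) == 0

def parse_source(tokens: list) -> tuple:
    """Expand the source part of an access-list entry into an (address,
    wildcard) pair, translating the 'host' and 'any' keywords."""
    if tokens[0] == "any":                 # any = 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":                # host A.B.C.D = A.B.C.D 0.0.0.0
        return tokens[1], "0.0.0.0"
    if len(tokens) == 1:                   # IOS assumes 0.0.0.0 when no wildcard is typed
        return tokens[0], "0.0.0.0"
    return tokens[0], tokens[1]

def matched_block(address: str, wildcard: str) -> tuple:
    """Lowest and highest address the entry can match: wildcard bits all
    cleared, then all set.  For a contiguous wildcard such as 0.0.15.255
    everything in between matches as well."""
    a, w = ip_to_int(address), ip_to_int(wildcard)
    return int_to_ip(a & ~w), int_to_ip(a | w)

def matching_third_octets(address: str, wildcard: str) -> list:
    """Which values of the third octet satisfy the entry.  Shows that a
    non-contiguous wildcard such as 0.0.254.255 selects every other /24
    rather than one block of addresses."""
    a, b, _, d = address.split(".")
    return [o for o in range(256)
            if wildcard_matches(address, wildcard, f"{a}.{b}.{o}.{d}")]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.240.0"))            # the guide's 0.0.15.255
    print(matched_block("192.168.16.0", "0.0.15.255"))
    print(matching_third_octets("192.168.1.0", "0.0.254.255")[:4])   # odd subnets
    print(matching_third_octets("192.168.0.0", "0.0.254.255")[:4])   # even subnets
```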

5.2.4

How is a standard ACL linked to an interface? Use the ip access-group command.

What is the complete syntax for the command above?

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

How do you remove a standard ACL? To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

List the steps to configure a standard ACL.

Step 1. Use the access-list global command to create an entry.
Step 2. Use the interface configuration command to select an interface to which to apply the ACL.
Step 3. Use the ip access-group interface configuration command to activate the existing ACL on the interface.

How can you control which administrative workstation or network manages your router?

Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. This can be done by using an ACL.

What command restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list?

The access-class command in line configuration mode

Why is an extended ACL not required to complete this process?

Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.

What is the command syntax of the access-class command?

access-class access-list-number {in [vrf-also] | out}

What is the significance of the in | out parameters?

The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list.

What are some considerations when configuring access lists on VTYs?

Only numbered access lists can be applied to VTYs. Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

5.2.5

How do you use the built-in editing feature for ACLs?

There is no built-in editing feature that allows you to edit a change in an ACL. You cannot selectively insert or delete lines.

What is the recommended method for configuring ACLs?

It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it onto the router. For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it.

What are the steps to edit and correct ACLs?

Step 1. Display the ACL using the show running-config command.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. Once the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, disable the access list using the no access-list 20 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.

How do you add comments to an ACL? Use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL.

Where is the comment placed in an ACL? The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement.

What is the command syntax to configure a comment?

To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command.

Can comments be added to named ACLs? If so, how?

For an entry in a named ACL, use the remark configuration command.

5.2.6

What are the steps to create a standard named ACL?

Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
Step 4. Apply the ACL to the appropriate interface.

5.2.7

What command displays the contents of all ACLs?

The show access-lists command.

5.2.8

What is another advantage of using named ACLs?

They are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.

5.3.1

What is an advantage of using an extended ACL vs. a standard ACL?

You can use extended ACLs for more precise traffic-filtering control.

How many total extended ACLs are possible? 100 to 199 and 2000 to 2699 providing a total of 800 possible extended ACLs.

How are the filter rules applied when using an extended ACL?

The ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision.

How are applications filtered when using an extended ACL?

Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port.

Describe the logical operations that can be used in extended ACLs.

equal (eq), not equal (neq), greater than (gt), and less than (lt)
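Added example, not part of the study guide: a small Python interpreter for numbered standard and extended access-list entries that applies the rules above (source, source port, destination, destination port, with eq/neq/gt/lt) top down, first match wins, and falls through to the implicit deny from 5.1.4. It uses the guide's ACL 103 plus a constructed ACL 110 in two orders to show the "incorrect order of list statements" error from 5.4.5, and assumes numeric ports and the protocol keywords ip, tcp, udp and icmp only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")          # what the 'any' keyword stands for
PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def wc_match(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard compare: bits may differ only where the wildcard has a 1."""
    a, w, c = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, candidate))
    return ((a ^ c) & ~w & MASK32) == 0

def take_address(tokens: list) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":                          # host A.B.C.D = A.B.C.D 0.0.0.0
        return tokens.pop(0), "0.0.0.0"
    return head, tokens.pop(0)

def take_port(tokens: list) -> Optional[tuple]:
    """Consume an optional 'eq|neq|gt|lt <port>'; None means any port.
    Numeric ports only here, although IOS also accepts well-known port names."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens.pop(0), int(tokens.pop(0))
    return None

@dataclass
class Entry:
    action: str                 # permit | deny
    protocol: str               # ip | tcp | udp | icmp ("ip" for standard ACLs)
    src: tuple                  # (address, wildcard)
    sport: Optional[tuple]      # (operator, port) or None
    dst: tuple
    dport: Optional[tuple]

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int = 0
    dport: int = 0

def parse_entry(line: str) -> Entry:
    """Parse one numbered access-list line; the number range decides the syntax."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny entry: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:         # standard: source only
        return Entry(action, "ip", take_address(rest), None, ANY, None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:      # extended
        protocol = rest.pop(0)
        src, sport = take_address(rest), take_port(rest)
        dst, dport = take_address(rest), take_port(rest)
        return Entry(action, protocol, src, sport, dst, dport)
    raise ValueError(f"{number} is not an IP standard/extended ACL number")

def port_ok(cond: Optional[tuple], port: int) -> bool:
    return cond is None or PORT_OPS[cond[0]](port, cond[1])

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Top to bottom, first match wins: source, source port, destination,
    destination port.  No match means the implicit 'deny any' at the end."""
    for index, e in enumerate(acl):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if not (wc_match(*e.src, pkt.src) and wc_match(*e.dst, pkt.dst)):
            continue
        if not (port_ok(e.sport, pkt.sport) and port_ok(e.dport, pkt.dport)):
            continue
        return e.action, index
    return "deny", None                                     # implicit deny

# The guide's ACL 103, and a constructed pair showing the 5.4.5 ordering error.
ACL_103 = [parse_entry("access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80")]
MISORDERED = [parse_entry(l) for l in ("access-list 110 permit ip any any",
                                       "access-list 110 deny tcp any any eq 23")]
CORRECTED = [parse_entry(l) for l in ("access-list 110 deny tcp any any eq 23",
                                      "access-list 110 permit ip any any")]
```

In MISORDERED the deny line is never reached because the permit above it already matches every packet, so Telnet is let through; swapping the two lines fixes it.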

5.3.2

What is the syntax for configuring an Extended ACL?

Describe the parameters of an Extended ACL.

5.3.4

What are the steps to create extended ACL using names?

Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a named extended ACL.
Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.
Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name] command.
Step 4. As an optional and recommended step, save your entries in the configuration file with the copy running-config startup-config command.

How do you remove a named extended ACL? Use the no ip access-list extended name global configuration command.

5.4.1

List & describe the 3 categories of complex ACLs.

Dynamic ACLs (lock-and-key) - Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Reflexive ACLs - Allows outbound traffic and limits inbound traffic in response to sessions that originate inside the router.

Time-based ACLs - Allows for access control based on the time of day and week.

5.4.2

What is another name for Dynamic ACLs? Lock-and-Key.

What are some common reasons to use dynamic ACLs?

When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.

When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a AAA, TACACS+ server, or other security server before it allows their hosts to access the remote hosts.

What are some of the benefits of Dynamic ACLs?

Use of a challenge mechanism to authenticate individual users.

Simplified management in large internetworks.

In many cases, reduction of the amount of router processing that is required for ACLs.

Reduction of the opportunity for network break-ins by network hackers.

Creation of dynamic user access through a firewall, without compromising other configured security restrictions.

What are the steps to configuring Dynamic ACLs?

Step 1. Create a login name & password for authentication.
Step 2. Configure the ACL to allow the user to open a Telnet session to the router (a time limit can be set).
Step 3. Apply the ACL to the appropriate interface.
Step 4. Configure the vty lines to use login local & enable the use of the autocommand command, which will terminate the Telnet session & the user can access the network as allowed.

5.4.3

What is the purpose of Reflexive ACLs? To force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.

How are Reflexive ACLs applied to an interface? They are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface.

How are Reflexive ACLs defined? They can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.

What are the benefits of Reflexive ACLs?

Help secure your network against network hackers and can be included in a firewall defense.

Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.

Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.

What additional step is required when configuring Reflexive ACLs?

Creation of a policy to track the interesting traffic.

5.4.4

How are Time-Based ACLs implemented? To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.

What are the benefits of Time-Based ACLs? Offers the network administrator more control over permitting or denying access to resources.

Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.

What are the steps to configuring Time-Based ACLs?

Step 1. Define the time range to implement the ACL and give it a name.
Step 2. Apply the time range to the ACL.
Step 3. Apply the ACL to the interface.

How is the time synchronized? The time range relies on the router system clock. The feature works best with Network Time Protocol (NTP) synchronization, but the router clock can be used.

5.4.5

What are some common ACL errors?

Incorrect order of list statements
Incorrect transport protocol used
ACL applied to the wrong interface
ACL applied to the interface in the wrong direction (i.e. inbound)