CHAPTER ONE
Access Lists

Objectives
• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Develop standard IPX access lists
• Create extended IPX access lists
• Define IPX SAP filters
• Apply access lists to interfaces
• Monitor and verify access lists
Access Lists: Usage and Rules
• Network traffic flow and security influence the design and management of computer networks
• Access lists solve many of the problems associated with these two tasks
• Access lists are permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
Access List Usage
• Implicit deny any
  – Blocks all packets that do not meet the requirements of the access list
Figure 10-1: Sample network
Problems with Access Lists
• One of the most common problems associated with access lists is a lack of planning
• Another troublesome area is the sequential nature in which you must enter the list into the router
• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list
Access List Rules
Figure 10-2: No access-list command
Access List Rules
• Inbound
  – Direction parameter used when applying an access list
  – Direction is into the router
• Outbound
  – Direction parameter used when applying an access list
  – Direction is out of the router
Access List Rules
Figure 10-3: The man in the router
Access List Rules
• Routers apply lists sequentially in the order in which you type them into the router
• Routers apply lists to packets sequentially
• Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in access list statements
Access List Rules
• Lists always end with an implicit deny
• Access lists must be applied to an interface as either inbound or outbound traffic filters
• Only one list, per protocol, per direction can be applied to an interface
• Access lists are effective as soon as they are applied
Standard IP Access Lists
• Standard IP access lists
  – Filter network traffic based on the source IP address only
  – Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
• Wildcard mask
  – Also called inverse mask
  – Applied to IP addresses to determine if an access list line will act upon a packet
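The wildcard-mask comparison and the first-match, implicit-deny evaluation described on the preceding slides, as an added example in Python (not part of the chapter; the addresses and list lines are constructed for illustration):

```python
import ipaddress

def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Return True if packet_ip matches acl_ip under the wildcard (inverse) mask.

    A 0 bit in the wildcard mask means "this bit must match"; a 1 bit means
    "ignore this bit". Partial masking (an octet mixing 1s and 0s) needs no
    special case because the comparison is done bit by bit.
    """
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = ~w & 0xFFFFFFFF          # bits the list line cares about
    return (p ^ a) & care_bits == 0

def evaluate(acl, source_ip: str) -> str:
    """Walk the list top to bottom and stop at the first matching line.

    A standard list is a sequence of (action, address, wildcard) tuples.
    Nothing after the first match is consulted, and a packet that matches no
    line hits the implicit 'deny any' that ends every list.
    """
    for action, addr, wildcard in acl:
        if wildcard_match(source_ip, addr, wildcard):
            return action
    return "deny"  # implicit deny any

# Constructed sample list (hypothetical addresses): allow one management host,
# block the rest of its /24, and allow everything else in 172.16.0.0/16.
SAMPLE_ACL = [
    ("permit", "172.16.3.10", "0.0.0.0"),      # host 172.16.3.10
    ("deny",   "172.16.3.0",  "0.0.0.255"),    # 172.16.3.0/24
    ("permit", "172.16.0.0",  "0.0.255.255"),  # 172.16.0.0/16
]

# The same three lines typed in a different order: the deny now shadows the
# host permit, which is the planning mistake the sequential-entry rule warns about.
REORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0], SAMPLE_ACL[2]]

if __name__ == "__main__":
    for ip in ("172.16.3.10", "172.16.3.11", "172.16.9.1", "10.1.1.1"):
        print(f"{ip:>12}: {evaluate(SAMPLE_ACL, ip)} / reordered: {evaluate(REORDERED_ACL, ip)}")
```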
Standard IP Access Lists
Table 10-1: Wildcard mask examples
Standard IP Access Lists
Figure 10-4: Wildcard masking example matching a single host
Standard IP Access Lists
Figure 10-5: Wildcard masking example matching a complete subnet
Standard IP Access Lists
• Partial masking
  – When an octet in a wildcard mask contains a mix of binary 1s and 0s
Figure 10-6: Wildcard masking example using partial masking
Standard IP Access Lists
Figure 10-7: Wildcard masking example without match
Standard IP Access List Examples
Figure 10-8: Sample IP network
Standard IP Access List Examples
Figure 10-9: Creating a standard IP access list
Standard IP Access List Examples
Figure 10-10: Sample IP network with two Ethernet interfaces on RouterB
Standard IP Access List Examples
Figure 10-11: Show access-lists and show ip access-lists commands
Standard IP Access List Examples
Figure 10-12: Show ip interface command
Standard IP Access List Examples
Figure 10-13: Removing an IP access list from an interface
Standard IP Access List Examples
Figure 10-14: Show ip interface after removal of access list 1 from e0
Standard IP Access List Examples
Figure 10-15: Creation and application of a standard IP access list
Standard IP Access List Examples
Figure 10-16: Show access-list and show ip interface commands
Standard IP Access List Examples
Figure 10-17: Access list that blocks multiple subnets
Monitoring Standard IP Access Lists
• Three main commands are available for monitoring access lists on your router:
  – show access-lists
  – show ip access-lists
  – show interfaces or show ip interfaces
• It is a good idea to run each of these commands after creating and applying access lists
Extended IP Access Lists
• IP access lists that filter traffic by:
  – Source IP address
  – Destination IP address
  – Protocol type
  – Port number
Extended IP Access List Examples
Figure 10-18: Sample IP network with a Web server
Extended IP Access List Examples
• Unlike standard IP access lists, extended access lists do not have a default wildcard mask of 0.0.0.0
  – You must specify the wildcard mask for the source IP address
• The host keyword is short for a wildcard mask of 0.0.0.0
  – The line will only be applied to packets that match the one source address specified with the host keyword
Extended IP Access List Examples
Figure 10-19: Extended IP access list example
Extended IP Access List Examples
Figure 10-19 (cont.): Extended IP access list example
Extended IP Access List Examples
Figure 10-20: Extended IP access list example continued
Extended IP Access List Examples
Figure 10-20 (cont.): Extended IP access list example continued
Extended IP Access List Examples
Figure 10-21: Applying an extended IP access list to an interface
Extended IP Access List Examples
Figure 10-22: Removing an extended IP access list from an interface
The “Established” Parameter
• Network administrators often want to block all TCP/IP traffic outside their network from coming into their network
• If you use deny statements to deny all traffic coming in, no one will be able to browse the Web, ping, or perform other network activities that involve a response to a request
• The easiest way around this problem is to use an extended IP access list with an established parameter
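How the established parameter tells a reply apart from a new inbound connection, as an added Python model that is not part of the chapter: an inbound line of the form permit tcp any any established is matched only by TCP segments carrying the ACK or RST bit, so a bare SYN from outside falls through to the implicit deny while return traffic for conversations started from inside is permitted. The list and the TCP header bytes are constructed for the example; note that established applies to TCP only, so an ICMP echo reply would still need its own permit line.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header.
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Extract the flag byte from a TCP header (needs at least 14 bytes)."""
    if len(tcp_header) < 14:
        raise ValueError("truncated TCP header")
    return tcp_header[13]

def is_established(tcp_flags: int) -> bool:
    """Model of the 'established' keyword: the line matches only a segment
    whose ACK or RST bit is set, i.e. one that belongs to a conversation
    already under way. A bare SYN, the first packet of a brand-new inbound
    connection, carries neither bit and so does not match."""
    return bool(tcp_flags & (FLAG_ACK | FLAG_RST))

# Constructed inbound list for the Internet-facing interface, modelled as
# (action, protocol, requires_established). Sources and destinations are
# 'any', i.e. the equivalent of: permit tcp any any established
INBOUND_ACL = [
    ("permit", "tcp", True),
]

def inbound_decision(protocol: str, tcp_flags: int = 0) -> str:
    """First-match evaluation of INBOUND_ACL followed by the implicit deny."""
    for action, proto, needs_established in INBOUND_ACL:
        if proto != protocol:
            continue
        if needs_established and not is_established(tcp_flags):
            continue
        return action
    return "deny"  # implicit deny any: new inbound TCP, UDP and ICMP all land here

def build_tcp_header(flags: int, sport: int = 80, dport: int = 40000) -> bytes:
    """Constructed 20-byte TCP header with the given flags (no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)

if __name__ == "__main__":
    for name, flags in (("new inbound SYN", FLAG_SYN),
                        ("SYN/ACK reply to our request", FLAG_SYN | FLAG_ACK),
                        ("data from server", FLAG_ACK | FLAG_PSH)):
        hdr = build_tcp_header(flags)
        print(f"{name}: {inbound_decision('tcp', tcp_flags_from_header(hdr))}")
    print("udp:", inbound_decision("udp"), "/ icmp echo reply:", inbound_decision("icmp"))
```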
Monitoring Extended IP Access Lists
Figure 10-23: Show ip access-lists command
Monitoring Extended IP Access Lists
Figure 10-24: Clear access-list counters command
Standard IPX Access Lists
• Very similar to their IP cousins
  – One distinct difference
• Can filter based on source and destination addresses
  – Standard IP access lists can only filter based on source addresses
• In all other aspects, they act just like standard IP access lists
Standard IPX Access List Examples
Figure 10-25: Sample IPX network
Standard IPX Access List Examples
Figure 10-26: Standard IPX access-list configuration
Monitoring Standard IPX Lists
Figure 10-27: Show access-list command
Extended IPX Access Lists
• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
Figure 10-28: Configuring extended IPX access-lists
Extended IPX Access Lists
Figure 10-28 (cont.): Configuring extended IPX access-lists
Monitoring Extended IPX Access Lists
Figure 10-29: Show access-lists command
IPX SAP Filters
• Limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients
  – Allows you to limit the “advertising” of particular servers and services to a particular IPX network segment
  – Since SAP advertisements are broadcast, limiting them reduces network traffic
• IPX input SAP filters reduce the number of SAP entries that are placed into a router’s SAP table
IPX SAP Filter Example
Figure 10-30: IPX SAP filter example
IPX SAP Filter Example
Figure 10-31: Applying an IPX SAP filter to an interface
Monitoring IPX SAP Filters
• Like all other access lists, the show access-lists command displays all lists, including all SAP filters defined on the router
• To make sure the list was applied successfully to the interface, use the show ipx interface command
• To remove the SAP filter, use the no access-list [list #] command
• To remove the application of a SAP filter from an interface, use the no ipx input-sap-filter [list #] or no ipx output-sap-filter [list #] command
Using Named Lists
• In Cisco versions 11.2 and above, you can use names instead of numbers to identify your lists
  – These are known as named access lists
• You cannot use the same name for multiple lists
  – Even different types of lists cannot have the same name
• The naming feature allows you to maintain security by using an easily identifiable access list
Chapter Summary
• Access lists are one of the most important IOS tools for controlling network traffic and security
• Access lists are created in a two-step process
• All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
• Access lists, by default, always end in an implicit deny any
• Only one access list per direction per protocol can be applied to an interface
Chapter Summary
• Standard IP access lists filter traffic based on the source IP address of a packet
• Extended IP access lists filter traffic based on the source, destination, protocol type, and application type
• Standard IPX access lists are more complex than standard IP lists
• Extended IPX lists allow you to filter based on IPX protocol type and IPX parameters
• IPX SAP filters allow you to limit the amount of SAP traffic passed by your routers
Chapter Summary
• Each type of access list is identified by its own range of list numbers
Table 10-2: Access list number ranges