Network Bulls
www.networkbulls.com
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
compiled Enable IP access-list compilation
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Let’s take a look at the syntax used when creating a standard access list:
Corp(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
As I said, by using the access-list numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list.
After you choose the access-list number, you need to decide whether you’re creating a permit or deny statement. For this example, you will create a deny statement:
Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
The next step requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny any host or network, you can use an IP address to specify either a single host or a range of them, or you can use the host command to specify a specific host only. The any command is pretty obvious—any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple. Here’s an example using it:
Corp(config)#access-list 10 deny host ?
Hostname or A.B.C.D Host address
Corp(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes that you mean host 172.16.30.2.
But there’s another way to specify either a particular host or a range of hosts—you can use
wildcard masking. In fact, to specify any range of hosts, you have to use wildcard masking in
the access list.
Wildcard Masking
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it’s used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.
When you need to specify a range of addresses, you choose the next-largest block size for
your needs. For example, if you need to specify 34 networks, you need a block size of 64. If
you want to specify 18 hosts, you need a block size of 32. If you only specify 2 networks, then
a block size of 4 would work.
7.2 Configure and apply ACLs based on network filtering requirements
Chapter 7
Implement, verify, and troubleshoot NAT and ACLs
Wildcards are used with the host or network address to tell the router a range of available
addresses to filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, it means that
octet in the address must match exactly. To specify that an octet can be any value, the value
of 255 is used. As an example, here’s how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match up the first three octets exactly, but the fourth octet can be
any value.
Now, that was the easy part. What if you want to specify only a small range of subnets? This
is where the block sizes come in. You have to specify the range of values in a block size. In other
words, you can’t choose to specify 20 networks. You can only specify the exact amount as the
block size value. For example, the range would have to be either 16 or 32, but not 20.
Let’s say that you want to block access to part of the network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block of eight networks (eight values of the third octet) to network 172.16.15.0.
Seriously—it really is easier than it looks—really! I could certainly go through the binary
math for you, but no one needs that. Actually, all you have to do is remember that the wildcard
is always one number less than the block size. So, in our example, the wildcard would be 7
since our block size is 8. If you used a block size of 16, the wildcard would be 15. Easy, huh?
But just in case, we’ll go through some examples to help you nail it. The following example
tells the router to match the first three octets exactly but that the fourth octet can be anything:
Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255
The next example tells the router to match the first two octets and that the last two octets
can be any value:
Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Try to figure out this next line:
Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use a block size of 4.
The range would then be 172.16.16.0 through 172.16.19.0.
The following example shows an access list starting at 172.16.16.0 and going up a block
size of 8 to 172.16.23.0:
Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255
The next example starts at network 172.16.32.0 and goes up a block size of 16 to
172.16.47.0:
Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255
The next example starts at network 172.16.64.0 and goes up a block size of 64 to
172.16.127.0:
Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255
The last example starts at network 192.168.160.0 and goes up a block size of 32 to
192.168.191.255:
Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255
Here are two more things to keep in mind when working with block sizes and wildcards:
Each block size must start at 0 or a multiple of the block size. For example, you can’t say
that you want a block size of 8 and then start at 12. You must use 0–7, 8–15, 16–23, and
so on. For a block size of 32, the ranges are 0–31, 32–63, 64–95, and so on.
The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
Wildcard masking is a crucial skill to master when creating IP access lists.
It’s used identically when creating standard and extended IP access lists.
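To make the block-size rules concrete, here is an added Python example (not code from the original page) that does the wildcard arithmetic in general form: it converts a prefix length, or a host address plus prefix like the ones in the four-LAN exercise later in this section, into a network/wildcard pair; it turns an address range into a single wildcard only when the range is an aligned power-of-two block (the two rules just above); and it matches an address against a network/wildcard entry the way the router does. The addresses in it come from the text or are constructed inputs.

```python
# Added example (not from the original page): wildcard-mask arithmetic for
# Cisco standard/extended ACL entries, generalised from the block-size rules.
import ipaddress


def wildcard_for_prefix(prefix_len):
    """Dotted wildcard mask for a /prefix_len network, e.g. /24 -> 0.0.0.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    host_bits = 32 - prefix_len
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))


def network_and_wildcard(host, prefix_len):
    """Derive the 'network wildcard' pair from a host address and prefix length,
    e.g. ('172.16.144.17', 19) -> ('172.16.128.0', '0.0.31.255')."""
    net = ipaddress.IPv4Network(f"{host}/{prefix_len}", strict=False)
    return str(net.network_address), wildcard_for_prefix(prefix_len)


def range_to_wildcard(first, last):
    """Express the inclusive range first..last as one network/wildcard pair.
    The text's rules apply: the block must be a power of two and must start on
    a multiple of its own size; anything else cannot be a single wildcard."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size <= 0 or size & (size - 1):
        raise ValueError(f"range of {size} addresses is not a power-of-two block")
    if lo % size:
        raise ValueError(f"a block of {size} must start on a multiple of {size}")
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))


def wildcard_match(address, network, wildcard):
    """True if address matches 'network wildcard' as IOS evaluates an entry:
    every bit that is 0 in the wildcard must be equal, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


if __name__ == "__main__":
    print(wildcard_for_prefix(24))                           # 0.0.0.255
    print(network_and_wildcard("172.16.144.17", 19))         # ('172.16.128.0', '0.0.31.255')
    print(range_to_wildcard("172.16.8.0", "172.16.15.255"))  # ('172.16.8.0', '0.0.7.255')
    print(wildcard_match("172.16.19.7", "172.16.16.0", "0.0.3.255"))  # True
    print(wildcard_match("172.16.20.1", "172.16.16.0", "0.0.3.255"))  # False
    try:
        range_to_wildcard("172.16.12.0", "172.16.19.255")    # block of 8 starting at 12
    except ValueError as err:
        print("rejected:", err)
```

range_to_wildcard is the check to run before typing a line: a range that is not an aligned power-of-two block needs two or more entries, not a creative wildcard.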
Standard Access List Example
In this section, you’ll learn how to use a standard access list to stop specific users from gaining
access to the Finance department LAN.
In Figure 7.1, a router has three LAN connections and one WAN connection to the Internet.
Users on the Sales LAN should not have access to the Finance LAN, but they should be
able to access the Internet and the marketing department. The Marketing LAN needs to access
the Finance LAN for application services.
On the router in the figure, the following standard IP access list is configured:
Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any
It’s very important to know that the any command is the same thing as saying the following
using wildcard masking:
Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255
Since the wildcard mask says that none of the octets is to be evaluated, every address matches
the test condition. So, this is functionally the same as using the any keyword.
FIGURE 7.1 IP access list example with three LANs and a WAN connection (Lab_A: Sales on E0, Finance on E1, Marketing on E2, S0/0 to the Internet)
At this point, the access list is configured to deny source addresses from the Sales LAN
access to the Finance LAN and allow everyone else. But remember, no action will be taken
until the access list is applied on an interface in a specific direction. But where should this
access list be placed? If you place it as an incoming access list on E0, you might as well shut
down the Ethernet interface because all of the Sales LAN devices will be denied access to all
networks attached to the router. The best place to apply this access list is on the E1 interface
as an outbound list:
Lab_A(config)#int e1
Lab_A(config-if)#ip access-group 10 out
This completely stops traffic from 172.16.40.0 from getting out Ethernet 1. It has no effect
on the hosts from the Sales LAN accessing the Marketing LAN and the Internet since traffic
to those destinations doesn’t go through interface E1. Any packet trying to exit out E1 will
have to go through the access list first. If there were an inbound list placed on E0, then any
packet trying to enter interface E0 would have to go through the access list before being routed
to an exit interface.
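As an added example (not part of the original text), the Python below models Lab_A from Figure 7.1 just well enough to show the placement point: the same access-list 10 denies Sales everything when applied inbound on E0, but only Sales-to-Finance when applied outbound on E1. The Sales and Finance subnets are from the text; the Marketing subnet 172.16.50.0/24, the Sales host 172.16.40.10 and the destination addresses are assumptions.

```python
# Added example, not code from the original page: a small model of Lab_A from
# Figure 7.1 showing why ACL 10 belongs outbound on E1 rather than inbound on E0.
import ipaddress

# Constructed topology. Sales 172.16.40.0/24 and Finance 172.16.30.0/24 come from
# the text; the Marketing subnet and every host address below are assumptions.
LANS = {
    "e0": ipaddress.IPv4Network("172.16.40.0/24"),   # Sales
    "e1": ipaddress.IPv4Network("172.16.30.0/24"),   # Finance
    "e2": ipaddress.IPv4Network("172.16.50.0/24"),   # Marketing (assumed)
}
WAN = "s0/0"                                          # everything else exits to the Internet

# access-list 10 from the text as (action, source, wildcard);
# 'permit any' written out as 0.0.0.0 255.255.255.255.
ACL_10 = [
    ("deny",   "172.16.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(address, network, wildcard):
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)


def acl_decision(acl, src):
    """Standard ACL: test the source against each entry in order; the first
    match wins and a packet that matches nothing hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def interface_for(address):
    """Interface a directly connected address sits behind; the WAN link otherwise."""
    ip = ipaddress.IPv4Address(address)
    return next((name for name, net in LANS.items() if ip in net), WAN)


def forward(src, dst, acl, applied_on, direction):
    """Forward one packet with `acl` bound to interface `applied_on` in
    `direction` ('in' or 'out'); returns 'permit' or 'deny'."""
    if direction == "in" and interface_for(src) == applied_on:
        return acl_decision(acl, src)
    if direction == "out" and interface_for(dst) == applied_on:
        return acl_decision(acl, src)
    return "permit"   # the packet never crosses the filtered interface/direction


def compare_placements(sales_host="172.16.40.10"):
    """What a Sales host can reach under the two placements the text discusses."""
    targets = {"finance": "172.16.30.5", "marketing": "172.16.50.5", "internet": "203.0.113.10"}
    return {
        placement: {name: forward(sales_host, dst, ACL_10, *placement) for name, dst in targets.items()}
        for placement in (("e0", "in"), ("e1", "out"))
    }


if __name__ == "__main__":
    for placement, result in compare_placements().items():
        print(placement, result)
```

The model only routes between directly connected LANs and a default WAN link, which is all Figure 7.1 needs; it is enough to see that an inbound list on E0 filters every destination while an outbound list on E1 filters only what leaves towards Finance.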
Let’s take a look at another example of a standard access list. Figure 7.2 shows an internetwork
of two routers with three LANs and one serial WAN connection.
You want to stop the Accounting users from accessing the Human Resources server
attached to the Lab_B router but allow all other users access to that LAN. What standard
access list would you create and where would you place it?
The real answer is that you should use an extended access list and place it closest to the source, but the question specifies that you should use a standard access list. Standard access lists, by rule of thumb, are placed closest to the destination—in this example, Ethernet 0 outbound on the Lab_B router. Here is the access list that should be placed on the Lab_B router:
Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out
FIGURE 7.2 IP standard access list example 2 (Lab_A E0 192.168.10.161/27 and Lab_A E1 192.168.10.129/27 on the Accounting LAN, a serial link from Lab_A to Lab_B, and Lab_B E0 on the Human Resources LAN with the Human Resources server 192.168.10.222/27)
Before we move on to restricting Telnet access on a router, let’s take a look at one more
standard access list example, but it will require some thought. In Figure 7.3 you have a router
with four LAN connections and one WAN connection to the Internet.
You need to write an access list that will stop access from each of the four LANs shown in
the diagram to the Internet. Each of the LANs shows a single host’s IP address, and from that
you need to determine the subnet and use wildcards to configure the access list.
Here is an example of what your answer should look like (starting with the network on E0
and working through to E3):
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out
Okay, what would be the purpose of creating this list? If you actually applied this access list
on the router, you’d effectively shut down access to the Internet, so what’s the purpose of even
having an Internet connection? I wrote this exercise so you can practice how to use block sizes
with access lists—which is critical for your success when studying the CCNA objectives.
FIGURE 7.3 IP standard access list example 3 (one host shown per LAN: 172.16.144.17/19 on E0, 172.16.50.173/20 on E1, 172.16.198.94/18 on E2, 172.16.92.10/21 on E3; S0 to the Internet)
Controlling VTY (Telnet) Access
You’ll probably have a difficult time trying to stop users from telnetting to a large router
because any active interface on a router is fair game for VTY access. You could try to create
an extended IP access list that limits Telnet access to every IP address on the router. But if you
did that, you’d have to apply it inbound on every interface, and that really wouldn’t scale well
to a large router with dozens, even hundreds, of interfaces, would it? Here’s a much better
solution: Use a standard IP access list to control access to the VTY lines themselves.
Why does this work? Because when you apply an access list to the VTY lines, you don’t
need to specify the Telnet protocol since access to the VTY implies terminal access. You also
don’t need to specify a destination address, since it really doesn’t matter which interface
address the user used as a target for the Telnet session. You really only need to control where
the user is coming from—their source IP address.
To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to
telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target. Note that line vty 0 4 covers only the first five VTY lines; on a platform that has more (vty 5 15, for example), apply the same access-class to those lines too, or they remain reachable from any source.
Cisco recommends that you use Secure Shell (SSH) instead of Telnet on the VTY lines of a router.
Extended Access Lists
In the standard IP access list example earlier, notice how you had to block all access from the
Sales LAN to the finance department. What if you needed Sales to gain access to a certain
server on the Finance LAN but not to other network services, for security reasons? With a
standard IP access list, you can’t allow users to get to one network service and not another.
Said another way, when you need to make decisions based on both source and destination
addresses, a standard access list won’t allow you to do that since it only makes decisions based
on source address.
But an extended access list will hook you up. That’s because extended access lists allow you
to specify source and destination address as well as the protocol and port number that identify
the upper-layer protocol or application. By using extended access lists, you can effectively allow
users access to a physical LAN and stop them from accessing specific hosts—or even specific
services on those hosts.
Here’s an example of an extended IP access list:
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
compiled Enable IP access-list compilation
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
The first command shows the access-list numbers available. You’ll use the extended access-list range from 100 to 199. Be sure to notice that the range 2000–2699 is also available for extended IP access lists.
At this point, you need to decide what type of list entry you are making. For this example,
you’ll choose a deny list entry.
Corp(config)#access-list 110 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
Once you choose the access-list type, you then need to select a protocol field entry.
Corp(config)#access-list 110 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
If you want to filter by Application layer protocol, you have to choose the
appropriate layer 4 transport protocol after the permit or deny statement. For
example, to filter Telnet or FTP, you choose TCP since both Telnet and FTP
use TCP at the Transport layer. If you were to choose IP, you wouldn’t be
allowed to specify a specific application protocol later.
Here, you’ll choose to filter an Application layer protocol that uses TCP by selecting TCP
as the protocol. You’ll specify the specific TCP port later. Next, you will be prompted for
the source IP address of the host or network (you can choose the any command to allow any
source address):
Corp(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
After the source address is selected, the destination address is chosen:
Corp(config)#access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
In the following example, any source IP address that has a destination IP address of
172.16.30.2 has been denied.
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
You can press Enter here and leave the access list as is. But if you do that, all TCP traffic to host
172.16.30.2 will be denied, regardless of destination port. You can be even more specific: Once
you have the host addresses in place, just specify the type of service you are denying. The following
help screen shows you the available options. You can choose a port number or use the application
or protocol name:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
drip Dynamic Routing Information Protocol (3949)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, fine—that’s allowed. The log keyword writes a syslog message whenever a packet matches the entry, which is a handy way to see inappropriate access attempts; since logged matches cost router CPU, put it on the specific deny entries you want to watch rather than on every line. Here is how to do this:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
You need to keep in mind that the next line is an implicit deny any by default. If you apply
this access list to an interface, you might as well just shut the interface down, since by default
there is an implicit deny all at the end of every access list. You’ve got to follow up the access
list with the following command:
Corp(config)#access-list 110 permit ip any any
Remember, the 0.0.0.0 255.255.255.255 is the same command as any, so the command could look like this:
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Once the access list is created, you need to apply it to an interface (it’s the same command
as the IP standard list):
Corp(config-if)#ip access-group 110 in
Or this:
Corp(config-if)#ip access-group 110 out
In the following section, we’ll look at an example of how to use an extended access list.
Extended Access List Example 1
Using Figure 7.1 from the IP standard access list example earlier, let’s use the same network
and deny access to a host at 172.16.30.5 on the Finance department LAN for both
Telnet and FTP services. All other services on this and all other hosts are acceptable for
the sales and marketing departments to access.
The following access list should be created:
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
The access-list 110 tells the router you are creating an extended IP access list. The tcp
is the protocol field in the Network layer header. If the list doesn’t say tcp here, you cannot
filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they
both use TCP for connection-oriented services.) The any command is the source, which means
any IP address, and the host is the destination IP address.
Remember that instead of using the host 172.16.30.5 command when we
created the extended access list, we could have entered 172.16.30.5 0.0.0.0
and there would be no difference in the result—other than the router would
change the command to host 172.16.30.5 in the running-config.
After the list is created, it needs to be applied to the Ethernet 1 interface outbound. This
applies the policy we created to all hosts and effectively blocks all FTP and Telnet access to
172.16.30.5 from outside the local LAN. If this list were created to only block access from the
Sales LAN, then we’d have put this list closer to the source, or on Ethernet interface 0. So, in
this situation, we’d apply the list to inbound traffic.
Let’s go ahead and apply the list to interface E1 and block all outside FTP and Telnet access to the host:
Lab_A(config)#interface e1
Lab_A(config-if)#ip access-group 110 out
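As an added example (not from the original page), the following Python parses numbered extended access-list lines like the ones above, evaluates constructed packets against them with first-match-wins and the implicit deny, and reproduces the failure mode the text warns about: the same list with permit ip any any left off denies everything else. Only the keywords used in this chapter (any, host, network plus wildcard, eq/neq/gt/lt/range, log) are handled; the Sales host address and the packets are assumptions.

```python
# Added example, not code from the original page: a parser and evaluator for
# the numbered extended ACL syntax covered in this chapter.
import ipaddress


def wildcard_match(address, network, wildcard):
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)


def port_test(op, args, port):
    """The eq/neq/gt/lt/range operators shown in the '... host 172.16.30.2 ?' help."""
    if op is None:
        return True                      # no port test on this entry
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")


def parse_entry(line):
    """Parse one line such as 'access-list 110 deny tcp any host 172.16.30.5 eq 23 log'.
    'host X' becomes X 0.0.0.0 and 'any' becomes 0.0.0.0 255.255.255.255."""
    tok = line.split()
    num = int(tok[1])
    if tok[0] != "access-list" or not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError("not an extended access-list line")
    action, proto = tok[2], tok[3]

    def addr(i):                         # returns ((network, wildcard), next index)
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2

    src, i = addr(4)
    dst, i = addr(i)
    op, args = None, ()
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt", "range"):
        op = tok[i]
        n = 2 if op == "range" else 1
        args = tuple(int(x) for x in tok[i + 1:i + 1 + n])
        i += 1 + n
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "op": op, "args": args, "log": "log" in tok[i:]}


def evaluate(acl, packet):
    """packet = dict(proto, src, dst, dport). Returns (action, matched entry);
    the entry is None when the implicit deny at the end of the list fired."""
    for entry in acl:
        if entry["proto"] not in ("ip", packet["proto"]):
            continue                     # 'ip' matches every protocol
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if not port_test(entry["op"], entry["args"], packet["dport"]):
            continue
        return entry["action"], entry
    return "deny", None


# access-list 110 from Example 1, with 'log' on the Telnet entry as shown earlier.
ACL_110 = [parse_entry(line) for line in (
    "access-list 110 deny tcp any host 172.16.30.5 eq 21",
    "access-list 110 deny tcp any host 172.16.30.5 eq 23 log",
    "access-list 110 permit ip any any",
)]
ACL_110_NO_PERMIT = ACL_110[:2]          # the mistake the text warns about


def demo():
    """Constructed packets from an assumed Sales host 172.16.40.10 to the Finance LAN."""
    base = {"src": "172.16.40.10", "dst": "172.16.30.5"}
    telnet = {**base, "proto": "tcp", "dport": 23}
    ftp = {**base, "proto": "tcp", "dport": 21}
    http = {**base, "proto": "tcp", "dport": 80}
    dns = {**base, "proto": "udp", "dst": "172.16.30.9", "dport": 53}
    return {
        "telnet": evaluate(ACL_110, telnet)[0],
        "ftp": evaluate(ACL_110, ftp)[0],
        "http": evaluate(ACL_110, http)[0],
        "dns": evaluate(ACL_110, dns)[0],
        "http_without_final_permit": evaluate(ACL_110_NO_PERMIT, http)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second return value of evaluate tells you which entry fired and whether it carries log, which is what you would check when deciding where a syslog message came from; None there is the implicit deny, which never logs.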
Extended Access List Example 2
In this example, we’ll again use Figure 7.3, which has four LANs and a serial connection. What we need to do is stop Telnet access to the networks attached to the Ethernet 1 and Ethernet 2 interfaces. A single list applied outbound on both interfaces is not the most efficient choice: every packet leaving Ethernet 1 or Ethernet 2 is checked against every entry, including the entry written for the other LAN, whereas two lists, each carrying only the entry for its own interface, would be shorter and add less delay on each interface. However, since we’re studying the CCNA objectives, we’re going to look at this with only one access list.
The configuration on the router would look something like this, although the answer can vary:
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out
The important information that you need to understand from this list is as follows:
First, you need to verify that the number range is correct for the type of access list you are creating—in this example it’s extended, so the number must fall in 100–199 (or 2000–2699). Second, you need to verify that the protocol field matches the upper-layer process or application—in this example, port 23 (Telnet).
The protocol parameter must be TCP since Telnet uses TCP. If the question stated to use TFTP, for example, then the protocol parameter would have to be UDP since TFTP uses UDP.
Third, verify that the destination port number matches the application you are filtering for—in this case, port 23 matches Telnet, which is correct. Finally, the test statement permit ip any any is important to have at the end of the list to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and Ethernet 2.
Exam Objectives
Understand the standard IP access list configuration command. To configure a standard IP
access list, use the access-list numbers 1–99 or 1300-1999 in global configuration mode.
Choose permit or deny, then choose the source IP address you want to filter on using one of
the three techniques covered earlier.
Understand the extended IP access list configuration command. To configure an extended IP access list, use the access-list numbers 100–199 or 2000–2699 in global configuration mode. Choose permit or deny, the Network layer protocol (ip, tcp, udp, icmp, and so on), the source IP address you want to filter on, the destination address you want to filter on, and finally the Transport layer port test (eq, gt, lt, neq, or range) if the protocol is TCP or UDP.