Chapter 8
Jetking
Release Infotrain Ltd.
16/07/2009
Recall - I
IGRP is a distance-vector routing protocol, which implies that each router sends all or part of its routing table in a routing update message
EIGRP was created using IGRP as the base and adding functionality to enhance IGRP
The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which enables it to determine the shortest route to each destination
When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network
Recall - II
OSPF provides the following advantages:
Open protocol
Scalable
Hierarchical design
Provides multicasting
Stub area
Not-so-stubby area
Access Control List - I
An Access Control List (ACL) is a set of commands grouped together to filter the traffic that enters or leaves an interface
The functions of ACLs include the following:
Reduce network traffic and increase network performance
Control the flow of traffic in the network
Access Control List - II
You must also specify one of the following directions in
which the traffic should be filtered:
Inbound
Outbound
Named ACL
Extended ACL
ACL Processing
ACLs are statements grouped together using a name or number
When an ACL processes a packet on the router, the router performs a number of steps to compare the packet against the ACL statements
The router processes the statements of each ACL in top-down order
If the packet does not match the first ACL statement, the router continues with the next statement, following the same process
Configuring ACL
You must know the guidelines to configure an ACL
You can use the access-list command to create an ACL
The syntax to create an ACL is:
access-list ACL_# permit|deny conditions
To activate the ACL on an interface, enter the following at the command prompt:
interface type slot_#/port_#
ip access-group ACL_# in|out
ACL Numbers and Protocol Types - I
Type                           Numbers
IP Standard                    1-99, 1300-1999
Standard Vines                 1-99
IP Extended                    100-199, 2000-2699
Extended Vines                 100-199
Bridging type code (layer-2)   200-299
DECnet                         300-399
Standard XNS                   400-499
Extended XNS                   500-599
AppleTalk                      600-699
ACL Numbers and Protocol Types - II
Editing Entries
You may need to add, delete or modify an entry in the ACL
In a numbered ACL, you cannot delete a specific entry
The no access-list command allows you to delete an ACL. The syntax of the command is:
no access-list ACL_#
The no access-list ACL_# command deletes the entire list
Wildcard Masking
Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address manually
A wildcard mask bit of 0 or 1 in a bit position implies the following:
0 - Specifies that the bit position of the ACL statement address must match the bit position in the IP address of the packet that is to be examined
1 - Specifies that the bit position of the ACL
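The wildcard rule (a 0 bit must match, a 1 bit is ignored) and the subnet-mask inversion described in the summary, worked through in Python as an added example that is not part of the Jetking slides. The functions wildcard_match, subnet_to_wildcard and address_range and every address used are constructed for this illustration:

```python
# Added example (not from the Jetking slides): the bit-level rule behind a
# Cisco-style wildcard mask, the subnet-mask inversion the slides describe,
# and the address range a statement actually covers. Addresses are constructed.
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(acl_address: str, wildcard: str, packet_address: str) -> bool:
    """True if packet_address matches acl_address under wildcard.

    Wildcard bit 0: the packet bit must equal the statement bit (checked).
    Wildcard bit 1: the bit is ignored (don't care).
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit must match
    return (_to_int(acl_address) & care) == (_to_int(packet_address) & care)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask to get the wildcard mask that matches the whole
    subnet: 255.255.255.0 -> 0.0.0.255, 255.255.252.0 -> 0.0.3.255."""
    return _to_dotted(_to_int(subnet_mask) ^ 0xFFFFFFFF)


def address_range(acl_address: str, wildcard: str) -> tuple:
    """Lowest and highest address the statement can match, plus the count.

    Setting every don't-care bit to 0 gives the low end, to 1 the high end;
    n don't-care bits cover 2**n addresses. With a non-contiguous wildcard
    such as 0.0.254.255 those addresses are not one contiguous block, so the
    count is smaller than the span between low and high.
    """
    acl, wc = _to_int(acl_address), _to_int(wildcard)
    low = acl & ~wc & 0xFFFFFFFF
    high = acl | wc
    count = 2 ** bin(wc).count("1")
    return _to_dotted(low), _to_dotted(high), count


if __name__ == "__main__":
    # Constructed statement: access-list 1 permit 192.168.1.0 0.0.0.255
    for pkt in ("192.168.1.77", "192.168.2.1"):
        print(pkt, wildcard_match("192.168.1.0", "0.0.0.255", pkt))
    # A wildcard of 0.0.0.0 matches one host; 255.255.255.255 matches any address.
    print(wildcard_match("10.1.1.1", "0.0.0.0", "10.1.1.2"))
    print(wildcard_match("0.0.0.0", "255.255.255.255", "203.0.113.9"))
    print(subnet_to_wildcard("255.255.252.0"))
    print(address_range("172.16.8.0", "0.0.3.255"))
    print(address_range("192.168.0.0", "0.0.254.255"))
```

The last call shows why a wildcard is only "similar to" an inverted subnet mask: a wildcard need not be contiguous, and a statement written with 0.0.254.255 matches every subnet with an even third octet while skipping the odd ones, something no subnet mask can express.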
Subnet Masks and Wildcard Masks
Values
Standard Numbered ACL
You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
After creating the standard ACL, you must activate it on the router's interface
The ip access-group command below enables you to activate the ACL on the interface:
ip access-group ACL_number in|out
Extended Numbered ACLs
Extended numbered ACLs are more flexible than standard ACLs because they can filter on both source and destination as well as on the protocol
The syntax of the command to configure an extended numbered ACL is:
access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
TCP and UDP
An extended ACL can filter traffic on IP protocols such as TCP and UDP
The syntax of the command that allows you to configure an extended ACL for TCP or UDP is:
access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]
Operators for TCP and UDP Connections
Operator   Description
lt         Less than
gt         Greater than
eq         Equal to
TCP Port Names and Numbers
Application   Keyword   Port
Telnet        telnet    23
SMTP          smtp      25
WWW           www       80
UDP Port Names and Numbers
Application   Keyword   Port
TFTP          tftp      69
ICMP
ICMP is one of the protocols used with extended ACLs
ICMP does not use ports the way TCP and UDP do, so its statements carry no port operator
The syntax for filtering ICMP traffic is:
access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
The optional icmp_message parameter lets you restrict the statement to a specific ICMP message type
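The ACL processing rules (top-down, first match, permit or deny, and the implicit deny when no statement matches) together with the standard, extended, TCP/UDP and ICMP access-list syntax given above, as an added Python example that is not code from the slides or from Cisco IOS. It parses constructed access-list lines into statements and evaluates constructed packets against them. The IOS shorthands any and host and the ICMP message keyword echo are accepted on the assumption that the reader's IOS supports them; the slides do not show them. The log keyword does not affect matching and is skipped.

```python
# Added example, not code from the Jetking slides: a small parser and evaluator
# for the numbered access-list syntax the slides give (standard 1-99/1300-1999;
# extended 100-199/2000-2699 with tcp/udp operators lt/gt/eq, established and an
# icmp message keyword). `any`, `host` and `echo` are assumed IOS keywords beyond
# the slides; `log` only affects logging and is skipped. All input is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "tftp": 69}  # slides' port tables
OPERATORS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n, "eq": lambda p, n: p == n}
ANY = ("0.0.0.0", "255.255.255.255")


def _addr_match(spec: Tuple[str, str], packet_addr: str) -> bool:
    """Wildcard rule: a bit must match wherever the wildcard bit is 0."""
    addr, wc, pkt = (int(ipaddress.IPv4Address(x)) for x in (spec[0], spec[1], packet_addr))
    return (addr & ~wc) == (pkt & ~wc)


@dataclass
class Entry:
    action: str                                   # "permit" or "deny"
    protocol: str                                 # "ip" for a standard entry
    src: Tuple[str, str]                          # (address, wildcard)
    dst: Tuple[str, str]
    src_port: Optional[Tuple[str, int]] = None    # (operator, port)
    dst_port: Optional[Tuple[str, int]] = None
    icmp_message: Optional[str] = None
    established: bool = False


def _take_address(tokens: List[str], wildcard_required: bool) -> Tuple[str, str]:
    """Consume 'any', 'host A' or 'A [wildcard]' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    if wildcard_required or (tokens and tokens[0] != "log"):
        return (first, tokens.pop(0))
    return (first, "0.0.0.0")     # standard entry without a wildcard: one host


def _take_port(tokens: List[str]) -> Optional[Tuple[str, int]]:
    if tokens and tokens[0] in OPERATORS:         # optional 'lt|gt|eq port'
        op, value = tokens.pop(0), tokens.pop(0)
        return (op, int(PORT_NAMES.get(value, value)))
    return None


def parse_line(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list ACL_# permit|deny ...' command into an Entry."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("unsupported command: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        entry = Entry(action, "ip", _take_address(rest, False), ANY)
    elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
        proto = rest.pop(0)
        src = _take_address(rest, True)
        sport = _take_port(rest) if proto in ("tcp", "udp") else None
        dst = _take_address(rest, True)
        dport = _take_port(rest) if proto in ("tcp", "udp") else None
        entry = Entry(action, proto, src, dst, sport, dport)
        if proto == "icmp" and rest and rest[0] != "log":
            entry.icmp_message = rest.pop(0)
    else:
        raise ValueError("%d is not a standard or extended IP ACL number" % number)
    entry.established = "established" in rest
    return number, entry


def parse_acl(lines: List[str]) -> List[Entry]:
    """Statements keep the order they were entered; that is the evaluation order."""
    return [parse_line(line)[1] for line in lines]


def matches(entry: Entry, pkt: dict) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt["protocol"]:
        return False
    if not (_addr_match(entry.src, pkt["src"]) and _addr_match(entry.dst, pkt["dst"])):
        return False
    for spec, key in ((entry.src_port, "sport"), (entry.dst_port, "dport")):
        if spec and not OPERATORS[spec[0]](pkt[key], spec[1]):
            return False
    if entry.established and not pkt.get("established", False):
        return False
    return entry.icmp_message is None or entry.icmp_message == pkt.get("icmp_message")


def evaluate(entries: List[Entry], pkt: dict) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; a packet matching nothing hits the implicit deny (None)."""
    for index, entry in enumerate(entries, 1):
        if matches(entry, pkt):
            return entry.action, index
    return "deny", None


# Constructed ACL: inside hosts may telnet to one server, replies to inside
# sessions come back, echo requests are dropped and logged, other inside traffic passes.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.5 eq telnet",
    "access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established",
    "access-list 101 deny icmp any any echo log",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
```

A new connection from outside (no ACK set, so established does not hold) matches none of the four statements and returns ("deny", None): that is the implicit deny at the end of every list, which drops traffic a list never names even when it contains only permit statements. The same segment with established set matches statement 2 and is permitted.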
ICMP Messages
Message Type Description
Controlling Telnet Access to a Router
Standard IP ACLs control telnet access to the router. The access-class command enables you to accomplish this. The syntax of this command is:
access-class standard_ACL_# in|out
Cisco routers enable you to restrict telnet access for normal users
You can configure your router to allow telnet access only for the network administrators
Named ACLs
Named ACLs support both IP and IPX protocols
The ip access-list command allows you to create a named ACL
The syntax for this command is:
ip access-list standard|extended ACL_name
After creating a named ACL, you have to activate it on the router interface
The ip access-group command given below enables you to activate the named ACL:
ip access-group ACL_name in|out
Verifying and Monitoring Access Control Lists
To view the ACLs that are activated on the router's interfaces, use the following command:
show ip interfaces
Cisco allows you to monitor each statement in the ACL. To view the statements in the ACL, use the following commands:
show access-lists [ACL_#_or_name]
show ip access-list [ACL_#_or_name]
Placing ACLs
You have to decide the placement of an ACL depending on the source and destination addresses to be filtered
You must consider the following while placing the ACLs:
Standard ACL
Extended ACL
Case Study
The Gujarat branch of the Blue Diamond steel company has recruited a few engineers in the Software Management department. The company gets a new project from its client in Delhi. The new engineers need to work only on the software application assigned to them and should access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.
Network of the Organization
Problem
Suggested Solution
Summary - I
An access control list is a set of commands grouped together to filter the traffic that enters or leaves an interface
ACLs are statements grouped together using a name or number. When an ACL processes a packet on the router, the router performs a number of steps to compare the packet against the ACL statements
After building an IP ACL, you have to apply it to a process in the IOS
Extended numbered ACLs are more flexible than standard ACLs
Summary - II
If the router locates a match between the packet and a statement, the router executes one of the two actions included with the statement. The actions are:
Permit
Deny
Summary - III
A wildcard mask is similar to an inverted subnet mask. If you want to match any address in a subnet or network, take the subnet mask and invert its bit values
You must consider the following while placing the ACLs:
Standard ACL - Needs to be placed close to the destination device that you want to prevent the source from reaching, because it can filter only on the source address
Extended ACL - Needs to be placed close to the source device, because it can filter on both the source and the destination address and so drops unwanted traffic before it crosses the network