ACCESS LISTS
Access lists allow Cisco routers to function as a packet filter and are supported for
several protocols. The most common of these protocols are listed in the following
table:
Protocol              Range
IP standard           1 to 99 (and 1300 to 1999 in IOS 12.0 and higher)
IP extended           100 to 199 (and 2000 to 2699 in IOS 12.0 and higher)
Ethernet type code    200 to 299
DECnet                300 to 399
XNS                   400 to 499
Extended XNS          500 to 599
AppleTalk             600 to 699
Ethernet address      700 to 799
IPX standard          800 to 899
IPX extended          900 to 999
IPX SAP               1000 to 1099
Access lists are lists of rules that either permit or deny certain inbound or
outbound traffic from and to particular hosts or networks. The access list and its
rules are applied to one or more interfaces on the router. When the router routes
traffic through these interfaces, the rules in the list are processed sequentially
until a rule matches the traffic; that rule decides whether the traffic is permitted
or denied. When no rule matches, the traffic is denied by default because of the
implicit deny any at the end of every access list. For example, if you deny telnet
traffic to host 172.16.22.139 using the rule access-list 110 deny TCP any host
172.16.22.139 eq TELNET and this is the only rule in the access list, you
effectively deny all IP traffic from entering or leaving the router's interface.
The implicit deny all is, for many, a confusing part of access lists and is often
forgotten in practice, while in fact it is very logical. If you want to protect a
network using a packet filter, you would typically start out by denying all traffic
and from there permit certain hosts or networks to communicate certain traffic.
In addition to protecting private networks from external intruders, access lists are
also commonly used to manage network traffic. For example, if you do not want
certain protocols or services to be available in particular subnets, you can block
only those ports and permit all other traffic. This is also an effective way to
prevent traffic such as ICMP messages and routing updates from traveling over
certain links.
Standard IP Access Lists
Standard IP access lists are used to permit or deny traffic based on one or more
source IP addresses.
Use the access-list command in global configuration mode to create access lists:
router(config)#access-list number deny|permit source|any [log]
Use the ip access-group command in interface configuration mode to bind the
access list to an interface:
router(config-if)#ip access-group number in|out
For example, to prevent hostC from sending traffic to the WAN in the network
depicted in the diagram below, use the following commands.
router(config)#access-list 10 deny 192.168.23.11
router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in
When traffic is sent to the router's Ethernet interface, the rules in access list 10
are processed; if the traffic is sent by hostC, the router drops the packets and
stops processing the rules. The rule access-list 10 permit any is included
because of the implicit deny: there must be at least one permit rule, otherwise
the protocol is completely disabled on the interface as soon as you bind the list.
Wildcard Masks/Inverse Masks
Instead of specifying a single IP address, you can also permit or deny
networks/subnets entirely or partly by using wildcard masks, also known as
inverse masks. To understand this concept, it helps a lot if you have a basic
understanding of subnetting.
The first example is simple: if you want to deny access to all hosts in the network
172.16.23.0 with subnet mask 255.255.255.0, you would use 172.16.23.0
0.0.0.255 as the source in the access-list command. When the router checks
whether the addressing information of an incoming packet matches the denied
address specified in the access list, it only cares about the part of the address
where the corresponding bits in the inverse mask are 0. The part of the address
where the corresponding bits in the inverse mask are set to 1 can be anything (in
this example 0 to 255).
In other situations, where you want to specify a range of addresses whose
boundary between 0s and 1s does not fall exactly between octets, you might need
to convert everything to binary to determine the inverse mask. For example, you
want to specify the network 172.18.16.0 with the subnet mask 255.255.240.0.
Converting this mask to binary shows that its first 20 bits are set to 1
(11111111.11111111.11110000.00000000), so the inverse mask has its first 20 bits
set to 0: 00000000.00000000.00001111.11111111, which is 0.0.15.255 in decimal
notation. This specifies the address range 172.18.16.0 to 172.18.31.255.
If you want the source or destination to be any host from any network, you could
use the address 0.0.0.0 with the inverse mask 255.255.255.255, but to save you
from pressing so many keys you can use the keyword any instead.
In extended access lists the keyword host can be used to replace the 0.0.0.0
inverse mask. Instead of specifying a single address with 192.168.23.11
0.0.0.0, you can use host 192.168.23.11.
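The mask arithmetic described above, as an added Python example that is not part of this TechNote: it derives the inverse mask from a subnet mask, computes the address range the pair covers, and performs the bit comparison the router does. The function names are this example's own.

```python
import ipaddress

def dotted_binary(mask: str) -> str:
    """Render a dotted-decimal mask as dotted binary, as written in the text."""
    return ".".join(format(int(octet), "08b") for octet in mask.split("."))

def inverse_mask(subnet_mask: str) -> str:
    """Flip every bit of the subnet mask to obtain the wildcard (inverse) mask."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def address_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by network/wildcard: bits where the
    wildcard is 0 are fixed, bits where it is 1 may take any value."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    low = n & (~w & 0xFFFFFFFF)
    high = n | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def matches(address: str, network: str, wildcard: str) -> bool:
    """The router's check: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

if __name__ == "__main__":
    # 172.18.16.0 with subnet mask 255.255.240.0, the second example in the text
    print(dotted_binary("255.255.240.0"))              # 11111111.11111111.11110000.00000000
    wc = inverse_mask("255.255.240.0")                 # 0.0.15.255
    print(wc, address_range("172.18.16.0", wc))        # ('172.18.16.0', '172.18.31.255')
    print(matches("172.18.31.7", "172.18.16.0", wc))   # True
    print(matches("172.18.32.1", "172.18.16.0", wc))   # False
    # 'any' is 0.0.0.0 255.255.255.255 and 'host X' is X 0.0.0.0
    print(matches("8.8.8.8", "0.0.0.0", "255.255.255.255"))      # True
    print(matches("192.168.23.12", "192.168.23.11", "0.0.0.0"))  # False
```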
Extended IP Access Lists
Extended IP access lists offer more granular control than standard lists, which
only allow you to deny or permit traffic from a certain source. Extended access
lists allow you to control TCP/IP traffic based on the transport protocol being
used (TCP or UDP) and the service or application (e.g. SMTP, Telnet), from source
addresses AND to destination addresses.
Use the access-list command in global configuration mode to create the access
lists. This command supports numerous arguments, most of which are beyond the
scope of the CCNA exam. At the bottom of this TechNote are links to documents at
Cisco.com explaining the complete syntax. Nevertheless, here is the most
important part:
router(config)#access-list number deny|permit protocol source|any destination|any
When TCP or UDP is used as the protocol argument, two other important
arguments are operator and port. The port argument can be a TCP or UDP port
number or name (e.g. 21 or FTP, 23 or TELNET, 123 or NTP); the operator is
usually eq, which means equal, and other options include lt (less than) and gt
(greater than).
Use the Interface config mode access-group command to apply the access list to
an interface: router(config-if)#ip access-group number in|out
Take a look at the diagram below for example:
You can prevent SMTP traffic originating from the WANs from traveling over link A
to an SMTP server with destination 192.168.115.20 by putting an outbound
extended IP access list on the Serial 0 interface of RouterX and using the
following commands on RouterX (or RouterY):
router(config)#access-list 105 deny TCP any host 192.168.115.20 eq SMTP
router(config)#access-list 105 permit IP any any
router(config)#interface serial 0
router(config-if)#ip access-group 105 out
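The first-match walk and the implicit deny described above (and earlier for list 110), as an added Python model that is not part of this TechNote or of IOS. The rule parser, the packet dictionary and the port-name table are assumptions of this example and cover only the extended-list syntax used on this page.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "ntp": 123}  # assumed subset of IOS names

def wildcard_match(address, network, wildcard):
    """Compare only the bits where the wildcard (inverse) mask is 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_rule(line):
    """Parse 'access-list N deny|permit proto src dst [eq port]' (extended-list subset)."""
    tok = line.lower().split()
    rule = {"action": tok[2], "proto": tok[3], "port": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":                       # same as 0.0.0.0 255.255.255.255
            rule[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":                    # same as address 0.0.0.0
            rule[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:                                     # address followed by its wildcard
            rule[side], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":
        rule["port"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return rule

def evaluate(acl_lines, packet):
    """Walk the list top-down; the first matching rule decides. Returns (action, rule
    index); index None means the implicit deny at the end of the list was hit."""
    for idx, rule in enumerate(parse_rule(line) for line in acl_lines):
        if rule["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *rule["src"]):
            continue
        if not wildcard_match(packet["dst"], *rule["dst"]):
            continue
        if rule["port"] is not None and packet.get("dport") != rule["port"]:
            continue
        return rule["action"], idx
    return "deny", None

# Constructed samples: access list 105 from the text, and the same list without its permit line.
ACL_105 = ["access-list 105 deny TCP any host 192.168.115.20 eq SMTP",
           "access-list 105 permit IP any any"]
ACL_105_DENY_ONLY = ACL_105[:1]
SMTP = {"proto": "tcp", "src": "10.9.8.7", "dst": "192.168.115.20", "dport": 25}
HTTP = {"proto": "tcp", "src": "10.9.8.7", "dst": "192.168.115.20", "dport": 80}

if __name__ == "__main__":
    print(evaluate(ACL_105, SMTP))            # ('deny', 0)
    print(evaluate(ACL_105, HTTP))            # ('permit', 1)
    print(evaluate(ACL_105_DENY_ONLY, HTTP))  # ('deny', None): the implicit deny
```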
Following is another example using the same diagram above. It shows how you
can use extended access lists to control ICMP traffic (used by utilities such as
ping and trace). For example, to prevent the hosts in the Ethernet network
attached to RouterY from using ICMP to communicate with hosts on the other side
of the router, use the following commands on RouterY:
router(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any
router(config)#access-list 102 permit IP any any
router(config)#interface serial 1
router(config-if)#ip access-group 102 out
The following command allows you to remove an access list from an interface:
router(config-if)#no ip access-group number|name in|out
For example: router(config-if)#no ip access-group 102 out
The following command allows you to completely delete an access list from the
configuration:
router(config)#no access-list number|name
For example: router(config)#no access-list 102
Named Access Lists
If your router is running IOS 11.2 or higher, you can create named access lists.
Instead of choosing a number between 1 and 99 for standard IP access lists, you
can use a custom name, allowing for more lists and more convenient management.
The commands to create a named access list are different for standard and
extended access lists.
To create a named access list, use the following command in global configuration
mode:
router(config)#ip access-list {standard | extended} name
This command takes you into access-list configuration mode, where you can
define the deny and permit rules. For example, to create a named access list with
the name wwwfilter that permits only access from the networks 192.168.132.0,
172.17.0.0 and 10.0.0.0, use the following commands:
router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255
Use the exit command to exit access-list configuration mode.
A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out
VTY Lines
You can also use standard access lists to limit access to VTY lines. For example:
router(config)#access-list 50 permit 192.168.23.8
router(config)#line vty 0 4
router(config-line)#access-class 50 in
Monitoring and Verifying
The following commands are useful for monitoring and verifying the operation of
access lists.
The show ip interface command displays which access lists are applied to the
specified interface, for example:
router#show ip interface serial 1
The following command displays the contents of an access list and, if it is applied
to an interface, the number of matches per permit/deny rule:
router#show access-lists [number|name]
If you do not specify an access list number or name, all current access lists are
displayed. You can also use the show ip access-lists command to display one or
all of the current IP access lists.