Interconnecting Cisco Network Devices - ICND - v2.3 Volume 2
Interconnecting Cisco
Network Devices
Volume 2
Version 2.3
Student Guide
Text Part Number: 97-2322-02
2006, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica
Croatia Cyprus Czech Republic Denmark Dubai, UAE Finland France Germany Greece
Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia
Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania
Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland
Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
2006 Cisco Systems, Inc. All rights reserved. CCSP, the Cisco Square Bridge logo, Follow Me
Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play,
and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX,
Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco
IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the
Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive,
GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar,
Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView
Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY
OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO
SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING,
USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be
accurate, it falls subject to the disclaimer above.
Students, this letter describes important
course evaluation access information!
Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program,
Cisco Systems is committed to bringing you the highest-quality training in the industry.
Cisco learning products are designed to advance your professional goals and give you the
expertise you need to build and maintain strategic networks.
Cisco relies on customer feedback to guide business decisions; therefore, your valuable
input will help shape future Cisco course curricula, products, and training offerings.
We would appreciate a few minutes of your time to complete a brief Cisco online course
evaluation of your instructor and the course materials in this student kit. On the final day
of class, your instructor will provide you with a URL directing you to a short post-course
evaluation. If there is no Internet access in the classroom, please complete the evaluation
within the next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your Internet
technology training.
Sincerely,
Cisco Systems Learning
Table of Contents
Volume 2
Managing IP Traffic with ACLs 4-1
Overview 4-1
Module Objectives 4-1
Introducing ACLs 4-3
Overview 4-3
Objectives 4-3
ACL Overview 4-4
Example: ACL Implementation 4-4
ACL Applications 4-5
Types of ACLs 4-7
ACL Identification 4-8
ACL Operations 4-11
Example: Outbound ACL 4-12
ACL Statement Processing 4-13
Wildcard Masking Process 4-14
Example: Wildcard Masking Process with a Single IP Address 4-15
Wildcard Masking Process with a Match Any IP Address 4-16
Example: Wildcard Masking Process for IP Subnets 4-17
Summary 4-18
Configuring IP ACLs 4-21
Overview 4-21
Objectives 4-21
Implementing ACLs 4-22
ACL Configuration 4-23
Configuring Standard IP ACLs 4-24
Example: Standard ACL - Permit My Network Only 4-26
Example: Standard IP ACL - Deny a Specific Host 4-27
Example: Standard IP ACL - Deny a Specific Subnet 4-28
Configuring Extended IP ACLs 4-29
Example: Extended ACL - Deny FTP from Subnets 4-31
Example: Extended ACL - Deny Only Telnet from Subnet 4-32
Using Named ACLs 4-33
Configuring vty ACLs 4-34
Example: vty Access 4-37
Guidelines for Placing ACLs 4-38
Example: Placing IP ACLs 4-39
Verifying the ACL Configuration 4-40
Summary 4-42
ii Interconnecting Cisco Network Devices (ICND) v2.3 2006, Cisco Systems, Inc.
Scaling the Network with NAT and PAT 4-45
Overview 4-45
Objectives 4-45
Introducing NAT and PAT 4-46
Translating Inside Source Addresses 4-49
Example: Translating Inside Source Addresses 4-49
Example: Static NAT Address Mapping 4-52
Example: Dynamic Address Translation 4-54
Overloading an Inside Global Address 4-55
Example: Overloading an Inside Global Address 4-55
Verifying the NAT and PAT Configuration 4-59
Example: Cannot Ping Remote Host 4-61
Troubleshooting the NAT and PAT Configuration 4-63
Example: Using the debug ip nat Command 4-64
Summary 4-65
Module Summary 4-66
Module Self-Check 4-67
Module Self-Check Answer Key 4-72
Establishing Serial Point-to-Point Connections 5-1
Overview 5-1
Module Objectives 5-1
Introducing Wide-Area Networks 5-3
Overview 5-3
Objectives 5-3
WAN Overview 5-4
WAN Connection Types 5-5
WAN Components 5-6
WAN Cabling 5-7
Layer 2 Encapsulation Protocols 5-9
Summary 5-11
Configuring Serial Point-to-Point Encapsulation 5-13
Overview 5-13
Objectives 5-13
HDLC Encapsulation Configuration 5-14
PPP Layered Architecture 5-16
PPP Configuration 5-18
PPP Session Establishment 5-19
PPP Authentication Protocols 5-20
PPP Authentication Configuration 5-22
Example: CHAP Configuration 5-26
Serial Encapsulation Configuration Verification 5-27
Example: Verifying HDLC and PPP Encapsulation Configuration 5-27
PPP Authentication Configuration Troubleshooting 5-28
Example: Verifying PPP Authentication 5-28
Summary 5-32
Module Summary 5-35
Module Self-Check 5-36
Module Self-Check Answer Key 5-40
Establishing Frame Relay Connections 6-1
Overview 6-1
Module Objectives 6-1
Introducing Frame Relay 6-3
Overview 6-3
Objectives 6-3
Frame Relay Overview 6-4
Frame Relay Stack Layered Support 6-5
Frame Relay Terminology 6-6
Example: Frame Relay Terminology - DLCI 6-7
Frame Relay Topologies 6-8
Reachability Issues in Frame Relay 6-10
Reachability Issue Resolution 6-12
Frame Relay Address Mapping 6-13
Example: Frame Relay Address Mapping 6-13
Frame Relay Signaling 6-14
Example: Inverse ARP and LMI Operation 6-16
How Service Providers Map Frame Relay DLCIs 6-17
Example: Mapping Frame Relay DLCIs - Service Provider View 6-17
Example: Mapping Frame Relay DLCIs - Enterprise View 6-18
Service Provider Frame Relay-to-ATM Internetworking 6-19
Summary 6-21
Configuring Frame Relay 6-23
Overview 6-23
Objectives 6-23
Basic Frame Relay Network Configuration 6-24
Static Frame Relay Map Configuration 6-26
Frame Relay Subinterface Configuration 6-28
Example: Configuring Point-to-Point Subinterfaces 6-29
Example: Multipoint Subinterface Configuration 6-31
Basic Frame Relay Operation Verification 6-32
Basic Frame Relay Operation Troubleshooting 6-40
Summary 6-44
Module Summary 6-45
Module Self-Check 6-46
Module Self-Check Answer Key 6-50
Completing ISDN Calls 7-1
Overview 7-1
Module Objectives 7-1
Configuring ISDN BRI and PRI 7-3
Overview 7-3
Objectives 7-3
ISDN Overview 7-4
ISDN Standards 7-5
ISDN Access Methods 7-7
ISDN BRI or PRI Call Establishment 7-8
Example: BRI and PRI Call Processing 7-8
ISDN Functions and Reference Points 7-9
Router ISDN Interface Determination 7-11
ISDN Switch Types 7-13
ISDN BRI Configuration 7-15
ISDN PRI Configuration 7-17
Example: ISDN PRI Configuration 7-19
ISDN Configuration Verification 7-20
ISDN Configuration Troubleshooting 7-21
Summary 7-23
Configuring Dial-on-Demand Routing 7-25
Overview 7-25
Objectives 7-25
DDR Overview 7-26
DDR Operation 7-28
Legacy DDR Configuration 7-30
Static Routes for DDR Defined 7-31
Interesting Traffic for DDR 7-33
DDR Dialer Information Configuration 7-35
Example: Legacy DDR Configuration Tasks 7-39
ISDN PRI and Legacy DDR Configuration 7-41
Example: Dialer Profile Configuration Concepts 7-43
DDR Configuration Verification 7-46
Example: Verifying Dialer Profile Operation 7-47
DDR Configuration Troubleshooting 7-48
Example: debug isdn q921 7-49
Example: debug isdn q931 7-50
Troubleshooting Inbound Calls 7-51
Troubleshooting Outbound Calls 7-52
Summary 7-54
Module Summary 7-56
Module Self-Check 7-57
Module Self-Check Answer Key 7-63
Module 4
Managing IP Traffic with ACLs
Overview
Standard and extended Cisco IOS access control lists (ACLs) are used to classify IP packets.
You can apply a number of features, such as access control (security), encryption, policy-based
routing, quality of service (QoS), Network Address Translation (NAT), and port address
translation (PAT), to the classified packets. You can also configure standard and extended IOS
ACLs on router and switch interfaces. IOS features are applied on interfaces for specific
directions (inbound versus outbound). Some features use ACLs globally. This module describes
the operation of different types of ACLs and shows you how to configure IP ACLs.
Module Objectives
Upon completing this module, you will be able to configure different types of IP ACLs in order
to manage IP traffic. This ability includes being able to meet these objectives:
Describe how Cisco IOS software processes ACLs
Configure IP ACLs
Configure NAT and PAT on Cisco routers
Lesson 1
Introducing ACLs
Overview
Access control lists (ACLs) provide an important network security feature. With ACLs, you
can classify and filter packets on inbound and outbound router interfaces and access ports.
Understanding the uses of ACLs enables you to determine how to implement them on your
Cisco network. This lesson describes some of the applications for ACLs on Cisco Systems
networks and explains how Cisco IOS software processes ACLs.
Objectives
Upon completing this lesson, you will be able to describe how IOS software processes ACLs.
This ability includes being able to meet these objectives:
Explain the purpose of ACLs
Explain the various applications for ACLs on Cisco Systems networks
Describe the different types of ACLs
Describe how ACLs operate
Explain how Cisco IOS software processes ACL statements
Explain the wildcard masking process
ACL Overview
ACLs are lists that are kept by routers to identify particular traffic. ACLs also manage IP traffic
as network access grows. This topic describes the purpose of ACLs.
2006 Cisco Systems, Inc. All rights reserved. ICND v2.34-3
Why Use ACLs?
Manage IP traffic as network access grows
Filter packets as they pass through the router
The earliest routed networks connected a modest number of LANs and hosts. As router
connections to legacy and outside networks increase and use of the Internet increases, access
control presents new challenges. Network administrators face the dilemma of how to deny
unwanted traffic while allowing appropriate access. Although tools such as passwords, callback
equipment, and physical security devices are helpful, they often lack the flexible and specific
controls that most administrators prefer.
ACLs offer an important tool for controlling traffic on the network. These lists allow you to
filter the packet flow into or out of router interfaces to help limit network traffic and restrict
network use by certain users or devices.
Example: ACL Implementation
The figure illustrates the main reason that a network administrator would employ ACLs. The
network originally includes a single Ethernet segment. The workstation represents the
administrator console to the router.
As the network grows, the administrator now has to deal with traffic from multiple networks,
devices, and the Internet. In order to filter the extensive traffic and secure the networks, the
administrator can implement ACLs.
ACL Applications
This topic describes the applications for ACLs on Cisco networks.
ACL Applications
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted onto all parts of your network.
Packet filtering helps control packet movement through the network. ACLs filter traffic going
through the router, but they do not filter traffic that originates from the router. Cisco provides
ACLs to permit or deny the crossing of packets to or from specified router interfaces. ACLs can
also be applied to the vty ports of the router to permit or deny Telnet traffic into or out the
router vty ports.
Other ACL Uses
Special handling for traffic based on packet tests
IP ACLs can classify and differentiate traffic, which enables you to assign different traffic
types to different software output queues when there is congestion. Classifying and
differentiating traffic is useful in supporting QoS requirements for different traffic. Priority
queuing and custom queuing are two of the queuing techniques available in IOS software.
ACLs can also identify the interesting traffic that triggers dial-on-demand routing (DDR), and
you can use ACLs to filter routing protocol updates sent to or from the router.
Types of ACLs
This topic describes the types of ACLs.
Types of ACLs
Standard ACL
Checks source address
Generally permits or denies entire protocol suite
Extended ACL
Checks source and destination address
Generally permits or denies specific protocols
ACLs are optional mechanisms in IOS software that you can configure to filter or test packets
to determine whether to forward the packets to their destination or discard them.
The two general types of ACLs are as follows:
Standard ACLs: Standard IP ACLs check the source addresses of packets that could be
routed. The result permits or denies output for an entire protocol suite, based on the source
network, subnet, or host IP address.
Extended ACLs: Extended IP ACLs check both source and destination packet addresses.
They can also check for specific protocols, port numbers, and other parameters, allowing
administrators more flexibility and control.
How to Identify ACLs
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses,
specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range).
Extended IP lists (2000-2699) (expanded range).
Other ACL number ranges test conditions for other networking protocols.
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).
ACL Identification
The figure shows the number ranges of the ACL types for IP.
An administrator enters an ACL number as the first argument of the global ACL statement. The
router identifies which ACL software to use based on this numbered entry. ACL statements
contain test conditions. These test conditions specify tests according to the rules of the given
protocol suite. The test conditions for an ACL vary by protocol.
Many ACLs are possible for a protocol. Select a different ACL number for each new ACL
within a given protocol. However, you can specify only one ACL per protocol, per direction,
per interface.
Specifying an ACL number from 1 to 99 or 1300 to 1999 instructs the router to accept standard
IP ACL statements. Specifying an ACL number from 100 to 199 or 2000 to 2699 instructs the
router to accept extended IP ACL statements.
The named ACL feature allows you to identify IP standard and extended ACLs with an
alphanumeric string (name) instead of the numeric representations. Named IP ACLs allow you
to delete, but not insert, individual entries in a specific ACL.
Testing Packets with Standard ACLs
Standard ACLs (numbered 1 to 99 and 1300 to 1999) filter packets based on a source address
and mask, and they permit or deny the entire TCP/IP protocol suite. This standard ACL
filtering may not provide the filtering control you require. You may need a more precise way to
filter your network traffic.
Testing Packets with Extended ACLs
For more precise traffic-filtering control, use extended IP ACLs (numbered 100 to 199 and
2000 to 2699), which check for the source and destination address. In addition, at the end of the
extended ACL statement, you can specify the protocol and optional TCP or User Datagram
Protocol (UDP) port number to filter more precisely. Port numbers can be well-known port
numbers. A few of the most common port numbers are shown in the table.
Well-Known Port Numbers and IP Protocols
Well-Known Port Number (Decimal) IP Protocol
20 (TCP) FTP data
21 (TCP) FTP control
23 (TCP) Telnet
25 (TCP) Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP) Domain Name System (DNS)
69 (UDP) TFTP
80 (TCP) HTTP
ACL Operations
This topic describes how ACLs operate.
Outbound ACL Operation
If no ACL statement matches, discard the packet.
ACLs express the set of rules that give added control for packets that enter inbound interfaces,
packets that relay through the router, and packets that exit outbound interfaces of the router.
ACLs do not act on packets that originate from the router itself. Instead, ACLs are statements
that specify conditions of how the router will handle the traffic flow through specified
interfaces.
ACLs operate in two ways.
Inbound ACLs: Incoming packets are processed before they are routed to an outbound
interface. An inbound ACL is efficient because it saves the overhead of routing lookups if
the packet is to be discarded after it is denied by the filtering tests. If the packet is permitted
by the tests, it is then processed for routing.
Outbound ACLs: Incoming packets are routed to the outbound interface, then they are
processed through the outbound ACL.
Example: Outbound ACL
The figure shows an example of an outbound ACL. The beginning of the process is the same,
regardless of whether outbound ACLs are used. When a packet enters an interface, the router
checks the routing table to see if the packet is routable. If the packet is not routable, the packet
is dropped.
Next, the router checks to see whether the destination interface is grouped to an ACL. If the
destination interface is not grouped to an ACL, the packet can be sent to the output buffer.
Some examples of outbound ACL operation are as follows:
If the outbound interface is S0, which has not been grouped to an outbound ACL, the
packet is sent to S0 directly.
If the outbound interface is E0, which has been grouped to an outbound ACL, the packet is
not sent out on E0 until it is tested by the combination of ACL statements associated with
that interface. Based on the ACL tests, the packet will be permitted or denied.
For outbound lists, to permit means to send the packet to the output buffer and to deny
means to discard the packet. For inbound lists, to permit means to continue to process the
packet after receiving it on an inbound interface and to deny means to discard the packet.
When discarding packets, some protocols return a special packet to notify the sender that
the destination is unreachable. For the IP protocol, an ACL discard will result in a
Destination unreachable (U.U.U.) response to a ping, and an Administratively
prohibited (!A * !A) response to a traceroute.
ACL Statement Processing
This topic describes how IOS software processes ACL statements.
A List of Tests: Deny or Permit
ACL statements operate in sequential, logical order. ACL statements evaluate packets from the
top down, one statement at a time. If a packet header and an ACL statement match, the rest of
the statements in the list are skipped and the packet is permitted or denied as determined by the
matched statement. If a packet header does not match an ACL statement, the packet will be
tested against the next statement in the list. This matching process continues until the end of the
list is reached.
A final implied statement covers all packets for which conditions did not test true. This final
test condition matches all other packets and results in a deny instruction. Instead of
proceeding into or out of an interface, all these remaining packets are dropped. This final
statement is often referred to as the implicit deny any statement. Because of the implicit deny
any statement, an ACL should have at least one permit statement in it; otherwise, the ACL will
block all traffic.
You can apply an ACL to multiple interfaces. However, there can be only one ACL per
protocol, per direction, per interface.
Wildcard Masking Process
This topic describes how wildcard masking is used with ACLs.
Wildcard Bits: How to Check the Corresponding Address Bits
0 means check value of corresponding address bit.
1 means ignore value of corresponding address bit.
Address filtering occurs when you use ACL address wildcard masking to identify how to check
or ignore corresponding IP address bits. Wildcard masking for IP address bits uses the number
1 and the number 0 to identify how to treat the corresponding IP address bits, as follows:
Wildcard mask bit 0: Check the corresponding bit value in the address.
Wildcard mask bit 1: Do not check (ignore) that corresponding bit value in the address.
Note A wildcard mask is sometimes referred to as an inverted mask.
By carefully setting wildcard masks, you can permit or deny tests with one ACL statement.
You can select a single IP address or any IP address.
The figure illustrates how to check corresponding address bits.
Note Wildcard masking for ACLs operates differently from an IP subnet mask. A 0 in a bit
position of the ACL mask indicates that the corresponding bit in the address must be
checked. A 1 in a bit position of the ACL mask indicates that the corresponding bit in the
address is not interesting and can be ignored.
Wildcard Bits to Match a Specific IP Host Address
Check all of the address bits (match all).
Verify an IP host address, for example:
172.30.16.29 0.0.0.0 checks all of the address bits.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
The 0 and 1 bits in an ACL wildcard mask cause the ACL to either check or ignore the
corresponding bit in the IP address.
Example: Wildcard Masking Process with a Single IP Address
Consider that you want to specify that a specific IP host address will be denied in an ACL test.
To indicate a host IP address, you would enter the full address, for example, 172.30.16.29.
Then, to indicate that the ACL should check all the bits in the address, the corresponding
wildcard mask bits for this address would be all 0s, that is, 0.0.0.0.
Working with decimal representations of binary wildcard mask bits can be tedious. For the
most common uses of wildcard masking, you can use abbreviations. These abbreviation words
reduce how many numbers you are required to enter while configuring address test conditions.
For example, you can use an abbreviation instead of a long wildcard mask string when you
want to match a host address.
You can use the abbreviation host to communicate this same test condition to IOS ACL
software. In the example, instead of entering 172.30.16.29 0.0.0.0, you can use the string host
172.30.16.29.
Wildcard Bits to Match Any IP Address
Test conditions: Ignore all the address bits (match any).
An IP host address, for example:
Accept any address: any
Abbreviate expression with keyword any
Wildcard Masking Process with a Match Any IP Address
IOS software will also permit an abbreviation term in the ACL wildcard mask when you want
to match all the bits of any IP address.
Consider that you want to specify that any address will be permitted in an ACL test. To indicate
any IP address, you would enter the IP address of 0.0.0.0. Then, to indicate that the ACL should
ignore (allow without checking) any bit value within the IP address, the corresponding wildcard
mask bits for this address would be all ones (255.255.255.255).
You can use the abbreviation any to communicate this same test condition to IOS ACL
software. In the example, instead of entering 0.0.0.0 255.255.255.255, you can use the word
any by itself as the keyword.
Wildcard Bits to Match IP Subnets
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask:
172.30.16.0 0.0.15.255
Example: Wildcard Masking Process for IP Subnets
In the figure, an administrator wants to test a range of IP subnets that will be permitted or
denied. Assume that the IP address is a class B address (the first two octets are the network
number) with 8 bits of subnetting (the third octet is for subnets). The administrator wants to use
the IP wildcard masking bits to match subnets 172.30.16.0/24 to 172.30.31.0/24.
To use one ACL statement to match this range of subnets, the IP address to be used in the ACL
will be 172.30.16.0 (the first subnet to be matched) followed by the required wildcard mask.
First, the wildcard mask will check the first two octets (172.30) of the IP address using
corresponding 0 bits in the first two octets of the wildcard mask.
Because there is no interest in an individual host, the wildcard mask will ignore the final octet
by setting every bit of that octet to 1 in the wildcard mask; that is, the final octet of the
wildcard mask is 255 in decimal (binary 11111111).
In the third octet, where the subnet address occurs, the wildcard mask of decimal 15, or binary
00001111, will match the high-order 4 bits of the IP address. In this case, the wildcard mask
will match subnets starting with the 172.30.16.0/24 subnet. For the final (low-end) 4 bits in this
octet, the wildcard mask will indicate that the bits can be ignored. In these positions, the
address value can be binary 0 or binary 1. Thus, the wildcard mask matches subnets 16, 17, 18,
and so on up to subnet 31. The wildcard mask will not match any other subnets.
In this example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets
172.30.16.0/24 to 172.30.31.0/24.
In some cases, you must use more than one ACL statement to match a range of subnets; for
example, to match 10.1.4.0/24 to 10.1.8.0/24, use 10.1.4.0 0.0.3.255 and 10.1.8.0 0.0.0.255.
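The following Python is an added worked example, not Cisco's code or part of the student guide. It models what the lesson describes: wildcard matching of a single address, the host and any abbreviations, top-down first-match processing with the implicit deny any at the end of the list, and enumeration of the /24 subnets that an address/wildcard pair such as 172.30.16.0 0.0.15.255 covers. The statement syntax and the sample list are constructed here and carry only the source-address test of a standard ACL.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, wildcard, candidate):
    """Apply the wildcard mask: a 0 bit means the candidate must carry the
    same bit as addr, a 1 bit is ignored. The bits to compare are therefore
    the complement of the wildcard."""
    check = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & check) == (to_int(candidate) & check)


def parse_statement(line):
    """Expand the abbreviations the lesson describes:
    'host X' -> X 0.0.0.0 and 'any' -> 0.0.0.0 255.255.255.255.
    Returns (action, address, wildcard)."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError("statement must start with permit or deny: " + line)
    if tokens[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if tokens[1] == "host":
        return action, tokens[2], "0.0.0.0"
    return action, tokens[1], tokens[2]


def evaluate(acl, source):
    """Top down, first match wins. Returns (action, index) with the 0-based
    index of the statement that fired, or ('deny', None) when nothing matched
    and the implicit deny any at the end of the list applies."""
    for index, line in enumerate(acl):
        action, addr, wild = parse_statement(line)
        if wildcard_match(addr, wild, source):
            return action, index
    return "deny", None


def matched_subnets(addr, wildcard):
    """List the /24 subnets (every value of the third octet under the first two
    octets of addr) that an address/wildcard pair matches. Assumes the wildcard
    ignores the final octet (ends in 255), as in the lesson's subnet examples."""
    first, second = addr.split(".")[:2]
    return [
        "%s.%s.%d.0/24" % (first, second, third)
        for third in range(256)
        if wildcard_match(addr, wildcard, "%s.%s.%d.0" % (first, second, third))
    ]


# Constructed sample list. There is deliberately no 'permit any' at the end,
# so any source outside 172.30.16.0-172.30.31.255 hits the implicit deny.
SAMPLE_ACL = [
    "deny host 172.30.16.29",
    "permit 172.30.16.0 0.0.15.255",
]

if __name__ == "__main__":
    for src in ("172.30.16.29", "172.30.20.7", "172.30.32.1"):
        print(src, evaluate(SAMPLE_ACL, src))
    print(matched_subnets("172.30.16.0", "0.0.15.255"))
    # 10.1.4.0/24 to 10.1.8.0/24 needs two statements, as the text notes.
    print(matched_subnets("10.1.4.0", "0.0.3.255")
          + matched_subnets("10.1.8.0", "0.0.0.255"))
```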
Summary
This topic summarizes the key points discussed in this lesson.
ACLs allow the packet flow to be filtered into or out of router
interfaces and vty ports to help limit network traffic and
restrict network use by certain users or devices.
ACLs can be used to classify and differentiate traffic for
special handling.
Standard ACLs check the source addresses of packets that
could be routed. Extended ACLs check both source and
destination packet addresses.
Summary (Cont.)
Inbound ACLs process incoming packets as they enter the
router. Outbound ACLs process outgoing packets before they
leave an outbound interface.
ACL statements operate in sequential, logical order. ACL
statements evaluate packets from the top down, one
statement at a time, until a matching statement is found.
ACL address wildcard masking can be used to identify how to
check or ignore corresponding IP address bits. Wildcard
masking uses the number 1 and the number 0 to identify how
to treat the corresponding IP address bits.
Lesson 2
Configuring IP ACLs
Overview
Cisco IOS standard and extended access control lists (ACLs) provide a number of features,
such as access control (security), encryption, and policy-based routing, that you can use for
classifying packets. You can also configure standard and extended ACLs on router interfaces
and apply them to routed packets.
Controlling traffic to certain networks, hosts, and servers is an important component of overall
network security. This lesson describes how to configure and verify IP standard and
extended ACLs.
Objectives
Upon completing this lesson, you will be able to use standard and extended ACLs to classify
packets in order to control traffic to certain networks. This ability includes being able to meet
these objectives:
Describe the guidelines and commands for implementing ACLs
Configure standard IP ACLs on a Cisco router
Configure extended IP ACLs on a Cisco router
Explain how named IP ACLs are used
Configure vty ACLs
Describe the guidelines for placing ACLs
Use the show commands to verify ACL configuration
Implementing ACLs
This topic provides some general guidelines and commands to help you implement ACLs.
ACL Configuration Guidelines
ACL numbers indicate which protocol is filtered.
One ACL per interface, per protocol, per direction is allowed.
The order of ACL statements controls testing.
The most restrictive statements go at the top of the list.
The last ACL test is always an implicit deny any statement, so
every list needs at least one permit statement.
ACLs must be created before applying them to interfaces.
ACLs filter traffic going through the router. ACLs do not filter
traffic originating from the router.
Well-designed and well-implemented ACLs add an important security component to your
network. Follow these general principles to ensure that the ACLs you create have the intended
results:
Use numbers only from the assigned range for the protocol and type of list you are creating.
Only one ACL per protocol, per direction, per interface is allowed. Multiple ACLs are
permitted per interface, but each must be for a different protocol.
Your ACL should be organized to allow processing from the top down.
Organize your ACL so that more specific references in a network or subnet appear
before more general ones. Place conditions that occur more frequently before
conditions that occur less frequently.
You cannot selectively remove lines when using numbered ACLs, but you can when
using named IP ACLs.
Additions, whether named or numbered, are always placed at the end of the ACL.
Your ACL contains an implicit deny any statement at the end.
Unless you end your ACL with an explicit permit any statement, by default the ACL
will deny all traffic that fails to match any of the ACL lines.
Every ACL should have at least one permit statement. Otherwise, all traffic will be
denied.
You must create the ACL before applying it to an interface. An interface that references an
ACL that does not exist or has no entries permits all traffic, so deleting a list while it is
still applied silently removes all filtering on that interface.
ACLs filter only traffic going through the router. They do not filter traffic originating from
the router.
ACL Command Overview
Step 1: Set parameters for this ACL test statement (which can be one of several statements).
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Step 2: Enable an interface to use the specified ACL.
Router(config-if)# {protocol} access-group access-list-number {in | out}
ACL Configuration
You can reduce the commands to two general elements, as indicated by Steps 1 and 2 in the
figure.
Step 1 Set parameters for the ACL test statements.
Step 2 Enable an interface to use the specified ACL.
Some of the features of global ACL statements are as follows:
A global statement identifies the ACL, usually by an ACL number. The number range indicates
the type of ACL. ACLs for IP may use an ACL name rather than a number.
The permit or deny term in the global ACL statement indicates how packets that meet the
test conditions will be handled by Cisco IOS software.
The final term or terms specify the test conditions used by this ACL statement. The
statement can be set up so that multiple test conditions are checked. Use several global
ACL statements with the same ACL number or name to stack several test conditions into a
logical sequence or list of tests.
Use the ip access-group {access-list-number | access-list-name}{in | out} interface
configuration command to activate an IP ACL on an interface. The in option filters on inbound
packets, while the out option filters on outbound packets.
Configuring Standard IP ACLs
This topic describes how to configure a standard IP ACL.
Standard IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny | remark} source [mask]
Sets parameters for this list entry
IP standard ACLs use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes the entire ACL
remark lets you add a description for the ACL
Router(config-if)# ip access-group access-list-number {in | out}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes the ACL from the interface
Standard IP ACL Configuration
To configure standard IP ACLs on a Cisco router, you need to create a standard IP ACL and
activate an ACL on an interface.
The table describes the steps required to configure standard ACLs on a router.
Step 1: Create an entry in a standard IP traffic filter list using the access-list global
configuration command.
  Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
  Notes: Enter the global no access-list access-list-number command to remove the entire
  ACL. The example statement permits any source address that starts with 172.16.x.x. Use the
  remark option to add a description to your ACL.
Step 2: Select an interface on which to enable the ACL using the interface configuration
command.
  Router(config)# interface ethernet 1
  Notes: After you enter the interface command, the command-line interface (CLI) prompt
  changes from (config)# to (config-if)#.
Step 3: Activate the existing ACL on the interface using the ip access-group interface
configuration command.
  Router(config-if)# ip access-group 1 out
  Notes: To remove an IP ACL from an interface, enter the no ip access-group
  access-list-number command on the interface.
The access-list command creates an entry in a standard IP traffic filter list. The table explains
the syntax of the command shown in the figure.
access-list command parameters:
access-list-number: Identifies the list that the entry belongs to; a number from 1 to 99 (or
1300 to 1999 in the expanded range)
permit | deny: Indicates whether this entry allows or blocks traffic from the specified address
source: Identifies the source IP address
mask: Wildcard mask identifying which bits in the address field are matched; the default
mask is 0.0.0.0 (match every bit)
The ip access-group command links an existing ACL to an interface. Only one ACL per
protocol, per direction, per interface is allowed. The following table describes the syntax of the
ip access-group command.
ip access-group
Command Parameters
Description
access-list-number Indicates number of ACL to be linked to this interface
in | out Selects whether the ACL is applied as an incoming or outgoing filter;
out is default
Note: To remove an IP ACL from an interface, first enter the no ip access-group command on
the interface; then enter the global no access-list command to remove the entire ACL. Doing
this in the other order leaves the interface referencing a list that no longer exists, which
permits all traffic until the list is re-created.
Standard IP ACL Example 1: Permit my network only.
Example: Standard ACL: Permit My Network Only
The table describes the command syntax presented in the figure.
access-list command parameters:
1: ACL number that indicates that this is a standard list.
permit: Traffic that matches the selected parameters will be forwarded.
172.16.0.0: IP address that will be used with the wildcard mask to identify the source
network.
0.0.255.255: Wildcard mask; 0s indicate positions that must match, 1s indicate don't care
positions.
ip access-group 1 out: Links the ACL to the interface as an outbound filter.
This ACL allows only traffic from source network 172.16.0.0 to be forwarded out on E0 and
E1. Traffic from networks other than 172.16.0.0 is blocked.
Standard IP ACL Example 2: Deny a specific host.
Example: Standard IP ACL: Deny a Specific Host
The tables describe the command syntax presented in the figure.
access-list command parameters:
1: ACL number that indicates that this is a standard list.
deny: Traffic that matches the selected parameters will not be forwarded.
172.16.4.13: IP address of the source host.
0.0.0.0: This mask requires the test to match all bits. (This is the default mask.)
permit: Traffic that matches the selected parameters will be forwarded.
0.0.0.0: IP address of the source host; all 0s indicate a placeholder.
255.255.255.255: Wildcard mask; 0s indicate positions that must match, 1s indicate don't
care positions. All 1s in the mask indicate that none of the 32 bits of the source address
will be checked.
This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all
other traffic to be forwarded on interface Ethernet 0. The 0.0.0.0 255.255.255.255 IP address
and wildcard mask combination permits traffic from any source. This combination can also be
written using the keyword any.
Standard IP ACL Example 3: Deny a specific subnet.
Example: Standard IP ACL: Deny a Specific Subnet
The tables describe the command syntax presented in the figure.
access-list command parameters:
1: ACL number that indicates this is a standard list.
deny: Traffic that matches the selected parameters will not be forwarded.
172.16.4.0: IP address of the source subnet.
0.0.0.255: Wildcard mask; 0s indicate positions that must match, 1s indicate don't care
positions. The 0s in the first three octets indicate that those positions must match; the
255 in the last octet indicates a don't care condition.
permit: Traffic that matches the selected parameters will be forwarded.
any: Abbreviation for the source IP address 0.0.0.0 (a placeholder) with the wildcard mask
255.255.255.255. All 1s in the mask indicate that none of the 32 bits of the source address
will be checked.
This ACL is designed to block traffic from a specific subnet, 172.16.4.0, and to allow all other
traffic to be forwarded out E0.
Configuring Extended IP ACLs
This topic describes how to configure an extended IP ACL on a Cisco router.
Extended IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source
source-wildcard [operator port] destination destination-wildcard [operator port]
[established] [log]
Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number {in | out}
Activates the extended list on an interface
To configure extended IP ACLs on a Cisco router, you will create an extended IP ACL and
activate an ACL on an interface. The procedure outlined in the table describes the steps to
configure extended ACLs on a router.
Step 1: Define an extended IP ACL using the access-list global configuration command.
  Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
  Notes: Use the show access-lists command to display the contents of the ACL. In the
  example, access-list 101 denies TCP traffic from source 172.16.4.0 (wildcard 0.0.0.255)
  to destination 172.16.3.0 (wildcard 0.0.0.255) on port 21 (the FTP control port).
Step 2: Select the interface to be configured using the interface global configuration
command.
  Router(config)# interface ethernet 0
  Notes: After the interface command is entered, the CLI prompt changes from (config)# to
  (config-if)#.
Step 3: Link the extended IP ACL to the interface using the ip access-group interface
configuration command.
  Router(config-if)# ip access-group 101 in
  Notes: Use the show ip interfaces command to verify that an IP ACL is applied to the
  interface.
The access-list command creates an entry to express a condition statement in a complex filter.
The table explains the syntax of the command as shown in the figure.
access-list command parameters:
access-list-number: Identifies the list using a number in the ranges of 100 to 199 or 2000
to 2699.
permit | deny: Indicates whether this entry allows or blocks the specified traffic.
protocol: IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP),
generic routing encapsulation (GRE), or Interior Gateway Routing Protocol (IGRP).
source and destination: Identify the source and destination IP addresses.
source-wildcard and destination-wildcard: Wildcard masks; 0s indicate positions that must
match, 1s indicate don't care positions.
operator port: lt (less than), gt (greater than), eq (equal), neq (not equal), and a port
number.
established: For TCP only, normally used on inbound lists; matches packets that belong to
an already-established connection, which Cisco IOS judges by the TCP ACK or RST flag being
set. This is a flag check, not connection tracking: the router keeps no session state, so a
crafted packet with the ACK bit set matches even when no connection exists. Use it to admit
return traffic for sessions initiated from the protected side, not as a stateful firewall.
log: Generates a log message for each matching packet (to the console or, depending on the
logging configuration, to a syslog server).
Note The syntax of the access-list command presented here is representative of the TCP
protocol form. Not all parameters and options are given. For the complete syntax of all forms
of the command, refer to the appropriate Cisco IOS software documentation available on
CD-ROM or at Cisco.com.
The ip access-group command links an existing extended ACL to an interface. Only one ACL
per protocol, per direction, per interface is allowed.
The table defines the parameters of the ip access-group command.
ip access-group command parameters:
access-list-number: Indicates the number of the ACL that is to be linked to an interface
in | out: Selects whether the ACL is applied as an input or output filter; out is the default
Extended ACL Example 1: Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0.
Permit all other traffic.
Example: Extended ACL: Deny FTP from Subnets
The table explains the command syntax presented in the figure.
access-list command parameters:
101: ACL number; indicates an extended IP ACL.
deny: Traffic that matches the selected parameters will be blocked.
tcp: Transport layer protocol.
172.16.4.0 0.0.0.255: Source IP address and mask; the first three octets must match but not
the last octet.
172.16.3.0 0.0.0.255: Destination IP address and mask; the first three octets must match but
not the last octet.
eq 21: Destination port; specifies the well-known port number for FTP control.
eq 20: Destination port; specifies the well-known port number for FTP data.
out: Links ACL 101 to interface E0 as an output filter.
The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0, and the
permit statement allows all other IP traffic out interface E0. The port 21 entry is what
actually prevents FTP sessions from being established; the port 20 entry affects only
active-mode data connections, because passive-mode FTP negotiates a high-numbered data port
that this list does not match.
Extended ACL Example 2: Deny only Telnet from subnet 172.16.4.0 out E0.
Permit all other traffic.
Example: Extended ACL: Deny Only Telnet from Subnet
The table explains the command syntax presented in the figure.
access-list command parameters:
101: ACL number; indicates an extended IP ACL.
deny: Traffic that matches the selected parameters will not be forwarded.
tcp: Transport layer protocol.
172.16.4.0 0.0.0.255: Source IP address and mask; the first three octets must match but not
the last octet.
any: Match any destination IP address.
eq 23: Destination port; specifies the well-known port number for Telnet.
permit: Traffic that matches the selected parameters will be forwarded.
ip: Any IP protocol.
any: Keyword matching traffic from any source.
any: Keyword matching traffic to any destination.
out: Links ACL 101 to interface E0 as an output filter.
This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other
IP traffic from any other source to any destination is permitted out E0.
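The guidelines earlier in this lesson (top-down processing, first match wins, implicit deny any, wildcard masks) and the standard and extended examples above are easiest to check by running packets through them. The following is an added example, not code from the Cisco guide: a small parser for the numbered access-list syntax used in this lesson and an evaluator that applies a list the way the router does. It supports only the keywords the lesson uses (any, host, eq/neq/lt/gt, established, remark); the port-name table is an assumed subset of the IOS names, and the sample lists and packets are constructed from the lesson's examples.

```python
"""Added example, not code from the Cisco guide: parse numbered IOS ACL lines
in the syntax shown in this lesson and evaluate packets against them the way
the router does (top-down, first match wins, implicit deny any at the end).
Assumptions: only the keywords the lesson uses (any, host, eq/neq/lt/gt,
established, remark) and a small subset of IOS port names are supported."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}   # assumed subset
ANY = ("0.0.0.0", "255.255.255.255")          # the 'any' keyword expands to this pair

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Entry:
    action: str                                   # permit | deny
    protocol: str                                 # ip | tcp | udp | icmp ...; ip matches all
    src: Tuple[str, str]                          # (address, wildcard)
    dst: Tuple[str, str]
    src_port: Optional[Tuple[str, int]] = None    # (operator, port)
    dst_port: Optional[Tuple[str, int]] = None
    established: bool = False

def _addr(t: List[str], i: int, standard: bool = False):
    """Consume 'any', 'host A' or 'A WILDCARD'; a standard list also allows a bare 'A'
    (default wildcard 0.0.0.0, i.e. an exact host match)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if standard and not (i + 1 < len(t) and t[i + 1][0].isdigit()):
        return (t[i], "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2

def _port(t: List[str], i: int):
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
        return (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_entry(line: str) -> Optional[Entry]:
    """One 'access-list N permit|deny ...' line; blank and remark lines give None."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] == "remark":
        return None
    num = int(t[1])
    if 1 <= num <= 99 or 1300 <= num <= 1999:       # standard list: source only
        src, _ = _addr(t, 3, standard=True)
        return Entry(t[2], "ip", src, ANY)
    src, i = _addr(t, 4)                             # extended list
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Entry(t[2], t[3], src, dst, sport, dport, "established" in t[i:])

def parse_acl(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.strip().splitlines()) if e]

def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "neq": port != p, "lt": port < p, "gt": port > p}[op]

def evaluate(acl: List[Entry], pkt: dict) -> str:
    """Return 'permit' or 'deny' for a packet given as a dict (proto, src, dst,
    optional sport/dport/ack). The first matching entry wins; a packet that
    matches no entry hits the implicit deny any."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)):
            continue
        if not (_port_ok(e.src_port, pkt.get("sport", 0)) and _port_ok(e.dst_port, pkt.get("dport", 0))):
            continue
        if e.established and not pkt.get("ack", False):   # flag check only; no connection state
            continue
        return e.action
    return "deny"

# Constructed lists: the lesson's extended Example 1, standard Example 2, and a
# misordered list whose permit shadows the deny that follows it.
ACL_101 = parse_acl("""
access-list 101 remark deny FTP from 172.16.4.0/24 to 172.16.3.0/24, permit the rest
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
""")
ACL_1 = parse_acl("access-list 1 deny 172.16.4.13\naccess-list 1 permit any")
ACL_SHADOWED = parse_acl("""
access-list 102 permit ip any any
access-list 102 deny tcp 172.16.4.0 0.0.0.255 any eq 23
""")

if __name__ == "__main__":
    print(evaluate(ACL_101, {"proto": "tcp", "src": "172.16.4.7", "dst": "172.16.3.9", "dport": 21}))
    print(evaluate(ACL_SHADOWED, {"proto": "tcp", "src": "172.16.4.7", "dst": "10.0.0.1", "dport": 23}))
```

Running the misordered list ACL_SHADOWED shows why the guidelines insist on order: its deny for Telnet never fires because the permit ip any any above it matches first. A list consisting only of deny entries denies everything, which is the implicit deny any the lesson describes. The established check is deliberately a flag test and nothing more, matching what the router does.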
Using Named ACLs
This topic describes the use of named ACLs.
Using Named IP ACLs
Router(config)# ip access-list {standard | extended} name
Alphanumeric name string must be unique.
Router(config-std-nacl)# or Router(config-ext-nacl)# {permit | deny} {ip access list test
conditions}
Permit or deny statements have no prepended number.
no {permit | deny} {ip access list test conditions}
no removes the specific test from the named ACL.
Router(config-if)# ip access-group name {in | out}
Activates the named IP ACL on an interface.
The named ACL feature allows you to identify IP standard and extended ACLs with an
alphanumeric string (name) instead of the current numeric representations. An administrator
who wants to alter a numbered ACL must first delete the entire numbered ACL, then
reconfigure it. An administrator cannot delete individual statements.
Named IP ACLs allow you to delete, but not insert, individual entries in a specific ACL.
Because you can delete individual entries, you can modify your ACL without having to delete
then reconfigure the entire ACL. Use named IP ACLs when you want to intuitively identify
ACLs.
The following describes some of the issues to consider before implementing named IP ACLs:
Named IP ACLs are not compatible with Cisco IOS releases prior to IOS Release 11.2.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types
cannot have the same name. For example, you cannot specify a standard ACL named
George and an extended ACL with the same name.
Configuring vty ACLs
This topic describes how to configure vty ACLs.
Filtering vty Access to a Router
Five virtual terminal lines (0 through 4)
Filter addresses that can access the router vty ports
Filter vty access originating from the router
In addition to physical ports or interfaces such as E0 and E1, there are also virtual ports. A
virtual port is called a vty. By default, there are five such virtual terminal lines, numbered vty 0
through vty 4. Some Cisco IOS images can support more than five vty ports.
For security purposes, you can deny vty access to the router, or you can permit vty access to the
router but deny Telnet access originating from the router. Restricting vty access is primarily a
technique for increasing network security.
How to Control vty Access
Set up an IP address filter with a standard ACL statement.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty.
Telnet filtering is normally considered an extended IP ACL function because it is filtering a
higher-level protocol. However, because you will be using the access-class command to filter
incoming Telnet sessions by source address and apply filtering to vty lines, you can use
standard IP ACL statements to control vty access.
The access-class command also applies standard IP ACL filtering to vty lines for outgoing
Telnet sessions originating from the router.
vty Commands
Router(config)# line vty {vty# | vty-range}
Enters configuration mode for a vty or vty range
Router(config-line)# access-class access-list-number {in | out}
Restricts incoming or outgoing vty connections for addresses in the ACL
Use the line command to place the router in line configuration mode. The table describes the
line command parameters.
line command parameters:
vty#: Indicates a specific vty line to be configured
vty-range: Indicates a range of vty lines that the configuration will apply to
Use the access-class command to link an existing ACL to a terminal line or range of lines. The
table describes the access-class parameters.
access-class command parameters:
access-list-number: Indicates the number of the ACL to be linked to a terminal line. This is
a decimal number from 1 to 99 or 1300 to 2699.
in: Filters incoming connections to the vty lines by source address. The router accepts a
connection only from an address the ACL permits; the implicit deny any rejects every other
source.
out: Filters Telnet connections that a user on the router's vty lines initiates. The router
allows a connection only to a destination the standard ACL permits. Note that the source
address specified in the standard ACL is treated like a destination address when you use
access-class out.
Controlling Inbound Access: vty Access Example
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty
Example: vty Access
In this example, you are permitting any device on network 192.168.1.0 0.0.0.255 to establish a
virtual terminal (Telnet) session with the router. Of course, the user must know the appropriate
passwords to enter user mode and privileged mode.
Notice that identical restrictions have been set on every vty (0 to 4) because you cannot
control on which vty a user will connect. If the Cisco IOS image supports more than five vty
lines, apply the same access-class to all of them: a single unfiltered line is enough for a
remote user to bypass the restriction.
The implicit deny any statement still applies to the ACL when it is used as an access-class
entry.
Guidelines for Placing ACLs
This topic provides guidelines to help you determine where to place ACLs.
ACL Configuration Guidelines
The order of ACL statements is crucial.
Recommended: Use a text editor on a PC to create the ACL statements,
then cut and paste them into the router.
Top-down processing is important.
Place the more specific test statements first.
Statements cannot be rearranged or removed.
Use the no access-list number command to remove the entire ACL.
Exception: Named ACLs permit removal of individual statements.
Implicit deny any will be applied to all packets that do not
match any ACL statement unless the ACL ends with an
explicit permit any statement.
ACLs can be used to control traffic by filtering and eliminating unwanted packets. Proper
placement of an ACL can reduce unnecessary traffic on the network. The basic principles of
ACL configuration are as follows:
The order of ACL statements is crucial to proper filtering. Cisco recommends that you
create the ACL using a text editor program on a PC, then cut and paste the ACL into the
router. For example, you can use Microsoft Word on a PC to create the ACL, then Telnet or
console into the router from the PC. Enter the global configuration mode on the router, then
cut and paste the ACL from the Word document into the router.
ACLs are processed from the top down. You can reduce processing overhead if you place
the more specific tests and the tests that will frequently test true at the beginning of the
ACL.
Only named ACLs allow removal (but not the rearranging) of individual statements from a
list. If you want to rearrange ACL statements, you must remove the whole list and re-create
it in the desired order, with the desired statements.
All ACLs end with an implicit deny any statement.
Where to Place IP ACLs
Place extended ACLs close to the source.
Place standard ACLs close to the destination.
Example: Placing IP ACLs
Suppose an enterprise wants to reject Token Ring traffic on router A to the switched Ethernet
LAN on the E1 port of router D. At the same time, other traffic must be permitted. Several
approaches can accomplish the enterprise objective.
The recommended approach is to use an extended ACL. An extended ACL specifies both
source and destination addresses. Place this extended ACL in router A. As a result, packets do
not cross the router A Ethernet, nor the serial interfaces of routers B and C, and therefore do not
enter router D. Traffic with different source and destination addresses can still be permitted.
Extended ACLs should normally be placed as close as possible to the source of the traffic to
be denied.
Standard ACLs do not specify destination addresses. The administrator would have to put the
standard ACL as near as possible to the destination of the traffic to be denied. For example,
place an ACL on E0 of router D to prevent Token Ring traffic from router A.
Verifying the ACL Configuration
This topic describes the show commands that you can use to verify the ACL configuration.
wg_ro_a# show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
<text omitted>
Verifying ACLs
When you finish the ACL configuration, use the show commands to verify the configuration.
The show ip interfaces command displays IP interface information and indicates whether any
IP ACLs are set on the interface. In the show ip interfaces e0 command output shown in the
figure, IP ACL 1 has been configured on the E0 interface as an inbound ACL. No outbound IP
ACL has been configured on the E0 interface.
Monitoring ACL Statements
wg_ro_a# show {protocol} access-list {access-list number}
wg_ro_a# show access-lists {access-list number}

wg_ro_a# show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
Use the show access-lists command to display the contents of all ACLs. By entering the ACL
name or number as an option for this command, you can display a specific ACL. To display
only the contents of all IP ACLs, use the show ip access-list command.
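The two show commands above are also the raw material for an audit. The following is an added example, not Cisco code: it parses the text of show ip interface and show access-lists and reports the two silent failure modes this lesson warns about, an interface that references a list that does not exist or is empty (the router then permits all traffic) and a list with no permit entry (everything is denied). The sample output is constructed for the example and modelled on the lesson's figures, with only the lines the parser needs; interface names, list numbers and addresses are assumed.

```python
"""Added example, not Cisco code: audit 'show ip interface' and 'show access-lists'
output for interfaces whose ACL is missing/empty (permits all traffic) and for
ACLs with no permit entry (denies all traffic). Sample output is constructed."""
import re
from typing import Dict, List, Optional, Tuple

SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Outgoing access list is not set
  Inbound  access list is 1
Ethernet1 is up, line protocol is up
  Internet address is 10.1.2.11/24
  Outgoing access list is 101
  Inbound  access list is 150
Serial0 is up, line protocol is up
  Internet address is 192.168.1.1/30
  Outgoing access list is not set
  Inbound  access list is not set
"""

SHOW_ACCESS_LISTS = """\
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
Extended IP access list 120
    deny tcp any any eq telnet
"""

def parse_interfaces(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map interface name -> {'in': list or None, 'out': list or None}."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is (?:up|down|administratively down)\b", line)
        if m:                                   # start of an interface block
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = re.match(r"^\s*(Inbound|Outgoing)\s+access list is (.+?)\s*$", line)
        if m and current:
            direction = "in" if m.group(1) == "Inbound" else "out"
            result[current][direction] = None if m.group(2) == "not set" else m.group(2)
    return result

def parse_access_lists(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map list number or name -> [(action, rest of entry), ...]."""
    lists, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(?:Standard|Extended) IP access list (\S+)", line)
        if m:
            current = m.group(1)
            lists[current] = []
            continue
        m = re.match(r"^\s+(permit|deny)\s+(.*)$", line)
        if m and current:
            lists[current].append((m.group(1), m.group(2).strip()))
    return lists

def audit(interfaces, lists) -> List[Tuple[str, str, str, str]]:
    """Findings as (interface, direction, list, problem)."""
    findings = []
    for ifname, dirs in interfaces.items():
        for direction, name in dirs.items():
            if name is None:
                continue
            entries = lists.get(name)
            if not entries:                     # IOS permits everything in this case
                findings.append((ifname, direction, name, "list missing or empty: permits all traffic"))
            elif not any(action == "permit" for action, _ in entries):
                findings.append((ifname, direction, name, "no permit entry: denies all traffic"))
    return findings

def unapplied(interfaces, lists) -> List[str]:
    """Lists present in the configuration but applied to no interface."""
    applied = {name for dirs in interfaces.values() for name in dirs.values() if name}
    return sorted(set(lists) - applied)

if __name__ == "__main__":
    ifs, acls = parse_interfaces(SHOW_IP_INTERFACE), parse_access_lists(SHOW_ACCESS_LISTS)
    for finding in audit(ifs, acls):
        print("%s %s acl %s: %s" % finding)
    print("defined but not applied:", unapplied(ifs, acls))
```

On the sample, Ethernet1 references inbound list 150, which show access-lists does not contain, so that interface is filtering nothing. unapplied lists a list as unused only with respect to interfaces; a list referenced by access-class on the vty lines would still show up there, so check show line or the running configuration before deleting it.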
Summary
This topic summarizes the key points discussed in this lesson.
Summary
Following the ACL configuration guidelines and commands is important to successfully
implement ACLs.
To configure standard IP ACLs on a Cisco router, you must
create a standard IP ACL and apply an ACL on an interface.
To configure extended IP ACLs on a Cisco router, you must create an extended IP ACL and
apply it on an interface.
The named ACL feature allows you to identify IP standard
and extended ACLs with an alphanumeric string (name)
instead of the current numeric (1 to 199 and 1300 to 2699)
representations.
Summary (Cont.)
For security purposes, you can deny Telnet access to or from a router's vty ports.
Restricting Telnet access is primarily a technique for increasing network security.
ACLs are used to control traffic by filtering and eliminating
unwanted packets. Proper placement of an ACL statement can
reduce unnecessary traffic.
The show command can be used to verify ACL configuration.
Lesson 3
Scaling the Network with NAT
and PAT
Overview
Two scalability challenges facing the Internet are depletion of registered IP address space and
scaling in routing. Cisco IOS Network Address Translation (NAT) and port address translation
(PAT) are mechanisms for conserving registered IP addresses in large networks and
simplifying IP addressing management tasks. NAT and PAT translate IP addresses within
private internal networks to legal IP addresses for transport over public external networks, such
as the Internet, without requiring a registered subnet address. Incoming traffic is translated back
for delivery within the inside network.
This translation of IP addresses eliminates the need for host renumbering and allows the same
IP address range to be used in multiple intranets. This lesson describes the features offered by
NAT and PAT and shows you how to configure NAT and PAT on Cisco routers.
Objectives
Upon completing this lesson, you will be able to configure NAT and PAT on Cisco routers.
This ability includes being able to meet these objectives:
Describe the features of NAT and PAT on Cisco routers
Translate inside source addresses by using static and dynamic translation
Configure PAT by overloading an inside global address
Use show and clear commands to verify that NAT and PAT are operating as expected
Use debug commands to identify events and anomalies in the NAT and PAT
configurations
Introducing NAT and PAT
This topic describes the features of NAT and PAT.
Network Address Translation
An IP address is either local or global.
Local IP addresses are seen in the inside network.
NAT operates on a Cisco router and is designed for IP address simplification and conservation.
NAT enables private IP internetworks that use nonregistered IP addresses to connect to the
Internet. Usually, NAT connects two networks together and translates the private (inside local)
addresses in the internal network into public addresses (inside global) before packets are
forwarded to another network. As part of this functionality, you can configure NAT to advertise
only one address for the entire network to the outside world. Advertising only one address
hides the internal addressing and topology from the world, which provides some additional
security, although NAT by itself is not a substitute for filtering with ACLs: it translates
addresses and does not restrict what is allowed through.
Any device that sits between an internal network and the public network, such as a firewall,
a router, or a computer, can perform NAT, which is defined in RFC 1631 (later obsoleted by
RFC 3022).
In NAT terminology, the inside network is the set of networks that are subject to translation.
The outside network refers to all other addresses. Usually these are valid addresses located on
the Internet.
Cisco defines the following list of NAT terms:
Inside local address: The IP address assigned to a host on the inside network. The inside
local address is likely not an IP address assigned by the Network Information Center (NIC)
or service provider.
Inside global address: A legitimate IP address assigned by the NIC or service provider
that represents one or more inside local IP addresses to the outside world.
Outside local address: The IP address of an outside host as it appears to the inside
network. Not necessarily legitimate, the outside local address is allocated from an address
space routable on the inside.
Outside global address: The IP address assigned to a host on the outside network by the
host owner. The outside global address is allocated from a globally routable address or
network space.
NAT has many forms and can work in the following ways:
Static NAT: Maps an unregistered IP address to a registered IP address (one-to-one). Static
NAT is particularly useful when a device needs to be accessible from outside the network.
Dynamic NAT: Maps an unregistered IP address to a registered IP address from a group of
registered IP addresses.
Overloading: Maps multiple unregistered IP addresses to a single registered IP address
(many-to-one) by using different ports. Overloading is also known as PAT, and is a form of
dynamic NAT.
NAT offers these benefits:
Eliminates the need to readdress all hosts that require external access, saving time and
money.
Conserves addresses through application port-level multiplexing. With NAT, internal hosts
can share a single registered IP address for all external communications. In this type of
configuration, relatively few external addresses are required to support many internal hosts,
thus conserving IP addresses.
Hides internal addressing. Because private networks do not advertise their addresses or
internal topology, and because an outside host cannot reach an inside host for which no
translation entry exists, they remain reasonably secure when they gain controlled external
access in conjunction with NAT. NAT is not a filtering control, however: a host with a static
translation is reachable from the outside on every port, so the outside interface still needs
an ACL.
Port Address Translation
One of the main features of NAT is PAT, which is referred to as overload in Cisco IOS
configuration; it is a form of dynamic NAT, not static NAT. Several internal addresses can be
translated using NAT into just one or a few external addresses by using PAT.
PAT uses unique source port numbers on the inside global IP address to distinguish between
translations. Because the port number is encoded in 16 bits, the number of simultaneous
translations (not inside hosts; each host normally holds one translation per connection) that
can share one external address is, theoretically, as many as 65,536.
PAT attempts to preserve the original source port. If the source port is already allocated, PAT
attempts to find the first available port number. It starts from the beginning of the appropriate
port group, 0-511, 512-1023, or 1024-65535. If PAT does not find a port that is available from
the appropriate port group and if more than one external IP address is configured, PAT will
move to the next IP address and try to allocate the original source port again. PAT continues
trying to allocate the original source port until it runs out of available ports and external IP
addresses.
Translating Inside Source Addresses
This topic describes how to translate inside source addresses by using static and
dynamic translation.
You can translate your own IP addresses into globally unique IP addresses when you are
communicating outside your network. You can configure static or dynamic inside
source translation.
Example: Translating Inside Source Addresses
The figure illustrates a router that is translating a source address inside a network into a source
address outside the network. The steps for translating an inside source address are as follows:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the router to check
its NAT table.
If a static translation entry was configured, the router goes to Step 3.
If no static translation entry exists, the router determines that the source address
1.1.1.1 (SA 1.1.1.1) must be translated dynamically. The router then selects a
legal, global address from the dynamic address pool and creates a translation
entry (in this example, 2.2.2.2). This type of entry is called a simple entry.
Step 3 The router replaces the inside local source address of host 1.1.1.1 with the
translation entry global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the inside global IP
destination address 2.2.2.2 (DA 2.2.2.2).
Step 5 When the router receives the packet with the inside global IP address, the router
performs a NAT table lookup by using the inside global address as a key. The router
then translates the address back to the inside local address of host 1.1.1.1 and
forwards the packet to host 1.1.1.1.
Step 6 Host 1.1.1.1 receives the packet and continues the conversation. The router performs
Steps 2 through 5 for each packet.
Configuring Static Translation
Establishes static translation between an inside local address
and an inside global address
Router(config)# ip nat inside source static local-ip global-ip
Marks the interface as connected to the inside
Router(config-if)# ip nat inside
Marks the interface as connected to the outside
Router(config-if)# ip nat outside
The table describes the steps for configuring static inside source address translation.

Step 1. Establish static translation between an inside local address and an inside global address.
    Router(config)# ip nat inside source static local-ip global-ip
    Note: Enter the no form of ip nat inside source static in global configuration mode to
    remove the static source translation.

Step 2. Specify the inside interface.
    Router(config)# interface type number
    Note: After you enter the interface command, the CLI prompt changes from (config)# to
    (config-if)#.

Step 3. Mark the interface as connected to the inside.
    Router(config-if)# ip nat inside

Step 4. Specify the outside interface.
    Router(config-if)# interface type number

Step 5. Mark the interface as connected to the outside.
    Router(config-if)# ip nat outside
Example: Static NAT Address Mapping
The example shows the use of discrete address mapping with static NAT translations. The
router will translate packets from host 10.1.1.2 to a source address of 192.168.1.2.
Configuring Dynamic Translation
Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)# access-list access-list-number permit source [source-wildcard]
Defines a pool of global addresses to be allocated as needed.
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Establishes dynamic source translation, specifying the ACL and the pool defined above.
Router(config)# ip nat inside source list access-list-number pool name
The table describes the steps for configuring dynamic inside source address translation.

Step 1. Define a pool of global addresses to be allocated as needed.
    Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    Note: Enter the no form of ip nat pool in global configuration mode to remove the pool of
    global addresses.

Step 2. Define a standard ACL that will permit the addresses that are to be translated.
    Router(config)# access-list access-list-number permit source [source-wildcard]
    Note: Enter no access-list access-list-number in global configuration mode to remove
    the ACL.

Step 3. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
    Router(config)# ip nat inside source list access-list-number pool name
    Note: Enter the no form of ip nat inside source in global configuration mode to remove
    the dynamic source translation.

Step 4. Specify the inside interface.
    Router(config)# interface type number
    Note: After you enter the interface command, the CLI prompt changes from (config)# to
    (config-if)#.

Step 5. Mark the interface as connected to the inside.
    Router(config-if)# ip nat inside

Step 6. Specify the outside interface.
    Router(config-if)# interface type number

Step 7. Mark the interface as connected to the outside.
    Router(config-if)# ip nat outside
Caution The ACL must permit only those addresses that are to be translated. Remember that there
is an implicit deny any statement at the end of each ACL. An ACL that is too permissive can
lead to unpredictable results. Cisco highly recommends that you do not configure ACLs
referenced by NAT commands with permit any. Using permit any can result in NAT
consuming too many router resources, which can cause network problems.
Example: Dynamic Address Translation
The example translates all source addresses that pass ACL 1 (source addresses in
192.168.1.0/24) into an address from the pool named net-208. The pool contains the addresses
171.69.233.209 through 171.69.233.222 with a /28 mask (the usable host addresses of
171.69.233.208/28), so at most 14 inside hosts can hold a translation at the same time.
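The inside source translation steps described above (the ACL check, allocation from the pool, the simple entry keyed on addresses alone, and the reverse lookup on the return path), worked through as an added Python simulation. This is illustrative code written for this page, not Cisco IOS code; the class DynamicNat, the function acl_permits and the traffic are constructed for the example. It uses the values of the dynamic example (ACL 1 permits 192.168.1.0/24, pool 171.69.233.209 through .222), so the fifteenth inside host finds the pool exhausted and its packet is dropped, and it evaluates a standard ACL with the implicit deny any at the end; a permit any ACL matches every source address, which is why the caution above warns against using one with NAT.

```python
"""Added simulation of dynamic inside-source NAT: a standard ACL selects the
inside local addresses to translate, a pool supplies inside global addresses,
and each translation is a simple entry keyed on addresses alone. Not Cisco
code; class, function and address values are constructed for this example."""
import ipaddress


def acl_permits(acl, address):
    """Evaluate a standard ACL top down, first match wins, with the implicit
    deny any at the end. acl is a list of (action, source, source-wildcard)
    using Cisco wildcard masks, where a 1 bit means 'do not compare'."""
    addr = int(ipaddress.IPv4Address(address))
    for action, source, wildcard in acl:
        src = int(ipaddress.IPv4Address(source))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == src & care:
            return action == "permit"
    return False  # implicit deny any


class DynamicNat:
    def __init__(self, acl, pool_start, pool_end):
        self.acl = acl
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.local_to_global = {}   # simple entries: inside local -> inside global
        self.global_to_local = {}   # the same entries keyed for the return path

    def translate_outbound(self, inside_local):
        """Return the source address to write into an outbound packet: the
        inside global address when the host is translated, the unchanged
        inside local address when the ACL does not match (the packet is
        forwarded untranslated), or None when the pool is exhausted and the
        packet is dropped."""
        if inside_local in self.local_to_global:     # existing simple entry
            return self.local_to_global[inside_local]
        if not acl_permits(self.acl, inside_local):  # ACL says: do not translate
            return inside_local
        if not self.free:                            # pool exhausted
            return None
        inside_global = self.free.pop(0)
        self.local_to_global[inside_local] = inside_global
        self.global_to_local[inside_global] = inside_local
        return inside_global

    def translate_inbound(self, inside_global):
        """Look up a reply by its inside global destination address; None means
        no entry exists and the packet is dropped."""
        return self.global_to_local.get(inside_global)


if __name__ == "__main__":
    # Constructed traffic using the dynamic example's values: ACL 1 permits
    # 192.168.1.0/24, pool net-208 holds 171.69.233.209 through .222 (14 addresses).
    acl_1 = [("permit", "192.168.1.0", "0.0.0.255")]
    nat = DynamicNat(acl_1, "171.69.233.209", "171.69.233.222")
    print(nat.translate_outbound("192.168.1.10"))   # 171.69.233.209
    print(nat.translate_outbound("192.168.2.10"))   # 192.168.2.10 (not translated)
    print(nat.translate_inbound("171.69.233.209"))  # 192.168.1.10
```

The three return values of translate_outbound are deliberately distinct: a denied source is forwarded with its private address unchanged, which upstream filtering must catch, while an exhausted pool drops the packet, which is the symptom to look for when a dynamic pool is sized too small.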
Overloading an Inside Global Address
This topic describes how to configure PAT by overloading an inside global address.
You can conserve addresses in the inside global address pool by allowing the router to use one
inside global address for many inside local addresses. When this overloading is configured, the
router maintains enough information from higher-level protocols (for example, TCP or User
Datagram Protocol (UDP) port numbers) to translate the inside global address back into the
correct inside local address. When multiple inside local addresses map to one inside global
address, the TCP or UDP port numbers of each inside host distinguish between the local
addresses.
Example: Overloading an Inside Global Address
The figure illustrates NAT operation when one inside global address represents multiple inside
local addresses. The TCP port numbers act as differentiators. Both host B and host C think they
are talking to a single host at address 2.2.2.2. They are actually talking to different hosts; the
port number is the differentiator. In fact, many inside hosts could share the inside global IP
address by using many port numbers.
The router performs the following process in overloading inside global addresses:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the router to check
its NAT table.
If no translation entry exists, the router determines that address 1.1.1.1 must be
translated and sets up a translation of inside local address 1.1.1.1 into a legal inside
global address. If overloading is enabled and another translation is active, the router
reuses the inside global address from that translation and saves enough information
to be able to translate back. This type of entry is called an extended entry.
Step 3 The router replaces the inside local source address 1.1.1.1 with the selected inside
global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the inside global IP
address 2.2.2.2.
Step 5 When the router receives the packet with the inside global IP address, the router
performs a NAT table lookup. Using the inside global address and port and outside
global address and port as a key, the router translates the address back into the inside
local address 1.1.1.1 and forwards the packet to host 1.1.1.1.
Step 6 Host 1.1.1.1 receives the packet and continues the conversation. The router performs
Steps 2 through 5 for each packet.
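The overloading process described above, together with the port-allocation rules given under Port Address Translation (keep the original source port if it is free; otherwise take the first free port in the same port group 0-511, 512-1023 or 1024-65535; otherwise move to the next inside global address and try the original port again), worked through as an added Python simulation. This is illustrative code written for this page, not Cisco IOS code; the class Pat, its methods and the hosts and ports are constructed for the example. Each translation is an extended entry keyed on protocol, inside global address and port, and outside global address and port, which is what lets two inside hosts that use the same source port share the single address 2.2.2.2, and the test traffic also shows what happens when a port group is exhausted on one address and a second address is or is not available.

```python
"""Added simulation of PAT (overload): many inside local addresses share one or
a few inside global addresses, distinguished by port. Not Cisco code; class and
method names are constructed for this example."""

# Port groups within which PAT searches for a replacement source port
# when the original source port is already allocated.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) port group that contains port."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError("port %r is out of range" % port)


class Pat:
    def __init__(self, inside_globals):
        # One or more inside global addresses, tried in order (for example the
        # address of the interface named in "ip nat inside source list ... interface").
        self.inside_globals = list(inside_globals)
        self.used = {}       # (proto, inside_global) -> set of allocated global ports
        self.outbound = {}   # extended entry, inside-to-outside direction
        self.inbound = {}    # the same entry keyed for the outside-to-inside direction

    def _allocate(self, proto, src_port):
        """PAT port selection: keep the original source port if it is free on the
        first inside global address; otherwise take the first free port in the
        same port group; otherwise repeat on the next inside global address."""
        for inside_global in self.inside_globals:
            used = self.used.setdefault((proto, inside_global), set())
            if src_port not in used:
                used.add(src_port)
                return inside_global, src_port
            low, high = port_group(src_port)
            for port in range(low, high + 1):
                if port not in used:
                    used.add(port)
                    return inside_global, port
        return None  # every port in the group is in use on every address

    def translate_outbound(self, proto, inside_local, local_port, outside_global, outside_port):
        """Translate a packet from an inside host. Returns the (inside global
        address, port) written into the packet, or None if it must be dropped."""
        key = (proto, inside_local, local_port, outside_global, outside_port)
        if key in self.outbound:                  # existing extended entry
            return self.outbound[key]
        allocated = self._allocate(proto, local_port)
        if allocated is None:
            return None
        inside_global, global_port = allocated
        self.outbound[key] = (inside_global, global_port)
        # Reverse key: inside global address and port plus outside global
        # address and port, which is how a reply is matched to the right host.
        self.inbound[(proto, inside_global, global_port, outside_global, outside_port)] = (
            inside_local, local_port)
        return inside_global, global_port

    def translate_inbound(self, proto, inside_global, global_port, outside_global, outside_port):
        """Translate a reply from the outside. Returns (inside local address,
        port) or None if no entry exists, in which case the packet is dropped."""
        return self.inbound.get((proto, inside_global, global_port, outside_global, outside_port))


if __name__ == "__main__":
    # Constructed traffic: hosts 1.1.1.1 and 1.1.1.2 both use source port 1024
    # to reach host B (3.3.3.3:80) through the single inside global address 2.2.2.2.
    pat = Pat(["2.2.2.2"])
    print(pat.translate_outbound("tcp", "1.1.1.1", 1024, "3.3.3.3", 80))  # ('2.2.2.2', 1024)
    print(pat.translate_outbound("tcp", "1.1.1.2", 1024, "3.3.3.3", 80))  # ('2.2.2.2', 1025)
    print(pat.translate_inbound("tcp", "2.2.2.2", 1025, "3.3.3.3", 80))   # ('1.1.1.2', 1024)
```

Because the inbound key includes the outside global address and port, an unsolicited packet from a different outside host to 2.2.2.2:1025 finds no entry and is dropped; that is the whole of the protection overloading gives, and it lasts only as long as the entry does.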
Configuring Overloading
Defines a standard IP ACL that will permit the inside local addresses that are to be translated
Router(config)# access-list access-list-number permit source [source-wildcard]
Establishes dynamic source translation, specifying the ACL defined above and the outside
interface whose address is overloaded
Router(config)# ip nat inside source list access-list-number interface interface overload
To configure overloading of inside global addresses, perform the steps in this table.

Step 1. Define a standard ACL that will permit the addresses that are to be translated.
    Router(config)# access-list access-list-number permit source [source-wildcard]
    Note: Enter no access-list access-list-number in global configuration mode to remove
    the ACL.

Step 2. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
    Router(config)# ip nat inside source list access-list-number interface interface overload
    Note: The overload keyword enables PAT. Enter the no form of ip nat inside source in
    global configuration mode to remove the dynamic source translation.

Step 3. Specify the inside interface and mark it as connected to the inside.
    Router(config)# interface type number
    Router(config-if)# ip nat inside
    Note: After you enter the interface command, the CLI prompt changes from (config)# to
    (config-if)#.

Step 4. Specify the outside interface and mark it as connected to the outside.
    Router(config-if)# interface type number
    Router(config-if)# ip nat outside
Overloading an Inside Global Address Example
The NAT inside-to-outside process comprises this sequence of steps:
Step 1 The incoming packet is looked up in the route table and the next hop is identified.
Step 2 The NAT statements are parsed. Because the translation is configured with interface
Serial 0 and the overload keyword, PAT selects the Serial 0 IP address and a source port
to use as the inside global address and port.
Step 3 The router encapsulates the packet and sends it out on interface Serial 0.
The NAT outside-to-inside process works in the reverse sequence:
Step 1 The NAT statements are parsed. The router looks for an existing translation that
matches the inside global address and port and the outside global address and port, and
identifies the inside local destination address and port from it.
Step 2 The packet is looked up in the route table and the next-hop interface is determined.
Step 3 The packet is encapsulated and sent out the inside interface.
No internal address is visible on the outside during this process: every inside host appears
as the Serial 0 address plus a port, and a packet from the outside that matches no translation
entry is dropped, so an outside host cannot initiate a connection to an inside host. This
protection is a side effect of the translation state (a reply that matches an active entry is
forwarded to the inside host) and is not a substitute for an ACL on the outside interface.
Verifying the NAT and PAT Configuration
This topic describes how to verify the NAT and PAT configuration.
Clearing the NAT Translation Table
After you have configured NAT, verify that it is operating as expected. You can do this by
using the clear and show commands.
By default, dynamic address translations time out of the NAT and PAT translation tables after
a period of nonuse. When port translation is not configured, simple translation entries time
out after 24 hours unless you change the timeout with the ip nat translation timeout global
configuration command. Extended entries created by PAT use per-protocol timeouts (for
example, ip nat translation tcp-timeout, which defaults to 24 hours, and ip nat translation
udp-timeout, which defaults to 5 minutes). You can clear entries before they time out by
using one of the commands listed in the table. Static entries are part of the configuration
and are not removed by these commands.
clear ip nat translation *
    Clears all dynamic address translation entries from the NAT translation table.
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
    Clears a simple dynamic translation entry containing an inside translation or both an
    inside and outside translation.
clear ip nat translation outside local-ip global-ip
    Clears a simple dynamic translation entry containing an outside translation.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
    Clears an extended dynamic translation entry.
Displays active translations
Router# show ip nat translations
Displays translation statistics
Router# show ip nat statistics

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0

In this output the single entry is a static simple entry: the Pro column shows --- because no
protocol or port is recorded, and the outside columns are empty because the entry is keyed on
the inside addresses only. An extended entry created by PAT shows the protocol (tcp or udp)
and each address followed by a colon and the port. Hits counts packets that matched an
existing entry; Misses counts packets for which no entry was found and one had to be
created, so a rising Misses count with a static-only table indicates traffic that NAT is
being asked to translate dynamically.