Security (ACL)
www.itroute.com.au 1
What is an ACL
• IPv4 Access Control Lists (IP ACLs) give a way to identify different types of packets
• The most common function of an ACL is packet filtering
• When enabled on an interface, the ACL allows or discards IP packets
• Other functions
  • Match packets for QoS features
  • Match voice packets
  • Match packets for NAT
ACL Location and Direction
ACLs are applied
• Inbound to the router
  • Before it makes its forwarding/routing decision (entrance interface)
• Outbound
  • After the router makes its forwarding decision (exit interface)
Matching Packets
• Configuration command keywords: Deny & Permit
ACL Logic
• First-match logic
  • Once a packet matches one line in the ACL, the router takes the action listed in that line
  • It does not look further down the ACL
Types of ACLs
• Standard Numbered ACLs (1-99) & (1300-1999)
• Extended Numbered ACLs (100-199) & (2000-2699)
• Named ACLs
Standard Numbered IPv4 ACLs
• Command Syntax
  • Global command:
    access-list {1-99 | 1300-1999} {permit | deny} source source-wildcard-mask
  • Example:
    access-list 1 permit 10.1.1.1 0.0.0.0
Host and Any Parameters
• Single host permit/deny
  • Wildcard mask 0.0.0.0 is used
  • The host keyword can be used instead of the 0.0.0.0 wildcard mask
  • For example
    access-list 1 deny 172.16.3.10 0.0.0.0
    access-list 1 deny host 172.16.3.10
• All IP addresses permit/deny
  • Wildcard mask 255.255.255.255 is used
  • The any keyword can be used instead of the address and wildcard mask
  • For example
    access-list 1 permit 0.0.0.0 255.255.255.255
    access-list 1 permit any
Example
• Match and permit all packets with a source address of exactly 10.1.1.1
• Match and deny all packets whose source address has the first three octets 10.1.1
• Match and permit all packets whose source address has the first octet 10
Finding the Right Wildcard Mask to Match a Subnet
• For example: subnet 172.16.8.0 with mask 255.255.252.0
  • Invert the subnet mask (255 minus each octet) to get the wildcard mask: 0.0.3.255
• To permit this network
  access-list 1 permit 172.16.8.0 0.0.3.255
Implicit and Explicit Deny
• Explicit deny – a deny statement in the ACL that the packet matches
• Implicit deny – every ACL ends with an implied deny any, so a packet that matches no statement is discarded
Implementation
• Step 1: Plan the location and direction (in or out) on the interface
• Step 2: Configure one or more access-list global configuration commands to create the ACL
  • Keep first-match logic and the explicit deny options in mind
  • Global command:
    access-list number {deny | permit | remark} source [source-wildcard] [log]
• Step 3: Enable the ACL on the chosen router interface, in the correct direction
  • Interface subcommand: ip access-group number {in | out}
Extended Access Control List
Advanced IPv4 ACLs and device security
Matching Options
• Address & wildcard
• Extended ACL numbers: 100-199 and 2000-2699
• access-list 101 permit protocol source_IP dest_IP
• Protocol matching options: ip, tcp, udp, icmp, others ...
Example
• Deny Bob access to all FTP servers on R1's Ethernet
• Deny Larry access to Server1's web server
• Jimmy telnets to Server2 all the time; stop him from telnetting to Server2
Example …
access-list 101 remark Stop Bob to FTP servers and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http
access-list 101 deny tcp host 172.16.3.8 host 172.16.1.102 eq 23
access-list 101 permit ip any any
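Added example (not from the slides): a Python model of wildcard-mask matching and first-match evaluation, run against ACL 101 above with constructed packets. It also covers the inverted-mask computation from the earlier wildcard slide and the implicit deny at the end of every ACL. The eq ftp and eq http keywords are taken as TCP ports 21 and 80; the packet tuples and any host addresses not in ACL 101 are constructed.

```python
import ipaddress

def wildcard_from_mask(subnet_mask):
    """Wildcard mask is the inverted subnet mask: 255.255.252.0 -> 0.0.3.255."""
    inv = ~int(ipaddress.IPv4Address(subnet_mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inv))

def addr_matches(addr, base, wildcard):
    """Wildcard 0 bits must match, 1 bits are ignored (host = 0.0.0.0, any = 255.255.255.255)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# ACL 101 from the slide, one tuple per statement:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [
    ("deny",   "tcp", "172.16.3.10", "0.0.0.0", "172.16.1.0",   "0.0.0.255", 21),  # Bob -> FTP servers
    ("deny",   "tcp", "172.16.2.10", "0.0.0.0", "172.16.1.100", "0.0.0.0",   80),  # Larry -> Server1 web
    ("deny",   "tcp", "172.16.3.8",  "0.0.0.0", "172.16.1.102", "0.0.0.0",   23),  # Jimmy -> Server2 telnet
    ("permit", "ip",  *ANY, *ANY, None),                                          # permit ip any any
]

def evaluate(acl, proto, src, dst, dport):
    """First-match logic: the first matching statement decides and nothing below it is
    consulted. If no statement matches, the implicit deny at the end of the ACL applies."""
    for seq, (action, p, s, swc, d, dwc, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue
        if not (addr_matches(src, s, swc) and addr_matches(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action, seq
    return "deny", None  # implicit deny any

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))                             # 0.0.3.255
    print(evaluate(ACL_101, "tcp", "172.16.3.10", "172.16.1.5", 21))       # ('deny', 1)
    print(evaluate(ACL_101, "tcp", "172.16.3.10", "172.16.1.5", 80))       # ('permit', 4)
    print(evaluate(ACL_101[:3], "tcp", "172.16.9.9", "172.16.1.1", 443))   # ('deny', None)
```

Dropping the final permit ip any any (the ACL_101[:3] case) shows the implicit deny discarding everything the three deny lines did not match.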
Deleting a Single Line in an ACL
• no access-list 101 permit ip any any
• This deletes the entire ACL, not just that one line
Named IP Access Lists
Advantages
• Names identify the ACLs
• ACL statements are subcommands, not global commands
• ACL editing features allow the CLI user to delete individual lines from the ACL and insert new lines
Command Syntax
• Global command
  ip access-list standard name
  ip access-list extended name
• Subcommand
  • Standard
    {permit | deny} source source-wildcard-mask
  • Extended
    {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
• Applying to the interfaces
  Interface subcommand: ip access-group name {in | out}
• Name is case sensitive
Example
Router# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface serial1
Router(config-if)# ip access-group barney out
Router# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# ^Z
Router# show access-list
Editing ACLs Using Sequence Numbers
• New configuration style for numbered ACLs
• Deleting single lines
• Inserting new lines
• Automatic sequence numbering
Example
! Step 1: The 3-line Standard Numbered IP ACL is configured.
R1# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
R1(config)# ip access-list standard 24
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# permit 10.1.2.0 0.0.0.255
R1(config-std-nacl)# permit 10.1.3.0 0.0.0.255
Example Conti…
! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted.
R1(config-std-nacl)# no 20
! Step 4: Displaying the ACL's contents again, without leaving configuration mode.
! Note that line number 20 is no longer listed.
R1(config-std-nacl)# do show ip access-list 24
Standard IP access list 24
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255
! Step 6: Displaying the ACL's contents one last time, with the new statement (sequence number 5) listed first.
R1(config-std-nacl)# do show ip access-list 24
Standard IP access list 24
    5 deny 10.1.1.1
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255
Network Address Translation
CCNA R & S
Chapter objective
• Static NAT
• Dynamic NAT
• PAT
When We Use NAT
• Private addresses are not routable over the Internet
• Use private addressing internally and connect to the Internet using Network Address Translation (NAT)
NAT Concept
[Figure: NAT concept, client 10.1.1.1 and server www.cisco.com at 170.1.1.1]
NAT Terminology
Static NAT
• One to One Mapping
Dynamic NAT
• Many-to-many mapping
TCP Connections to a Web Server
Overload NAT with PAT
• Port Address Translation (One to many mapping)
Static NAT Configuration
Step 1 – Configure interfaces to be in the inside part of the NAT design
  Interface subcommand: ip nat inside
Step 2 – Configure interfaces to be in the outside part of the NAT design
  Interface subcommand: ip nat outside
Step 3 – Configure the static mappings
  Global command: ip nat inside source static inside-local inside-global
Example Static NAT Configuration
NAT# show running-config
Dynamic NAT Configuration
Step 1
• Configure interfaces to be in the inside part of the NAT design
• Interface subcommand: ip nat inside
Step 2
• Configure interfaces to be in the outside part of the NAT design
• Interface subcommand: ip nat outside
Step 3
• Configure an ACL that matches the packets entering inside interfaces
Step 4
• Configure the pool of public IP addresses
• Global command: ip nat pool name first-address last-address netmask subnet-mask
Step 5
• Enable dynamic NAT
• Global command: ip nat inside source list acl-number pool pool-name
Example: Dynamic NAT Configuration
• Verification commands:
  • show ip nat translations
  • show ip nat statistics
NAT Overload Configuration
Step 1
• Configure interfaces to be in the inside part of the NAT design
• Interface subcommand: ip nat inside
Step 2
• Configure interfaces to be in the outside part of the NAT design
• Interface subcommand: ip nat outside
Step 3
• Configure an ACL that matches the packets entering inside interfaces
Step 4 – Enable dynamic NAT with overload (PAT)
• Global command: ip nat inside source list acl-number interface type/number overload
Example
NAT# show running-config
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1
[Figure: NAT table (overload), inside hosts 10.1.1.x translated to 200.1.1.249 towards the Internet]
Inside Local         Inside Global
10.1.1.1:3212        200.1.1.249:3212
10.1.1.2:3213        200.1.1.249:3213
10.1.1.2:38913       200.1.1.249:38913
Verification
NAT# show ip nat translations
Pro Inside global        Inside local        Outside local       Outside global
tcp 200.1.1.249:3212     10.1.1.1:3212       170.1.1.1:23        170.1.1.1:23
tcp 200.1.1.249:3213     10.1.1.2:3213       170.1.1.1:23        170.1.1.1:23
tcp 200.1.1.249:38913    10.1.1.2:38913      170.1.1.1:23        170.1.1.1:23
NAT# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  GigabitEthernet0/0
Hits: 103  Misses: 3
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 interface Serial0/0/0 refcount 3
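Added example (not from the slides): a Python model of the overload (PAT) table behind the show ip nat translations output above, with the single inside global address 200.1.1.249. It assumes the router keeps the inside local source port as the inside global port while that port is free, as the three entries above show, and otherwise takes the next unused port starting at 1024 (a constructed rule, not a documented IOS algorithm). The reverse lookup shows why an inbound packet with no matching entry has nowhere to go.

```python
from dataclasses import dataclass, field

@dataclass
class PatTable:
    """Overload (PAT) table for one inside global address. Constructed model, not IOS code.
    Entry key = (inside local, local port, outside global, outside port) -> inside global port."""
    inside_global: str
    entries: dict = field(default_factory=dict)
    next_port: int = 1024   # assumed start of the fallback port range

    def _port_in_use(self, gport):
        return gport in self.entries.values()

    def outbound(self, inside_local, lport, out_ip, out_port):
        """Translate an outbound packet; the first packet of a flow is a 'miss' that creates the entry."""
        key = (inside_local, lport, out_ip, out_port)
        if key not in self.entries:
            gport = lport   # keep the source port when it is still free
            if self._port_in_use(gport):
                while self._port_in_use(self.next_port):
                    self.next_port += 1
                gport = self.next_port
                self.next_port += 1
            self.entries[key] = gport
        return self.inside_global, self.entries[key]

    def inbound(self, out_ip, out_port, gport):
        """Reverse lookup for a packet arriving on the outside interface: the inside local
        socket, or None when no entry exists (an unsolicited packet is dropped)."""
        for (il, lp, oip, op), gp in self.entries.items():
            if (oip, op, gp) == (out_ip, out_port, gport):
                return il, lp
        return None

    def show(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [("tcp", f"{self.inside_global}:{gp}", f"{il}:{lp}", f"{oip}:{op}", f"{oip}:{op}")
                for (il, lp, oip, op), gp in self.entries.items()]

if __name__ == "__main__":
    t = PatTable("200.1.1.249")
    for il, lp in (("10.1.1.1", 3212), ("10.1.1.2", 3213), ("10.1.1.2", 38913)):
        t.outbound(il, lp, "170.1.1.1", 23)                # the three telnet sessions above
    print(t.outbound("10.1.1.2", 3212, "170.1.1.1", 23))   # ('200.1.1.249', 1024): port 3212 already taken
    print(t.inbound("170.1.1.1", 23, 3213))                # ('10.1.1.2', 3213)
    print(t.inbound("170.1.1.1", 23, 4444))                # None
```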
Managing a Cisco Internetwork
Internal Components of a Cisco Router and Switch
• RAM: working memory and running configuration
• FLASH: Cisco IOS software
• ROM: bootstrap program
• NVRAM: startup configuration
• Startup config – stores the initial configuration used anytime the switch reloads the Cisco IOS – stored in NVRAM
• Running config – stores the currently used configuration commands. This file changes dynamically when someone enters commands in configuration mode – stored in RAM
Cisco IOS Boot Sequence
When a router first powers on, it follows these steps:
• The router performs a power-on self test (POST) process to discover the hardware components and verify that all components work properly
• The router copies a bootstrap program from ROM into RAM and runs the bootstrap program
• The bootstrap program decides which IOS (or other) image to load into RAM, and then loads the OS. After loading the OS image, the bootstrap program hands over control of the router hardware to the newly loaded OS
• If the bootstrap program loaded IOS (instead of some other OS), IOS finds the configuration file (usually the startup-config file in NVRAM) and loads it into RAM as the running-config
• Restoration:
  • Router# copy tftp running-config
  • The TFTP server address must be supplied (10.10.10.254 in this example)
Dynamic Host Configuration Protocol (DHCP)
• Dynamic Host Configuration Protocol (DHCP) is one of the most commonly used protocols in a TCP/IP network.
• The vast majority of hosts in a TCP/IP network are user devices, and those devices learn their IPv4 settings using DHCP.
• A DHCP server automatically assigns IP addresses to hosts.
• The configuration of host IP settings sits in a DHCP server, and clients learn these settings using DHCP messages.
DHCP Server
DHCP Discover
• The DHCP process to lease an IP address uses the following four messages between the client and server:
  • Discover: sent by the DHCP client to find a willing DHCP server
  • Offer: sent by a DHCP server to offer to lease a specific IP address to that client
  • Request: sent by the DHCP client to ask the server to lease the IPv4 address listed in the Offer message
  • Acknowledgment: sent by the DHCP server to assign the address, and to list the mask, default router, and DNS server IP addresses
DHCP Discover and Offer
[Figure: (1) the client broadcasts a Discover to 255.255.255.255 from 0.0.0.0; (2) DHCP server 172.16.1.11 broadcasts an Offer to 255.255.255.255 from 172.16.1.11; router R2 is also shown]
DHCP Server Configuration
• A DHCP server needs to know the following types of settings to support DHCP clients:
  • Subnet ID and mask
  • Reserved (excluded) addresses
  • Default router
  • DNS server IP address
DHCP Server Configuration
ip dhcp excluded-address 192.168.1.1 192.168.1.70
!
ip dhcp pool test
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.100
 dns-server 192.168.1.50
DHCP Relay Agent
• If you need to provide addresses from a DHCP server to hosts that aren't on the same LAN as the DHCP server, you can configure your router interface to relay (forward) the DHCP client request to that server
  Router(config)# int fa0/0
  Router(config-if)# ip helper-address 10.10.10.254
Syslog
❑ Syslog captures key status messages from Cisco devices
❑ Syslog permits various Cisco devices to send their system messages across the network to syslog servers
❑ There are many free syslog server software packages for Windows and UNIX
❑ Each device can store syslog messages locally or on a remote server
❑ Syslog uses UDP port 514
CDP Commands – Examining Information Learned
• show cdp entry name
• show cdp neighbors detail
• Both commands list the exact same details, but the first command lists them for only one neighbor
CDP Commands – Examining Status of CDP Protocol
LLDP
• LLDP is used for discovering non-Cisco devices in the network
SW1(config)# lldp run
SW1(config)# no lldp run
#show flash