
Day 3

Security (ACL)

www.itroute.com.au 1
What is an ACL
• IPv4 Access Control Lists (IP ACLs) give a way to identify different types of packets
• The most common function of an ACL is packet filtering
• When enabled on an interface, an ACL allows or discards IP packets
• Other functions:
• Match packets for QoS features
• Match voice packets
• Match packets for NAT

ACL Location and Direction
ACLs are applied:
• Inbound to the router: before it makes its forwarding/routing decision (entrance interface)
• Outbound: after the router makes its forwarding decision (exit interface)

Matching Packets
• Configuration command keywords: Deny & Permit

ACL Logic
• First-match logic
• Once a packet matches one line in the ACL, the router takes the action listed in that line
• It does not look further down the ACL

Types of ACLs
• Standard Numbered ACLs (1-99) & (1300-1999)
• Extended Numbered ACLs (100-199) & (2000-2699)
• Named ACLs

Standard Numbered IPv4 ACLs
• Command Syntax
• Global Command:
access-list {1-99 | 1300-1999} {permit | deny} source source-wildcard-mask
• Examples:
• access-list 1 permit 10.1.1.1 0.0.0.0
• access-list 99 deny 10.1.1.1 0.0.0.255
• access-list 20 permit 0.0.0.0 255.255.255.255
• Wildcard octet 0: the router must compare this octet as normal
• Wildcard octet 255: the router ignores this octet

Host and Any Parameters
• Single host permit/deny
• Wildcard mask 0.0.0.0 is used
• We can use the “host” keyword instead
• For example
• access-list 1 deny 172.16.3.10 0.0.0.0
• access-list 1 deny host 172.16.3.10
• All IP addresses permit/deny
• Wildcard mask 255.255.255.255 is used
• We can use “any” instead of the address and wildcard mask
• For example
• access-list 1 permit 0.0.0.0 255.255.255.255
• access-list 1 permit any

Example
• Match and permit all packets with a source address of exactly 10.1.1.1
• Match and deny all packets with source addresses whose first three octets are 10.1.1
• Match and permit all packets with source addresses whose first octet is 10

Finding the Right Wildcard Mask to Match a Subnet
• For example: 172.16.8.0 255.255.252.0
• To permit this network:
• access-list 1 permit 172.16.8.0 0.0.3.255

Implicit and Explicit Deny
• Explicit Deny – the packet matches a deny statement configured in the ACL
• Implicit Deny – if a router compares a packet to the ACL and the packet matches none of the configured statements, the router discards the packet
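As an added example that is not part of the original slides, the following Python model implements the standard ACL behaviour described so far: wildcard-mask comparison (octet 0 = compare, 255 = ignore), first-match logic, and the implicit deny at the end of the list. It also derives the wildcard mask for the 172.16.8.0 255.255.252.0 subnet from the previous slide. `EXAMPLE_ACL` is constructed here to satisfy the three requirements on the "Example" slide; the function names are my own, not IOS commands.

```python
# Added example (not from the original slides): a small Python model of how a
# Cisco standard IPv4 ACL evaluates the source address of a packet.
import ipaddress


def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask
    (255.255.252.0 -> 0.0.3.255, as in the 172.16.8.0 example)."""
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the router compares this bit, wildcard bit 1 = it ignores it."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_ace(line: str):
    """Parse 'access-list N {permit|deny} source [wildcard]', accepting the
    'host' and 'any' keywords. Returns (number, action, base, wildcard)."""
    tokens = line.lower().split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list command: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[0] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wildcard = rest[1], "0.0.0.0"
    else:
        # IOS treats a missing wildcard as 0.0.0.0 (exact host match)
        base = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return number, action, base, wildcard


def evaluate(acl_lines, source_ip: str) -> str:
    """First-match logic: the first line whose source/wildcard matches decides,
    later lines are never consulted. No match at all -> implicit deny."""
    for line in acl_lines:
        _, action, base, wildcard = parse_standard_ace(line)
        if wildcard_match(source_ip, base, wildcard):
            return action
    return "deny (implicit)"


# Constructed ACL: permit exactly 10.1.1.1, deny the rest of 10.1.1.0/24,
# permit everything else whose first octet is 10. Order matters: swapping
# the first two lines would deny 10.1.1.1 because of first-match logic.
EXAMPLE_ACL = [
    "access-list 1 permit host 10.1.1.1",
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.252.0"))
    for ip in ("10.1.1.1", "10.1.1.77", "10.9.9.9", "172.16.3.10"):
        print(ip, "->", evaluate(EXAMPLE_ACL, ip))
```

Running the block prints the derived wildcard mask and the verdict for four source addresses; the last one, 172.16.3.10, matches no line and so falls to the implicit deny.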

Implementation
• Step 1: Plan the location and direction (in or out) on the interface
• Step 2: Configure one or more access-list global configuration commands to create the ACL
• Keep first-match logic and the deny options in mind
• Global command:
access-list number {deny | permit | remark} source [source-wildcard] [log]
• Step 3: Enable the ACL on the chosen router interface, in the correct direction
• Interface Subcommand: ip access-group number {in | out}

Extended Access Control List
Advanced IPv4 ACLs and device security

Matching Options
• Address & Wildcard
(Figure: structure of the extended ACL command)
access-list 101 permit protocol source_IP dest_IP
• ACL numbers: 100-199 and 2000-2699
• Protocol matching options: ip, tcp, udp, icmp, others ...
access-list 101 permit protocol source_IP source_port dest_IP dest_port
• Port matching options (tcp and udp): eq, ne, lt, gt, range
• Legend: eq: =, ne: ≠, lt: <, gt: >, range: x to y
Example – FTP (21) Control Port to Server
• Extended ACLs differ from Standard ACLs
• They match the protocol, source IP and destination IP
Applying to the interface
Interface Subcommand:
ip access-group access-list-number {in | out}

Example
• Deny Bob access to all FTP servers on R1’s Ethernet
• Deny Larry access to Server1’s web server
• Jimmy telnets to Server2 all the time – stop him from telnetting to Server2

Example …
• access-list 101 remark Stop Bob to FTP servers and Larry to Server1 web
• access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
• access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http
• access-list 101 deny tcp host 172.16.3.8 host 172.16.1.102 eq 23
• access-list 101 permit ip any any
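Added example (not from the slides): a Python evaluator for the extended ACL 101 above, including the eq/ne/lt/gt/range port operators from the "Matching Options" slide. The packets, the `pkt` helper and the function names are constructed for illustration; Bob, Larry and Jimmy are the hosts 172.16.3.10, 172.16.2.10 and 172.16.3.8 from the slide.

```python
# Added example (not from the original slides): evaluating the slide's extended
# ACL 101 against constructed TCP/UDP packets, with the port operators from
# the legend (eq =, ne !=, lt <, gt >, range x to y).
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "http": 80}


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _match_addr(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A W' at tokens[i]; return (base, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _take_port_op(tokens, i):
    """Consume an optional 'eq|ne|lt|gt PORT' or 'range LO HI'; return (predicate, next_i)."""
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(tokens) and tokens[i] in ("eq", "ne", "lt", "gt"):
        n = _port(tokens[i + 1])
        ops = {"eq": lambda p: p == n, "ne": lambda p: p != n,
               "lt": lambda p: p < n, "gt": lambda p: p > n}
        return ops[tokens[i]], i + 2
    return (lambda p: True), i          # no operator: any port matches


def parse_extended_ace(line: str):
    """Parse 'access-list N {permit|deny} proto src [op port] dst [op port]'.
    Returns None for 'remark' lines, which never match anything."""
    t = line.lower().split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    if t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    src, swc, i = _take_addr(t, 4)
    sport, i = _take_port_op(t, i)
    dst, dwc, i = _take_addr(t, i)
    dport, i = _take_port_op(t, i)
    return {"action": action, "proto": proto, "src": (src, swc), "sport": sport,
            "dst": (dst, dwc), "dport": dport}


def evaluate(acl_lines, packet: dict) -> str:
    """packet = {'proto', 'src', 'sport', 'dst', 'dport'}. First match wins;
    protocol 'ip' matches every protocol; no match -> implicit deny."""
    for line in acl_lines:
        ace = parse_extended_ace(line)
        if ace is None or ace["proto"] not in ("ip", packet["proto"]):
            continue
        if not _match_addr(packet["src"], *ace["src"]) or not _match_addr(packet["dst"], *ace["dst"]):
            continue
        if ace["sport"](packet["sport"]) and ace["dport"](packet["dport"]):
            return ace["action"]
    return "deny (implicit)"


# The ACL from the slide (Bob = 172.16.3.10, Larry = 172.16.2.10, Jimmy = 172.16.3.8)
ACL_101 = [
    "access-list 101 remark Stop Bob to FTP servers and Larry to Server1 web",
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http",
    "access-list 101 deny tcp host 172.16.3.8 host 172.16.1.102 eq 23",
    "access-list 101 permit ip any any",
]


def pkt(proto, src, sport, dst, dport):
    """Constructed packet header: only the fields an extended ACL looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(evaluate(ACL_101, pkt("tcp", "172.16.3.10", 40000, "172.16.1.50", 21)))   # Bob to FTP
    print(evaluate(ACL_101, pkt("tcp", "172.16.3.8", 40002, "172.16.1.102", 23)))   # Jimmy telnet
```

Note that the last line, `permit ip any any`, is what keeps the rest of the traffic flowing; without it the implicit deny at the end would drop everything that the three deny lines do not match.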

Deleting a Single Line in a Numbered ACL
• no access-list 101 permit ip any any
• With a numbered ACL this command deletes the entire ACL 101, not just that one line

Named IP Access Lists
Advantages
• Names identify the ACLs
• Statements are ACL subcommands, not global commands
• ACL editing features allow the CLI user to delete individual lines from the ACL and insert new lines

Command Syntax
• Global Command
ip access-list standard name
ip access-list extended name
• Subcommand
• Standard
{permit | deny} source source-wildcard-mask
• Extended
{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
• Applying to the interfaces
Interface Subcommand: ip access-group name {in | out}
• Name is case sensitive
Example
Router# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface serial1
Router(config-if)# ip access-group barney out
Router# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# ^Z
Router# show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 permit ip any any

Editing ACLs Using Sequence Numbers
• New configuration style for numbered ACLs
• Deleting single lines
• Inserting new lines
• Automatic sequence numbering

Example
! Step 1: The 3-line Standard Numbered IP ACL is configured.
R1# configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
R1(config)# ip access-list standard 24
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# permit 10.1.2.0 0.0.0.255
R1(config-std-nacl)# permit 10.1.3.0 0.0.0.255

! Step 2: Displaying the ACL's contents, without leaving configuration mode.
R1(config-std-nacl)# do show ip access-list 24
Standard IP access list 24
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.1.2.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255

Example continued
! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted.
R1(config-std-nacl)# no 20

! Step 4: Displaying the ACL's contents again, without leaving configuration mode.
! Note that line number 20 is no longer listed.
R1(config-std-nacl)# do show ip access-list 24
Standard IP access list 24
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255

! Step 5: Inserting a new first line in the ACL.
R1(config-std-nacl)# 5 deny 10.1.1.1

! Step 6: Displaying the ACL's contents one last time, with the new statement (sequence number 5) listed first.
R1(config-std-nacl)# do show ip access-list 24
Standard IP access list 24
    5 deny 10.1.1.1
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255
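Added example (not the slides' code): a Python model of sequence-numbered editing that replays steps 1 to 6 of the ACL 24 example above, set beside the older numbered-ACL behaviour from the "Deleting a Single Line" slide, where `no access-list 101 ...` removes the whole list. Class and function names are my own.

```python
# Added example (not from the original slides): how sequence-numbered ACL
# editing behaves ('no <seq>' deletes one line, '<seq> <entry>' inserts at a
# chosen position, unnumbered lines are auto-numbered in steps of 10), next
# to the classic numbered-ACL pitfall where 'no access-list N ...' removes
# every line of the ACL.
class SequencedAcl:
    """An ACL whose entries are kept in sequence-number order."""

    def __init__(self, name, step=10):
        self.name = name
        self.step = step          # IOS auto-numbers new lines in steps of 10
        self.entries = {}         # sequence number -> entry text

    def add(self, text, seq=None):
        """'<seq> <entry>' inserts at that position; without a sequence number
        the line goes after the current highest number."""
        if seq is None:
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already in use")
        self.entries[seq] = text
        return seq

    def delete(self, seq):
        """'no <seq>' deletes just that one line."""
        del self.entries[seq]

    def delete_by_text(self, text):
        """Named-ACL 'no <entry>' also removes only the matching line
        (the 'barney' example removed one deny and kept lines 10, 20, 30, 50)."""
        for seq, entry in list(self.entries.items()):
            if entry == text:
                del self.entries[seq]
                return seq
        raise KeyError(text)

    def show(self):
        """Lines in the order 'show ip access-list' would print them."""
        return [f"{seq} {text}" for seq, text in sorted(self.entries.items())]


def legacy_no_access_list(config: dict, number: int) -> dict:
    """Classic numbered-ACL behaviour: 'no access-list <number> ...' in global
    configuration removes every line of that ACL, whatever follows the number."""
    config.pop(number, None)
    return config


def walk_through_slide_example():
    """Replays steps 1, 3 and 5 of the ACL 24 example and returns the final listing."""
    acl = SequencedAcl("24")
    for net in ("10.1.1.0", "10.1.2.0", "10.1.3.0"):        # step 1: lines 10, 20, 30
        acl.add(f"permit {net} 0.0.0.255")
    acl.delete(20)                                           # step 3: no 20
    acl.add("deny 10.1.1.1", seq=5)                          # step 5: 5 deny 10.1.1.1
    return acl.show()


if __name__ == "__main__":
    for line in walk_through_slide_example():
        print(line)
    print(legacy_no_access_list({101: ["permit ip any any"]}, 101))   # {}
```

`delete_by_text` is the named-ACL form of removing a line used in the `barney` example, while `legacy_no_access_list` shows the opposite behaviour of the old global-command style; which one applies depends only on whether the ACL was entered with `ip access-list` subcommands or with global `access-list` commands.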

Network Address Translation

CCNA R & S
www.itroute.com.au
Chapter objective
• Static NAT
• Dynamic NAT
• PAT

When we Use NAT
• Private addresses are not routable over the Internet
• To use private addressing and still connect to the Internet, use Network Address Translation (NAT)

NAT Concept
(Figure: client 10.1.1.1 sending to the server www.cisco.com at 170.1.1.1 through a NAT router)
Before NAT: Source 10.1.1.1, Destination 170.1.1.1
After NAT changes the source: Source 200.1.1.1, Destination 170.1.1.1
Return packet from the server: Source 170.1.1.1, Destination 200.1.1.1
After NAT changes the destination back: Source 170.1.1.1, Destination 10.1.1.1

NAT Terminology
• Inside Local, Inside Global, Outside Global, Outside Local

Static NAT
• One to One Mapping

Dynamic NAT
• Many to many mapping

TCP Connections to a Web Server

Overload NAT with PAT
• Port Address Translation (One to many mapping)

Static NAT Configuration
Step 1 – Configure interfaces to be in the inside part of the NAT design
Interface Subcommand: ip nat inside
Step 2 – Configure interfaces to be in the outside part of the NAT design
Interface Subcommand: ip nat outside
Step 3 – Configure the static mappings
Global Command: ip nat inside source static inside-local inside-global

Example Static NAT Configuration
(Figure: inside hosts 10.1.1.1 and 10.1.1.2 behind the NAT router, statically mapped to 200.1.1.1 and 200.1.1.2)
NAT# show running-config
! Lines omitted for brevity
!
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1

NAT# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
--- 200.1.1.2          10.1.1.2           ---                ---

Dynamic NAT Configuration
Step 1
• Configure interfaces to be in the inside part of the NAT design
• Interface Subcommand: ip nat inside
Step 2
• Configure interfaces to be in the outside part of the NAT design
• Interface Subcommand: ip nat outside
Step 3
• Configure an ACL that matches the packets entering inside interfaces
Step 4
• Configure the pool of public IP addresses using
• Global Command: ip nat pool name first-address last-address netmask subnet-mask
Step 5
• Enable dynamic NAT
• Global Command: ip nat inside source list acl-number pool pool-name

Example: Dynamic NAT Configuration
• Verification commands:
• show ip nat translations
• show ip nat statistics

NAT Overload Configuration
Step 1
• Configure interfaces to be in the inside part of the NAT design
• Interface Subcommand: ip nat inside
Step 2
• Configure interfaces to be in the outside part of the NAT design
• Interface Subcommand: ip nat outside
Step 3
• Configure an ACL that matches the packets entering inside interfaces
Step 4 – Enable dynamic NAT with overload
Global Command: ip nat inside source list acl-number interface type/number overload
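Added example (not from the slides): a Python translation-table model for the three NAT types on these slides, static one-to-one, dynamic from a pool, and overload/PAT on an interface address, using the addresses from the static and overload examples. The `untranslate` method shows why PAT must record the port: the inside-global port is the only key that maps a reply back to the right inside host. Class and method names are my own; the model ignores timeouts and allocates a replacement port by simple incrementing, which is a simplification of the router's behaviour.

```python
# Added example (not from the original slides): a NAT translation table that
# supports static, dynamic (pool) and overloaded (PAT) inside-source NAT.
class NatTable:
    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static = dict(static or {})      # inside local -> inside global (ip nat inside source static)
        self.pool_free = list(pool or [])     # unused addresses from 'ip nat pool ...'
        self.dynamic = {}                     # inside local -> inside global taken from the pool
        self.overload_ip = overload_ip        # interface address shared by all hosts under PAT
        self.ports_in_use = set()             # (proto, inside-global port) pairs under PAT
        self.entries = []                     # rows like 'show ip nat translations'

    def translate(self, proto, src, sport, dst, dport):
        """Translate an outbound packet's source; returns (inside global ip, port)."""
        if src in self.static:
            ig, igp = self.static[src], sport                 # one-to-one, port untouched
        elif self.overload_ip:
            ig, igp = self.overload_ip, sport
            # PAT keeps the original source port when it is free, else picks another
            while (proto, igp) in self.ports_in_use:
                igp = igp + 1 if igp < 65535 else 1024
            self.ports_in_use.add((proto, igp))
        else:
            if src not in self.dynamic:                       # many-to-many from the pool
                if not self.pool_free:
                    raise RuntimeError("NAT pool exhausted")
                self.dynamic[src] = self.pool_free.pop(0)
            ig, igp = self.dynamic[src], sport
        # Outside local == outside global: nothing on the outside is translated here
        self.entries.append((proto, f"{ig}:{igp}", f"{src}:{sport}", f"{dst}:{dport}", f"{dst}:{dport}"))
        return ig, igp

    def untranslate(self, proto, ig, igp):
        """Map a reply arriving at inside global ip:port back to the inside local host."""
        for p, inside_global, inside_local, _, _ in self.entries:
            if p == proto and inside_global == f"{ig}:{igp}":
                host, port = inside_local.rsplit(":", 1)
                return host, int(port)
        return None

    def active_translations(self) -> int:
        """The number 'show ip nat statistics' reports as total active translations."""
        return len(self.entries)

    def show_translations(self):
        header = ("Pro", "Inside global", "Inside local", "Outside local", "Outside global")
        return [header] + self.entries


if __name__ == "__main__":
    # The overload example: both hosts share Serial0/0/0's address 200.1.1.249
    pat = NatTable(overload_ip="200.1.1.249")
    pat.translate("tcp", "10.1.1.1", 3212, "170.1.1.1", 23)
    pat.translate("tcp", "10.1.1.2", 3213, "170.1.1.1", 23)
    pat.translate("tcp", "10.1.1.2", 38913, "170.1.1.1", 23)
    for row in pat.show_translations():
        print("%-4s %-20s %-18s %-18s %s" % row)
```

The three translate calls reproduce the three rows of the overload verification output on the following slides; a fourth host that happens to pick source port 3212 as well would be given a different inside-global port, which is exactly what lets the router keep the two flows apart on the single public address.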

Example
NAT# show running-config
! Lines omitted for brevity
!
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 200.1.1.249 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface Serial0/0/0 overload
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1

(Figure: NAT table (overload) on the router whose Serial0/0/0 address 200.1.1.249 faces the Internet)
Inside local         Inside global
10.1.1.1:3212        200.1.1.249:3212
10.1.1.2:3213        200.1.1.249:3213
10.1.1.2:38913       200.1.1.249:38913

Verification
NAT# show ip nat translations
Pro Inside global        Inside local       Outside local      Outside global
tcp 200.1.1.249:3212     10.1.1.1:3212      170.1.1.1:23       170.1.1.1:23
tcp 200.1.1.249:3213     10.1.1.2:3213      170.1.1.1:23       170.1.1.1:23
tcp 200.1.1.249:38913    10.1.1.2:38913     170.1.1.1:23       170.1.1.1:23
NAT# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  GigabitEthernet0/0
Hits: 103  Misses: 3
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 interface Serial0/0/0 refcount 3

Managing a Cisco Internetwork
Internal Components of a Cisco Router and Switch
• RAM: working memory and running configuration
• FLASH: Cisco IOS software
• ROM: bootstrap program
• NVRAM: startup configuration

Cisco IOS Configuration Files
• Startup config – Stores the initial configuration used any time the switch reloads the Cisco IOS – Stored in NVRAM
• Running config – Stores the currently used configuration commands. This file changes dynamically when someone enters commands in configuration mode – Stored in RAM
CCNA Routing & Switching
Cisco IOS Boot Sequence
When a router first powers on, it follows these steps:
• The router performs a power-on self test (POST) process to discover the hardware components and verify that all components work properly
• The router copies a bootstrap program from ROM into RAM and runs the bootstrap program
• The bootstrap program decides which IOS (or other) image to load into RAM, and then loads that OS. After loading the OS image, the bootstrap program hands over control of the router hardware to the newly loaded OS
• If the bootstrap program loaded IOS (instead of some other OS), IOS finds the configuration file (usually the startup-config file in NVRAM) and loads it into RAM as the running-config



Copying the Current Configuration to NVRAM or TFTP
• Router# copy running-config startup-config
• Router# copy running-config tftp
• Need to provide the TFTP server address (10.10.10.254 in this example)
• Restoration:
• Router# copy tftp running-config
• Need to provide the TFTP server address (10.10.10.254 in this example)
Dynamic Host Configuration Protocol (DHCP)
• Dynamic Host Configuration Protocol (DHCP) is one of the most commonly used protocols in a TCP/IP network.
• The vast majority of hosts in a TCP/IP network are user devices, and those devices learn their IPv4 settings using DHCP.
• A DHCP server automatically assigns IP addresses to hosts.
• The configuration of host IP settings sits in a DHCP server, and clients learn these settings using DHCP messages

DHCP Server
DHCP discover
• The DHCP process to lease an IP address uses the
following four messages between the client and server.
• Discover: Sent by the DHCP client to find a willing DHCP
server
• Offer: Sent by a DHCP server to offer to lease to that
client a specific IP address
• Request: Sent by the DHCP client to ask the server to
lease the IPv4 address listed in the Offer message
• Acknowledgment: Sent by the DHCP Server to assign
the address, and to list the mask, default router, and
DNS server IP addresses

DHCP Discover and Offer
(Figure: the client behind router R2 sends a Discover to 255.255.255.255 from 0.0.0.0; the DHCP server 172.16.1.11 answers with an Offer to 255.255.255.255 from 172.16.1.11)

DHCP server configuration
• DHCP server needs to know the following types of
settings to support DHCP clients:
• Subnet ID and mask
• Reserved (excluded) addresses
• Default router
• DNS IP address

DHCP Server Configuration
ip dhcp excluded-address 192.168.1.1 192.168.1.70
!
ip dhcp pool test
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.100
 dns-server 192.168.1.50

• show ip dhcp binding
• show ip dhcp pool [poolname]
• show ip dhcp server statistics
• ipconfig /release (run at the PC's command prompt)
• ipconfig /renew (run at the PC's command prompt)
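Added example (not from the slides): a Python model of the Discover/Offer/Request/Acknowledgment exchange from the previous slides, driven by the settings of the DHCP server configuration above (excluded range, network, default router, DNS server), plus the release that `ipconfig /release` triggers. Client identifiers and the message dictionaries are constructed; the model hands out the lowest free address and ignores lease timers, which is a simplification of the real server. One thing worth checking in the slide's configuration: the excluded range 192.168.1.1-70 covers the DNS server at .50 but not the default router at 192.168.1.100, so the model (like the router) would happily lease .100 to a client.

```python
# Added example (not from the original slides): a minimal DHCP server model
# that walks through Discover -> Offer -> Request -> Acknowledgment using the
# pool settings from the slide, and handles Release.
import ipaddress


class DhcpServer:
    def __init__(self, network, mask, excluded, default_router, dns_server):
        net = ipaddress.IPv4Network(f"{network}/{mask}")
        lo, hi = (ipaddress.IPv4Address(a) for a in excluded)
        # ip dhcp excluded-address lo hi: these are never offered to any client
        self.free = [str(h) for h in net.hosts() if not lo <= h <= hi]
        self.mask, self.router, self.dns = mask, default_router, dns_server
        self.offers = {}     # client id (MAC) -> address offered, not yet acknowledged
        self.bindings = {}   # client id (MAC) -> leased address ('show ip dhcp binding')

    def handle(self, msg):
        """Process one client message and return the server's reply (or None)."""
        kind, client = msg["type"], msg["client"]
        if kind == "DISCOVER":
            # A client that already holds a lease or an offer gets the same address again
            addr = self.bindings.get(client) or self.offers.get(client)
            if addr is None:
                if not self.free:
                    return None                   # pool exhausted: the server stays silent
                addr = self.free.pop(0)
                self.offers[client] = addr
            return {"type": "OFFER", "client": client, "yiaddr": addr}
        if kind == "REQUEST":
            addr = msg["requested"]
            if addr not in (self.offers.get(client), self.bindings.get(client)):
                return {"type": "NAK", "client": client}   # not what we offered this client
            self.offers.pop(client, None)
            self.bindings[client] = addr
            # The ACK carries the address plus the mask, default router and DNS server
            return {"type": "ACK", "client": client, "yiaddr": addr, "mask": self.mask,
                    "router": self.router, "dns": self.dns}
        if kind == "RELEASE":                     # what 'ipconfig /release' makes the PC send
            addr = self.bindings.pop(client, None)
            if addr is not None:
                self.free.append(addr)
                self.free.sort(key=ipaddress.IPv4Address)
            return None
        raise ValueError(f"unknown DHCP message type {kind!r}")


def lease(server, client):
    """Run the four-message exchange for one client and return the ACK (or None)."""
    discover = {"type": "DISCOVER", "client": client, "src": "0.0.0.0", "dst": "255.255.255.255"}
    offer = server.handle(discover)
    if offer is None:
        return None
    request = {"type": "REQUEST", "client": client, "requested": offer["yiaddr"]}
    return server.handle(request)


# The pool from the 'DHCP Server Configuration' slide
SLIDE_SERVER_ARGS = dict(network="192.168.1.0", mask="255.255.255.0",
                         excluded=("192.168.1.1", "192.168.1.70"),
                         default_router="192.168.1.100", dns_server="192.168.1.50")

if __name__ == "__main__":
    server = DhcpServer(**SLIDE_SERVER_ARGS)
    print(lease(server, "aa:bb:cc:00:00:01"))   # constructed client MAC
    print(server.bindings)
```

The first client is handed 192.168.1.71, the first address after the excluded range, and the ACK carries the mask, default router and DNS server exactly as the Acknowledgment message on the earlier slide describes.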

DHCP Relay Agent
• If you need to provide addresses from a DHCP server to hosts that aren’t on the same LAN as the DHCP server, you can configure your router interface to relay or forward the DHCP client request
• Router(config)# int fa0/0
• Router(config-if)# ip helper-address 10.10.10.254
Syslog
❑Syslog captures key status messages from Cisco devices
❑Syslog permits various Cisco devices to send their system messages across the network to syslog servers
❑There are many free syslog server software packages for Windows and UNIX
❑Each device can store syslog messages locally or on a remote server
❑Syslog uses UDP port 514



Syslog
Popular destinations for syslog messages include:
• The logging buffer (RAM inside the router or switch)
• The console line
• The terminal lines
• A syslog server
(Figure: Switch 1 and Router 1 sending their messages to a syslog server)
Syslog Remote Configuration
• R1# conf t
• R1(config)# logging 1.1.1.1 (IP address of the syslog server)
• Setting memory for syslog and the severity level sent to the server:
R1(config)# logging buffered
R1(config)# logging trap notification
• R1# show logging (shows the logging settings on a Cisco router)
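Added example (not from the slides): a Python model of what `logging 1.1.1.1` and `logging trap notification` make a device do: parse the %FACILITY-SEVERITY-MNEMONIC header of each system message, keep only severities 0 to 5 (emergencies through notifications), and wrap each kept message in a syslog datagram for UDP port 514. The sample messages are constructed in the IOS format, the facility code local7 is the IOS default, and `send_to_server` is only shown, not called, so the block runs offline.

```python
# Added example (not from the original slides): trap-level filtering and
# UDP/514 datagram construction for Cisco IOS system messages.
import socket

SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
              "notifications": 5, "informational": 6, "debugging": 7}
LOCAL7 = 23     # IOS sends syslog with facility local7 unless 'logging facility' changes it


def parse_ios_message(line: str):
    """Split '%FACILITY-SEVERITY-MNEMONIC: text' into its parts."""
    head, _, text = line.partition(": ")
    if not head.startswith("%") or head.count("-") < 2:
        raise ValueError(f"not an IOS system message: {line!r}")
    facility, severity, mnemonic = head[1:].split("-", 2)
    return {"facility": facility, "severity": int(severity), "mnemonic": mnemonic, "text": text}


def passes_trap_level(line: str, trap_level: str) -> bool:
    """'logging trap <level>' forwards messages at that severity or more severe
    (a lower number): 'notifications' sends 0-5 to the server, 6 and 7 stay local."""
    return parse_ios_message(line)["severity"] <= SEVERITIES[trap_level]


def build_datagram(line: str, facility_code: int = LOCAL7) -> bytes:
    """RFC 3164-style payload for UDP port 514: '<PRI>message', PRI = facility*8 + severity."""
    sev = parse_ios_message(line)["severity"]
    return f"<{facility_code * 8 + sev}>{line}".encode()


def forward(lines, trap_level: str, facility_code: int = LOCAL7):
    """Return the datagrams a device would send to its syslog server for the given trap level."""
    return [build_datagram(l, facility_code) for l in lines if passes_trap_level(l, trap_level)]


def send_to_server(datagram: bytes, server_ip: str, port: int = 514) -> None:
    """What 'logging <ip>' makes the device do for each forwarded message (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server_ip, port))


# Constructed sample messages in the IOS format
SAMPLE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]

if __name__ == "__main__":
    for dgram in forward(SAMPLE_MESSAGES, "notifications"):
        print(dgram.decode())
```

Running it prints three datagrams, each starting with the PRI value `<187>` or `<189>` (local7 with severity 3 or 5). The config-change message `%SYS-5-CONFIG_I` sits at level 5, so `logging trap notification` is the least verbose setting that still gets configuration changes to the collector; a lower trap level such as `errors` would silently drop them.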



NTP
• To make sure all devices are synchronised with the same time information, we need to configure our device to receive accurate time information from a centralized server
R1(config)# ntp server 172.16.10.1
R1# show ntp status
R1# show ntp associations
Uses of CDP
• Device identifier: the host name of the neighbor
• Address list: its network and data link addresses
• Port identifier: which interface the remote router or switch on the other side of the link sent the CDP advertisement from
• Capabilities list: what type of device it is, for example a router or a switch
• Platform: the model of the device

CDP Commands – Examining Information Learned
• show cdp entry name
• show cdp neighbors detail
• Both commands list the same details, but the first command shows them for only one neighbor

CDP Commands – Examining Status of CDP Protocol
• Global Command: no cdp run
• Disables CDP globally
• Interface subcommand: no cdp enable
• Disables CDP on the selected interface(s)

LLDP
• LLDP is used for discovering non-Cisco devices in the network
SW1(config)# lldp run
SW1(config)# no lldp run
To enable LLDP on an interface use:
SW1(config-if)# lldp transmit
SW1(config-if)# lldp receive
DNS – Domain Name System
• Resolves names into the matching IP address

Handy commands
• Checking Telnet connections/sessions: # show sessions
• Checking Telnet users: # show users
• # ping
• # telnet
• # traceroute
• # tracert
• # debug all (do not apply)
• # undebug all
• # debug ip icmp (then ping an IP address)
• # show processes
Managing Cisco Devices
Configuration register
• All Cisco routers have a 16-bit software register that’s written into NVRAM
• By default the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM
• To check the current configuration register value:
# show version
• Boot system commands:
# boot system flash c2800nm-advsecurityk9-mz.151-4.M6.bin
# boot system tftp c2800nm-advsecurityk9-mz.151-4.M6.bin 1.1.1.2
Recovering Password
• To recover the password we need to change the configuration register value to 0x2142
1. Go to ROMMON (reboot and press Ctrl+Shift+Break)
2. Change the value to 0x2142 (confreg 0x2142)
3. Reset the router
4. Say "no" to entering setup mode
5. Copy the startup config to the running config (copy startup-config running-config)
6. Change the password
7. Change the configuration register value back to the default (0x2102)
8. Save the router configuration
9. Reload the router (optional)
Backing Up and Restoring the Cisco IOS
Copying an IOS image from a TFTP host to flash memory:
# copy tftp flash:
Copying an IOS image from a router to a TFTP host:
# copy flash tftp:
# show flash



Using the Cisco IOS file system
R1# dir
R1# show file information flash:
R1# delete flash:
R1# show flash
Three Router Operating Systems
• Cisco IOS Image
• ROM Monitor (ROMMON)
• Boot ROM (RxBoot, boot helper)



Managing IOS Licensing
Original Packaging: One IOS Image per Feature Set Combination
• IP Base
• IP Base + Security
• IP Base + Data
• IP Base + Voice
• IP Base + Security + Data
• IP Base + Security + Voice
• IP Base + Security + Voice + Data
• New IOS Packaging: One Universal Image with All Feature Sets > IP Base + Security + Voice + Data



IOS Software Activation with Universal Images
• A license key is needed to enable IOS features
• The IP Base feature set is enabled by default
• Licenses enable features and verify the legal right to use them
• A license is required to enable the Security, Voice and Data feature sets of the IOS image



Managing Software Activation with Cisco License Manager
• Cisco License Manager (CLM) is a free application that can be installed on Windows client and server, Sun Solaris and Red Hat Linux
• CLM communicates with Cisco’s Product License Registration Portal over the Internet
• It takes as input information about feature licences purchased from any Cisco reseller
• It communicates with the company’s routers and switches to install license keys, enabling features on the correct devices



EXEC commands
▪ show license feature
▪ show license udi
▪ dir filesystem
▪ show version
▪ license install url
