Lab_A#config t
Lab_A(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List
Notice that I started by typing ip access-list, not access-list. Doing this allows me to enter a named access list. Next, I’ll need to specify it as a standard access list:
Lab_A(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#
I’ve specified a standard access list, then added the name, BlockSales. I
definitely could’ve used a number for a standard access list, but instead, I
chose to use a nice, clear, descriptive name. And notice that after entering
the name, I hit Enter and the router prompt changed. This confirms that
I’m now in named access list configuration mode and that I’m entering
the named access list:
Lab_A(config-std-nacl)#?
Standard Access List configuration commands:
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any
Lab_A(config-std-nacl)#exit
Lab_A(config)#^Z
Lab_A#
So I’ve entered the access list and then exited configuration mode. Next,
I’ll take a look at the running configuration to verify that the access list is
indeed in the router:
Lab_A#sh running-config | begin ip access
ip access-list standard BlockSales
 deny 172.16.40.0 0.0.0.255
 permit any
!
And there it is: the BlockSales access list has truly been created and is in
the running-config of the router. Next, I’ll need to apply the access list to
the correct interface:
Lab_A#config t
Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group BlockSales out
Clear skies! At this point, we’ve re-created the work done earlier using a named access list. But let’s take our IP extended example, shown in Figure 12.6, and redo that list using a named ACL instead as well.
Same business requirements: Allow HTTP access to the Finance server
from source Host B only. All other traffic is permitted.
Lab_A#config t
Lab_A(config)#ip access-list extended 110
Lab_A(config-ext-nacl)#permit tcp host 192.168.177.2 host 172.22.89.26 eq 80
Lab_A(config-ext-nacl)#deny tcp any host 172.22.89.26 eq 80
Lab_A(config-ext-nacl)#permit ip any any
Lab_A(config-ext-nacl)#int fa0/1
Lab_A(config-if)#ip access-group 110 out
Okay—true—I named the extended list with a number, but sometimes it’s
okay to do that! I’m guessing that named ACLs don’t seem all that
exciting or different to you, do they? Maybe not in this configuration,
except that I don’t need to start every line with
access-list 110
, which is
nice. But where named ACLs really shine is that they allow us to insert,
delete, or edit a single line. That isn’t just nice, it’s wonderful! Numbered
ACLs just can’t compare with that, and I’ll demonstrate this in a minute.
Remarks
The remark keyword is really important because it arms you with the ability to include comments, or remarks, regarding the entries you’ve made in both your IP standard and extended ACLs. Remarks are very cool because they efficiently increase your ability to examine and understand your ACLs to superhero level! Without them, you’d be caught in a quagmire of potentially meaningless numbers without anything to help you recall what all those numbers mean.
Even though you have the option of placing your remarks either before or after a permit or deny statement, I totally recommend that you position them consistently so you don’t get confused about which remark is relevant to a specific permit or deny statement.
To get this going for both standard and extended ACLs, just use the access-list access-list-number remark remark global configuration command like this:
R2#config t
R2(config)#access-list 110 remark Permit Bob from Sales Only To Finance
R2(config)#access-list 110 permit ip host 172.16.40.1 172.16.50.0 0.0.0.255
R2(config)#access-list 110 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
R2(config)#ip access-list extended No_Telnet
R2(config-ext-nacl)#remark Deny all of Sales from Telnetting to Marketing
R2(config-ext-nacl)#deny tcp 172.16.40.0 0.0.0.255 172.16.60.0 0.0.0.255 eq 23
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#do show run
[output cut]
!
ip access-list extended No_Telnet
 remark Deny all of Sales from Telnetting to Marketing
 deny tcp 172.16.40.0 0.0.0.255 172.16.60.0 0.0.0.255 eq telnet
 permit ip any any
!
access-list 110 remark Permit Bob from Sales Only To Finance
access-list 110 permit ip host 172.16.40.1 172.16.50.0 0.0.0.255
access-list 110 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
access-list 110 permit ip any any
!
Sweet: I was able to add a remark to both a numbered extended list and a named access list. Keep in mind that you cannot see these remarks in the output of the show access-list command, which we’ll cover next, because they only show up in the running-config.
Speaking of ACLs, I still need to show you how to monitor and verify
them. This is an important topic, so pay attention!
Monitoring Access Lists
It’s always good to be able to verify a router’s configuration.
Table 12.1
lists the commands that we can use to achieve that.
TABLE 12.1 Commands used to verify access-list configuration

Command               Effect
show access-list      Displays all access lists and their parameters configured on the router, plus a match counter per line showing how many packets that line has permitted or denied. This command does not show you which interface the list is applied on.
show access-list 110  Reveals only the parameters for access list 110. Again, this command will not reveal the specific interface the list is set on.
show ip access-list   Shows only the IP access lists configured on the router.
show ip interface     Displays which interfaces have access lists set on them, and in which direction.
show running-config   Shows the access lists and the specific interfaces that have ACLs applied on them.
We’ve already used the show running-config command to verify that a named access list was in the router, so now let’s take a look at the output from some of the other commands.
The show access-list command will list all ACLs on the router, whether they’re applied to an interface or not:
Lab_A#show access-list
Standard IP access list 10
    10 deny   172.16.40.0, wildcard bits 0.0.0.255
    20 permit any
Standard IP access list BlockSales
    10 deny   172.16.40.0, wildcard bits 0.0.0.255
    20 permit any
Extended IP access list 110
    10 deny tcp any host 172.16.30.5 eq ftp
    20 deny tcp any host 172.16.30.5 eq telnet
    30 permit ip any any
    40 permit tcp host 192.168.177.2 host 172.22.89.26 eq www
    50 deny tcp any host 172.22.89.26 eq www
Lab_A#
First, notice that access list 10 as well as both of our named access lists appear on this list; remember, my extended named ACL was named 110! Because a numbered list 110 already existed on Lab_A, the lines I typed under ip access-list extended 110 were appended to it as lines 40 and 50 rather than creating a new list. Look closely at the order that produced: line 30 is permit ip any any, and since an ACL is processed top-down and the first match wins, lines 40 and 50 can never be reached. The HTTP traffic we meant to block with line 50 is being permitted by line 30. Always check the order of a list after editing it, not just its contents. Second, notice that even though I entered actual numbers for TCP ports in access list 110, the show command gives us the protocol names rather than TCP ports for serious clarity.
But wait! The best part is those numbers on the left side: 10, 20, 30, etc.
Those are called sequence numbers, and they allow us to edit our named
ACL. Here’s an example where I added a line into the named extended
ACL 110:
Lab_A(config)#ip access-list extended 110
Lab_A(config-ext-nacl)#21 deny udp any host 172.16.30.5 eq 69
Lab_A(config-ext-nacl)#^Z
Lab_A#show access-list
[output cut]
Extended IP access list 110
    10 deny tcp any host 172.16.30.5 eq ftp
    20 deny tcp any host 172.16.30.5 eq telnet
    21 deny udp any host 172.16.30.5 eq tftp
    30 permit ip any any
    40 permit tcp host 192.168.177.2 host 172.22.89.26 eq www
    50 deny tcp any host 172.22.89.26 eq www
You can see that I added line 21. I could have deleted a line as well, with no followed by its sequence number (no 30 would remove that early permit ip any any), or edited an existing line the same way: delete it and re-enter it with the sequence number you want. Very nice!
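The matching rules this page relies on (top-down evaluation, first match wins, implicit deny at the end, wildcard masks, and editing by sequence number) are easy to get wrong when you only have a router prompt to check with. The following is an added example of my own, not code from the book, that models those rules in Python for the ACE syntax shown on this page and then reproduces list 110 exactly as it appears in the show access-list output above. The PORT_NAMES table, the packets fed to it and the unreachable() check are my own assumptions for the demonstration.

```python
"""Model of how a Cisco IOS ACL decides: first match wins, implicit deny at
the end, wildcard-mask matching, and editing by sequence number.
Added example, not code from the book. Parses the ACE syntax used on this page
(standard: "deny 172.16.40.0 0.0.0.255"; extended: "permit tcp host A host B
eq www"). PORT_NAMES is an assumed table of the names IOS displays."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "tftp": 69, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")      # what the 'any' keyword expands to
AddrSpec = Tuple[str, str]                # (network, wildcard mask)

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    fixed = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & fixed) == (_ip(network) & fixed)

def _covers(outer: AddrSpec, inner: AddrSpec) -> bool:
    """True when every address matching inner also matches outer."""
    fixed = ~_ip(outer[1]) & 0xFFFFFFFF
    return (_ip(inner[1]) & fixed) == 0 and (_ip(inner[0]) & fixed) == (_ip(outer[0]) & fixed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: AddrSpec
    dst: Optional[AddrSpec]      # None for a standard ACL (source only)
    port: Optional[int]          # destination port from 'eq', else None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto) or not wildcard_match(pkt.src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.port is None or self.port == pkt.dport

    def shadows(self, later: "Ace") -> bool:
        """True when this entry matches everything the later entry could match."""
        if self.proto not in ("ip", later.proto) or not _covers(self.src, later.src):
            return False
        if self.dst is not None and (later.dst is None or not _covers(self.dst, later.dst)):
            return False
        return self.port is None or self.port == later.port

def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (tokens[i], tokens[i + 1]), i + 2          # network wildcard
    return (tokens[i], "0.0.0.0"), i + 1                  # bare address == host (standard ACL)

def parse_ace(line: str, extended: bool, seq: int) -> Ace:
    tokens = line.split()
    if tokens[0].isdigit():                    # an explicit sequence number
        seq, tokens = int(tokens[0]), tokens[1:]
    proto, i = ("ip", 1) if not extended else (tokens[1], 2)
    src, i = _parse_addr(tokens, i)
    dst = port = None
    if extended:
        dst, i = _parse_addr(tokens, i)
        if i < len(tokens) and tokens[i] == "eq":
            port = int(tokens[i + 1]) if tokens[i + 1].isdigit() else PORT_NAMES[tokens[i + 1]]
    return Ace(seq, tokens[0], proto, src, dst, port)

class Acl:
    def __init__(self, name: str, extended: bool):
        self.name, self.extended = name, extended
        self.aces: List[Ace] = []

    def add(self, line: str) -> None:
        """Append with the next sequence number, or insert at the number given."""
        ace = parse_ace(line, self.extended, self.aces[-1].seq + 10 if self.aces else 10)
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError("% Duplicate sequence number")
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)    # IOS orders by sequence, not by entry order

    def remove(self, seq: int) -> None:        # 'no <seq>' in named-ACL configuration mode
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching line decides; no match at all means the implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None

    def unreachable(self) -> List[int]:
        """Sequence numbers that can never match because an earlier line covers them."""
        return [later.seq for i, later in enumerate(self.aces)
                if any(earlier.shadows(later) for earlier in self.aces[:i])]

def build_list_110() -> Acl:
    """List 110 as it appears in the show access-list output above."""
    acl = Acl("110", extended=True)
    for line in ("10 deny tcp any host 172.16.30.5 eq ftp",
                 "20 deny tcp any host 172.16.30.5 eq telnet",
                 "30 permit ip any any",
                 "40 permit tcp host 192.168.177.2 host 172.22.89.26 eq www",
                 "50 deny tcp any host 172.22.89.26 eq www"):
        acl.add(line)
    return acl
```

Running build_list_110().unreachable() reports lines 40 and 50 as dead, and evaluate(Packet("10.9.9.9", "172.22.89.26", "tcp", 80)) comes back permitted by line 30, which is exactly the ordering mistake in the show access-list output above. Removing line 30 with remove(30) and re-adding permit ip any any at the end makes line 50 deny that packet. The shadow check only catches a later line fully covered by a single earlier line; overlapping partial coverage needs a real test packet, which is what evaluate() is for.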
Here’s the output of the show ip interface command:
Lab_A#show ip interface fa0/1
FastEthernet0/1 is up, line protocol is up
  Internet address is 172.16.30.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 110
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
[output cut]
Be sure to notice the line indicating that the outgoing list on this interface is 110, yet the inbound access list isn’t set. What happened to BlockSales? I had configured that outbound on Fa0/1! That’s true, I did, but I then configured my extended named ACL 110 and applied it to Fa0/1 as well. You can’t have two lists on the same interface in the same direction, so the second ip access-group command silently replaced the BlockSales configuration; IOS gives no warning when it does this. That makes show ip interface worth running after every change, because the list you think is protecting an interface may not be the one that is actually applied.
And as I’ve already mentioned, you can use the show running-config command to see any and all access lists.
Summary
In this chapter you learned how to configure standard access lists to
properly filter IP traffic. You discovered what a standard access list is and
how to apply it to a Cisco router to add security to your network. You also
learned how to configure extended access lists to further filter IP traffic.
We also covered the key differences between standard and extended
access lists as well as how to apply them to Cisco routers.
Moving on, you found out how to configure named access lists and apply
them to interfaces on the router and learned that named access lists offer
the huge advantage of being easily identifiable and, therefore, a whole lot
easier to manage than mysterious access lists that are simply referred to
by obscure numbers.
Appendix C, “Disabling and Configuring Network Services,” which takes
off from this chapter, has a fun section in it: turning off default services.
I’ve always found performing this administration task fun, and the auto secure command can help us configure basic, much-needed security on our routers.
The chapter wrapped up by showing you how to monitor and verify
selected access-list configurations on a router.
Exam Essentials
Remember the standard and extended IP access-list number ranges. The number ranges you can use to configure a standard IP access list are 1–99 and 1300–1999. The number ranges for an extended IP access list are 100–199 and 2000–2699.
Understand the term implicit deny. At the end of every access list is an implicit deny. What this means is that if a packet does not match any of the lines in the access list, it will be discarded. Also, if you have nothing but deny statements in your list, the list will not permit any packets.
Understand the standard IP access-list configuration command. To configure a standard IP access list, use the access-list numbers 1–99 or 1300–1999 in global configuration mode. Choose permit or deny, then choose the source IP address you want to filter on using one of the three techniques covered in this chapter.
Understand the extended IP access-list configuration command. To configure an extended IP access list, use the access-list numbers 100–199 or 2000–2699 in global configuration mode. Choose permit or deny, the Network layer protocol field, the source IP address you want to filter on, the destination address you want to filter on, and finally, the Transport layer port number if TCP or UDP has been specified as the protocol.
Remember the command to verify an access list on a router interface. To see whether an access list is set on an interface and in which direction it is filtering, use the show ip interface command. This command will not show you the contents of the access list, merely which access lists are applied on the interface.
Remember the command to verify the access-list configuration. To see the configured access lists on your router, use the show access-list command. This command will not show you which interfaces have an access list set.
Written Lab 12
In this section, you’ll complete the following lab to make sure you’ve got the information and concepts contained within it fully dialed in:
Lab 12.1: Security
The answers to this lab can be found in Appendix A, “Answers to Written
Labs.”
In this section, write the answers to the following questions:
1. What command would you use to configure a standard IP access list
to prevent all machines on network 172.16.0.0/16 from accessing your
Ethernet network?
2. What command would you use to apply the access list you created in
question 1 to an Ethernet interface outbound?
3. What command(s) would you use to create an access list that denies
host 192.168.15.5 access to an Ethernet network?
4. Which command verifies that you’ve entered the access list correctly?
5. What two tools can help notify and prevent DoS attacks?
6. What command(s) would you use to create an extended access list
that stops host 172.16.10.1 from telnetting to host 172.16.30.5?
7. What command would you use to set an access list on a VTY line?
8. Write the same standard IP access list you wrote in question 1 but this
time as a named access list.
9. Write the command to apply the named access list you created in
question 8 to an Ethernet interface outbound.
10. Which command verifies the placement and direction of an access
list?
Hands-on Labs
In this section, you will complete two labs. To complete these labs, you
will need at least three routers. You can easily perform these labs with the
Cisco Packet Tracer program. If you are studying to take your Cisco exam,
you really need to do these labs!
Lab 12.1: Standard IP Access Lists
Lab 12.2: Extended IP Access Lists
All of the labs will use the following diagram for configuring the routers.
Hands-on Lab 12.1: Standard IP Access Lists
In this lab, you will allow only packets from a single host on the SF LAN
to enter the LA LAN.
1. Go to the LA router and enter global configuration mode by typing config t.
2. From global configuration mode, type access-list ? to get a list of all the different access lists available.
3. Choose an access-list number that will allow you to create an IP standard access list. This is a number between 1 and 99 or 1300 and 1999.
4. Choose to permit host 192.168.10.2, the single SF LAN host that is allowed into the LA LAN (a standard list filters on the source address only):
LA(config)#access-list 10 permit 192.168.10.2 ?
  A.B.C.D  Wildcard bits
To specify only host 192.168.10.2, use the wildcard 0.0.0.0:
LA(config)#access-list 10 permit 192.168.10.2 0.0.0.0
5. Now that the access list is created, you must apply it to an interface to make it work. The LA LAN hangs off FastEthernet0/0, so the list goes outbound there:
LA(config)#int f0/0
LA(config-if)#ip access-group 10 out
6. Verify your access list with the following commands:
LA#sh access-list
Standard IP access list 10
    10 permit 192.168.10.2
LA#sh run
[output cut]
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip access-group 10 out
7. Test your access list by pinging from 192.168.10.2 to 192.168.20.2. The ping should succeed: the permit line matches the source address, and the replies come back inbound on f0/0, where no list is applied.
8. If you have another host on the SF LAN, ping 192.168.20.2 from it. That ping should fail if your ACL is working, because the only line in the list permits 192.168.10.2 and every other source hits the implicit deny at the end.
Hands-on Lab 12.2: Extended IP Access Lists
In this lab, you will use an extended IP access list to stop host
192.168.10.2 from creating a Telnet session to router LA (172.16.10.6).
However, the host still should be able to ping the LA router. IP extended
lists should be placed close to the source, so add the extended list on
router SF. Pay attention to the log keyword used in step 6. It is a Cisco objective!
1. Remove any access lists on SF and add an extended list to SF.
2. Choose a number to create an extended IP list. The IP extended lists
use 100–199 or 2000–2699.
3. Use a deny statement. (You’ll add a permit statement in step 7 to allow other traffic to still work.)
SF(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
4. Since you are going to deny Telnet, you must choose TCP as the Transport layer protocol:
SF(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
5. Add the source IP address you want to filter on, then add the destination host IP address. Use the host keyword instead of wildcard bits.
SF(config)#access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  tos          Match packets with given TOS value
  urg          Match on the URG bit
6. At this point, you can add eq telnet to filter host 192.168.10.2 from telnetting to 172.16.10.6. The log keyword can also be added at the end of the line so that a syslog message is generated (on the console by default) whenever the access-list line is hit. Be aware that IOS logs the first matching packet immediately and after that only a summary line with a packet count, every 5 minutes by default, so a quiet log does not mean the line stopped matching; check the match counters in show access-list as well.
SF(config)#access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 eq telnet log
7. It is important to add this line next to create a permit statement. (Remember that 0.0.0.0 255.255.255.255 is the same as the any keyword.)
SF(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
You must create a permit statement; if you just add a deny statement, nothing will be permitted at all. Please see the sections earlier in this chapter for more detailed information on the deny any implied at the end of every ACL.
8. Apply the access list inbound on FastEthernet0/0 on SF to stop the Telnet traffic as soon as it hits the first router interface:
SF(config)#int f0/0
SF(config-if)#ip access-group 110 in
SF(config-if)#
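Once the log keyword from step 6 is in place, the useful work is on the collector side: turning the router's messages into a count of who is being denied. The following is an added example of my own, not code from the book, that parses the %SEC-6-IPACCESSLOGP messages IOS emits for a logged TCP/UDP entry and sums the packet counts per flow. The sample log lines are constructed for this demonstration (the timestamps, source ports and the interface/MAC field that appears when log-input is used instead of log are made up); the 11-packet line stands for the periodic summary IOS sends after the first hit, which is why the code adds up the packet field rather than counting lines.

```python
"""Aggregate the syslog messages produced by the 'log' keyword on an ACE.
Added example, not from the book. SAMPLE_LOG is constructed: it follows the
%SEC-6-IPACCESSLOGP format IOS uses for TCP/UDP entries, with made-up
timestamps and ports; the third line shows the extra "(interface MAC)" field
that log-input adds."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1035) -> 172.16.10.6(23), 1 packet
*Mar  1 00:17:34.570: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1035) -> 172.16.10.6(23), 11 packets
*Mar  1 00:17:35.001: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.7(40001) (FastEthernet0/0 0000.0c12.3456) -> 172.16.10.6(23), 1 packet
*Mar  1 00:18:00.120: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.10.2(1036) -> 172.16.10.6(22), 1 packet
*Mar  1 00:18:01.000: %SYS-5-CONFIG_I: Configured from console by console
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"     # only present with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

Key = Tuple[str, str, str, int]   # (acl, src, dst, dport)

def parse_acl_log(text: str) -> List[dict]:
    """One record per ACL log line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])      # summary lines carry a count > 1
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def denied_totals(records: List[dict]) -> Dict[Key, int]:
    """Sum the packet counts of denied flows; first hits and summaries add up."""
    totals: Dict[Key, int] = defaultdict(int)
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["src"], r["dst"], r["dport"])] += r["count"]
    return dict(totals)

def noisy_sources(totals: Dict[Key, int], threshold: int = 10) -> List[str]:
    """Source addresses with at least `threshold` denied packets on one flow."""
    return sorted({src for (_, src, _, _), n in totals.items() if n >= threshold})

if __name__ == "__main__":
    totals = denied_totals(parse_acl_log(SAMPLE_LOG))
    for key, n in sorted(totals.items()):
        print(key, n)
    print("noisy:", noisy_sources(totals))
```

The threshold is a constructed value for the demonstration; what matters is that the permitted line is parsed but excluded from the totals, and that the repeated Telnet attempts from 192.168.10.2 add up to 12 packets across the first-hit line and the summary line rather than being counted as 2 events.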