![](/user_photo/1438_p9ksI.png)
- •Warning and Disclaimer
- •Feedback Information
- •Trademark Acknowledgments
- •About the Author
- •About the Technical Reviewers
- •Dedication
- •Acknowledgments
- •Contents at a Glance
- •Contents
- •Icons Used in This Book
- •Command Syntax Conventions
- •Cisco’s Motivation: Certifying Partners
- •Format of the CCNA Exams
- •What’s on the CCNA Exams
- •ICND Exam Topics
- •Cross-Reference Between Exam Topics and Book Parts
- •CCNA Exam Topics
- •INTRO and ICND Course Outlines
- •Objectives and Methods
- •Book Features
- •How This Book Is Organized
- •Part I: LAN Switching
- •Part II: TCP/IP
- •Part III: Wide-Area Networks
- •Part IV: Network Security
- •Part V: Final Preparation
- •Part VI: Appendixes
- •How to Use These Books to Prepare for the CCNA Exam
- •For More Information
- •Part I: LAN Switching
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Brief Review of LAN Switching
- •The Forward-Versus-Filter Decision
- •How Switches Learn MAC Addresses
- •Forwarding Unknown Unicasts and Broadcasts
- •LAN Switch Logic Summary
- •Basic Switch Operation
- •Foundation Summary
- •Spanning Tree Protocol
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Spanning Tree Protocol
- •What IEEE 802.1d Spanning Tree Does
- •How Spanning Tree Works
- •Electing the Root and Discovering Root Ports and Designated Ports
- •Reacting to Changes in the Network
- •Spanning Tree Protocol Summary
- •Optional STP Features
- •EtherChannel
- •PortFast
- •Rapid Spanning Tree (IEEE 802.1w)
- •RSTP Link and Edge Types
- •RSTP Port States
- •RSTP Port Roles
- •RSTP Convergence
- •Edge-Type Behavior and PortFast
- •Link-Type Shared
- •Link-Type Point-to-Point
- •An Example of Speedy RSTP Convergence
- •Basic STP show Commands
- •Changing STP Port Costs and Bridge Priority
- •Foundation Summary
- •Foundation Summary
- •Virtual LANs and Trunking
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of Virtual LAN Concepts
- •Trunking with ISL and 802.1Q
- •ISL and 802.1Q Compared
- •VLAN Trunking Protocol (VTP)
- •How VTP Works
- •VTP Pruning
- •Foundation Summary
- •Part II: TCP/IP
- •IP Addressing and Subnetting
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •IP Addressing Review
- •IP Subnetting
- •Analyzing and Interpreting IP Addresses and Subnets
- •Math Operations Used to Answer Subnetting Questions
- •Converting IP Addresses from Decimal to Binary and Back Again
- •The Boolean AND Operation
- •How Many Hosts and How Many Subnets?
- •What Is the Subnet Number, and What Are the IP Addresses in the Subnet?
- •Finding the Subnet Number
- •Finding the Subnet Broadcast Address
- •Finding the Range of Valid IP Addresses in a Subnet
- •Finding the Answers Without Using Binary
- •Easier Math with Easy Masks
- •Which Subnet Masks Meet the Stated Design Requirements?
- •What Are the Other Subnet Numbers?
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Extended ping Command
- •Distance Vector Concepts
- •Distance Vector Loop-Avoidance Features
- •Route Poisoning
- •Split Horizon
- •Split Horizon with Poison Reverse
- •Hold-Down Timer
- •Triggered (Flash) Updates
- •RIP and IGRP
- •IGRP Metrics
- •Examination of RIP and IGRP debug and show Commands
- •Issues When Multiple Routes to the Same Subnet Exist
- •Administrative Distance
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Link-State Routing Protocol and OSPF Concepts
- •Steady-State Operation
- •Loop Avoidance
- •Scaling OSPF Through Hierarchical Design
- •OSPF Areas
- •Stub Areas
- •Summary: Comparing Link-State and OSPF to Distance Vector Protocols
- •Balanced Hybrid Routing Protocol and EIGRP Concepts
- •EIGRP Loop Avoidance
- •EIGRP Summary
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Route Summarization and Variable-Length Subnet Masks
- •Route Summarization Concepts
- •VLSM
- •Route Summarization Strategies
- •Sample “Best” Summary on Seville
- •Sample “Best” Summary on Yosemite
- •Classless Routing Protocols and Classless Routing
- •Classless and Classful Routing Protocols
- •Autosummarization
- •Classful and Classless Routing
- •Default Routes
- •Classless Routing
- •Foundation Summary
- •Advanced TCP/IP Topics
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Scaling the IP Address Space for the Internet
- •CIDR
- •Private Addressing
- •Network Address Translation
- •Static NAT
- •Dynamic NAT
- •Overloading NAT with Port Address Translation (PAT)
- •Translating Overlapping Addresses
- •Miscellaneous TCP/IP Topics
- •Internet Control Message Protocol (ICMP)
- •ICMP Echo Request and Echo Reply
- •Destination Unreachable ICMP Message
- •Time Exceeded ICMP Message
- •Redirect ICMP Message
- •Secondary IP Addressing
- •FTP and TFTP
- •TFTP
- •MTU and Fragmentation
- •Foundation Summary
- •Part III: Wide-Area Networks
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of WAN Basics
- •Physical Components of Point-to-Point Leased Lines
- •Data-Link Protocols for Point-to-Point Leased Lines
- •HDLC and PPP Compared
- •Looped Link Detection
- •Enhanced Error Detection
- •Authentication Over WAN Links
- •PAP and CHAP Authentication
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •ISDN Protocols and Design
- •Typical Uses of ISDN
- •ISDN Channels
- •ISDN Protocols
- •ISDN BRI Function Groups and Reference Points
- •ISDN PRI Function Groups and Reference Points
- •BRI and PRI Encoding and Framing
- •PRI Encoding
- •PRI Framing
- •BRI Framing and Encoding
- •DDR Step 1: Routing Packets Out the Interface to Be Dialed
- •DDR Step 2: Determining the Subset of the Packets That Trigger the Dialing Process
- •DDR Step 3: Dialing (Signaling)
- •DDR Step 4: Determining When the Connection Is Terminated
- •ISDN and DDR show and debug Commands
- •Multilink PPP
- •Foundation Summary
- •Frame Relay
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Frame Relay Protocols
- •Frame Relay Standards
- •Virtual Circuits
- •LMI and Encapsulation Types
- •DLCI Addressing Details
- •Network Layer Concerns with Frame Relay
- •Layer 3 Addressing with Frame Relay
- •Frame Relay Layer 3 Addressing: One Subnet Containing All Frame Relay DTEs
- •Frame Relay Layer 3 Addressing: One Subnet Per VC
- •Frame Relay Layer 3 Addressing: Hybrid Approach
- •Broadcast Handling
- •Frame Relay Service Interworking
- •A Fully-Meshed Network with One IP Subnet
- •Frame Relay Address Mapping
- •A Partially-Meshed Network with One IP Subnet Per VC
- •A Partially-Meshed Network with Some Fully-Meshed Parts
- •Foundation Summary
- •Part IV: Network Security
- •IP Access Control List Security
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Standard IP Access Control Lists
- •IP Standard ACL Concepts
- •Wildcard Masks
- •Standard IP ACL: Example 2
- •Extended IP Access Control Lists
- •Extended IP ACL Concepts
- •Extended IP Access Lists: Example 1
- •Extended IP Access Lists: Example 2
- •Miscellaneous ACL Topics
- •Named IP Access Lists
- •Controlling Telnet Access with ACLs
- •ACL Implementation Considerations
- •Foundation Summary
- •Part V: Final Preparation
- •Final Preparation
- •Suggestions for Final Preparation
- •Preparing for the Exam Experience
- •Final Lab Scenarios
- •Scenario 1
- •Scenario 1, Part A: Planning
- •Solutions to Scenario 1, Part A: Planning
- •Scenario 2
- •Scenario 2, Part A: Planning
- •Solutions to Scenario 2, Part A: Planning
- •Part VI: Appendixes
- •Glossary
- •Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- •Chapter 1
- •“Do I Know This Already?” Quiz
- •Chapter 2
- •“Do I Know This Already?” Quiz
- •Chapter 3
- •“Do I Know This Already?” Quiz
- •Chapter 4
- •“Do I Know This Already?” Quiz
- •Chapter 5
- •“Do I Know This Already?” Quiz
- •Chapter 6
- •“Do I Know This Already?” Quiz
- •Chapter 7
- •“Do I Know This Already?” Quiz
- •Chapter 8
- •“Do I Know This Already?” Quiz
- •Chapter 9
- •“Do I Know This Already?” Quiz
- •Chapter 10
- •“Do I Know This Already?” Quiz
- •Chapter 11
- •“Do I Know This Already?” Quiz
- •Chapter 12
- •“Do I Know This Already?” Quiz
- •Using the Simulation Software for the Hands-on Exercises
- •Accessing NetSim from the CD
- •Hands-on Exercises Available with NetSim
- •Scenarios
- •Labs
- •Listing of the Hands-on Exercises
- •How You Should Proceed with NetSim
- •Considerations When Using NetSim
- •Routing Protocol Overview
- •Comparing and Contrasting IP Routing Protocols
- •Routing Through the Internet with the Border Gateway Protocol
- •RIP Version 2
- •The Integrated IS-IS Link State Routing Protocol
- •Summary of Interior Routing Protocols
- •Numbering Ports (Interfaces)
![](/html/1438/356/html_uxf6Zs7H1f.CGhp/htmlconvd-8gn0Rv469x1.jpg)
Extended IP Access Control Lists 437
Extended IP Access Control Lists
Extended IP access lists have both similarities and differences compared to standard IP ACLs. Just like standard lists, you enable extended access lists on interfaces for packets either entering or exiting the interface. IOS searches the list sequentially. The first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well.
The one key difference between the two is the variety of fields in the packet that can be compared for matching by extended access lists. A single ACL statement can examine multiple parts of the packet headers, requiring that all the parameters be matched correctly in order to match that one ACL statement. That matching logic is what makes extended access lists both much more useful and much more complex than standard IP ACLs.
This section starts with coverage of the extended IP ACL concepts that differ from standard ACLs—namely, the matching logic. Following that, the configuration details are covered.
Extended IP ACL Concepts
Extended access lists create powerful matching logic by examining many parts of a packet. Figure 12-4 shows several of the fields in the packet headers that can be matched.
Figure 12-4 Extended Access List Matching Options
|
|
|
IP header |
|
|
|
|
|
|
|
9 |
1 |
2 |
4 |
4 |
Variable |
|
|
|
|
|
Miscellaneous |
Protocol |
Header |
Source IP |
Destination IP |
Options |
TCP, UDP |
||||
Header |
Type |
Checksum |
Address |
Address |
|
ICMP, |
|
|||
Fields |
|
IGRP, IGMP,… |
||||||||
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
Defines What's Over Here |
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|||
|
|
|
IP header |
|
|
|
TCP |
|
||
9 |
1 |
2 |
4 |
4 |
Variable |
2 |
2 |
16+ |
||
Miscellaneous |
Protocol |
Header |
Source IP |
Destination IP |
Options |
Source |
Dest. |
Rest |
||
Header |
6 (TCP) |
Checksum |
Address |
Address |
Port |
Port |
of |
|||
Fields |
|
TCP |
The top set of headers shows the IP protocol type, which identifies what header follows the IP header. You can specify all IP packets, or those with TCP headers, UDP headers, ICMP, and so on, by checking the Protocol field. You can also check both the source and destination IP addresses, as shown. The lower part of the figure shows an example with a TCP header following the IP header, pointing out the location of the TCP source and destination port numbers. These port numbers identify the application. For instance, web uses port 80 by default. If you specify a protocol of TCP or UDP, you can also check the port numbers.
![](/html/1438/356/html_uxf6Zs7H1f.CGhp/htmlconvd-8gn0Rv470x1.jpg)
438 Chapter 12: IP Access Control List Security
Table 12-5 summarizes the different fields that can be matched with an extended IP ACL, as compared with standard IP ACLs.
Table 12-5 |
Standard and Extended IP Access Lists: Matching |
|
|
|
|
|
Type of Access List |
What Can Be Matched |
|
|
|
|
Both Standard and Extended ACLs |
Source IP address |
|
|
|
|
|
Portions of the source IP address using a wildcard mask |
|
|
|
|
Only Extended ACLs |
Destination IP address |
|
|
|
|
|
Portions of the destination IP address using a wildcard |
|
|
mask |
|
|
|
|
|
Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and |
|
|
others) |
|
|
|
|
|
Source port |
|
|
|
|
|
Destination port |
|
|
|
|
|
All TCP flows except the first |
|
|
|
|
|
IP TOS |
|
|
|
|
|
IP precedence |
|
|
|
Knowing what to look for is just half the battle. IOS checks all the matching information configured in a single access-list command. Everything must match for that single command to be considered a match and for the defined action to be taken. The options start with the protocol type (IP, TCP, UDP, and others), followed by the source IP address, source port, destination IP address, and destination port number. (Remember that the port numbers can be referenced only if the protocol type is configured as TCP or UDP.) Table 12-6 lists several sample access-list commands, with several options configured and some explanations. Only the matching options are shown in bold.
Table 12-6 Extended access-list Commands and Logic Explanations
access-list Statement |
What It Matches |
|
|
access-list 101 deny ip any host 10.1.1.1 |
Any IP packet, any source IP |
|
address, with a destination |
|
IP address of 10.1.1.1. |
|
|
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23 |
Packets with a TCP header, |
|
any source IP address, with a |
|
source port greater than (gt) |
|
1023. The packet must have a |
|
destination IP address of |
|
10.1.1.1 and a destination port |
|
of 23. |
|
|
![](/html/1438/356/html_uxf6Zs7H1f.CGhp/htmlconvd-8gn0Rv471x1.jpg)
Extended IP Access Control Lists 439
Table 12-6 Extended access-list Commands and Logic Explanations (Continued)
access-list Statement |
What It Matches |
|
|
access-list 101 deny tcp any host 10.1.1.1 eq 23 |
The same as the preceding |
|
example, but any source port |
|
matches, because that |
|
parameter is omitted in this |
|
case. |
|
|
access-list 101 deny tcp any host 10.1.1.1 eq telnet |
The same as the preceding |
|
example. The telnet keyword is |
|
used instead of port 23. |
|
|
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any |
A packet with a source in |
|
network 1.0.0.0, using UDP |
|
with a source port less than (lt) |
|
1023, with any destination IP |
|
address. |
|
|
The sequence of the parameters in the command affects exactly what the IOS ACL logic examines in the packet when trying to make a match. When configuring an ACL to check port numbers, the parameter in the access-list command checks the source port number when the parameter is placed immediately after the source IP address. Likewise, the parameter in the access-list command checks the destination port number when the parameter is placed immediately after the destination IP address. For example, the command access-list 101 deny tcp any eq telnet any matches all packets that use TCP and whose source TCP port is 23 (Telnet). The ACL statement matches packets whose source port equals 23 because the eq telnet parameter follows the source IP address, not the destination IP address. For similar reasons, the command access-list 101 deny tcp any any eq telnet matches all packets that use TCP and whose destination TCP port is 23
(Telnet). Depending on where you enable an extended ACL, and for which direction, you might need to check for the source or destination port number.
Extended IP ACL Configuration
Table 12-7 lists the configuration commands associated with creating extended IP access lists.
Table 12-8 lists the associated EXEC commands. Several examples follow these lists of commands.
Table 12-7 Extended IP Access List Configuration Commands
|
Configuration Mode |
Command |
and Description |
|
|
access-list access-list-number {deny | permit} protocol |
Global command for extended |
source source-wildcard destination destination-wildcard |
numbered access lists. Use a |
[log | log-input] |
number between 100 and 199 or |
|
2000 and 2699, inclusive. |
|
|
continues
![](/html/1438/356/html_uxf6Zs7H1f.CGhp/htmlconvd-8gn0Rv472x1.jpg)
440 Chapter 12: IP Access Control List Security
Table 12-7 Extended IP Access List Configuration Commands (Continued)
|
Configuration Mode |
Command |
and Description |
|
|
access-list access-list-number {deny | permit} tcp source |
A version of the access-list |
source-wildcard [operator [port]] destination destination- |
command with TCP-specific |
wildcard [operator [port]] [established] [log | log-input] |
parameters. |
|
|
access-list access-list-number remark text |
Defines a remark that helps you |
|
remember what the ACL is |
|
supposed to do. |
|
|
ip access-group {number | name [in | out]} |
Interface subcommand to enable |
|
access lists. |
|
|
access-class number | name [in | out] |
Line subcommand for standard |
|
or extended access lists. |
|
|
Table 12-8 Extended IP Access List EXEC Commands
Command |
Description |
|
|
show ip interface [type number] |
Includes a reference to the access |
|
lists enabled on the interface. |
|
|
show access-lists [access-list-number | access-list-name] |
Shows the details of configured |
|
access lists for all protocols. |
|
|
show ip access-list [access-list-number | access-list-name] |
Shows IP access lists. |
|
|
Extended IP Access Lists: Example 1
This example focuses on understanding the basic syntax. In this case, Bob is denied access to all FTP servers on R1’s Ethernet, and Larry is denied access to Server1’s web server. Figure 12-5 is a reminder of the network topology. Example 12-6 shows the configuration on R1.
Figure 12-5 Network Diagram for Extended Access List Example 1
Server1 |
|
|
|
|
|
|
|
|
|
|
|
Larry |
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
S0 R2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SW2 |
|
|
|
E0 |
SW12 |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
S0 |
S1 |
|
|
172.16.2.10 |
||||||
172.16.1.100 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
E0 R1 |
|
|
|
|
|
|
|
|
|
|
Server2 |
|
|
|
SW1 |
|
|
|
|
|
|
Bob |
||||||
|
|
|
|
S1 |
S1 |
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
S0 |
|
|
|
|
|
|
|
|
|
|
|
|
SW3 |
|
|
|
|
R3 |
E0 |
SW13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
172.16.3.10 |
|||||||||
|
|
|
|
|
|
|
|
|
|
172.16.1.102
Jimmy Jerry
172.16.3.8 172.16.3.9
![](/html/1438/356/html_uxf6Zs7H1f.CGhp/htmlconvd-8gn0Rv473x1.jpg)
Extended IP Access Control Lists 441
Example 12-6 R1’s Extended Access List: Example 1
interface Serial0
ip address 172.16.12.1 255.255.255.0 ip access-group 101 in
interface Serial1
ip address 172.16.13.1 255.255.255.0 ip access-group 101 in
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http access-list 101 permit ip any any
Focusing on the syntax for a moment, there are several new items to review. First, the access list number for extended access lists falls in the range of 100 to 199 or 2000 to 2699. Following the permit or deny action, the protocol parameter defines whether you want to check for all IP packets or just those with TCP or UDP headers. When you check for TCP or UDP port numbers, you must specify the TCP or UDP protocol.
You can check for specific port numbers or ranges. The eq parameter means “equals,” as shown in the example. It implies that you are checking the port numbers—in this case, the destination port numbers. You can use the numeric values—or, for the more popular options, a more obvious text version is valid. (If you were to enter eq 80, the config would show eq http.)
In Example 12-6, the first ACL statement prevents Bob’s access to FTP servers in subnet 172.16.1.0. The second statement prevents Larry’s access to web services on Server1. The final statement permits all other traffic.
In this first extended ACL example, the access lists could have been placed on R2 and R3. As you will read near the end of this chapter, Cisco makes some specific recommendations about where to locate IP ACLs. With extended IP ACLs, Cisco suggests that you locate them as close to the source of the packet as possible. Therefore, Example 12-7 achieves the same goal as Example 12-6 of stopping Bob’s access to FTP servers at the main site, and it does so with an ACL on R3.
Example 12-7 R3’s Extended Access List Stopping Bob from Reaching FTP Servers Near R1
interface Ethernet0
ip address 172.16.3.1 255.255.255.0 ip access-group 101 in
access-list 101 remark deny Bob to FTP servers in subnet 172.16.1.0/24 access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp access-list 101 permit ip any any