Basic Traffic


  • 7/29/2019 Basic Traffic

    1/44

11 Basic Traffic Management with Access Lists

    CERTIFICATION OBJECTIVES

    11.01 Standard IP Access Lists

    11.02 Extended IP Access Lists

    11.03 Named Access Lists

    11.04 Standard IPX Access Lists

    11.05 IPX SAP Filters

    Two-Minute Drill

    Q&A Self Test


Traffic filtering controls the flow of data across a network. By separating out transmissions through a router, network traffic can be limited to reduce bandwidth consumption by unnecessary protocol traffic, traffic flow can be managed, and certain users or devices can be restricted from accessing network segments or network services for security purposes. Filtering is performed on Cisco routers through the use of access lists.

An access list will dictate whether routed packets are blocked at a router's interface or forwarded to its destination. Routers check each routed packet to determine whether it is to continue on its current segment or if it is to be forwarded, and then where to forward it to.

The router will base a forward or drop decision on the conditions in the access list. These conditions can include:

    Source address

    Destination address

    The protocol being used

    Other information, which is dependent on the access list and protocol types

An access list will provide a method of restricting the traffic on the internetwork. The restriction can reduce bandwidth consumption, limit the contents of routing updates, and provide a method of securing the network. Securing a network with access lists is effective for most users. However, network-savvy individuals may be able to evade or get around an access list because it does not have a user authentication level of security.

Access lists can be used for many things: controlling the transmission of packets across an interface, restricting traffic across virtual terminal lines, or restricting routing updates. Each list is a series of permit or deny statements about the type of traffic you wish to filter, and a unique number identifies the access list. Each permit and deny statement within a single list must have the same number, and must be on a separate line of the configuration. The number used is up to you, but it must fall within the ranges listed in Table 11-1, depending on what service you are applying the access list to. The protocols marked with an asterisk (*) are the ones that are discussed in this chapter, and are covered on the CCNA test.


One use for access lists is to enable a router to forward or drop packets based on the type of protocol it uses. In Figure 11-1, the router permits E-mail traffic based on Simple Mail Transport Protocol (SMTP) on TCP port 25, but it denies all File Transfer Protocol (FTP) traffic. A network design should always provide for access lists on routers that connect to networks outside the enterprise, and between secured network areas (for example, human resources servers) and the remaining network. As a general rule, access lists should be created for each protocol, such as IP or IPX, that the router uses.

This chapter explains how to create access lists and how to apply them to interfaces and services. There are two basic steps involved in this process:

    Creating the access list

    Applying the access list to a router interface

TABLE 11-1 Number Ranges for Access Lists

Protocol               Range
IP*                    1-99
                       1300-1999 (IOS 12.0 expanded range)
Extended IP*           100-199
                       2000-2699 (IOS 12.0 expanded range)
Ethernet type code     200-299
DECnet                 300-399
XNS                    400-499
Extended XNS           500-599
AppleTalk              600-699
48-bit MAC address     700-799
                       1100-1199 (IOS 12.0 expanded range)
IPX*                   800-899
Extended IPX           900-999
IPX SAP*               1000-1099
NLSP Filters           1200-1299


The main way to create an access list is to begin with the protocol that will be filtered and use the correct number based on that protocol for the access list. A unique name may be assigned to the access list, if named access lists are supported for that protocol. The criteria to filter packets is defined through permit or deny statements, of which there can be multiple statements of each in a particular order. The order of statements is important because the router executes them sequentially. If, for example, a statement denies all FTP traffic and the next statement permits FTP traffic from a specific host, then all FTP traffic will be denied because the router will drop the packet before it gets to the permit statement. If a statement is added in the wrong order to an access list, then the access list must be deleted and a new access list created for it to be correct. The final statement in any access list is not specified by an administrator, because it is an implied Deny all statement that blocks all traffic that is not explicitly permitted in the access list.

FIGURE 11-1 A traffic-based access list selects packets based on protocol types

After an access list is created, it should be applied to an interface. An interface can use a single access list to filter inbound traffic, and another to filter outbound traffic. Or, an interface can use a single access list to filter both inbound and outbound traffic. When an access list filters inbound traffic, it checks the packet when it is received by the router to distinguish whether to forward or drop it. When an access list filters outbound traffic, it checks the packet to be forwarded or dropped on its way out of the router to the network.

    CERTIFICATION OBJECTIVE 11.01

    Standard IP Access Lists

A standard IP access list is a collection of permit and deny rules that are applied to IP addresses. The router processes each access list statement in sequence against each packet. If the router reaches the end of the list and has found no match for the packet, the packet is discarded. This is known as the implicit deny any. Therefore, it is important that each access list contains at least one permit statement. And because the first match is the one followed, it is critical to pay attention to the order.

One analogy that I particularly like when trying to describe how an access list operates is as follows. The router is just like a bouncer that stands out in front of the fancy nightclub holding his clipboard with a list of names. Now anytime that someone wants to get into the club they have to go up to the bouncer and tell him their name or what party they are with. With this information the bouncer starts at the top and goes down his list until he finds a match. If there is a match the person is let into the club, but if there is no match then you're going home for the night because you are not getting in. The router operates in much the same way. The packet arrives and gives the router his information and the router compares this to his access list(s). If there is a match the packet is routed to its final destination. If there is no match the packet is discarded.

There are three basic types of IP access lists: standard, extended, and dynamic extended. Standard access lists use source addresses for applying rules. This provides a very basic form of filtering. Extended access lists can use both source and destination addresses, protocol numbers, and even the port numbers of the application. This allows a more granular method of controlling data flow. Finally, dynamic extended access lists grant access to destinations on a per-user basis, through an authentication process.

The router uses a wildcard mask (also known as an inverse mask), along with the source or destination IP address, to identify a range of addresses to match. This mask is known as inverse because it works completely opposite from a standard subnet mask. Where a standard subnet mask would have a 0 bit, the inverse mask has a 1 bit, and vice versa. A subnet mask tells the router which bits of the IP address belong to the network number and which belong to the host address. The wildcard mask tells the router how many bits of the IP address it needs to examine in order to make a matching determination. This address/mask pair allows the administrator to specify a range of IP addresses, or an individual IP address, giving quite a bit of flexibility.

In a subnet mask, a mask bit set to 1 means that the corresponding bit in the IP address belongs to the network part of the address. With a wildcard mask, bits set to 0 identify corresponding bits in the IP address that the router must match exactly. Wildcard mask bits set to 1 in an access list mean the corresponding bit in the IP address can be either a 1 or a 0. Sometimes these bits are referred to as do-not-care bits, because the router does not care about them as it tries to make a match. Here are some sample address/mask pairs as they might appear in an access list:

    124.220.7.0 0.0.0.255

The last octet of the mask is all ones, so the router allows any value for the bits of the corresponding address. It must match the first three octets exactly. This pair (address and mask) matches all the IP addresses between 124.220.7.0 and 124.220.7.255.

    193.62.0.0 0.0.255.255

The last two octets of this mask are all ones, so the router allows any value in the corresponding bits. That is, the last two octets of the IP address we are matching could be anything, as long as the first two octets are 193.62 exactly. This address/mask pair matches every IP address between 193.62.0.0 and 193.62.255.255.

    172.16.16.0 0.0.7.255

Not all masks have the boundary between match-exactly bits and do-not-care bits on the octet boundary. This sometimes makes it tough to figure out what matches and what does not. It always helps to work out the binary on these, and in time the powers of two become easy. Here is the breakdown, in binary, of just the third octet of the last example.

    Address bits: 16 = 00010000

    Mask bits: 7 = 00000111

The mask does not care about corresponding bits in the address where the mask bits are ones. Thus, this pair of numbers describes a range of eight possible numbers, 16 through 23. You can prove this by counting up from 16 through 24, in binary, as follows:

 7 = 00000111 Given wildcard (inverse) mask
16 = 00010000 Good match
17 = 00010001 Good match
18 = 00010010 Good match
19 = 00010011 Good match
20 = 00010100 Good match
21 = 00010101 Good match
22 = 00010110 Good match
23 = 00010111 Good match
24 = 00011000 Bad match

When 24 is reached, the 2^3 bit in the address changes from a zero to a one. The 2^3 bit does not fall under the mask, so it is not within the range we are describing with this pair.

Looking at the entire address/mask pair, you can see that the full range of IP addresses described is 172.16.16.0 through 172.16.23.255.

The matching process for an access list statement actually has three steps. In packet filtering, the IP packet header is examined for its IP addresses in order to make a match. Assume that the access list statement contains the address/mask pair 172.16.0.0 0.0.255.255. If a packet comes in with a source IP address of 172.16.10.22, the router does the following:

1. Performs a logical XOR against the address and mask in the access list statement. This means that any bit with a one in either the address or the mask will be a one in the result. The result of this operation is 172.16.255.255.

2. Performs a logical XOR against the IP address in the packet header and the mask in the access list statement. The result is 172.16.255.255.

3. Subtracts the two results. If the two results are identical, the result of the subtraction is exactly zero, and we have a match, as we have in this example. If the result of the subtraction is not zero, there is no match and we go on and repeat these steps for the address/mask pair in the next statement.
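The following is an added example, not code from the chapter, that carries the wildcard-mask arithmetic above through in Python: it computes the address range an address/wildcard pair covers, reproduces the binary walk of the third octet for 172.16.16.0 0.0.7.255, and implements the three-step comparison. The bit rule the text gives for the combining step (a one in either the address or the mask yields a one in the result) is an inclusive OR, and the code applies it exactly that way, then cross-checks it against the shorter test of comparing only the bits where the wildcard is 0. The function names are assumptions for this example; the addresses are the chapter's.

```python
# Added example for the chapter's wildcard-mask discussion; not code from the book.
# It implements the address/wildcard match the way the text describes it and
# cross-checks it against the "compare only the bits the mask says to check" test.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def matches_by_text_procedure(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """The chapter's three steps. Its bit rule ("a one in either the address or the
    mask gives a one in the result") is an inclusive OR, so that is what is applied:
    1. combine the list address with the mask, 2. combine the packet address with
    the mask, 3. subtract; a difference of exactly zero is a match."""
    mask = to_int(wildcard)
    step1 = to_int(acl_addr) | mask      # 172.16.0.0   with 0.0.255.255 -> 172.16.255.255
    step2 = to_int(packet_ip) | mask     # 172.16.10.22 with 0.0.255.255 -> 172.16.255.255
    return step1 - step2 == 0


def matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """Equivalent one-line test: every bit where the wildcard is 0 must match
    exactly; bits where the wildcard is 1 are do-not-care bits."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(packet_ip) ^ to_int(acl_addr)) & care_bits) == 0


def address_range(acl_addr: str, wildcard: str) -> tuple:
    """Lowest and highest address an address/wildcard pair can match, e.g.
    172.16.16.0 0.0.7.255 -> 172.16.16.0 .. 172.16.23.255."""
    mask = to_int(wildcard)
    low = to_int(acl_addr) & (~mask & 0xFFFFFFFF)
    high = to_int(acl_addr) | mask
    return to_dotted(low), to_dotted(high)


def octet_walk(addr_octet: int, wildcard_octet: int, start: int, stop: int) -> list:
    """Reproduce the chapter's binary walk for one octet: for each value from start
    to stop inclusive, report (value, 8-bit binary, whether it falls under the mask)."""
    care_bits = ~wildcard_octet & 0xFF
    rows = []
    for value in range(start, stop + 1):
        good = ((value ^ addr_octet) & care_bits) == 0
        rows.append((value, format(value, "08b"), good))
    return rows


if __name__ == "__main__":
    for addr, wc in [("124.220.7.0", "0.0.0.255"), ("193.62.0.0", "0.0.255.255"),
                     ("172.16.16.0", "0.0.7.255")]:
        print(addr, wc, "matches", *address_range(addr, wc))
    for value, bits, good in octet_walk(16, 7, 16, 24):
        print(f"{value:3d} = {bits} {'Good' if good else 'Bad'} match")
    print(matches_by_text_procedure("172.16.10.22", "172.16.0.0", "0.0.255.255"))
```

The OR-then-subtract procedure and the care-bits test agree on every input, because ORing the mask into both operands forces the do-not-care bits to one on both sides, so the two results can only differ in bits the mask says must match.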

There are two keywords that can be used to save some typing with the IP access list address/mask pairs. The first is any, which can be used in place of the address/mask pair 0.0.0.0 255.255.255.255. As seen from the address/mask pair, this combination allows any combination of address bits to match. The other keyword is host, which can be used in extended access lists only, to replace the 0.0.0.0 mask. In a standard access list, omitting the 0.0.0.0 mask is the same as specifying it. If you omit the mask, the address will be considered a host address. In other words, 0.0.0.0 is a default mask.

All access lists are defined in global configuration mode. The basic format for creating a standard IP access list is as follows:

    access-list access-list-number deny | permit source-address [source-wildcard] | any

The access-list-number is a number within a specific range that signifies which list the command you are entering is to join. Next, the action of either permit or deny is specified for any traffic from the specified address. source-address is just as it sounds, dictating the source IP address the access list rule applies to. The optional source-wildcard identifies which bits in the address field are matched. The argument any at the end implies the address 0.0.0.0 with a wildcard mask of 255.255.255.255, which matches any address. Here is an example of a standard IP access list that might be found in a network such as that depicted in Figure 11-1:

    Router(config)# access-list 1 permit 10.10.10.101

There is a new Cisco IOS parameter at the end of the access list command: the log parameter. The log parameter enables logging messages about the packets that were forwarded or dropped based on the access list statement. An administrator specifies the level of detail that is logged using the logging console command. An example of implementing this is the command:

    Router(config)# access-list 1 permit 10.10.10.101 log


Another parameter that Cisco has now enabled in the IOS for the access list command is the ability to place comments into the access lists. Placing comments into an access list facilitates documenting the configuration later on, as well as letting other administrators know the purpose of each statement. To place a comment after a statement in an access list, use the following syntax in global configuration mode:

access-list access-list-number remark comment

access-list access-list-number permit | deny source-address [source-wildcard] | any [log]

This syntax creates two statements for each permit or deny statement in the access list. Each permit or deny statement is preceded by a comment that states what that statement is intended to perform. The way that this would work in a situation where a lab workstation needs to access E-mail, but the server should not be permitted to interact with the production network, is shown here:

Router(config)# access-list 1 remark Let Jack Jones lab workstation into the network
Router(config)# access-list 1 permit 10.10.10.2
Router(config)# access-list 1 remark Keep the lab server out of the production network
Router(config)# access-list 1 deny 10.10.10.4

Now, creating an access list alone does not totally accomplish what is needed. Access list configuration is a two-step process, and it can be done in any order. Not only must the access list be built, but it must also be specifically applied to each interface in use. One thing to remember is that if the list is applied to an interface before the list is built, or if an applied list is removed, an undefined list is created. Undefined access lists (meaning that there is a reference to an access list on an interface but no such access list) permit all traffic.

There are two choices to apply the list above as a packet filter. It can be applied as an inbound filter on Router A's interface to subnet 10.10.10.0, or as an outbound filter on Router A's interface to subnet 10.10.20.0.


At the interface configuration mode for the appropriate interface, use the command ip access-group 1 to apply access list 1 to an interface. By default, access lists are applied as outbound. If an inbound access list is needed, simply add the keyword in at the end of the interface command. A single access list can be applied on many different interfaces in the same router if that is a requirement; there is no need to define an identical list for each interface that needs it. And since out is the default, there is no need to use this keyword if this is the intention. So, ip access-group 1 out would mean exactly the same thing as the initial command shown.


SCENARIO & SOLUTION

John was given the task of blocking traffic from a particular host on a network, but he had to allow the rest of the devices on that network access. He implemented the following access list:

access-list 1 permit 10.10.10.0
access-list 1 deny 10.10.10.100

After applying this access list to the interface, he noticed that the host he wanted to block still has access to the network. Why did his access list not work?

By looking at the access list it should be obvious why it did not work. The first statement indicates that the network 10.10.10.0 is to be permitted and the next line states that 10.10.10.100 will be denied. Remember that an access list goes in order and goes off of the first match that it comes to. For the access list to be effective, it should be implemented in the following order:

access-list 1 deny 10.10.10.100
access-list 1 permit 10.10.10.0

This will allow the match to occur on the first statement; thus, the host will be denied and the rest of the network will be allowed.

Later that day, John was given the task of finding a way to block an entire network from gaining access to the Internet. Now that John had some confidence in how access lists work, he strolled up to the router in question and implemented the following access list.

access-list 1 deny 10.10.20.0

After John applied the list to the interface, he went back to his desk just in time to start answering calls wanting to know why nobody could access the Internet. Why did the access list affect everyone, not just the 10.10.20.0 network?

The one thing that John forgot about was that when you implement an access list, you have an implicit deny all statement at the end of the access list. This has come back to bite more than one person, so all that John has to do to fix his access list is change it to look like this:

access-list 1 deny 10.10.20.0
access-list 1 permit any

By putting 10.10.20.0 first you ensure that the network is blocked, and the permit statement will allow everyone else access to the Internet, and that pesky implicit deny all does not bother anyone.
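An added example, not code from the chapter, that replays both of John's mistakes in a small first-match evaluator for standard IP access lists: statements are checked top to bottom, the first match decides, and running off the end is the implicit deny any. It also models the two configuration facts from the text that bite in practice: an omitted wildcard defaults to 0.0.0.0 (one host), and an interface that references an undefined list passes all traffic. The function names are assumptions for this example, and the replayed lists write the 0.0.0.255 wildcard out explicitly so that the permit line covers the whole 10.10.10.0 network as the scenario intends.

```python
# Added example, not code from the chapter: a first-match evaluator for standard
# IP access lists, used to replay the two mistakes in the Scenario & Solution.
# The lists and addresses below are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must match exactly; wildcard-1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(ip) ^ _ip(addr)) & care) == 0


@dataclass
class Entry:
    number: str
    action: str        # "permit" or "deny"
    address: str
    wildcard: str
    log: bool = False


def parse_standard(line: str) -> Entry:
    """Parse 'access-list N permit|deny (A [WILDCARD] | any) [log]'.
    As the chapter states, an omitted wildcard defaults to 0.0.0.0, i.e. one host."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list entry: {line!r}")
    rest = t[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(rest) == 1:
        address, wildcard = rest[0], "0.0.0.0"
    elif len(rest) == 2:
        address, wildcard = rest[0], rest[1]
    else:
        raise ValueError(f"bad source specification in {line!r}")
    return Entry(t[1], t[2], address, wildcard, log)


def build_list(lines: List[str]) -> List[Entry]:
    """Statements stay in the order entered; a new line always goes on the end."""
    entries = [parse_standard(l) for l in lines]
    numbers = {e.number for e in entries}
    if len(numbers) != 1:
        raise ValueError(f"entries belong to different lists: {sorted(numbers)}")
    return entries


def evaluate(entries: List[Entry], source_ip: str) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; running off the end is the implicit deny any.
    Returns (action, index of the matching statement, or None for the implicit deny)."""
    for i, e in enumerate(entries):
        if wildcard_match(source_ip, e.address, e.wildcard):
            return e.action, i
    return "deny", None


def interface_decision(acl_table: dict, applied_number: str, source_ip: str):
    """An interface that references a list that does not exist (never built, or
    removed) has an undefined list applied, and undefined lists pass all traffic."""
    entries = acl_table.get(applied_number)
    if not entries:
        return "permit", None
    return evaluate(entries, source_ip)


# John's first attempt and the corrected order (wildcard 0.0.0.255 written out so
# the permit line covers the 10.10.10.0 network rather than only host 10.10.10.0)
JOHN_FIRST = ["access-list 1 permit 10.10.10.0 0.0.0.255",
              "access-list 1 deny 10.10.10.100"]
JOHN_FIXED = ["access-list 1 deny 10.10.10.100",
              "access-list 1 permit 10.10.10.0 0.0.0.255"]
# John's Internet block, before and after remembering the implicit deny
JOHN_INTERNET = ["access-list 1 deny 10.10.20.0 0.0.0.255"]
JOHN_INTERNET_FIXED = ["access-list 1 deny 10.10.20.0 0.0.0.255",
                       "access-list 1 permit any"]

if __name__ == "__main__":
    for name, lines in [("first", JOHN_FIRST), ("fixed", JOHN_FIXED)]:
        print(name, "10.10.10.100 ->", evaluate(build_list(lines), "10.10.10.100"))
    for name, lines in [("internet", JOHN_INTERNET), ("internet fixed", JOHN_INTERNET_FIXED)]:
        print(name, "10.10.30.5 ->", evaluate(build_list(lines), "10.10.30.5"))
    print("undefined list ->", interface_decision({}, "1", "10.10.20.5"))
```

Running the scenario's lines literally, without the wildcard, shows the default-mask rule at work: access-list 1 permit 10.10.10.0 matches only the address 10.10.10.0, so every other host on that network falls through to the implicit deny.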


If an inbound packet filter on the interface to network 10.10.10.0 is needed, the command ip access-group 1 in is used.

In this example, since Workstation 1 is explicitly accepted, it is allowed to pass to Server A. The second server, however, falls under the next statement, where any system on the 10.10.10.0 network is denied. At first, it would seem that Workstation 1 would fall under this rule also. This would be the case if the deny statement were listed first. However, in IP access lists, the order of listing is very important.

Another interesting feature of most access lists (including all IP lists) is the implicit deny statement at the end. As mentioned earlier, one must explicitly permit traffic; otherwise it is automatically denied. With this knowledge, in Figure 11-1, the last line is not needed; it has already been inferred. Remember that this is not the case in the absence of access lists. If an access list is not applied to an interface, or if an undefined access list is applied to an interface, all traffic is passed by default.

After any access list is created, any additions to that list number are placed at the end. Unfortunately, what this means is that you cannot selectively add or remove items. The only removing that can be done is to remove the entire access list; it can be a nuisance if you have extensive lists. To save time, you can cut and paste the list to a text document for editing. If a named access list is used, semi-selective editing is allowed. Certain lines can be removed with named access lists. However, lines to be inserted are still appended to the end of the access list.

As noted already, once the access list has been created, it then must be associated with an interface. The syntax for this is ip access-group access-list-number in | out. The command is entered in interface configuration mode, at the appropriate interface.

Most of the arguments are self-explanatory. The access-list-number is the existing access list that is to be applied. The in | out options specify whether this list applies inbound or outbound on the interface. If the access list is to be applied in both directions, two statements are needed, one for in and one for out. In practically any situation, it makes no sense to apply the same list in two different directions. Also, you can apply only one access list per protocol per interface per direction.

You can also use access lists to restrict traffic on virtual terminal lines (Telnet sessions to and from the router). This is accomplished with the access-class command:


access-class access-list-number in | out

The following example of this shows that only those hosts in the 10.10.10.0 subnet are allowed to telnet to the router.

Router# config term
Router(config)# access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in


FROM THE CLASSROOM

Watch Where You are Pointing that Thing

When dealing with access lists, you should be very careful on how you design and implement them. It is always a good idea before you try to implement an access list to write it out on paper or in a text file. Once you are finished, take a long hard line-by-line look at each access list and then ask yourself this question: What will this list impact? If you understand what effect each line will have when the router is making its routing decisions, you will accomplish a couple of things:

You will have a better understanding of how the access lists are implemented and how each list affects traffic in its own way. This will allow you to have an intimate knowledge of your network's functionality, and this is the overall goal of every Network Engineer and Administrator.

By writing each access list out and taking a long hard look at the implications that each may have, you are eliminating the possibility of misinterpreting a command or typing in the wrong network statement. This will create fewer headaches for you when things are not working 100 percent. In addition, it will instill confidence in yourself and will let your boss and coworkers know that you know what you're doing, which is not a bad thing.

Eric L. McMasters, CCNP, CCDA


    EXERCISE 11-1

    Creating and Applying a Standard IP Access List

Complete the following steps to create and apply a standard IP access list that will permit traffic from the 10.1.1.0 network, and deny everything else.

1. Enter global configuration mode.

2. Create a standard access list by entering the following command:

Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255

3. Now that the access list is created you need to apply it to the interface (Ethernet 0). To accomplish this, enter the following command from the interface prompt:

Router(config-if)# ip access-group 1 in

4. Access list 1 is now configured and applied to an interface; it will permit network 10.1.1.0 and the implicit deny all will block all other networks.

By completing this exercise you have successfully created and applied an access list that will allow the 10.1.1.0 network and deny all other networks.

    CERTIFICATION OBJECTIVE 11.02

    Extended IP Access Lists

Extended IP access lists allow you to control traffic at a more granular level than the standard IP access lists. Extended IP access lists can use both the source and destination IP addresses when trying to match up packets to the list. This feature can effectively block traffic between two specific hosts, but enable each host to access other services on the segments. Additionally, other options exist for filtering the traffic. Some of these are protocol number filtering within the IP header and port number filtering at the transport layer.


All of the rules learned from standard IP apply in extended IP. A few of them are as follows:

One cannot selectively add to a numeric access list. Named access lists allow you to selectively remove lines.

New lines are always placed at the bottom of the list and are then executed sequentially after any previous lines.

The access list itself does nothing. It must be applied to an interface to be used.

By default, at the end of every access list is an implicit deny any statement.

The syntax for adding and removing a generic extended IP access list is as follows:

[no] access-list access-list-number deny | permit protocol source source-wildcard destination destination-wildcard

The access-list command is first followed by the number of the list. Next comes the action of either permit or deny. Next comes the type of protocol that is to be matched, such as TCP, UDP, ICMP, or IP (to name a few). And finally, the source and destination addresses and masks must be specified. Either or both can be replaced with the keyword any.

The network manager configures Router 2 with the following access list:

Router(config)# access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 21
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 20
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 gt 1023
Router(config)# access-list 102 permit icmp 172.16.0.0 0.0.255.255 any
Implicit deny any


Note that the implicit deny any is a default in the router; an administrator would never type this command. This access list is applied as a traffic filter outbound on Ethernet 0 using the ip access-group command:

Router(config)# int e 0
Router(config-if)# ip access-group 102

This list is extremely restrictive. The only traffic permitted on 172.17.1.0 is Telnet traffic from network 172.16.1.0, FTP traffic from network 172.16.2.0 destined for the host 172.17.1.1, and ICMP traffic to any destination. All other traffic is denied explicitly. If the deny ip any any line had not been configured, the list would operate in the same way, as any traffic that is not explicitly permitted is denied by default. Notice the keywords for the TCP and ICMP protocols, and for the TCP applications Telnet and FTP.

Notice that with the list applied as a filter on Router 2's Ethernet 0 interface, hosts on networks 172.16.1.0 and 172.16.2.0 can still access other networks through Router 1's serial 1 interface. Consider the different effect if the same list were configured on Router 1 and applied using the ip access-group 102 out command on Router 1's serial 0 interface. With this new configuration in place, hosts on networks 172.16.1.0 and 172.16.2.0 are only allowed to send ICMP traffic (PING, most likely) to other networks, as well as the previous allowances for Telnet and FTP traffic to host 172.17.1.1.
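An added example, not code from the chapter, that parses the five access-list 102 statements above and evaluates them against constructed sample flows, so the effect of the protocol, host, any, eq and gt keywords can be checked statement by statement. It answers only the "does this packet match, and on which line" question; where the list is applied (Router 2's Ethernet 0 versus Router 1's serial 0) is not modelled. The function names are assumptions for this example, as is the rule that the protocol keyword ip matches every IP protocol; the port names are the well-known Telnet and FTP values the text uses.

```python
# Added example, not code from the chapter: a small evaluator for extended IP
# access-list entries of the form used for list 102 (protocol, source, destination,
# optional eq/gt destination-port test). Packets are constructed sample flows.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}   # well-known values used in the text


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must match; wildcard-1 bits are do-not-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(ip) ^ _ip(addr)) & care) == 0


def _take_address(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq N' / 'gt N' destination-port test (N numeric or named)."""
    if tokens and tokens[0] in ("eq", "gt"):
        value = tokens[1]
        port = PORT_NAMES[value] if value in PORT_NAMES else int(value)
        return (tokens[0], port), tokens[2:]
    return None, tokens


@dataclass
class ExtEntry:
    action: str
    protocol: str                      # tcp, udp, icmp, or ip (assumed to match every IP protocol)
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]]


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_extended(line: str) -> ExtEntry:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line!r}")
    src, rest = _take_address(t[4:])
    dst, rest = _take_address(rest)
    dport, rest = _take_port(rest)
    if rest:
        raise ValueError(f"unsupported trailing tokens {rest} in {line!r}")
    return ExtEntry(t[2], t[3], src, dst, dport)


def entry_matches(e: ExtEntry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, *e.src) or not wildcard_match(p.dst, *e.dst):
        return False
    if e.dport is not None:
        op, port = e.dport
        if p.dport is None:
            return False
        return p.dport == port if op == "eq" else p.dport > port
    return True


def evaluate(entries, packet: Packet):
    """First match wins; falling off the end is the implicit deny any."""
    for i, e in enumerate(entries):
        if entry_matches(e, packet):
            return e.action, i
    return "deny", None


ACL_102 = [parse_extended(line) for line in (
    "access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 21",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 20",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 gt 1023",
    "access-list 102 permit icmp 172.16.0.0 0.0.255.255 any",
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "172.16.1.5", "172.17.1.1", 23),
                Packet("tcp", "172.16.2.5", "172.17.1.1", 23),
                Packet("tcp", "172.16.2.9", "172.17.1.1", 21),
                Packet("icmp", "172.16.40.1", "192.0.2.1")):
        print(pkt, "->", evaluate(ACL_102, pkt))
```

Telnet from 172.16.2.0 is the instructive case: it is a TCP flow to the permitted host, but port 23 matches neither eq 21, eq 20 nor gt 1023, so it falls through every statement to the implicit deny.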

When removing an access list from a router's configuration you need to make sure that the access group is not applied to any interfaces. If the access list is applied to an interface or multiple interfaces and the list is removed from the global configuration, this may cause problems. This can block traffic on interfaces, and cause problems on the network that could result in major traffic problems. It is always a good idea to play it safe and remove the access list from the interface before removing it from the global configuration.


    EXERCISE 11-2

    Create and Apply an Extended IP Access List

Create and apply an extended IP access list that will permit only Telnet traffic from the 10.1.1.0 network to anywhere else on the network.

1. Enter global configuration mode.

2. Create an extended IP access list that will meet the goals stated above by entering the following command:

Router(config)# access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq telnet

3. Now that access-list 101 is created you will need to apply it to an interface (Ethernet 0). Do this by entering the following command:

Router(config-if)# ip access-group 101 in

4. Now that the access list is applied to the interface, you have successfully permitted Telnet traffic from the 10.1.1.0 network to all other networks, and denied everything else.

By completing this exercise you have successfully created and applied an access list that will allow the 10.1.1.0 network to telnet anywhere they need while denying all other network traffic.

    CERTIFICATION OBJECTIVE 11.03

    Named Access Lists

With the advent of IOS release 11.2, named access lists were introduced. Since it is new in version 11.2, it is not backward compatible with older releases. With named lists you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number. This allows you to exceed the previous limit of 99 for standard and 100 for extended (not that this count was really an issue). If you choose to use this method the mode and command syntax is a little different.

To use this type of access list, you first enter a command that puts you in a mode to enter named access lists: ip access-list standard name or ip access-list extended name. You then enter your commands as follows: deny | permit protocol source source-wildcard destination destination-wildcard.


The same rules apply as did with regular standard and extended lists when defining the attributes of the list. However, selective removal of a specific line is permitted, unlike the numeric access lists recently covered. The syntax example above is for an extended named list and would be changed to match the syntax of standard, if that is appropriate.

    Verifying IP Access Lists

    Once configured, IP access lists should be verified. Verification of IP access lists is done with the show access-lists command and the show ip interface command. The show access-lists command provides a display of all access lists configured in the router, including IP and IPX. Here is some sample output for the show access-lists command, showing IP standard and extended access lists configured in this router.

    Router1#show access-lists

    Standard IP access-list 40

    deny 12.1.0.0, wildcard bits 0.0.255.255

    permit any

    Standard IP access-list list1

    deny 13.0.0.0, wildcard bits 0.255.255.255

    permit 172.16.0.0, wildcard bits 0.0.255.255

    Extended IP access-list 130

    permit ospf any any (452 matches)

    permit icmp any any echo (63 matches)

    permit icmp any any echo-reply (10 matches)

    permit tcp any any eq ftp

    permit tcp any any eq telnet (958 matches)

    Extended IP access-list list2

    permit ospf any any (12 matches)

    permit ip 136.25.16.0 0.0.7.255 any

    permit tcp host 10.1.0.1 any

    Extended IP access-list list3

    permit ospf any any

    deny tcp any any eq telnet

    permit igrp any any

    Router1#

    Figure 11-2 shows a network that limits certain kinds of IP traffic, an example of

    how you might use an extended IP access list.


    The show access-lists command displays the configuration details for all access lists in the router, not just IP access lists. An access list number on the command line can be specified to see an individual list in isolation from all others. This example shows the configurations of various IP access lists. List 40 is a standard IP access list, denying any packets from subnet 12.1.0.0, and permitting all others. List 130 is an extended IP access list. Again, examine the various keywords used. What is being denied in list 130? Every other IP packet other than those specifically permitted. Remember the implicit deny any. This is an IP extended access list, not just TCP or ICMP. The deny any applies to all of IP, so a UDP datagram, or a TCP segment to a port other than 21 or 23, is dropped even though the list never mentions it.

    Notice the notations in parentheses, indicating matches for each line. For extended access lists only, the router keeps track of the number of times packets have come across the interface matching each of the IP access list statements. Here is how to read the output for IP access list 130:

    452 OSPF packets have used this interface since we applied this access list to the interface

    63 echos (first half of a ping or traceroute)

    10 echo responses (second half of a ping)

    958 Telnet packets have come to this interface

    FIGURE 11-2 Restricting IP traffic in a small network

    We can also see three named IP access lists: list1, list2, and list3. List1 is a standard IP access list. List2 has been applied, and has some matches. List3 has been defined in the router configuration, but there are no matches against list3. This could be because the list has not been applied to an interface, or because no traffic on the interface where it is applied has matched any of its entries.

    The show ip interface command provides information on IP-specific aspects of the interface configuration. In this context, it is used specifically to see what packet filters are applied on the interface. It does not show the contents of the list, only the list number or name; show access-lists number is used to see the filtering rules for the list. Packet filters are indicated in the lines Inbound access-list is and Outgoing access-list is. Here we see that we have applied list 130, an IP extended access list, as a packet filter inbound on interface serial 1.

    Router1# show ip interface serial 1

    Serial1 is up, line protocol is up

    Internet address is 10.1.0.2/16

    Broadcast address is 255.255.255.255

    Address determined by non-volatile memory

    MTU is 1500 bytes

    Helper address is not set

    Directed broadcast forwarding is enabled

    Multicast reserved groups joined: 224.0.0.5 224.0.0.6

    Outgoing access-list is not set

    Inbound access-list is 130

    (remainder deleted )


    EXERCISE 11-3

    Verifying Access List Configuration

    Now that you have configured and applied an access list in the previous exercise, you will need to verify that it is configured properly and operating the way that you wish. Complete the following steps to verify that your access lists are configured properly.

    1. Execute the following command: Router# show ip access-lists

    This command will display all IP access lists that are currently configured on the router. You should see that your access list is configured, with each entry listed in the order you typed it.

    2. Execute the following command: Router# show ip interface ethernet 0

    This command will verify that the access list is properly applied to the interface that you want it on, in the expected direction (Inbound access-list is 101).

    You have now verified that your access lists are properly configured and applied to the interface(s) that they should be.

    CERTIFICATION OBJECTIVE 11.04

    Standard IPX Access Lists

    IPX access lists permit or deny traffic across interfaces based on either specified network nodes or messages sent using particular protocols and services. Just as in IP access lists, the order of rules applied in the access list is critical. The first matching entry, whether it is a permit or a deny, is followed. As with IP lists, if you do not explicitly enter a permit everything at the end, an implicit deny all is made.

    There are two caveats to IPX access lists. First, while you can filter at the boundary of NLSP, RIP, and SAP, you cannot filter route updates within an NLSP area. Second, IPX standard access lists are different from IP in that they filter on both source and destination.

    You can break down IPX access list types into five main categories, as described in Table 11-2.


    This chapter covers only two types of IPX filters: standard and SAP.

    Standard IPX access lists permit or deny traffic based on the source network number. You can also restrict by optionally specifying a destination address, and even by applying address masks on both. The access list number for standard IPX can be anything between 800 and 899.

    access-list access-list-number deny | permit source-network [options]

    The source-network variable is the eight-digit hexadecimal address, ranging from 1 to FFFFFFFD, of the network where the packet originated. You can also use 0 for the local network and -1 to specify all networks. Leading zeros do not need to be stated: 1 equals 00000001. Additionally, if necessary, the twelve-digit hexadecimal address of a specific node can be added for filtering specific devices and not just networks. Using a wildcard mask in the options field allows for filtering of a range of networks or hosts on a network; as with IP wildcards, a 1 bit in the mask means that bit is not compared.

    Look at the example in Figure 11-3. Users on Network AA cannot access the services on Network BB, but the users on BB should be able to use the services on AA. If the access list is applied as a packet filter outbound on Ethernet 1, it blocks the packets from Network AA. If a standard access list using only a network number is used, it would also filter out the response packets coming from servers on Network AA to the users on BB. In order to filter packets requesting services, and


    TABLE 11-2 IPX Access List Types

    Type                      Traffic Is Restricted Based on ...                                Access List Number Range
    Standard access lists     Source and destination network and node address                  800-899
    Extended access lists     Complete source and destination address (network, node,          900-999
                              socket, and protocol)
    SAP access lists          SAP type, service name, and network/node address of service      1000-1099
    NLSP route access lists   Network areas                                                     1200-1299
    NetBIOS access lists      Host filter on names, bytes filter on numbers                     Name


    not filter responses coming back to users, the node address of the server must be known. Here is the configuration:

    access-list 850 deny aa.0000.0000.0000 00.ffff.ffff.ffff bb.072c.fa34.0075 00.0000.0000.0000

    access-list 850 permit -1

    We apply this list using the ipx access-group command as a packet filter on Ethernet 1. The effect of this list is that all packets from Network AA (any node, hence the node mask ffff.ffff.ffff) destined for Server B (exactly node 072c.fa34.0075 on Network BB) are blocked when they are forwarded to Router A's Ethernet 1 interface. The response packets coming back from Server A to the users on Network BB do not match the first statement and are permitted by the last one. permit -1 is the same in the IPX world as permit any is in the world of IP.
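    The behaviour of list 850 above, and the network-only shortcut it avoids, as an added Python model. This is example code for this page, not the chapter's or Cisco's code: source and destination are compared as network.node pairs under masks in which a 1 bit means the bit is not compared, the first matching line decides, and -1 stands for every network. The user and server node addresses are constructed for the Figure 11-3 network.

```python
"""Model of a standard IPX access list used as a packet filter. Source and
destination are compared as network.node pairs under masks in which a 1 bit means
'don't care', the first matching line decides, and -1 stands for every network.
Added example, not the chapter's own code; the node addresses are constructed
for the Figure 11-3 network (AA and BB)."""

ALL_NETWORKS = 0xFFFFFFFF              # what the -1 keyword means
NODE_BITS = 0xFFFFFFFFFFFF             # a 48-bit node address


def ipx_address(text: str) -> tuple:
    """'aa.0000.0c12.3456' -> (0xAA, 0x00000C123456); 'aa' -> (0xAA, 0); '-1' -> all."""
    if text == "-1":
        return (ALL_NETWORKS, 0)
    network, _, node = text.partition(".")
    return (int(network, 16), int(node.replace(".", ""), 16) if node else 0)


def line(action, source, source_mask=None, destination="-1", destination_mask=None):
    """One access-list line. A mask is written like an address (network.node);
    when none is given, a network-only address matches every node on that
    network and a full address must match exactly."""
    def default_mask(addr):
        return (0, NODE_BITS) if "." not in addr else (0, 0)
    return {"action": action,
            "src": ipx_address(source),
            "src_mask": ipx_address(source_mask) if source_mask else default_mask(source),
            "dst": ipx_address(destination),
            "dst_mask": ipx_address(destination_mask) if destination_mask else default_mask(destination)}


def address_matches(addr, base, mask) -> bool:
    if base[0] == ALL_NETWORKS:
        return True
    return ((addr[0] & ~mask[0]) == (base[0] & ~mask[0])
            and (addr[1] & ~mask[1]) == (base[1] & ~mask[1]))


def evaluate(acl, src, dst) -> str:
    """First line matching both source and destination decides; otherwise the
    implicit deny at the end of the list drops the packet."""
    for entry in acl:
        if (address_matches(src, entry["src"], entry["src_mask"])
                and address_matches(dst, entry["dst"], entry["dst_mask"])):
            return entry["action"]
    return "deny"


# The chapter's list 850, applied outbound on Ethernet 1 toward Network BB:
LIST_850 = [line("deny", "aa.0000.0000.0000", "00.ffff.ffff.ffff",
                 "bb.072c.fa34.0075", "00.0000.0000.0000"),
            line("permit", "-1")]
# The network-only shortcut, which also blocks the replies Network BB needs:
NETWORK_ONLY = [line("deny", "aa"), line("permit", "-1")]


def demo() -> dict:
    """Three flows leaving Router A on Ethernet 1 (constructed node addresses)."""
    aa_user = ipx_address("aa.0000.0c12.3456")
    server_b = ipx_address("bb.072c.fa34.0075")
    bb_user = ipx_address("bb.0000.0c99.9999")
    server_a = ipx_address("aa.0000.0c00.0001")     # Server A's NIC on Network AA
    flows = {"aa_user_to_server_b": (aa_user, server_b),
             "aa_user_to_bb_user": (aa_user, bb_user),
             "server_a_reply_to_bb_user": (server_a, bb_user)}
    return {name: {"list_850": evaluate(LIST_850, s, d),
                   "network_only": evaluate(NETWORK_ONLY, s, d)}
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    The third flow is the one the chapter warns about: with the network-only list, Server A's reply to a user on BB is dropped because its source is on Network AA, while list 850 lets it through because the reply is not addressed to Server B.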


    FIGURE 11-3 Standard IPX access lists used as packet filters


    CERTIFICATION OBJECTIVE 11.05

    IPX SAP Filters

    All servers on a NetWare network dynamically advertise their services and addresses using the Service Advertising Protocol (SAP). The other components on a network, such as routers, keep a complete list of the services available across the network. These service advertisements synchronize the list of available services.

    Each SAP service type is identified by a hexadecimal number. Several common examples are File Server (4), Print Server (7), and Remote Bridge Server, that is, a router (24).

    A Cisco router does not forward each SAP broadcast it receives. Rather, it will advertise the entire SAP table at scheduled intervals, with the default being every 60 seconds, but only seven entries per packet. Cisco routers do act like NetWare servers though, in that they listen to the SAP broadcasts from other servers and routers to build their internal SAP tables.

    Enhanced IGRP has the functionality to send SAP updates only when the SAP

    table changes. This can be especially useful when trying to control SAP

    updates over low-speed WAN links.

    Since WANs usually have limited bandwidth in comparison to LANs, excessive traffic should be avoided as much as possible. As such, SAPs should be filtered. Filtering can be done for both inbound and outbound traffic. To help make this functionality more scalable, the Cisco IOS allows you to specify which services are added to the SAP table. This is accomplished with the command ipx input-sap-filter {access-list-number | name}. An example of this is found in Figure 11-4.

    To configure a SAP filter for Router 1 that would filter Server A's advertisements, but allow advertisements from the other servers on the segment, use the following commands, in global configuration mode:

    access-list 1001 deny 1A01

    access-list 1001 permit -1


    The first statement denies all services originating from the internal IPX network 1A01. In a Novell network all servers use internal networks to host the services they support. The node address 0000.0000.0001 always refers to the internal IPX network number of a NetWare server, and this is the address for all of the server's services. Each internal network number must be unique in the entire Novell network. So, the effect of this statement is to deny all services from the server whose internal IPX network number is 1A01. The second statement permits all other services. The -1 is the way to specify all networks in an IPX access list.

    This access list can be used in one of two ways. If Server A's service entries should not be accepted into Router 1's SAP table at all, apply the list as an input SAP filter


    FIGURE 11-4 SAP filtering in an IPX network


    using the command ipx input-sap-filter 1001 in interface configuration mode for Ethernet 0. The number 1001 refers to the list number. This command causes Router 1 to examine all SAP packets it receives on its Ethernet 0 interface, and filter only the entries whose service addresses specify 1A01. Note that the router is examining the individual entries inside the SAP packet to find this address, not the source address in the SAP packet's IPX header.

    The second way to use this list is as an output SAP filter. Suppose the services from Network 1A01 needed to be advertised on Network 2a but not on Network 3a. If an input SAP filter was used on Ethernet 0, it would block the advertisements altogether. But if an output SAP filter is put on Ethernet 1, the router filters out the SAP entries with service addresses of 1A01 as it constructs the SAP packets it broadcasts on that interface. The command needed to configure an output SAP filter is ipx output-sap-filter 1001. This command, like ipx input-sap-filter, is an interface configuration command.

    There are two other options available for filtering in the SAP access list. Both the service type and service name can be used. The service type matches a particular SAP type. Only single entries are allowed, and there is no way to match a range of SAP numbers. However, since all Novell servers are uniquely known by their internal network numbers now, the service name is rarely used today. In an entry that names a server, -1 again means any network, a service type of 0 (or no service type at all) means all service types, and a name such as SERVERA is the string that the router matches when examining SAP entries for filtering. These strings are case sensitive, so always check the output of the show ipx servers screen to see exactly how you need to configure this string.

    Suppose an administrator needed to filter only file services, type 4, from Server A. The necessary command is access-list 1001 deny 1A01 4. 1A01 is the IPX internal network number for Server A, the network address of its services. The node address is not needed. When referring to the internal IPX network number, the node is always 0000.0000.0001; there are no other nodes on that network, so it can be left out. 4 represents type 4 services, so only Server A's file services are denied.

    Do not forget: all access lists have an implicit deny any at the end, so if you do not permit some services in another statement in this list, all SAPs are filtered out.

    Another part of IPX SAP is the Get Nearest Server (GNS) request. A GNS packet is sent out by Novell clients to request a non-server-specific service. The closest NetWare server that offers the requested service responds with another SAP. The GNS response designates a server's resources as available to the client, which then logs into the server. Once the client has attached to the server, it can access the server's services directly; no further GNS is needed. If a Cisco router receives a GNS request, it has the capability to respond with the first server in its SAP table. However, Cisco routers do not respond to a GNS if a local server is present on the interface the GNS is initiated on. A GNS filter, which restricts the servers the router may name in its GNS responses, is created with the command ipx output-gns-filter access-list-number.
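    The two placements of a SAP filter described above (ipx input-sap-filter keeping entries out of the table, ipx output-sap-filter trimming what one interface advertises), together with filtering by service type and by server name, as an added Python model. This is example code for this page, not the chapter's own material or IOS code; the server names, internal network numbers, list numbers and interface names are constructed around the Figure 11-4 scenario, and the seven-entries-per-packet packing follows the default stated earlier in this section.

```python
"""Model of Cisco IPX SAP filtering: an input SAP filter decides which service
entries enter the router's SAP table, an output SAP filter decides which table
entries are advertised out a given interface, and advertisements are packed
seven entries per packet. Added example, not the chapter's own code; the servers,
list numbers and interface names are constructed around the Figure 11-4 scenario."""
from fnmatch import fnmatchcase

ANY_NETWORK = 0xFFFFFFFF          # what -1 means in an IPX access list


def sap_rule(action, network="-1", service_type=0, name=None):
    """One SAP access-list line: network (-1 = any), type (0 = any), optional
    server name, which may use * as a wildcard and is matched case-sensitively."""
    net = ANY_NETWORK if network == "-1" else int(network, 16)
    return {"action": action, "net": net, "type": service_type, "name": name}


def rule_matches(rule, entry) -> bool:
    if rule["net"] != ANY_NETWORK and rule["net"] != entry["net"]:
        return False
    if rule["type"] != 0 and rule["type"] != entry["type"]:
        return False
    if rule["name"] is not None and not fnmatchcase(entry["name"], rule["name"]):
        return False
    return True


def permitted(acl, entry) -> bool:
    """First matching line decides; a list that permits nothing filters every service."""
    for rule in acl:
        if rule_matches(rule, entry):
            return rule["action"] == "permit"
    return False


def service(service_type, name, internal_network):
    """A SAP table entry. Services are advertised from the server's internal IPX
    network with node 0000.0000.0001, so that network number is what filters match."""
    return {"type": service_type, "name": name, "net": int(internal_network, 16),
            "node": "0000.0000.0001"}


class IpxRouter:
    def __init__(self):
        self.table = []
        self.input_filter = {}     # interface -> SAP access list (ipx input-sap-filter)
        self.output_filter = {}    # interface -> SAP access list (ipx output-sap-filter)

    def receive_sap(self, interface, entries):
        """Apply the input filter to each entry inside the received SAP packet
        (the service address in the entry, not the IPX header source) before
        it is learned."""
        acl = self.input_filter.get(interface)
        for e in entries:
            if (acl is None or permitted(acl, e)) and e not in self.table:
                self.table.append(e)

    def advertise(self, interface, per_packet=7):
        """Build the periodic SAP broadcast for one interface: apply that
        interface's output filter, then pack at most seven entries per packet."""
        acl = self.output_filter.get(interface)
        entries = [e for e in self.table if acl is None or permitted(acl, e)]
        return [entries[i:i + per_packet] for i in range(0, len(entries), per_packet)]


def demo() -> dict:
    adverts = [service(4, "SERVERA", "1A01"), service(7, "SERVERA", "1A01"),
               service(4, "SERVERB", "2A02"), service(4, "SERVERC", "3A03")]
    list_1001 = [sap_rule("deny", "1A01"), sap_rule("permit")]      # all of Server A
    list_1002 = [sap_rule("deny", "1A01", 4), sap_rule("permit")]   # only its file service

    # Input filter on Ethernet 0: Server A's entries never enter the table.
    r1 = IpxRouter()
    r1.input_filter["Ethernet0"] = list_1001
    r1.receive_sap("Ethernet0", adverts)

    # Output filter on Ethernet 1 only: Server A's file service stays in the
    # table and is advertised on Ethernet 2 but not on Ethernet 1.
    r2 = IpxRouter()
    r2.output_filter["Ethernet1"] = list_1002
    r2.receive_sap("Ethernet0", adverts)

    # Sixteen services need three SAP packets of at most seven entries each.
    r3 = IpxRouter()
    r3.receive_sap("Ethernet0", [service(4, f"SRV{i:02d}", f"{0x4000 + i:X}") for i in range(16)])

    def names(packets):
        return sorted(f"{e['type']}:{e['name']}" for pkt in packets for e in pkt)

    return {"learned_with_input_filter": sorted(e["name"] for e in r1.table),
            "ethernet1_adverts": names(r2.advertise("Ethernet1")),
            "ethernet2_adverts": names(r2.advertise("Ethernet2")),
            "packets_for_16_services": len(r3.advertise("Ethernet0"))}


if __name__ == "__main__":
    print(demo())
```

    An entry rejected by an input filter never reaches any output interface, whereas an output filter leaves the table intact and can differ per interface. Use the input filter when a service must not be known to the router at all, and the output filter when it must be visible on some segments only.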

    The local servers should be the first to respond. If this does not occur on the Novell IPX network, you can configure a GNS delay. The delay is measured in milliseconds, with the default being zero (no delay): ipx gns-response-delay milliseconds. This command is only needed on older IOS releases. Modern IOS routers do not respond to GNS requests if there is a local IPX server.

    To view the list of IPX servers on the network that have been discovered through SAP, use the command show ipx servers [unsorted | sorted]. By default, the output displayed is listed numerically by SAP service type. You can change this default with the optional unsorted and sorted arguments. unsorted does just as it says; it displays the IPX servers without any form of sorting. sorted allows you to sort by server name, by network number, or by the default SAP service type.

    Here is a sample output of show ipx servers:

    east#show ipx servers

    Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail

    10 Total IPX Servers

    Table ordering is based on routing and server info

    Type Name Net Address Port Route Hops Itf

    S 4 EAST-D04 B00D.0000.0000.0001:0451 conn 2 Lo13

    S 4 EAST-F04 B00F.0000.0000.0001:0451 conn 2 Lo15

    P 4 DABNEY BBBB0002.0000.0000.0001:0451 2/01 1 Et0.2

    P 4 DESTINY AAAA0001.0000.0000.0001:0451 2/01 1 Et0.2


    N 4 WEST-D04 C00D.0000.0000.0001:0451 82/02 4 Se0

    N 4 WEST-F04 C00F.0000.0000.0001:0451 82/02 4 Se0

    P 47 PRINTSRV BBBB0002.0000.0000.0001:8060 2/01 2 Et0.2

    P 107 DABNEY BBBB0002.0000.0000.0001:8104 2/01 2 Et0.2

    P 26B UNIVERSE_1________ AAAA0001.0000.0000.0001:0005 2/01 1 Et0.2

    P 278 UNIVERSE_1________ AAAA0001.0000.0000.0001:4006 2/01 1 Et0.2

    Servers are displayed in numeric order by service type. Type 4 is file service, which is required for login (known as general service in Novell terms). These are the servers that will be used in GNS responses by the router.

    The Net Address column is where to look to construct a SAP filter for these services based on their address. Notice that the node addresses are all 0000.0000.0001. This is because services are advertised with an address of the internal IPX network number of the server, not the physical address of the NIC on the wire. This internal IPX network number is the one that must be filtered on for your SAP filters to operate properly.

    Verifying IPX Access List Configuration

    The show ipx interface command allows you to view all the various types of filters that can be set for IPX packets, routes, routers, SAPs, and NetBIOS packets. The Cisco IOS is rich in commands that help you to manage IPX traffic on your network, and all these parameters are configurable.

    east#show ipx interface ethernet 0.2

    Ethernet0.2 is up, line protocol is up

    IPX address is D.0000.0c47.6643, NOVELL-ETHER [up]

    Delay of this IPX network, in ticks is 1 throughput 0 link delay 0

    IPXWAN processing not enabled on this interface.

    IPX SAP update interval is 1 minute(s)

    IPX type 20 propagation packet forwarding is disabled

    Incoming access-list is 800


    Outgoing access-list is not set

    IPX helper access-list is not set

    SAP GNS processing disabled, delay 500 ms, output filter list is 1000

    SAP Input filter list is not set

    SAP Output filter list is 1013

    SAP Router filter list is not set

    Input filter list is not set

    Output filter list is not set

    Router filter list is not set

    Netbios Input host access-list is not set

    Netbios Input bytes access-list is not set

    Netbios Output host access-list is not set

    Netbios Output bytes access-list is not set

    Updates each 60 seconds, aging multiples RIP: 3 SAP: 3

    SAP interpacket delay is 55 ms, maximum size is 480 bytes

    RIP interpacket delay is 55 ms, maximum size is 432 bytes

    IPX accounting is disabled

    IPX fast switching is configured (enabled)

    RIP packets received 294, RIP packets sent 152

    SAP packets received 295, SAP packets sent 150

    Notice the two filter lines in this output. Incoming access-list is 800 indicates a packet filter applied inbound to the router with the ipx access-group 800 in command. SAP Output filter list is 1013 indicates that access list 1013 has been applied as an output SAP filter with the ipx output-sap-filter 1013 command.

    The show access-lists command shows all access lists, not just IP or IPX. In the following example, both IPX and IP access lists are configured in the router. To view a specific IPX access list in isolation, use the list number as an argument for the command.

    Router1# sh access-lists

    IPX access-list 800

    deny C011

    permit FFFFFFFF

    IPX access-list 900

    permit any

    permit any any all AA11.00cf.b200.0000 0000.00ff.ffff all

    permit any BB22 all AA11


    IPX SAP access-list 1000

    deny B00F 47

    permit FFFFFFFF

    IPX SAP access-list 1009

    deny FFFFFFFF 0 parallel

    permit FFFFFFFF

    IPX SAP access-list 1013

    deny C000.0000.0000.0000 F.ffff.ffff.ffff

    deny FFFFFFFF 47 E*

    permit FFFFFFFF

    Occasionally an access list is misconfigured and the result is that RIP connectivity is not able to take place between NetWare servers and their clients through a router. The recommended procedure to use to troubleshoot this situation is as follows:

    1. Type enable to place the router into privileged EXEC mode.

    2. Type show access-lists to see what IPX access lists are on the router.

    3. Type show running-config to see if there are access lists specified for ipx input-network-filter or ipx output-network-filter.

    4. For any access lists that are configured, type no ipx input-network-filter or no ipx output-network-filter on the interface to remove them.

    5. Check to see if the RIP communication is working so that servers and clients can access each other through the router. If so, then the access list that was disabled must be checked for errors and corrected. An access list can be configured with explicit permit statements in order to enable communication. If there was more than one access list, then the access lists must be re-enabled and then disabled individually in order to isolate them. If RIP communication still does not work, then check to see if another router may be the cause of the problem.

    EXERCISE 11-4

    Remove All Access Lists From the Router's Configuration

    Now that you have properly configured and applied various types of access lists, it

    is always good to know how to remove them in the event that they are no longer


    needed. Complete the following steps to properly remove all configured access lists from your router.

    1. Enter interface configuration mode by typing the following command:

    Router(config)# interface ethernet 0

    2. Remove access lists 1 and 101 from the interface by entering these commands:

    Router(config-if)# no ip access-group 1 in

    Router(config-if)# no ip access-group 101 in

    3. Now that the access lists are removed from the interface, return to global configuration mode with exit and safely remove them from the global configuration by entering the following commands:

    Router(config)# no access-list 1

    Router(config)# no access-list 101

    You have now successfully removed both access lists that you previously configured on the router. Remember that when removing access lists it is best to remove them from the interface before you remove them from the global configuration: an interface that still references a list that no longer exists filters nothing and permits all traffic.


    FROM THE CLASSROOM

    When creating a filter, it is imperative that you understand the way the protocol or application being filtered works. As an example, say that we wish to limit all access to server 10.1.2.3 with the exception of allowing TFTP (Trivial File Transfer Protocol) connections. Let us further assume that the server is the only device on interface Ethernet 0. If the administrator is unfamiliar with how TFTP works they might create the following access list thinking that it will work:

    Router(config)# access-list 101 permit udp any host 10.1.2.3 eq tftp
    Router(config)# interface e0
    Router(config-if)# ip access-group 101 out

    This may look correct to you as you read it. However, you and the administrator who created this list will be banging your heads wondering why the TFTP connections always fail. The answer comes from understanding how TFTP works.

    TFTP uses UDP port number 69 as a listening port. This means that the first packet (the request for a TFTP transfer) sent to a server will use port 69. However, once the server gets this request it changes the server port to a random value greater than 1023 and less than 65,535 (the random port number range). All subsequent packets between the server and client will be sent between the client's random port number and this new random port number that the server selected. This frees up the original listening port (69) for additional requests of the server from other client devices.

    This means that the correct configuration should look similar to the following:

    Router(config)# access-list 101 permit udp any host 10.1.2.3 gt 1023
    Router(config)# access-list 101 permit udp any host 10.1.2.3 eq tftp
    Router(config)# interface e0
    Router(config-if)# ip access-group 101 out

    Notice the first line allows for packets from any source to the server 10.1.2.3 as long as the server's port is greater than that of 1023. The reason for putting this line first instead of second is that more packets will be sent to this destination address and port number than to the listening port number 69. Putting it first reduces the number of CPU interrupts required to determine if the packet is eligible to be permitted.

    Many a network administrator has failed to accomplish filtering tasks due to a lack of knowledge. Do not be caught off guard.

    Mark A. Buchmann, CCIE, CCSI
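    The stalled transfer the sidebar describes, traced datagram by datagram as an added Python example (not the sidebar author's code). The two access lists are represented as small destination-port tests rather than in IOS syntax; the client address, the transfer identifiers 2049 and 3071 and the block count are constructed values.

```python
"""Trace a TFTP read through the two outbound access lists discussed in the
sidebar, to show why the first one strands the transfer: the request goes to
port 69, but the server answers from an ephemeral port and every later client
datagram is addressed to that port, which the first list never permits. Added
example, not the sidebar author's code; hosts and port numbers are constructed."""

SERVER = "10.1.2.3"       # the only device on Ethernet 0
TFTP_PORT = 69

# Each rule is (protocol, destination host, test on the destination port).
# Datagrams leaving Ethernet 0 toward the server are permitted by the first
# rule that matches; the implicit deny drops everything else.
ONLY_PORT_69 = [("udp", SERVER, lambda p: p == TFTP_PORT)]
WITH_EPHEMERAL = [("udp", SERVER, lambda p: p > 1023),
                  ("udp", SERVER, lambda p: p == TFTP_PORT)]


def outbound_permitted(acl, pkt) -> bool:
    for proto, host, port_ok in acl:
        if pkt["proto"] == proto and pkt["dst"] == host and port_ok(pkt["dport"]):
            return True
    return False


def tftp_read(acl, client="10.1.1.9", blocks=3, client_tid=2049, server_tid=3071) -> dict:
    """Simulate an RFC 1350 read: RRQ to port 69, DATA from a fresh server transfer
    identifier (TID), ACKs from the client back to that TID. Only client-to-server
    datagrams leave Ethernet 0, so only they meet the outbound filter."""
    log = []
    rrq = {"proto": "udp", "src": client, "sport": client_tid,
           "dst": SERVER, "dport": TFTP_PORT}
    if not outbound_permitted(acl, rrq):
        log.append("RRQ to port 69 dropped")
        return {"completed": False, "acked_blocks": 0, "log": log}
    log.append("RRQ to port 69 permitted")
    for block in range(1, blocks + 1):
        # DATA travels server_tid -> client_tid; it enters Ethernet 0, so the
        # outbound list never sees it.
        log.append(f"DATA {block} arrives from server port {server_tid}")
        ack = {"proto": "udp", "src": client, "sport": client_tid,
               "dst": SERVER, "dport": server_tid}
        if not outbound_permitted(acl, ack):
            log.append(f"ACK {block} to port {server_tid} dropped; transfer stalls")
            return {"completed": False, "acked_blocks": block - 1, "log": log}
        log.append(f"ACK {block} to port {server_tid} permitted")
    return {"completed": True, "acked_blocks": blocks, "log": log}


if __name__ == "__main__":
    for name, acl in (("only port 69", ONLY_PORT_69), ("with ephemeral", WITH_EPHEMERAL)):
        result = tftp_read(acl)
        print(name, "completed" if result["completed"] else "stalled")
        for entry in result["log"]:
            print("  ", entry)
```

    The corrected list permits every UDP datagram to the server above port 1023, not just the one transfer, because a stateless packet filter has no record of which ephemeral port a given request produced. That width is the cost of filtering a port-hopping protocol with a plain access list.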


    CERTIFICATION SUMMARY

    Access lists are used to filter traffic on Cisco routers. The purpose of filtering traffic can be to reduce certain protocol-type traffic, to manage the flow of traffic through the network, and to secure the network. Access lists can deny or permit traffic based on the protocol, based on the source address or the destination address, and based on its inbound or outbound status.

    In an IP access list, a source or destination address is tested against each item in the list. The first match found is the one that is used to determine whether the packet is permitted or dropped. Because the first match is the one followed, it is critical to pay attention to the order. When a list is interrogated, if no applicable rule is found, the packet is implicitly denied. The correct syntax for permitting or denying packets across interfaces with a standard list is as follows:

    access-list access-list-number deny | permit source-address [source-wildcard] | any

    IPX access lists permit or deny traffic based on either specified network nodes or messages sent using particular protocols and services. Just as in IP access lists, the order of rules applied in the access list is critical. The first matching entry, whether it is a permit or a deny, is followed. And also like IP lists, if you do not explicitly enter a permit everything at the end, an implicit deny all is made. The syntax for a basic IPX access list is as follows:

    access-list access-list-number deny | permit source-network [options]

    All servers on a NetWare-type network can dynamically advertise their services and addresses using the Service Advertising Protocol (SAP). The other components on a network, such as routers, keep a complete list of the services available across the network. These service advertisements synchronize the list of available services. SAP-type traffic can be denied with a command such as access-list 1001 deny 1A01 4, which filters only the type 4 (file) services of the server whose internal network number is 1A01.

    After an access list is created, it must be applied to the interface using an access-group command (ip access-group or ipx access-group), or, for SAP lists, with ipx input-sap-filter or ipx output-sap-filter.


    TWO-MINUTE DRILL

    Standard IP Access Lists

    Packet filtering is performed on Cisco routers through the use of access lists. Access lists can be used to control the transmission of packets across an interface, to restrict traffic across virtual terminal lines, or to restrict routing updates.

    An IP access list is a collection of permit and deny rules that are applied to IP addresses.

    There are three basic types of IP access lists: standard, extended, and dynamic extended.

    The basic format for adding a standard access list is:

    ACCESS-LIST access-list-number DENY|PERMIT SOURCE [source-wildcard]|ANY

    Extended IP Access Lists

    Extended IP uses both the source and destination address when it tries to match up packets to your list, and you can optionally use protocol type information for even finer control.

    The syntax for adding an extended access list entry (prefix the command with NO to remove the whole list) is:

    [NO] ACCESS-LIST access-list-number DENY | PERMIT protocol source source-wildcard destination destination-wildcard

    Named Access Lists

    With named lists you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number.

    You can verify your IP access lists with the SHOW ACCESS-LISTS command and the SHOW IP INTERFACE command.


    Standard IPX Access Lists

    IPX access lists permit or deny traffic across interfaces based on either specified network nodes or messages sent using particular protocols and services.

    IPX standard access lists use the access-list range of 800-899.

    IPX SAP Filters

    All servers on a NetWare-type network can dynamically advertise their services and addresses using the Service Advertising Protocol (SAP).

    SHOW IPX INTERFACE allows you to view all the various types of filters that can be set for IPX packets, routes, routers, SAPs, and NetBIOS packets.

    SHOW ACCESS-LISTS will show all access lists, not just IP or IPX.


    SELF TEST

    The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question.

    Standard IP Access Lists

    1. Which of the following commands adds a statement to a standard IP access list?

    A. Router(config)#access-list 8 permit 127.8.108.0 0.0.63.255

    B. Router# access-list 88 permit 127.8.108.0 0.0.63.255

    C. Router> access-list 999 permit 127.8.108.0 0.0.63.255

    D. Router(config)#access-list 108 permit 127.8.108.0 0.0.63.255 inbound

    2. What is always the last forward or drop decision performed when using an access list?

    A. The last configured statement of the access list

    B. The statement in the access list that is designated with the last parameter

    C. The implicit deny any statement

    D. The implicit permit any statement

    3. What type of criteria can a standard IP access list filter traffic for?

    A. Source address

    B. Destination address

    C. Protocol type

    D. Inbound or outbound traffic

    4. Noelle is a new network administrator and is reviewing each router's configuration. Noelle discovers that there is an access list number 79 applied to a router's serial interface. What type of access list is it?

    A. Standard IPX

    B. Standard IP

    C. SAP

    D. Extended IP


    5. Which of the following statements are true regarding IP access lists (Select all that apply)?

    A. After an access list is created, any additions to that list are placed at the end

    B. You cannot selectively add or remove items

C. You need to explicitly associate the access list to whatever it is you are intending to use it for, such as an interface

    D. There is an implicit DENY statement at the end

    6. What command removes an access list from a router?

    A. Remove access-list 1

    B. Delete access-list 1

C. No access-list 1

D. Deny access-list 1

    Extended IP Access Lists

    7. Which of the following commands will add a statement to an extended IP access list?

    A. Router(config)# access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23

    B. Router(config)# access-list 8 permit any

    C. Router(config)# access-list 850 permit 1

D. Router>access-list 102 permit udp 172.16.1.0 0.0.0.255

8. Noelle finds an inbound access list applied to the Ethernet interface of another router and it has a number of 122. What type of access list is it?

    A. Standard IPX

    B. Standard IP

    C. SAP

    D. Extended IP

9. The following access list, containing only one line, is applied as a packet filter on an interface:

ACCESS-LIST 100 PERMIT TCP 145.22.3.0 0.0.0.255 ANY EQ TELNET

    What is the best description of the traffic that is denied by the implicit DENY ALL?

A. All IP traffic

B. All Telnet traffic

    C. All TCP traffic

    D. All TCP traffic except Telnet


10. The following statement appears in an IP extended access list:

ACCESS-LIST 125 PERMIT IP ANY HOST 136.25.2.128

What does this line permit?

    A. Any IP traffic from host 136.25.2.128

    B. IP traffic to any host on network 136.25.2.128

    C. IP traffic from any address to the host at 136.25.2.128

    D. The statement is invalid because there is no mask.

    11. The address mask pair 172.16.64.0 0.0.3.255 specifies which range of IP addresses?

    A. 172.16.64.255 through 172.16.67.255

B. 172.16.67.0 through 172.16.70.255

C. 172.16.64.0 through 172.16.67.255

    D. 172.16.63.0 through 172.16.64.255

    12. Which command would be used to configure an inbound packet filter for TCP traffic?

    A. Router(config-if)#tcp packet-filter 101

    B. ROUTER(CONFIG-IF)#IP PACKET-FILTER 101 IN

    C. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 99 IN

    D. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 100 IN

    E. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 100

13. What would be the wildcard mask in an access list that permits all traffic from a class C network address?

    A. 0.0.255.255

    B. 0.255.255.255

    C. 0.0.3.255

    D. 0.0.0.255

    Named Access Lists

    14. What type of access lists can utilize the name function?

    A. IPX Standard

    B. IP Standard


C. IPX Extended

D. IP Extended

    15. Which command will display all the access lists configured on a router?

    A. Show all

    B. Show access-lists

    C. Show filters

    D. Display access-lists

    Standard IPX Access Lists

16. Noelle further discovers that the router has an access list number 860 applied to the same interface. What type of access list is this?

    A. Standard IPX

    B. Standard IP

    C. SAP

    D. Extended IP

    17. On what basis do IPX access lists permit or deny traffic?

    A. Specified network nodes

    B. Messages sent using a particular ICMP

    C. Messages sent using a particular protocol

    D. Messages sent using a particular service

    IPX SAP Filters

18. Company A has a site in Sydney, Australia, with NetWare servers, and two sites (one with NetWare servers, one without) in Los Angeles, California. Company A wants to make sure that no servers in Sydney respond to get nearest server requests from clients in Los Angeles at the site that has no servers. What type of filter should Company A apply?

A. An outbound SAP filter on the Los Angeles site with servers on the interface to the other Los Angeles site

B. An inbound SAP filter on the Los Angeles site without servers on the interface to the Sydney site


C. An outbound GNS filter on the Los Angeles site without servers but only on the interface to the Sydney site

D. An outbound GNS filter on the Los Angeles site without servers but on the interface to the other Los Angeles site

    19. Which command will apply an SAP filter for outbound traffic?

    A. Router> ipx output-sap-filter 1001

    B. Router(config-if)# ipx output-sap-filter 1001

    C. Router# ipx output-sap-filter 1001

    D. Router(config)# ipx output-sap-filter 1001

20. SAP traffic is filtered using what access list command?

A. Router>access-list 860 permit sap any

    B. Router#access-list 1000 permit sap any

    C. Router(config)#access-list 801 permit sap any

    D. Router(config)# access-list 1001 deny 1A01

    LAB QUESTION

You were advised that certain networks (10.10.1.0 and 10.10.2.0) no longer need access to the ftp server (10.10.20.50) located back in the main office. You are told that these networks are not to have access to the ftp server, but they will still need access to all of the other servers located on the same network. Your task is to implement an access list scheme that will meet these goals without affecting any other traffic. Detail how you will configure and apply these access lists, and explain why.


    SELF-TEST ANSWERS

    Standard IP Access Lists

1. A. The global configuration command access-list 8 permit 127.8.108.0 0.0.63.255 adds a permit statement to a standard IP access list.

B is incorrect because the router is not in configuration mode. C is incorrect because the router is not in exec mode. Once you are in privileged mode you will have the # sign after the host name. D is incorrect because the access-list number is 108, which makes it an extended IP access list and not a standard one, which is what the question asks for.

2. C. The last forward or drop decision that is performed by a router when using an access list is the implicit deny any statement. If no match is found in the access list to forward data with, the router drops the packet.

A is incorrect because the last configured statement still comes before the implicit deny all statement. B is incorrect because there is no such thing as the last parameter. D is incorrect because there is no such thing as an implicit permit any statement.

3. A. A standard IP access list can filter traffic based on source address.

B and C are incorrect because these are parameters that are associated with extended IP access lists, not standard IP access lists. D is incorrect because inbound or outbound is specified on the interface, not in the access list.

4. B. The access list is a standard IP access list. Standard IP access lists use the numeric range of 1-99.

A is incorrect because standard IPX access lists use the numeric range of 800-899. C is incorrect because SAP access lists use the numeric range of 1000-1099. D is incorrect because extended IP access lists use the numeric range of 100-199.

5. A, B, C, D. All are correct statements regarding IP access lists.

6. C. The command no access-list 1 will remove the access list numbered 1 from the router. This command must be entered into the router from configuration mode.

A, B, and D are incorrect because they all use invalid commands.

    Extended IP Access Lists

7. A. The global configuration command access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23 will add a statement to an extended IP access list.

B is incorrect because this command would specify a standard IP access list, and not an extended IP access list. C is incorrect because this would specify a standard IPX access list, and not an extended IP access list. D is incorrect because the router is not in exec mode, or configuration mode for that matter.

8. D. An access list with the number 122 is an extended IP access list, since they are in the range of 100-199.

A is incorrect because the standard IPX access list numeric range is 800-899. B is incorrect because the standard IP access list numeric range is 1-99. C is incorrect because the SAP access list numeric range is 1000-1099.

9. A. Even though the statement explicitly refers to TCP and Telnet traffic, the implicit DENY ALL applies to all IP traffic.

B is incorrect because the access list specifies that Telnet traffic will be allowed from the 145.22.3.0 network. C and D are incorrect because the implicit deny all statement will deny all traffic, not just TCP traffic.

10. C. The ANY argument represents any source network. The HOST keyword replaces the mask 0.0.0.0 for the destination IP address 136.25.2.128.

A is incorrect because the address 136.25.2.128 is the destination, not the source. B is incorrect because the address 136.25.2.128 specifies a host address by using the HOST keyword. D is incorrect because you do not need to specify a mask when using the HOST keyword to specify a specific device.

11. C. The range begins at 172.16.64.0 and includes all IP addresses through 172.16.67.255. All bits in the address corresponding to 0 bits in the wildcard mask will always be the same throughout the range, while all bits in the address corresponding to 1 bits in the mask may be any value.

A is incorrect because the network address 172.16.64.0 is specified, not the broadcast address 172.16.64.255. B is incorrect because the beginning network is incorrect; it should be 172.16.64.0, not 172.16.67.0. D is incorrect because for this statement to be true the mask would have to read 0.0.1.255.

12. D. A packet filter to filter TCP traffic would be applied using the ip access-group command, using an IP extended access list.

A is incorrect because there is no such command as tcp packet-filter. B is incorrect because there is no such command as IP PACKET-FILTER. C is incorrect because list 99 would be a standard IP access list, which cannot specifically filter TCP traffic. E is incorrect because the keyword IN needs to be specified; the default direction is outbound.


13. D. The wildcard mask in an access list that permits all traffic from a Class C network address would be 0.0.0.255 on a router.

A is incorrect because the mask 0.0.255.255 would specify a Class B network. B is incorrect because this would specify a Class A network. C is incorrect because it would indicate that a Class B network has been divided up and is not an entire Class C.

    Named Access Lists

14. B and D. When Cisco implemented this function into the IOS, it was made applicable only to standard and extended IP access lists.

A and C are incorrect because the IOS does not support the named access list feature for these types of access lists.

15. B. The show access-lists command will display all the access lists configured on a router.

A, C, and D are incorrect because they use commands that are not valid.

    Standard IPX Access Lists

16. A. This access list number falls in the standard IPX access list numeric range.

B is incorrect because standard IP access lists use the numeric range of 1-99. C is incorrect because SAP access lists use the numeric range of 1000-1099. D is incorrect because extended IP access lists use the numeric range of 100-199.

17. A, C, and D. Packets are permitted or denied based on specified network nodes or messages sent using a particular service or protocol.

B is incorrect because ICMP is a PING.

    IPX SAP Filters

18. C. Company A should apply an outbound GNS filter on the router at the Los Angeles site on the interface that connects it to the Sydney site. This will effectively prevent any get nearest server requests from traveling to Sydney.

A and B are incorrect because they would prevent SAPs, but not GNS requests. D is incorrect because this would block the Los Angeles servers from responding, but not the Sydney servers.

19. B. The interface configuration command ipx output-sap-filter 1001 will apply a SAP filter for outbound traffic to a router's interface.

A is incorrect because the router is not in exec or configuration mode. C is incorrect because the router is not in configuration mode. D is incorrect because the command is not applying the filter to an interface.

20. D. The global configuration command access-list 1001 deny 1A01 is a SAP access list used to filter SAP traffic.

A is incorrect because the router is not in exec or configuration mode, and it is also using a standard IPX access list range. B is incorrect because the router is not in configuration mode. C is incorrect because the access list is using a standard IPX access list number and not a SAP access list number.

    LAB ANSWER

The following steps detail how this scenario can be met.

1. Determine what will need to be accomplished, which we have already defined.

2. On a notepad or in a text editor, write out what you think will be the correct access-list configurations to meet your overall goals.

3. Once you have come up with an initial idea of how your access lists should be configured, verify that they are correct and possibly have a coworker do a sanity check for you.

4. Now that the access lists look like they should, you can go ahead and configure them on your router.

5. Log on to the router and enter global configuration mode.

6. Start entering the access lists into the router's configuration; they should look something like this:

Router(config)# access-list 101 deny tcp 10.10.1.0 0.0.0.255 host 10.10.20.50 eq ftp

Router(config)# access-list 101 deny tcp 10.10.2.0 0.0.0.255 host 10.10.20.50 eq ftp

Router(config)# access-list 101 permit ip any any

7. With this configuration you are doing the following things:

Denying the 10.10.1.0 network ftp access to 10.10.20.50.

Denying the 10.10.2.0 network ftp access to 10.10.20.50.

Permitting all other traffic to go anywhere else.

Implicit deny all statement.

8. Once these access lists are configured globally on the router, they need to be applied to an interface for final completion.

9. Start by entering the following command on interface ethernet 2:

Router(config-if)# ip access-group 101 in

10. With this statement you have applied access list 101 to the router interface, and traffic is now being compared to your access list.

You have now successfully configured, applied, and explained what these access lists will accomplish in the overall scheme of your network.
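To see how the lab's list 101 and the wildcard-mask rule from question 11 play out packet by packet, here is a small Python model of IOS access-list evaluation: entries are checked top down, the first match decides, an unmatched packet hits the implicit deny, and a 1 bit in the wildcard mask means "don't care". This is an added example, not code from the book or from Cisco IOS; the port table and the sample addresses are constructed for illustration.

```python
# Model of Cisco IP ACL matching (wildcard masks, first match, implicit deny).
# Added example, not from the book; ACL 101 below is the lab answer's list.
import ipaddress

PORTS = {"ftp": 21, "telnet": 23}   # named ports used in this chapter (constructed table)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit in the mask means 'don't care' (self test Q11)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]', where SRC/DST
    is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; returns a 5-tuple."""
    tok = line.split()
    assert tok[0] == "access-list"
    action, proto, i = tok[2], tok[3], 4
    addrs = []
    for _ in range(2):                            # source, then destination
        if tok[i] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":
            addrs.append((tok[i + 1], "0.0.0.0")); i += 2
        else:
            addrs.append((tok[i], tok[i + 1])); i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":           # optional destination port
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return (action, proto, addrs[0], addrs[1], port)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; a packet matching no entry hits the
    implicit deny at the end of every list (self test Q2 and Q9)."""
    for action, eproto, (s, sw), (d, dw), port in acl:
        if eproto not in ("ip", proto):           # 'ip' entries match any protocol
            continue
        if (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
                and (port is None or port == dport)):
            return action
    return "deny"

# The lab's ACL 101, written with the wildcard masks and 'ip' keyword IOS requires.
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny tcp 10.10.1.0 0.0.0.255 host 10.10.20.50 eq ftp",
    "access-list 101 deny tcp 10.10.2.0 0.0.0.255 host 10.10.20.50 eq ftp",
    "access-list 101 permit ip any any",
)]
```

Running a Telnet packet from 10.10.1.7 to the ftp server through ACL_101 returns "permit", while the same host's ftp packet returns "deny", which is exactly the distinction the lab asks for.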
