7/29/2019 Basic Traffic
1/44
11 Basic Traffic Management with Access Lists
CERTIFICATION OBJECTIVES
11.01 Standard IP Access Lists
11.02 Extended IP Access Lists
11.03 Named Access Lists
11.04 Standard IPX Access Lists
11.05 IPX SAP Filters
Two-Minute Drill
Q&A Self Test
Traffic filtering controls the flow of data across a network. By separating out transmissions through a router, network traffic can be limited to reduce bandwidth consumption by unnecessary protocol traffic, traffic flow can be managed, and certain users or devices can be restricted from accessing network segments or network services for security purposes. Filtering is performed on Cisco routers through the use of access lists.
An access list dictates whether routed packets are blocked at a router's interface or forwarded to their destination. Routers check each routed packet to determine whether it is to continue on its current segment or be forwarded, and if so, where to forward it.
The router will base a forward or drop decision on the conditions in the access
list. These conditions can include:
Source address
Destination address
The protocol being used
Other information, which is dependent on the access list and protocol types
An access list provides a method of restricting the traffic on the internetwork. The restriction can reduce bandwidth consumption, limit the contents of routing updates, and provide a method of securing the network. Securing a network with access lists is effective for most users. However, network-savvy individuals may be able to evade or get around an access list because it does not have a user authentication level of security.
Access lists can be used for many things: controlling the transmission of packets across an interface, restricting traffic across virtual terminal lines, or restricting routing updates. Each list is a series of permit or deny statements about the type of traffic you wish to filter, and a unique number identifies the access list. Each permit and deny statement within a single list must have the same number, and must be on a separate line of the configuration. The number used is up to you, but it must fall within the ranges listed in Table 11-1, depending on what service you are applying the access list to. The protocols marked with an asterisk (*) are the ones that are discussed in this chapter, and are covered on the CCNA test.
476 Chapter 11: Basic Traffic Management with Access Lists
One use for access lists is to enable a router to forward or drop packets based on the type of protocol it uses. In Figure 11-1, the router permits E-mail traffic based on Simple Mail Transport Protocol (SMTP) on TCP port 25, but it denies all File Transfer Protocol (FTP) traffic. A network design should always provide for access lists on routers that connect to networks outside the enterprise, and between secured network areas (for example, human resources servers) and the remaining network. As a general rule, access lists should be created for each protocol, such as IP or IPX, that the router uses.
This chapter explains how to create access lists and how to apply them to interfaces and services. There are two basic steps involved in this process:
Creating the access list
Applying the access list to a router interface
TABLE 11-1 Number Ranges for Access Lists
Protocol                Range
IP*                     1-99; 1300-1999 (IOS 12.0 expanded range)
Extended IP*            100-199; 2000-2699 (IOS 12.0 expanded range)
Ethernet type code      200-299
DECnet                  300-399
XNS                     400-499
Extended XNS            500-599
AppleTalk               600-699
48-bit MAC address      700-799; 1100-1199 (IOS 12.0 expanded range)
IPX*                    800-899
Extended IPX            900-999
IPX SAP*                1000-1099
NLSP Filters            1200-1299
The main way to create an access list is to begin with the protocol that will be filtered and use the correct number based on that protocol for the access list. A unique name may be assigned to the access list, if named access lists are supported for that protocol. The criteria to filter packets are defined through permit or deny statements, of which there can be multiple statements of each in a particular order. The order of statements is important because the router executes them sequentially. If, for example, a statement denies all FTP traffic and the next statement permits FTP traffic from a specific host, then all FTP traffic will be denied because the router will drop the packet before it gets to the permit statement. If a statement is added in the wrong order to an access list, then the access list must be deleted and a new access list created for it to be correct. The final statement in any access list is
FIGURE 11-1 A traffic-based access list selects packets based on protocol types
not specified by an administrator, because it is an implied Deny all statement that blocks all traffic that is not explicitly permitted in the access list.
After an access list is created, it should be applied to an interface. An interface can use a single access list to filter inbound traffic, and another to filter outbound traffic. Or, an interface can use a single access list to filter both inbound and outbound traffic. When an access list filters inbound traffic, it checks the packet when it is received by the router to distinguish whether to forward or drop it. When an access list filters outbound traffic, it checks the packet to be forwarded or dropped on its way out of the router to the network.
CERTIFICATION OBJECTIVE 11.01
Standard IP Access Lists
A standard IP access list is a collection of permit and deny rules that are applied to IP addresses. The router processes each access list statement in sequence against each packet. If the router reaches the end of the list and has found no match for the packet, the packet is discarded. This is known as the implicit deny any. Therefore, it is important that each access list contains at least one permit statement. And because the first match is the one followed, it is critical to pay attention to the order.
One analogy that I particularly like when trying to describe how an access list
operates is as follows. The router is just like a bouncer that stands out in front of
the fancy nightclub holding his clipboard with a list of names. Now anytime that
someone wants to get into the club they have to go up to the bouncer and tell
him their name or what party they are with. With this information the bouncer
starts at the top and goes down his list until he finds a match. If there is a match
the person is let into the club, but if there is no match then you're going home
for the night because you are not getting in. The router operates in much the
same way. The packet arrives and gives the router his information and the router
compares this to his access list(s). If there is a match the packet is routed to its
final destination. If there is no match the packet is discarded.
There are three basic types of IP access lists: standard, extended, and dynamic extended. Standard access lists use source addresses for applying rules. This provides a very basic form of filtering. Extended access lists can use both source and destination
addresses, protocol numbers, and even the port numbers of the application. This allows a more granular method of controlling data flow. Finally, dynamic extended access lists grant access to destinations on a per-user basis, through an authentication process.
The router uses a wildcard mask (also known as an inverse mask), along with the source or destination IP address, to identify a range of addresses to match. This mask is known as inverse because it works completely opposite from a standard subnet mask. Where a standard subnet mask would have a 0 bit, the inverse mask has a 1 bit, and vice versa. A subnet mask tells the router which bits of the IP address belong to the network number and which belong to the host address. The wildcard mask tells the router how many bits of the IP address it needs to examine in order to make a matching determination. This address mask pair allows the administrator to specify a range of IP addresses, or an individual IP address, giving quite a bit of flexibility.
In a subnet mask, a mask bit set to 1 means that the corresponding bit in the IP address belongs to the network part of the address. With a wildcard mask, bits set to 0 identify corresponding bits in the IP address that the router must match exactly. Wildcard mask bits set to 1 in an access list mean the corresponding bit in the IP address can be either a 1 or a 0. Sometimes these bits are referred to as do-not-care bits, because the router does not care about them as it tries to make a match. Here are some sample address mask pairs as they might appear in an access list:
124.220.7.0 0.0.0.255
The last octet of the mask is all ones, so the router allows any value for the bits of the corresponding address. It must match the first three octets exactly. This pair (address and mask) matches all the IP addresses between 124.220.7.0 and 124.220.7.255.
193.62.0.0 0.0.255.255
The last two octets of this mask are all ones, so the router allows any value in the corresponding bits. That is, the last two octets of the IP address we are matching could be anything, as long as the first two octets are 193.62 exactly. This address/mask pair matches every IP address between 193.62.0.0 and 193.62.255.255.
172.16.16.0 0.0.7.255
Not all masks have the boundary between match-exactly bits and do-not-care bits on the octet boundary. This sometimes makes it tough to figure out what
matches and what does not. It always helps to work out the binary on these, and in time the powers of two become easy. Here is the breakdown, in binary, of just the third octet of the last example.
Address bits: 16 = 00010000
Mask bits: 7 = 00000111
The mask does not care about corresponding bits in the address where the mask bits are ones. Thus, this pair of numbers describes a range of eight possible numbers, 16 through 23. You can prove this by counting up from 16 through 24, in binary, as follows:
7 = 00000111 Given wildcard (inverse) mask
16 = 00010000 Good match
17 = 00010001 Good match
18 = 00010010 Good match
19 = 00010011 Good match
20 = 00010100 Good match
21 = 00010101 Good match
22 = 00010110 Good match
23 = 00010111 Good match
24 = 00011000 Bad match
When 24 is reached, the 2^3 bit in the address changes from a zero to a one. The 2^3 bit does not fall under the mask, so it is not within the range we are describing with this pair.
Looking at the entire address mask pair, you can see that the full range of IP addresses described is 172.16.16.0 through 172.16.23.255.
The matching process for an access list statement actually has three steps. In packet filtering, the IP packet header is examined for its IP addresses in order to make a match. Assume that the access list statement contains the address mask pair 172.16.0.0 0.0.255.255. If a packet comes in with a source IP address of 172.16.10.22, the router does the following:
1. Performs a logical XOR against the address and mask in the access list statement. This means that any bit with a one in either the address or the mask will be a one in the result. The result of this operation is 172.16.255.255.
2. Performs a logical XOR against the IP address in the packet header and the mask in the access list statement. The result is 172.16.255.255.
3. Subtracts the two results. If the two results are identical, the result of the subtraction is exactly zero, and we have a match, as we have in this example. If the result of the subtraction is not zero, there is no match and we go on and repeat these steps for the address/mask pair in the next statement.
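An added example, not from the book, that carries the wildcard-mask arithmetic above out in Python: the three-step match of 172.16.0.0 0.0.255.255 against 172.16.10.22 with its intermediate results, the range an address/wildcard pair covers, and the binary walk from 16 through 24 under the mask 7. The bit operation step 1 describes (a 1 in either operand gives a 1) is a bitwise OR, which is what the code uses; the function names are my own.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def match_steps(packet_ip: str, acl_address: str, wildcard: str) -> dict:
    """The three steps the chapter lists, keeping the intermediate results.

    Wildcard bits set to 1 (don't-care) are forced to 1 on both sides, so the
    only bits that can still differ are the ones the mask says must match.
    """
    mask = to_int(wildcard)
    step1 = to_int(acl_address) | mask   # 1: ACL address combined with the mask
    step2 = to_int(packet_ip) | mask     # 2: packet address combined with the mask
    return {"step1": to_dotted(step1),
            "step2": to_dotted(step2),
            "match": step1 - step2 == 0}  # 3: a difference of zero is a match


def wildcard_match(packet_ip: str, acl_address: str, wildcard: str) -> bool:
    """True when the packet address matches the address/wildcard pair."""
    return match_steps(packet_ip, acl_address, wildcard)["match"]


def wildcard_range(acl_address: str, wildcard: str):
    """Lowest and highest address covered by an address/wildcard pair.

    Clearing the don't-care bits gives the bottom of the range; setting them
    all gives the top (172.16.16.0 0.0.7.255 -> 172.16.16.0 .. 172.16.23.255).
    """
    mask = to_int(wildcard)
    base = to_int(acl_address) & ~mask
    return to_dotted(base), to_dotted(base | mask)


def octet_walk(start: int, count: int, wildcard_octet: int):
    """Reproduce the chapter's binary walk for one octet: for each value from
    start upward, report (value, binary, whether it matches start under the mask)."""
    return [(v, format(v, "08b"),
             (v | wildcard_octet) == (start | wildcard_octet))
            for v in range(start, start + count)]


if __name__ == "__main__":
    print(match_steps("172.16.10.22", "172.16.0.0", "0.0.255.255"))
    print(wildcard_range("172.16.16.0", "0.0.7.255"))
    for value, bits, ok in octet_walk(16, 9, 7):
        print(value, bits, "Good match" if ok else "Bad match")
```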
There are two keywords that can be used to save some typing with the IP access list address/mask pairs. The first is any, which can be used in place of the address/mask pair 0.0.0.0 255.255.255.255. As seen from the address/mask pair, this combination allows any combination of address bits to match. The other keyword is host, which can be used in extended access lists only, to replace the 0.0.0.0 mask. In a standard access list, omitting the 0.0.0.0 mask is the same as specifying it. If you omit the mask, the address will be considered a host address. In other words, 0.0.0.0 is the default mask.
All access lists are defined in global configuration mode. The basic format for creating a standard IP access list is as follows:
access-list access-list-number deny | permit source-address [source-wildcard] | any
The access-list-number is a number within a specific range that signifies which list the command you are entering is to join. Next, the action of either permit or deny is specified for any traffic from the specified address. source-address is just as it sounds, dictating the source IP address the access list rule applies to. The optional source-wildcard identifies which bits in the address field are matched. The argument any at the end implies the address 0.0.0.0 with a mask of 255.255.255.255, which matches any address. Here is an example of a standard IP access list that might be found in a network such as that depicted in Figure 11-1:
Router(config)# access-list 1 permit 10.10.10.101
There is a new Cisco IOS parameter at the end of the access list command: the log parameter. The log parameter enables logging messages about the packets that were forwarded or dropped based on the access list command. An administrator specifies the level of detail that is logged using the logging console command. An example of implementing this is the command:
Router(config)# access-list 1 permit 10.10.10.101 log
Another parameter that Cisco has now enabled in the IOS for the access list command is the ability to place comments into the access lists. Placing comments into an access list facilitates documenting the configuration later on, as well as letting other administrators know the purpose of each statement. To place a comment after a statement in an access list, use the following syntax in global configuration mode:
access-list access-list-number remark comment
access-list access-list-number permit | deny source-address [source-wildcard] | any [log]
This syntax creates two statements for each permit or deny statement in the access list. Each permit or deny statement is preceded by a comment that states what that statement is intended to perform. The way that this would work in a situation where a lab workstation needs to access E-mail, but the server should not be permitted to interact with the production network is shown here:
Router(config)# access-list 1 remark Let Jack Jones' lab workstation into the network
Router(config)# access-list 1 permit 10.10.10.2
Router(config)# access-list 1 remark Keep the lab server out of the production network
Router(config)# access-list 1 deny 10.10.10.4
Now, creating an access list alone does not totally accomplish what is needed. Access list configuration is a two-step process, and it can be done in any order. Not only must the access list be built, but it must also be specifically applied to each interface in use. One thing to remember is that if the list is applied to an interface before the list is built, or if an applied list is removed, an undefined list is created. Undefined access lists (meaning that there is a reference to an access list on an interface but no such access list) permit all traffic.
There are two choices to apply the list above as a packet filter. It can be applied as an inbound filter on Router A's interface to subnet 10.10.10.0, or as an outbound filter on Router A's interface to subnet 10.10.20.0.
At the interface configuration mode for the appropriate interface, use the command ip access-group 1 to apply access list 1 to an interface. By default, access lists are applied as outbound. If an inbound access list is needed, simply add the keyword in at the end of the interface command. A single access list can be applied on many different interfaces in the same router if that is a requirement; there is no need to define an identical list for each interface that needs it. And since out is the default, there is no need to use this keyword if this is the intention. So, ip access-group 1 out would mean exactly the same thing as the initial command shown.
SCENARIO & SOLUTION
John was given the task of blocking traffic from a particular host on a network, but he had to allow the rest of the devices on that network access. He implemented the following access list:
access-list 1 permit 10.10.10.0
access-list 1 deny 10.10.10.100
After applying this access list to the interface, he noticed that the host he wanted to block still has access to the network. Why did his access list not work?
By looking at the access list it should be obvious why it did not work. The first statement indicates that the network 10.10.10.0 is to be permitted and the next line states that 10.10.10.100 will be denied. Remember that an access list goes in order and goes off of the first match that it comes to. For the access list to be effective, it should be implemented in the following order:
access-list 1 deny 10.10.10.100
access-list 1 permit 10.10.10.0
This will allow the match to occur on the first statement; thus, the host will be denied and the rest of the network will be allowed.
Later that day, John was given the task of finding a way to block an entire network from gaining access to the Internet. Now that John had some confidence in how access lists work he strolled up to the router in question and implemented the following access list.
access-list 1 deny 10.10.20.0
After John applied the list to the interface, he went back to his desk just in time to start answering calls wanting to know why nobody could access the Internet. Why did the access list affect everyone, not just the 10.10.20.0 network?
The one thing that John forgot about was that when you implement an access list, you have an implicit deny all statement at the end of the access list. This has come back to bite more than one person, so all that John has to do to fix his access list is change it to look like this.
access-list 1 deny 10.10.20.0
access-list 1 permit any
By putting 10.10.20.0 first you ensure that the network is blocked, and the permit statement will allow everyone else access to the Internet, and that pesky implicit deny all does not bother anyone.
If an inbound packet filter on the interface to network 10.10.10.0 is needed, the command ip access-group 1 in is used.
In this example, since Workstation 1 is explicitly accepted, it is allowed to pass to Server A. The second server, however, falls under the next statement, where any system on the 10.10.10.0 network is denied. At first, it would seem that Workstation 1 would fall under this rule also. This would be the case if the deny statement were listed first. However, in IP access lists, the order of listing is very important.
Another interesting feature of most access lists (including all IP lists) is the implicit deny statement at the end. As mentioned earlier, one must explicitly permit traffic, otherwise it is automatically denied. With this knowledge, in Figure 11-1, the last line is not needed; it has already been inferred. Remember that this is not the case with the absence of access lists. If an access list is not applied to an interface, or if an undefined access list is applied to an interface, all traffic is passed by default.
After any access list is created, any additions to that list number are placed at the end. Unfortunately, what this means is that you cannot selectively add or remove items. The only removing that can be done is to remove the entire access list; it can be a nuisance if you have extensive lists. To save time, you can cut and paste the list to a text document for editing. If a named access list is used, semi-selective editing is allowed. Certain lines can be removed with named access lists. However, lines to be inserted are still appended to the end of the access list.
As noted already, once the access list has been created, it then must be associated with an interface. The syntax for this is ip access-group access-list-number in | out. The command is entered in interface configuration mode, at the appropriate interface.
Most of the arguments are self-explanatory. The access-list-number is the existing access list that is to be applied. The in | out options specify whether this list applies inbound or outbound on the interface. If the access list is to be applied in both directions, two statements are needed, one for in and one for out. In practically any situation, it makes no sense to apply the same list in two different directions. Also, you can apply only one access list per protocol per interface per direction.
You can also use access lists to restrict traffic on virtual terminal lines (Telnet sessions to and from the router). This is accomplished with the access-class command:
access-class access-list-number in | out
The following example shows that only those hosts in the 10.10.10.0 subnet are allowed to telnet to the router.
Router# config term
Router(config)# access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
FROM THE CLASSROOM
Watch Where You are Pointing that Thing
When dealing with access lists, you should be very careful on how you design and implement them. It is always a good idea before you try to implement an access list to write it out on paper or in a text file. Once you are finished, take a long hard line-by-line look at each access list and then ask yourself this question: What will this list impact? If you understand what effect each line will have when the router is making its routing decisions, you will accomplish a couple of things:
You will have a better understanding of how the access lists are implemented and how each list affects traffic in its own way. This will allow you to have an intimate knowledge of your network's functionality and this is the overall goal of every Network Engineer and Administrator.
By writing each access list out and taking a long hard look at the implications that each may have you are eliminating the possibility of misinterpreting a command or typing in the wrong network statement. This will create fewer headaches for you when things are not working 100 percent. In addition, it will instill confidence in yourself and will let your boss and coworkers know that you know what you're doing, which is not a bad thing.
Eric L. McMasters, CCNP, CCDA
EXERCISE 11-1
Creating and Applying a Standard IP Access List
Complete the following steps to create and apply a standard IP access list that will permit traffic from the 10.1.1.0 network, and deny everything else.
1. Enter global configuration mode.
2. Create a standard access list by entering the following command (the wildcard mask 0.0.0.255 makes the statement match the whole 10.1.1.0 network rather than the single host address 10.1.1.0):
Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
3. Now that the access list is created you need to apply it to the interface (Ethernet 0). To accomplish this, enter the following command from the interface prompt:
Router(config-if)# ip access-group 1 in
4. Access list 1 is now configured and applied to an interface that will permit network 10.1.1.0, and the implicit deny all will block all other networks.
By completing this exercise you have successfully created and applied an access list that will allow the 10.1.1.0 network and deny all other networks.
CERTIFICATION OBJECTIVE 11.02
Extended IP Access Lists
Extended IP access lists allow you to control traffic at a more granular level than the standard IP access lists. Extended IP access lists can use both the source and destination IP addresses when trying to match up packets to the list. This feature can effectively block traffic between two specific hosts, but enable each host to access other services on the segments. Additionally, other options exist for filtering the traffic. Some of these are protocol number filtering within the IP header and port number filtering at the transport layer.
All of the rules learned from standard IP apply in Extended IP. A few of them are as follows:
One cannot selectively add to a numeric access list. Named access lists allow you to selectively remove lines.
New lines are always placed at the bottom of the list and are then executed sequentially after any previous lines.
The access list itself does nothing. It must be applied to an interface to be used.
By default, at the end of every access list is an implicit deny any statement.
The syntax for adding and removing a generic extended IP access list is as follows:
[no] access-list access-list-number deny | permit protocol source source-wildcard destination destination-wildcard
The access-list command is first followed by the number of the list. Next comes the action of either permit or deny. Next comes the type of protocol that is to be matched, such as TCP, UDP, ICMP, or IP (to name a few). And finally, the source and destination addresses and masks must be specified. Either or both can be replaced with the keyword any.
The network manager configures Router 2 with the following access list:
Router(config)# access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 21
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 20
Router(config)# access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 gt 1023
Router(config)# access-list 102 permit icmp 172.16.0.0 0.0.255.255 any
(implicit deny any)
Note that the implicit deny any is a default in the router; an administrator would never type this command. This access list is applied as a traffic filter outbound on Ethernet 0 using the ip access-group command:
Router(config)# int e 0
Router(config-if)# ip access-group 102
This list is extremely restrictive. The only traffic permitted on 172.17.1.0 is Telnet traffic from network 172.16.1.0, FTP traffic from network 172.16.2.0 destined for the host 172.17.1.1, and ICMP traffic to any destination. All other traffic is denied explicitly. If the deny ip any any line had not been configured, the list would operate in the same way, as any traffic that is not explicitly permitted is denied by default. Notice the keywords for the TCP and ICMP protocols, and for the TCP applications Telnet and FTP.
Notice that with the list applied as a filter on Router 2's Ethernet 0 interface, hosts on networks 172.16.1.0 and 172.16.2.0 can still access other networks through Router 1's serial 1 interface. Consider the different effect if the same list were configured on Router 1 and applied using the ip access-group 102 out command on Router 1's serial 0 interface. With this new configuration in place, hosts on networks 172.16.1.0 and 172.16.2.0 are only allowed to send ICMP traffic (PING, most likely) to other networks, as well as the previous allowances for Telnet and FTP traffic to host 172.17.1.1.
When removing an access list from a router's configuration you need to make sure that the access group is not applied to any interfaces. If the access list is applied to an interface or multiple interfaces and the list is removed from the global configuration this may cause problems. This can block traffic on interfaces, and cause problems on the network that could result in major traffic problems. It is always a good idea to play it safe and remove the access list from the interface before removing it from the global configuration.
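An added example, not the book's code, that simulates the first-match evaluation this chapter describes for the access-list statements it uses (standard and extended numbers from Table 11-1, any, host, wildcard masks, eq/gt/lt on the destination port) with the implicit deny at the end of every list. It replays John's two lists from the Scenario & Solution (with the network's wildcard mask written out, as the access-class example does, since a bare address is a single host) and list 102 above; the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "smtp": 25}
ANY = ("0.0.0.0", "255.255.255.255")   # the keyword any: every bit is don't-care


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wild_match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are don't-care; bits set to 0 must match exactly."""
    w = _to_int(wildcard)
    return (_to_int(ip) | w) == (_to_int(address) | w)


def _parse_addr(tokens: List[str], require_mask: bool):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D [wildcard]."""
    tok = tokens[0]
    if tok == "any":
        return ANY, tokens[1:]
    if tok == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if require_mask or (len(tokens) > 1 and tokens[1].count(".") == 3):
        return (tok, tokens[1]), tokens[2:]
    return (tok, "0.0.0.0"), tokens[1:]    # omitted mask defaults to 0.0.0.0: one host


@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" (any IP protocol), "tcp", "udp", "icmp"
    src: Tuple[str, str]                 # (address, wildcard)
    dst: Tuple[str, str]                 # (address, wildcard); ANY for standard lists
    port_op: Optional[Tuple[str, int]]   # ("eq"|"gt"|"lt", port) on the destination


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse access-list statements, keeping the order they were entered in."""
    entries = []
    for line in lines:
        t = line.replace("Router(config)#", "").split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue                                   # remarks filter nothing
        number, action, rest = int(t[1]), t[2], t[3:]
        if number <= 99 or 1300 <= number <= 1999:     # standard IP ranges (Table 11-1)
            src, _ = _parse_addr(rest, require_mask=False)
            entries.append(Entry(action, "ip", src, ANY, None))
            continue
        proto, rest = rest[0], rest[1:]                # extended: protocol comes first
        src, rest = _parse_addr(rest, require_mask=True)
        dst, rest = _parse_addr(rest, require_mask=True)
        port_op = None
        if rest and rest[0] in ("eq", "gt", "lt"):
            port_op = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1]))
        entries.append(Entry(action, proto, src, dst, port_op))
    return entries


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str,
             protocol: str = "ip", dst_port: Optional[int] = None):
    """Walk the list top to bottom and stop at the first matching statement.
    Returns (verdict, index); index None means nothing matched and the
    implicit deny any at the end of the list took effect."""
    for i, e in enumerate(entries):
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if not (_wild_match(src_ip, *e.src) and _wild_match(dst_ip, *e.dst)):
            continue
        if e.port_op is not None:
            op, port = e.port_op
            if dst_port is None:
                continue
            ok = {"eq": dst_port == port, "gt": dst_port > port, "lt": dst_port < port}[op]
            if not ok:
                continue
        return e.action, i
    return "deny", None


# Constructed inputs: John's lists from the Scenario & Solution (wildcard mask
# written out so 10.10.10.0 means the network) and list 102 from the text.
JOHN_WRONG_ORDER = ["access-list 1 permit 10.10.10.0 0.0.0.255",
                    "access-list 1 deny 10.10.10.100"]
JOHN_RIGHT_ORDER = list(reversed(JOHN_WRONG_ORDER))
JOHN_NO_PERMIT = ["access-list 1 deny 10.10.20.0 0.0.0.255"]
JOHN_FIXED = JOHN_NO_PERMIT + ["access-list 1 permit any"]
LIST_102 = [
    "access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 21",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 eq 20",
    "access-list 102 permit tcp 172.16.2.0 0.0.0.255 host 172.17.1.1 gt 1023",
    "access-list 102 permit icmp 172.16.0.0 0.0.255.255 any",
]

if __name__ == "__main__":
    for name, acl in [("wrong order", JOHN_WRONG_ORDER), ("right order", JOHN_RIGHT_ORDER)]:
        print(name, "10.10.10.100 ->", evaluate(parse_acl(acl), "10.10.10.100", "10.10.20.5"))
    print("no permit any, 10.10.10.7 ->", evaluate(parse_acl(JOHN_NO_PERMIT), "10.10.10.7", "192.0.2.1"))
    print("list 102, FTP from 172.16.1.9 ->", evaluate(parse_acl(LIST_102), "172.16.1.9", "172.17.1.1", "tcp", 21))
```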
EXERCISE 11-2
Create and Apply an Extended IP Access List
Create and apply an extended IP access list that will permit only Telnet traffic from the 10.1.1.0 network to anywhere else on the network.
1. Enter global configuration mode.
2. Create an extended IP access list that will meet the goals stated above by entering the following command (an extended list requires the source wildcard mask, here 0.0.0.255 for the 10.1.1.0 network):
Router(config)# access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
3. Now that access-list 101 is created you will need to apply it to an interface (Ethernet 0). Do this by entering the following command:
Router(config-if)# ip access-group 101 in
4. Now that the access-list is applied to the interface, you have successfully permitted telnet traffic from the 10.1.1.0 network to all other networks, and denied everything else.
By completing this exercise you have successfully created and applied an access list that will allow the 10.1.1.0 network to telnet anywhere that they need while denying all other network traffic.
CERTIFICATION OBJECTIVE 11.03
Named Access Lists
With the advent of IOS release 11.2, named access lists were introduced. Since it is new in version 11.2, it is not backward compatible with older releases. With named lists you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number. This allows you to exceed the previous limit of 99 for standard and 100 for extended (not that this count was really an issue). If you choose to use this method the mode and command syntax is a little different.
To use this type of access list, you first enter a command that puts you in a mode to enter named access lists: ip access-list standard name or ip access-list extended name. You then enter your commands as follows: deny | permit protocol source source-wildcard destination destination-wildcard.
The same rules apply as did with regular standard and extended lists when defining the attributes of the list. However, selective removal of a specific line is permitted, unlike the numeric access lists recently covered. The syntax example above is for an extended named list and would be changed to match the syntax of standard, if that is appropriate.
Verifying IP Access Lists
Once configured, IP access lists should be verified. Verification of IP access lists is done with the show access-lists command and the show ip interfaces command. The show access-lists command provides a display of all access lists configured in the router, including IP and IPX. Here is some sample output for the show access-lists command, showing IP standard and extended access lists configured in this router.
Router1#show access-lists
Standard IP access-list 40
deny 12.1.0.0, wildcard bits 0.0.255.255
permit any
Standard IP access-list list1
deny 13.0.0.0, wildcard bits 0.255.255.255
permit 172.16.0.0, wildcard bits 0.0.255.255
Extended IP access-list 130
permit ospf any any (452 matches)
permit icmp any any echo (63 matches)
permit icmp any any echo-reply (10 matches)
permit tcp any any eq ftp
permit tcp any any eq telnet (958 matches)
Extended IP access-list list2
permit ospf any any (12 matches)
permit ip 136.25.16.0 0.0.7.255 any
permit tcp host 10.1.0.1 any
Extended IP access-list list3
permit ospf any any
deny tcp any any eq telnet
permit igrp any any
Router1#
Figure 11-2 shows a network that limits certain kinds of IP traffic, an example of
how you might use an extended IP access list.
The show access-lists command displays the configuration details for all access lists in the router, not just IP access lists. An access list number on the command line can be specified to see an individual list in isolation from all others.
This example shows the configurations of various IP access lists. List 40 is a standard IP access list, denying any packets from subnet 12.1.0.0, and permitting all others. List 130 is an Extended IP access list. Again, examine the various keywords used. What is being denied in list 130? Every other IP packet other than those specifically permitted. Remember the implicit deny any. This is an IP extended access list, not just TCP or ICMP. The deny any applies to all of IP.
Notice the notations in parentheses, indicating matches for each line. For extended access lists only, the router keeps track of the number of times packets have come across
492 Chapter 11: Basic Traffic Management with Access Lists
FIGURE 11-2 Restricting IP traffic in a small network
7/29/2019 Basic Traffic
19/44
the interface matching each of the IP access list statements. Here is how to read theoutput for IP access list 130:
452 OSPF packets have used this interface since we applied this access list to the interface
63 echos (first half of a PING or TraceRoute)
10 echo responses (second half of a PING)
958 Telnet packets have come to this interface
We can also see three named IP access lists: list1, list2, and list3. List1 is a standard IP access list. List2 has been applied, and has some matches. List3 has been defined in the router configuration; however, there are no matches against list3. This could be due to the list not being applied to an interface, or to the traffic being filtered by list3 not matching any of the parameters defined within it.

The show ip interfaces command provides information on IP-specific aspects of the interface configuration. In this context, it is used specifically to see what packet filters are applied on the interface. It does not show the contents of the list, only the list number. The show access-lists number command is used to see the filtering rules for the list. Packet filters are indicated in the lines Inbound access-list is and Outgoing access-list is. Here we see that we have applied list 130, an IP extended access list, as a packet filter inbound on interface serial 1.
Router1# show ip interface serial 1
Serial1 is up, line protocol is up
Internet address is 10.1.0.2/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access-list is not set
Inbound access-list is 130
(remainder deleted )
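A practical way to act on these two displays is to parse them and cross-reference them, so that a list that is defined but applied nowhere (like list3 above), or an extended entry that has never matched (like the ftp line in list 130), stands out during a review. The following Python script is an added example written for this section, not code from the chapter or from Cisco. The output it parses is constructed to mirror the chapter's samples; the Ethernet0 block and the application of list1 there are assumed for illustration, and the regular expressions target only this display format.

```python
import re

# Constructed sample output, modelled on the show access-lists and show ip interface
# displays in this chapter; it was not captured from a real router.
SHOW_ACCESS_LISTS = """\
Standard IP access-list 40
    deny 12.1.0.0, wildcard bits 0.0.255.255
    permit any
Standard IP access-list list1
    deny 13.0.0.0, wildcard bits 0.255.255.255
    permit 172.16.0.0, wildcard bits 0.0.255.255
Extended IP access-list 130
    permit ospf any any (452 matches)
    permit icmp any any echo (63 matches)
    permit icmp any any echo-reply (10 matches)
    permit tcp any any eq ftp
    permit tcp any any eq telnet (958 matches)
Extended IP access-list list3
    permit ospf any any
    deny tcp any any eq telnet
    permit igrp any any
"""

# Constructed: Serial1 follows the chapter; Ethernet0 with list1 outbound is assumed.
SHOW_IP_INTERFACE = """\
Serial1 is up, line protocol is up
  Internet address is 10.1.0.2/16
  Outgoing access-list is not set
  Inbound access-list is 130
Ethernet0 is up, line protocol is up
  Internet address is 10.2.0.1/16
  Outgoing access-list is list1
  Inbound access-list is not set
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access-list (\S+)$")
ENTRY_RE = re.compile(r"^\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?$")
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down),")
APPLIED_RE = re.compile(r"^\s+(Outgoing|Inbound) access-list is (.+)$")


def parse_access_lists(text):
    """Map each list id to its type and its (action, rule, match-count) entries.
    Entries with no '(N matches)' suffix are recorded with a count of 0."""
    lists, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = lists.setdefault(m.group(2), {"type": m.group(1), "entries": []})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            count = int(m.group(3)) if m.group(3) else 0
            current["entries"].append((m.group(1), m.group(2), count))
    return lists


def parse_applied(text):
    """Map each list id to the (interface, direction) pairs where it is applied."""
    applied, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = APPLIED_RE.match(line)
        if m and iface and m.group(2) != "not set":
            applied.setdefault(m.group(2), []).append((iface, m.group(1)))
    return applied


def audit(lists, applied):
    """Cross-reference the two displays: where each list is applied, its total hit
    count, and (extended lists only, since the chapter notes that counters are kept
    for those) the entries that have never matched."""
    report = {}
    for list_id, info in lists.items():
        entries = info["entries"]
        report[list_id] = {
            "type": info["type"],
            "applied": applied.get(list_id, []),
            "total_matches": sum(count for _, _, count in entries),
            "never_matched": [rule for _, rule, count in entries if count == 0]
                             if info["type"] == "Extended" else [],
        }
    return report


if __name__ == "__main__":
    report = audit(parse_access_lists(SHOW_ACCESS_LISTS), parse_applied(SHOW_IP_INTERFACE))
    for list_id, r in report.items():
        where = ", ".join(f"{i} {d.lower()}" for i, d in r["applied"]) or "NOT APPLIED"
        print(f"{r['type']:8} {list_id:6} {where:24} matches={r['total_matches']}"
              f" never_matched={r['never_matched']}")
```

Run stand-alone, it prints one line per list. A list that is defined but applied nowhere, or an entry that never matches, is the usual sign that a filter is not actually protecting anything or is attached in the wrong direction; confirm against show ip interface before assuming a deny is in force.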
EXERCISE 11-3
Verifying Access List Configuration
Now that you have configured and applied an access list in the previous exercise, you will need to verify that it is configured properly and operating the way that you wish. Complete the following steps to verify that your access lists are configured properly.

1. Execute the following command: show ip access-lists
This command will display all access lists that are currently configured on the router. You should see that your access list is configured.

2. Execute the following command: show ip interface ethernet 0
This command will verify that the access list is properly applied to the interface that you want it to be.

You have now verified that your access lists are properly configured and applied to the interface(s) that they should be.
CERTIFICATION OBJECTIVE 11.04
Standard IPX Access Lists
IPX access lists permit or deny traffic across interfaces based on either specified network nodes or messages sent using particular protocols and services. Just as in IP access lists, the order of rules applied in the access list is critical. The first matching entry, whether it is a permit or a deny, is followed. As with IP lists, if you do not explicitly enter a permit everything at the end, an implicit deny all is made.

There are two caveats to IPX access lists. First, while you can filter at the boundary of NLSP, RIP, and SAP, you cannot filter route updates within an NLSP area. Second, IPX standard access lists are different from IP in that they filter on both source and destination.

You can break down IPX access list types into five main categories, as described in Table 11-2.
This chapter covers only two types of IPX filters: standard and SAP.
Standard IPX access lists permit or deny traffic based on the source network number. You can also restrict by optionally specifying a destination address, and even by applying address masks on both. The access list number for standard IPX can be anything between 800 and 899.

access-list access-list-number deny | permit source-network [options]

The source-network variable is the eight-digit hexadecimal address, ranging from 1 to FFFFFFFD, of the network where the packet originated. You can also use 0 for the local network and -1 to specify all networks. Leading zeros do not need to be stated: 1 equals 00000001. Additionally, if necessary, the twelve-digit hexadecimal address of a specific node can be added for filtering specific devices and not just networks. Using a wildcard mask in the options field allows for filtering of a range of networks or hosts on a network.
TABLE 11-2 IPX Access List Types

Type                    Traffic Is Restricted Based on . . .                                           Access List Number Range
Standard access lists   Source and destination network and node address                                800-899
Extended access lists   Complete source and destination address (network, node, socket, and protocol)  900-999
SAP access lists        SAP type, service name, and network/node address of service                    1000-1099
NLSP Route              Network areas                                                                  1200-1299
NetBIOS access lists    Host filter on names, bytes filter on numbers                                  Name

FIGURE 11-3 Standard IPX access lists used as packet filters

Look at the example in Figure 11-3. Users on Network AA cannot access the services on Network BB, but the users on BB should be able to use the services on AA. If the access list is applied as a packet filter outbound on Ethernet 1, it blocks the packets from Network AA. If a standard access list using only a network number is used, it would also filter out the response packets coming from servers on Network AA to the users on BB. In order to filter packets requesting services, and not filter responses coming back to users, the node address of the server must be known. Here is the configuration:

access-list 850 deny aa.0000.0000.0000 00.ffff.ffff.ffff bb.072c.fa34.0075 00.0000.0000.0000
access-list 850 permit -1

We apply this list using the ipx access-group command as a packet filter on Ethernet 1.

The effect of this list is that all packets from Network AA destined for Server B are blocked when they are forwarded to Router A's Ethernet 1 interface. The response packets coming back from Server A to the users on Network BB are permitted by the last statement. permit -1 is the same in the IPX world as permit any is in the world of IP.
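The difference between a network-only list and the node-aware list above is easiest to see by evaluating both against the flows in Figure 11-3. The following Python evaluator is an added example for this section, not code from the chapter or from Cisco. It parses standard IPX list lines, applies the wildcard masks, and returns the first matching action with the implicit deny at the end. The node addresses of the users and of Server A are constructed for the example (only Server B's appears in the chapter), and the parser assumes that a mask token follows an address only when that address carries a node part; that is a simplification of this example, not a description of the IOS parser.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpxAddr:
    network: int            # IPX network number; -1 stands for "any network"
    node: Optional[int]     # 48-bit node address, None when only a network was given


def parse_addr(token: str) -> IpxAddr:
    """Parse 'aa', '-1', or 'aa.0000.0000.0000' (network.node in dotted hex)."""
    if token == "-1":
        return IpxAddr(-1, None)
    net, _, node = token.partition(".")
    return IpxAddr(int(net, 16), int(node.replace(".", ""), 16) if node else None)


@dataclass
class Rule:
    action: str
    src: IpxAddr
    src_mask: Optional[IpxAddr]
    dst: Optional[IpxAddr]
    dst_mask: Optional[IpxAddr]


def parse_rule(line: str) -> Rule:
    """Parse 'access-list 8xx deny|permit source [source-mask] [destination [destination-mask]]'.
    Assumption of this example: a mask token may follow an address only when that
    address carries a node part."""
    toks = line.split()
    if toks[0] != "access-list" or not 800 <= int(toks[1]) <= 899:
        raise ValueError("not a standard IPX access list line: " + line)
    action, rest = toks[2], toks[3:]

    def take():
        if not rest:
            return None, None
        addr = parse_addr(rest.pop(0))
        mask = parse_addr(rest.pop(0)) if addr.node is not None and rest else None
        return addr, mask

    src, src_mask = take()
    dst, dst_mask = take()
    return Rule(action, src, src_mask, dst, dst_mask)


def addr_matches(ref: Optional[IpxAddr], mask: Optional[IpxAddr], pkt: IpxAddr) -> bool:
    """Wildcard-mask comparison: a 1 bit in the mask means 'do not care'."""
    if ref is None:                      # no destination in the rule: any destination
        return True
    if ref.network != -1:
        wild = mask.network if mask else 0
        if (ref.network | wild) != (pkt.network | wild):
            return False
    if ref.node is not None:
        wild = mask.node if mask and mask.node is not None else 0
        if (ref.node | wild) != ((pkt.node or 0) | wild):
            return False
    return True


def evaluate(rules: List[Rule], src: IpxAddr, dst: IpxAddr) -> str:
    """First matching entry wins; an implicit deny applies when nothing matches."""
    for r in rules:
        if addr_matches(r.src, r.src_mask, src) and addr_matches(r.dst, r.dst_mask, dst):
            return r.action
    return "deny"


# The list from Figure 11-3, and a network-number-only list for comparison.
ACL_850 = [parse_rule(l) for l in (
    "access-list 850 deny aa.0000.0000.0000 00.ffff.ffff.ffff bb.072c.fa34.0075 00.0000.0000.0000",
    "access-list 850 permit -1",
)]
ACL_NETWORK_ONLY = [parse_rule("access-list 850 deny aa"), parse_rule("access-list 850 permit -1")]

# Constructed node addresses for the stations in the figure (Server B's is the one in the list).
USER_ON_AA = parse_addr("aa.0000.0c00.1234")
USER_ON_BB = parse_addr("bb.0000.0c00.5678")
SERVER_A = parse_addr("aa.0000.0000.0001")
SERVER_B = parse_addr("bb.072c.fa34.0075")


def figure_11_3_results(rules: List[Rule]) -> dict:
    """Decisions the list gives for the four flows the text discusses."""
    return {
        "AA user -> Server B": evaluate(rules, USER_ON_AA, SERVER_B),
        "AA user -> BB user": evaluate(rules, USER_ON_AA, USER_ON_BB),
        "BB user -> Server A": evaluate(rules, USER_ON_BB, SERVER_A),
        "Server A reply -> BB user": evaluate(rules, SERVER_A, USER_ON_BB),
    }


if __name__ == "__main__":
    for name, rules in (("node-aware list", ACL_850), ("network-only list", ACL_NETWORK_ONLY)):
        print(name, figure_11_3_results(rules))
```

The network-only list shows the failure the text warns about: it blocks Server A's replies to the BB users along with the AA requests, because a standard IPX list matches on both ends of the conversation.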
CERTIFICATION OBJECTIVE 11.05
IPX SAP Filters
All servers on a NetWare network dynamically advertise their services and addresses using the Service Advertising Protocol (SAP). The other components on a network, such as routers, keep a complete list of the services available across the network. These service advertisements synchronize the list of available services.

Each SAP service is identified by a hexadecimal number. Several common examples are File Server (4), Printer Server (7), and Remote Bridge-Server, that is, a router (24).

A Cisco router does not forward each broadcast it receives. Rather, it advertises the entire SAP table at scheduled intervals, with the default being every 60 seconds, but only seven entries per packet. Cisco routers do act like NetWare servers, though, in that they listen to the SAP broadcasts from other servers and routers to build their internal SAP tables.

Enhanced IGRP has the functionality to send SAP updates only when the SAP table changes. This can be especially useful when trying to control SAP updates over low-speed WAN links.

Since WANs usually have limited bandwidth in comparison to LANs, excessive traffic should be avoided as much as possible. As such, SAPs should be filtered. Filtering can be done for both inbound and outbound traffic. To help make this functionality more scalable, the Cisco IOS allows you to specify which services are added to the SAP table. This is accomplished with the command ipx input-sap-filter {access-list-number | name}. An example of this is found in Figure 11-4.

To configure a SAP filter for Router 1 that would filter Server A's advertisements, but allow advertisements from the other servers on the segment, use the following commands, in global configuration mode:

access-list 1001 deny 1A01
access-list 1001 permit -1
FIGURE 11-4 SAP filtering in an IPX network

The first statement denies all services originating from the internal IPX network 1a01. In a Novell network all servers use internal networks to host the services they support. The node address of 0000.0000.0001 always refers to the internal IPX network number of a NetWare server, and this is the address for all of the server's services. Each internal network number must be unique to the entire Novell network. So, the effect of this statement is to deny all services from the server whose internal IPX network number is 1a01. The second statement permits all other services. The -1 is the way to specify all networks in an IPX access list.

This access list can be used in one of two ways. If Server A's service entries should not be accepted into Router1's SAP table at all, apply the list as an input SAP filter using the command ipx input-sap-filter 1001 in interface configuration mode for Ethernet 0.
The number 1001 refers to the list number. This command causes Router 1 to examine all SAP packets it receives on its Ethernet 0 interface, and filter only the entries whose service addresses specify 1a01. Note that the router is examining the individual entries inside the SAP packet to find this address, not the source address in the SAP packet's IPX header.

The second way to use this list is as an output SAP filter. Suppose the services from Network 1a01 needed to be advertised on Network 2a but not on Network 3a. If an input SAP filter was used on Ethernet 0, it would block the advertisements altogether. But if an output SAP filter is put on Ethernet 1, the router filters out the SAP entries with service addresses of 1a01 as it constructs the SAP packets it broadcasts on that interface. The command needed to configure an output SAP filter is ipx output-sap-filter 1001. This command, like the input-sap-filter, is an interface configuration command.

There are two other options available for filtering in the SAP access list. Both the service type and service name can be used. The service type matches a particular SAP. Only single entries are allowed, and there is no way to match a range of SAP numbers. However, since all Novell servers are uniquely known by their internal network numbers now, the service name is rarely used today.

Again, -1 means any network, and the lack of any specific service type means all service types. SERVERA is the string that the router matches when examining SAP entries for filtering. These strings are case sensitive, so always check the output of the show ipx servers screen to see exactly how you need to configure this string.

Suppose an administrator needed to filter only file services, type 4, from Server A. The necessary command is access-list 1001 deny 1a01 4.

1A01 is the IPX internal network number for Server A, the network address of its services. The node address is not needed. When referring to the internal IPX network number, the node is always 0000.0000.0001; there are no other nodes on that network, so it can be left out. 4 represents type 4 services, so only Server A's file services are denied.

Do not forget: all access lists have an implicit deny any at the end, so if you do not permit some services in another statement in this list, all SAPs are filtered out.

Another part of IPX SAP is a Get Nearest Server (GNS) request. A GNS packet is sent out by Novell clients to request a non-server-specific service. The closest NetWare
server that offers the requested service responds with another SAP. The GNS response designates a server's resources as available to the client, which then logs into the server. Once the client has attached to the server, it can access the server's services directly; no further GNS is needed. If a Cisco router receives a GNS request, it has the capability to respond with the first server in its SAP table. However, Cisco routers do not respond to a GNS if a local server is present on the interface the GNS is initiated on. A GNS filter is created with the command ipx output-gns-filter access-list-number.

The local servers should be the first to respond. If this does not occur on the Novell IPX network, you can configure a GNS delay. The delay is measured in milliseconds, with the default being zero (no delay): ipx gns-response-delay milliseconds. This command is only needed on older IOS releases. Modern IOS routers do not respond to GNS requests if there is a local IPX server.

To view the list of IPX servers on the network that have been discovered through SAP, use the command show ipx servers [unsorted | sorted]. By default, the output displayed is listed numerically by SAP service type. You can change this default with the optional unsorted and sorted arguments listed above. unsorted does just as it says; it displays the IPX servers without any form of sorting. sorted allows you to sort by server name, by network number, or by the default SAP service type.

Here is a sample output of show ipx servers:
east#show ipx servers
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
10 Total IPX Servers
Table ordering is based on routing and server info
Type Name Net Address Port Route Hops Itf
S 4 EAST-D04 B00D.0000.0000.0001:0451 conn 2 Lo13
S 4 EAST-F04 B00F.0000.0000.0001:0451 conn 2 Lo15
P 4 DABNEY BBBB0002.0000.0000.0001:0451 2/01 1 Et0.2
P 4 DESTINY AAAA0001.0000.0000.0001:0451 2/01 1 Et0.2
N 4 WEST-D04 C00D.0000.0000.0001:0451 82/02 4 Se0
N 4 WEST-F04 C00F.0000.0000.0001:0451 82/02 4 Se0
P 47 PRINTSRV BBBB0002.0000.0000.0001:8060 2/01 2 Et0.2
P 107 DABNEY BBBB0002.0000.0000.0001:8104 2/01 2 Et0.2
P 26B UNIVERSE_1________ AAAA0001.0000.0000.0001:0005 2/01 1 Et0.2
P 278 UNIVERSE_1________ AAAA0001.0000.0000.0001:4006 2/01 1 Et0.2
Servers are displayed in numeric order by service type. Type 4 is file service, which is required for login (known as general service in Novell terms). These are the servers that will be used in GNS responses by the router.

The Net Address column is where to look to construct a SAP filter for these services based on their address. Notice that the node addresses are all 0000.0000.0001. This is because services are advertised with an address of the internal IPX network number of the server, not the physical address of the NIC on the wire. This internal IPX network number is the one that must be filtered on for your SAP filters to operate properly.
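The SAP filter commands discussed above (deny 1A01, deny 1a01 4, permit -1) and the show ipx servers table can be tied together in one place: parse the table into service entries, run a SAP access list over them, and see which entries would enter the table (input filter) or be advertised in the seven-entry periodic packets (output filter). The Python script below is an added example for this section, not code from the chapter or from Cisco. The show ipx servers text it parses is constructed in the format shown above, with two invented SERVERA entries standing in for the Figure 11-4 server whose internal network is 1A01; the filter parser handles the network [type [name]] form only, not the network.node mask form, and treats the service name as a simple wildcard pattern.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Constructed show ipx servers output in the format shown above. The two SERVERA lines
# stand in for the Figure 11-4 server with internal network 1A01; they are invented.
SHOW_IPX_SERVERS = """\
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
8 Total IPX Servers
Table ordering is based on routing and server info
  Type Name             Net Address                    Port Route Hops Itf
P    4  DABNEY          BBBB0002.0000.0000.0001:0451   2/01     1   Et0.2
P    4  DESTINY         AAAA0001.0000.0000.0001:0451   2/01     1   Et0.2
P    4  SERVERA         1A01.0000.0000.0001:0451       2/01     1   Et0
P    7  SERVERA         1A01.0000.0000.0001:8060       2/01     1   Et0
P   47  PRINTSRV        BBBB0002.0000.0000.0001:8060   2/01     2   Et0.2
P  107  DABNEY          BBBB0002.0000.0000.0001:8104   2/01     2   Et0.2
P  26B  UNIVERSE_1      AAAA0001.0000.0000.0001:0005   2/01     1   Et0.2
P  278  UNIVERSE_1      AAAA0001.0000.0000.0001:4006   2/01     1   Et0.2
"""

ENTRY_RE = re.compile(
    r"^[SPENH+]+\s+([0-9A-Fa-f]+)\s+(\S+)\s+([0-9A-Fa-f]+)\.([0-9A-Fa-f.]+):([0-9A-Fa-f]+)"
    r"\s+\S+\s+\d+\s+(\S+)$")


@dataclass(frozen=True)
class SapEntry:
    service_type: int   # SAP type (hexadecimal in the display): 4 file, 7 print, ...
    name: str
    network: int        # the server's internal IPX network number
    node: str
    socket: str
    interface: str


def parse_servers(text: str) -> List[SapEntry]:
    """Turn the show ipx servers rows into entries; header and code lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            stype, name, net, node, sock, itf = m.groups()
            entries.append(SapEntry(int(stype, 16), name, int(net, 16), node, sock, itf))
    return entries


@dataclass
class SapRule:
    action: str
    network: int        # -1 matches any network
    service_type: int   # 0 matches any type
    name: str           # fnmatch-style pattern; "*" matches any name


def parse_sap_rule(line: str) -> SapRule:
    """Parse 'access-list 10xx deny|permit network [type [name]]' (network-number form only)."""
    toks = line.split()
    if toks[0] != "access-list" or not 1000 <= int(toks[1]) <= 1099:
        raise ValueError("not a SAP access list line: " + line)
    network = -1 if toks[3] == "-1" else int(toks[3], 16)
    stype = int(toks[4], 16) if len(toks) > 4 else 0
    name = toks[5] if len(toks) > 5 else "*"
    return SapRule(toks[2], network, stype, name)


def rule_matches(rule: SapRule, entry: SapEntry) -> bool:
    # The filter looks at each service entry's own address (the internal network),
    # not at the IPX header of the packet that carried it.
    return ((rule.network == -1 or rule.network == entry.network)
            and (rule.service_type == 0 or rule.service_type == entry.service_type)
            and fnmatchcase(entry.name, rule.name))


def sap_filter(rules: List[SapRule], entries: List[SapEntry]) -> List[SapEntry]:
    """Entries that pass the list: first matching line wins, implicit deny at the end.
    As an input filter this is what enters the SAP table; as an output filter it is
    what the router advertises on that interface."""
    kept = []
    for e in entries:
        for r in rules:
            if rule_matches(r, e):
                if r.action == "permit":
                    kept.append(e)
                break
    return kept


def sap_packets(entries: List[SapEntry], per_packet: int = 7) -> List[List[SapEntry]]:
    """Split an advertisement into periodic SAP packets of seven entries each."""
    return [entries[i:i + per_packet] for i in range(0, len(entries), per_packet)]


SERVERS = parse_servers(SHOW_IPX_SERVERS)
LIST_1001 = [parse_sap_rule("access-list 1001 deny 1A01"), parse_sap_rule("access-list 1001 permit -1")]
FILE_ONLY = [parse_sap_rule("access-list 1001 deny 1a01 4"), parse_sap_rule("access-list 1001 permit -1")]
DENY_ONLY = [parse_sap_rule("access-list 1001 deny 1A01")]

if __name__ == "__main__":
    for label, rules in (("deny 1A01", LIST_1001), ("deny 1A01 type 4", FILE_ONLY), ("deny only", DENY_ONLY)):
        kept = sap_filter(rules, SERVERS)
        print(f"{label:18} {len(kept)} entries in {len(sap_packets(kept))} packet(s):",
              [f"{e.name}/{e.service_type:X}" for e in kept])
```

The deny-only case is the one to remember when checking a SAP filter: without a permit -1 line, the implicit deny removes every service, and clients behind that interface will see no servers at all.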
Verifying IPX Access List Configuration
The show ipx interfaces command allows you to view all the various types of filters that can be set for IPX packets, routes, routers, SAPs, and NetBIOS packets. The Cisco IOS is rich in commands that help you to manage IPX traffic on your network, and all these parameters are configurable.
east#show ipx interface ethernet 0.2
Ethernet0.2 is up, line protocol is up
IPX address is D.0000.0c47.6643, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 1 minute(s)
IPX type 20 propagation packet forwarding is disabled
Incoming access-list is 800
Outgoing access-list is not set
IPX helper access-list is not set
SAP GNS processing disabled, delay 500 ms, output filter list is 1000
SAP Input filter list is not set
SAP Output filter list is 1013
SAP Router filter list is not set
Input filter list is not set
Output filter list is not set
Router filter list is not set
Netbios Input host access-list is not set
Netbios Input bytes access-list is not set
Netbios Output host access-list is not set
Netbios Output bytes access-list is not set
Updates each 60 seconds, aging multiples RIP: 3 SAP: 3
SAP interpacket delay is 55 ms, maximum size is 480 bytes
RIP interpacket delay is 55 ms, maximum size is 432 bytes
IPX accounting is disabled
IPX fast switching is configured (enabled)
RIP packets received 294, RIP packets sent 152
SAP packets received 295, SAP packets sent 150
Two lines are of particular interest. Incoming access-list is 800 indicates a packet filter applied inbound to the router with the ipx access-group 800 in command. SAP Output filter list is 1013 indicates that access list 1013 has been applied as an output SAP filter with the ipx output-sap-filter 1013 command.

The show access-lists command shows all access lists, not just IP or IPX. In the following example, both IPX and IP access lists are configured in the router. To view a specific IPX access list in isolation, use the list number as an argument for the command.
Router1# sh access-lists
IPX access-list 800
deny C011
permit FFFFFFFF
IPX access-list 900
permit any
permit any any all AA11.00cf.b200.0000 0000.00ff.ffff all
permit any BB22 all AA11
IPX SAP access-list 1000
deny B00F 47
permit FFFFFFFF
IPX SAP access-list 1009
deny FFFFFFFF 0 parallel
permit FFFFFFFF
IPX SAP access-list 1013
deny C000.0000.0000.0000 F.ffff.ffff.ffff
deny FFFFFFFF 47 E*
permit FFFFFFFF
Occasionally an access list is misconfigured and the result is that RIP connectivity is not able to take place between NetWare servers and their clients through a router. The recommended procedure to troubleshoot this situation is as follows:

1. Type enable to place the router into privileged EXEC mode.

2. Type show access-lists to see what IPX access lists are on the router.

3. Type show running-config to see if there are access lists specified for ipx input-network-filter or ipx output-network-filter.

4. For any access lists that are configured, type no ipx input-network-filter or no ipx output-network-filter to remove them.

5. Check to see if the RIP communication is working so that servers and clients can access each other through the router. If so, then the access list that was disabled must be checked for errors and corrected. An access list can be configured with explicit permit statements in order to enable communication. If there was more than one access list, then the access lists must be re-enabled and then disabled individually in order to isolate them. If RIP communication still does not work, then check to see if another router may be the cause of the problem.
EXERCISE 11-4
Remove all Access Lists From the Router's Configuration
Now that you have properly configured and applied various types of access lists, it is always good to know how to remove them in the event that they are no longer needed. Complete the following steps to properly remove all configured access lists from your router.

1. Enter interface configuration mode by typing the following command:
Router(config)# interface ethernet 0

2. Remove access lists 1 and 101 from the interface by entering these commands:
Router(config-if)# no ip access-group 1 in
Router(config-if)# no ip access-group 101 in

3. Now that the access lists are removed from the interface, you can safely remove them from the global configuration by entering the following commands:
Router(config)# no access-list 1
Router(config)# no access-list 101

You have now successfully removed both access lists that you previously configured on the router. Remember that when removing access lists it is best to remove them from the interface before you remove them from the global configuration.
FROM THE CLASSROOM

When creating a filter, it is imperative that you understand the way the protocol or application being filtered works. As an example, say that we wish to limit all access to server 10.1.2.3 with the exception of allowing TFTP (Trivial File Transfer Protocol) connections. Let us further assume that the server is the only device on interface Ethernet 0. If the administrator is unfamiliar with how TFTP works they might create the following access list thinking that it will work:

Router(config)# access-list 101 permit udp any host 10.1.2.3 eq tftp
Router(config)# interface e0
Router(config-if)# ip access-group 101 out

This may look correct to you as you read it. However, you and the administrator who created this list will be banging your heads wondering why the TFTP connections always fail. The answer comes from understanding how TFTP works.

TFTP uses UDP port number 69 as a listening port. This means that the first packet (the request for a TFTP transfer) sent to a server will use port 69. However, once the server gets this request it changes the server port to a random value greater than 1023 and less than 65,535 (the random port number range). All subsequent packets between the server and client will be sent between the client's random port number and this new random port number that the server selected. This frees up the original listening port (69) for additional requests of the server from other client devices.

This means that the correct configuration should look similar to the following:

Router(config)# access-list 101 permit udp any host 10.1.2.3 gt 1023
Router(config)# access-list 101 permit udp any host 10.1.2.3 eq tftp
Router(config)# interface e0
Router(config-if)# ip access-group 101 out

Notice the first line allows for packets from any source to the server 10.1.2.3 as long as the server's port is greater than 1023. The reason for putting this line first instead of second is that more packets will be sent to this destination address and port number than to the listening port number 69. Putting it first reduces the number of CPU interrupts required to determine if the packet is eligible to be permitted.

Many a network administrator has failed to accomplish filtering tasks due to a lack of knowledge. Do not be caught off guard.

Mark A. Buchmann, CCIE, CCSI
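To make the sidebar's point concrete, here is a small stateless filter simulator, an added example for this section and not code from the chapter or from Cisco. It parses the two lists above, evaluates the datagrams of a TFTP transfer as they would cross e0 outbound, and also shows what the fix opens up. The client address, the ephemeral ports and the table of port names are assumed for illustration; the parser understands only the subset of extended-list syntax used here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Port names this example understands (an assumed subset of the IOS keywords).
PORT_NAMES = {"tftp": 69, "telnet": 23, "ftp": 21, "ftp-data": 20, "domain": 53, "www": 80}

Addr = Tuple[int, int, Optional[str], Optional[int]]   # (address, wildcard, port-op, port)


def take_addr(toks: List[str]) -> Addr:
    """Consume 'any' | 'host A' | 'A wildcard', then an optional eq/gt/lt/neq port."""
    tok = toks.pop(0)
    if tok == "any":
        addr, wild = 0, 0xFFFFFFFF
    elif tok == "host":
        addr, wild = int(ipaddress.IPv4Address(toks.pop(0))), 0
    else:
        addr, wild = int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(toks.pop(0)))
    op = port = None
    if toks and toks[0] in ("eq", "gt", "lt", "neq"):
        op = toks.pop(0)
        name = toks.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return addr, wild, op, port


def parse_rule(line: str) -> dict:
    """Parse 'access-list 1xx permit|deny protocol source [port] destination [port]'."""
    toks = line.split()
    if toks[0] != "access-list" or not 100 <= int(toks[1]) <= 199:
        raise ValueError("not an extended IP access list line: " + line)
    rest = toks[4:]
    src = take_addr(rest)
    dst = take_addr(rest)
    return {"action": toks[2], "proto": toks[3], "src": src, "dst": dst}


def addr_ok(ref: Addr, address: int, port: int) -> bool:
    a, wild, op, p = ref
    if (a | wild) != (address | wild):          # wildcard 1 bits are ignored
        return False
    if op is None:
        return True
    return {"eq": port == p, "gt": port > p, "lt": port < p, "neq": port != p}[op]


def evaluate(rules: List[dict], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Stateless evaluation of one packet: first match wins, implicit deny otherwise."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r["proto"] in ("ip", proto) and addr_ok(r["src"], s, sport) and addr_ok(r["dst"], d, dport):
            return r["action"]
    return "deny"


# The two lists from the sidebar, as applied outbound on e0 toward the server.
NAIVE = [parse_rule("access-list 101 permit udp any host 10.1.2.3 eq tftp")]
FIXED = [parse_rule("access-list 101 permit udp any host 10.1.2.3 gt 1023"),
         parse_rule("access-list 101 permit udp any host 10.1.2.3 eq tftp")]


def tftp_transfer_succeeds(rules: List[dict], client: str = "10.9.8.7",
                           client_port: int = 40000, server_port: int = 50000) -> bool:
    """Only packets heading toward the server cross e0 outbound: the read request to
    port 69, then every later datagram (the client's ACKs) to the port the server
    moved to. Client address and both ephemeral ports are constructed for the example."""
    request = evaluate(rules, "udp", client, client_port, "10.1.2.3", 69)
    later = evaluate(rules, "udp", client, client_port, "10.1.2.3", server_port)
    return request == "permit" and later == "permit"


if __name__ == "__main__":
    print("naive list, transfer succeeds:", tftp_transfer_succeeds(NAIVE))
    print("fixed list, transfer succeeds:", tftp_transfer_succeeds(FIXED))
    # What the fix also opened: any UDP datagram to a high port on the server.
    print("udp to 10.1.2.3:5000 under fixed list:",
          evaluate(FIXED, "udp", "10.9.8.7", 1111, "10.1.2.3", 5000))
    print("tcp telnet under fixed list:", evaluate(FIXED, "tcp", "10.9.8.7", 1111, "10.1.2.3", 23))
```

The naive list fails because the only datagram it permits is the first one; everything after the server moves to its chosen port above 1023 hits the implicit deny. The fixed list works, but the price of stateless filtering shows in the third check: every UDP port above 1023 on the server is now reachable from any source, not only the one the transfer happens to use, since a plain access list cannot track which port the server picked.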
CERTIFICATION SUMMARY

Access lists are used to filter traffic on Cisco routers. The purpose of filtering traffic can be to reduce certain protocol type traffic, manage the flow of traffic through the network, and secure the network. Access lists can deny or permit traffic based on the protocol, based on the source address or the destination address, and based on its inbound or outbound status.

In an IP access list, a source or destination address is tested against each item in the list. The first match found is the one that is used to determine whether the packet is permitted or disregarded. Because the first match is the one followed, it is critical to pay attention to the order. When a list is interrogated, if no applicable rule is found, the packet is implicitly denied. The correct syntax for permitting or denying packets across interfaces is as follows:

access-list access-list-number deny | permit source-address [source-wildcard] | any

IPX access lists permit or deny traffic based on either specified network nodes or messages sent using particular protocols and services. Just as in IP access lists, the order of rules applied in the access list is critical. The first matching entry, whether it is a permit or a deny, is followed. And also like IP lists, if you do not explicitly enter a permit everything at the end, an implicit deny all is made. The syntax for a basic IPX access list is as follows:

access-list access-list-number deny | permit source-network [options]

All servers on a NetWare-type network can dynamically advertise their services and addresses using the Service Advertising Protocol (SAP). The other components on a network besides the servers themselves, such as routers, keep a complete list of the services available across the network. These service advertisements synchronize the list of available services. SAP-type traffic can be denied with a command such as access-list 1001 deny 1A01 4.

After an access list is created, it must be applied to the interface using an access-group command.
TWO-MINUTE DRILL
Standard IP Access Lists
Packet filtering is performed on Cisco routers through the use of access lists. Access lists can be used to control the transmission of packets across an interface, to restrict traffic across virtual terminal lines, or to restrict routing updates.

An IP access list is a collection of permit and deny rules that are applied to IP addresses.

There are three basic types of IP access lists: standard, extended, and dynamic extended.

The basic format for adding a standard access list is:
ACCESS-LIST access-list-number DENY|PERMIT SOURCE [source-wildcard] | ANY

Extended IP Access Lists

Extended IP uses both the source and destination address when it tries to match up packets to your list, and you can optionally use protocol type information for even finer control.

The syntax for adding and removing access lists is:
[NO] ACCESS-LIST access-list-number DENY | PERMIT protocol source source-wildcard destination destination-wildcard

Named Access Lists

With named lists you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number.

You can verify your IP access lists with the SHOW ACCESS-LISTS command and the SHOW IP INTERFACES command.
Standard IPX Access Lists

IPX access lists permit or deny traffic across interfaces based on either specified network nodes or messages sent using particular protocols and services.
IPX standard access lists use the access-list range of 800-899.
IPX SAP Filters
All servers on a NetWare-type network can dynamically advertise their
services and addresses using the Service Advertising Protocol (SAP).
Show ipx Interfaces allows you to view all the various types of filters that can be set for IPX packets, routes, routers, SAPs, and NetBIOS packets.
Show access-lists will show all access-lists, not just IP or IPX.
SELF TEST

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question.
Standard IP Access Lists
1. Which of the following commands adds a statement to a standard IP access list?
A. Router(config)#access-list 8 permit 127.8.108.0 0.0.63.255
B. Router# access-list 88 permit 127.8.108.0 0.0.63.255
C. Router> access-list 999 permit 127.8.108.0 0.0.63.255
D. Router(config)#access-list 108 permit 127.8.108.0 0.0.63.255 inbound
2. What is always the last forward or drop decision performed when using an access list?
A. The last configured statement of the access list
B. The statement in the access list that is designated with the last parameter
C. The implicit deny any statement
D. The implicit permit any statement
3. What type of criteria can a standard IP access list filter traffic for?
A. Source address
B. Destination address
C. Protocol type
D. Inbound or outbound traffic
4. Noelle is a new network administrator and is reviewing each router's configuration. Noelle discovers that there is an access list number 79 applied to a router's serial interface. What type of access list is it?
A. Standard IPX
B. Standard IP
C. SAP
D. Extended IP
5. Which of the following statements are true regarding IP access lists (Select all that apply)?
A. After an access list is created, any additions to that list are placed at the end
B. You cannot selectively add or remove items
C. You need to explicitly associate the access list to whatever it is you are intending to use it for, such as an interface
D. There is an implicit DENY statement at the end
6. What command removes an access list from a router?
A. Remove access-list 1
B. Delete access-list 1
C. No access-list 1
D. Deny access-list 1
Extended IP Access Lists
7. Which of the following commands will add a statement to an extended IP access list?
A. Router(config)# access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23
B. Router(config)# access-list 8 permit any
C. Router(config)# access-list 850 permit 1
D. Router>access-list 102 permit udp 172.16.1.0 0.0.0.255
8. Noelle finds an inbound access list applied to the Ethernet interface of another router and it has a number of 122. What type of access list is it?
A. Standard IPX
B. Standard IP
C. SAP
D. Extended IP
9. The following access list, containing only one line, is applied as a packet filter on an interface:
ACCESS-LIST 100 PERMIT TCP 145.22.3.0 0.0.0.255 ANY EQ TELNET
What is the best description of the traffic that is denied by the implicit DENY ALL?
A. All IP traffic
B. All Telnet traffic
C. All TCP traffic
D. All TCP traffic except Telnet
10. The following statement appears in an IP extended access list:
ACCESS-LIST 125 PERMIT IP ANY HOST 136.25.2.128
What does this line permit?
A. Any IP traffic from host 136.25.2.128
B. IP traffic to any host on network 136.25.2.128
C. IP traffic from any address to the host at 136.25.2.128
D. The statement is invalid because there is no mask.
11. The address mask pair 172.16.64.0 0.0.3.255 specifies which range of IP addresses?
A. 172.16.64.255 through 172.16.67.255
B. 172.16.67.0 through 172.16.70.255
C. 172.16.64.0 through 172.16.67.255
D. 172.16.63.0 through 172.16.64.255
12. Which command would be used to configure an inbound packet filter for TCP traffic?
A. Router(config-if)#tcp packet-filter 101
B. ROUTER(CONFIG-IF)#IP PACKET-FILTER 101 IN
C. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 99 IN
D. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 100 IN
E. ROUTER(CONFIG-IF)#IP ACCESS-GROUP 100
13. What would be the wildcard mask in an access list that permits all traffic from a class C network address?
A. 0.0.255.255
B. 0.255.255.255
C. 0.0.3.255
D. 0.0.0.255
Named Access Lists
14. What type of access lists can utilize the name function?
A. IPX Standard
B. IP Standard
C. IPX Extended
D. IP Extended
15. Which command will display all the access lists configured on a router?
A. Show all
B. Show access-lists
C. Show filters
D. Display access-lists
Standard IPX Access Lists
16. Noelle further discovers that the router has an access list number 860 applied to the sameinterface. What type of access list is this?
A. Standard IPX
B. Standard IP
C. SAP
D. Extended IP
17. On what basis do IPX access lists permit or deny traffic?
A. Specified network nodes
B. Messages sent using a particular ICMP
C. Messages sent using a particular protocol
D. Messages sent using a particular service
IPX SAP Filters
18. Company A has a site in Sydney, Australia with NetWare servers, and two sites (one with NetWare servers, one without) in Los Angeles, California. Company A wants to make sure that no servers in Sydney respond to get nearest server requests from clients in Los Angeles at the site that has no servers. What type of filter should Company A apply?
A. An outbound SAP filter on the Los Angeles site with servers on the interface to the other Los Angeles site
B. An inbound SAP filter on the Los Angeles site without servers on the interface to the Sydney site
C. An outbound GNS filter on the Los Angeles site without servers but only on the interface to the Sydney site
D. An outbound GNS filter on the Los Angeles site without servers but on the interface to the other Los Angeles site
19. Which command will apply an SAP filter for outbound traffic?
A. Router> ipx output-sap-filter 1001
B. Router(config-if)# ipx output-sap-filter 1001
C. Router# ipx output-sap-filter 1001
D. Router(config)# ipx output-sap-filter 1001
20. SAP traffic is filtered using what access list command?
A. Router>access-list 860 permit sap any
B. Router#access-list 1000 permit sap any
C. Router(config)#access-list 801 permit sap any
D. Router(config)# access-list 1001 deny 1A01
LAB QUESTION
You were advised that certain networks (10.10.1.0 and 10.10.2.0) no longer need access to the ftp server (10.10.20.50) located back in the main office. You are told that these networks are not to have access to the ftp server, but they will still need access to all of the other servers located on the same network. Your task is to implement an access list scheme that will meet these goals without affecting any other traffic. Detail how you will configure and apply these access lists, and explain why.
SELF-TEST ANSWERS
Standard IP Access Lists
1. A. The global configuration command access-list 8 permit 127.8.108.0 0.0.63.255 adds a permit statement to a standard IP access list.
B is incorrect because the router is not in configuration mode. C is incorrect because the router is not in exec mode. Once you are in privileged mode you will have the # sign after the host name. D is incorrect because the access-list number is 108, which makes it an extended IP access list and not a standard one, which is what the question asks for.
2. C. The last forward or drop decision that is performed by a router when using an access list is the implicit deny any statement. If no match is found to forward data with using the access list, the router drops the packet.
A is incorrect because the last configured statement still comes before the implicit deny all statement. B is incorrect because there is no such thing as the last parameter. D is incorrect because there is no such thing as an implicit permit any statement.
3. A. A standard IP access list can filter traffic based on source address.
B and C are incorrect because these are parameters that are associated with extended IP access lists, not standard IP access lists. D is incorrect because the inbound or outbound direction is specified on the interface, not in the access list.
4. B. The access list is a standard IP access list. Standard IP access lists use the numeric range of 1-99.
A is incorrect because standard IPX access lists use the numeric range of 800-899. C is incorrect because SAP access lists use the numeric range of 1000-1099. D is incorrect because extended IP access lists use the numeric range of 100-199.
5. A, B, C, D. All are correct statements regarding IP access lists.
6. C. The command no access-list 1 will remove the access list numbered 1 from the router. This command must be entered into the router from the configuration mode.
A, B, and D are incorrect because they all use invalid commands.
Extended IP Access Lists
7. A. The global configuration command access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.17.1.1 eq 23 will add a statement to an extended IP access list.
B is incorrect because this command would specify a standard IP access list, and not an extended IP access list. C is incorrect because this would specify a standard IPX access list, and not an extended IP access list. D is incorrect because the router is not in exec mode, or configuration mode for that matter.
8. D. An access list with the number 122 is an extended IP access list, since they are in the range of 100-199.
A is incorrect because the standard IPX access list numeric range is 800-899. B is incorrect because the standard IP access list numeric range is 1-99. C is incorrect because the SAP access list numeric range is 1000-1099.
9. A. Even though the statement explicitly refers to TCP and Telnet traffic, the implicit DENY ALL applies to all IP traffic.
B is incorrect because the access list specifies that Telnet traffic will be allowed from the 145.22.3.0 network. C and D are incorrect because the implicit deny all statement will deny all traffic, not just TCP traffic.
10. C. The ANY argument represents any source network. The HOST keyword replaces the mask 0.0.0.0 for the destination IP address 136.25.2.128.
A is incorrect because the address 136.25.2.128 is the destination, not the source. B is incorrect because the address 136.25.2.128 specifies a host address by using the HOST keyword. D is incorrect because you do not need to specify a mask when using the HOST keyword to specify a specific device.
11. C. The range begins at 172.16.64.0 and includes all IP addresses through 172.16.67.255. All bits in the address corresponding to 0 bits in the wildcard mask will always be the same throughout the range, while all bits in the address corresponding to 1 bits in the mask may be any value.
A is incorrect because the network of 172.16.64.0 is specified, not the broadcast address of 172.16.64.255. B is incorrect because the beginning network is incorrect; the beginning network should be 172.16.64.0, not 172.16.67.0. D is incorrect because for this statement to be true the mask would have to read 0.0.1.255.
12. D. A packet filter to filter TCP traffic would be applied using the ip access-group command, using an IP extended access list.
A is incorrect because there is no such command as tcp packet-filter. B is incorrect because there is no such command as IP PACKET-FILTER. C is incorrect because list 99 would be a standard IP access list, which cannot specifically filter TCP traffic. E is incorrect because the keyword IN needs to be specified. The default direction is outbound.
13. D. The wildcard mask in an access list that permits all traffic from a Class C network address would be 0.0.0.255 on a router.
A is incorrect because the mask 0.0.255.255 would specify a Class B network. B is incorrect because this would specify a Class A network. C is incorrect because it would indicate that a Class B network has been divided up and is not an entire Class C.
Named Access Lists
14. B and D. When Cisco implemented this function in the IOS, it was made applicable only to standard and extended IP access lists.
A and C are incorrect because the IOS does not support the named access list feature for these types of access lists.
15. B. The show access-lists command will display all the access lists configured on a router.
A, C, and D are incorrect because they use commands that are not valid.
Standard IPX Access Lists
16. A. This access list number falls in the standard IPX access list numeric range.
B is incorrect because standard IP access lists use the numeric range of 1-99. C is incorrect because SAP access lists use the numeric range of 1000-1099. D is incorrect because extended IP access lists use the numeric range of 100-199.
17. A, C, and D. Packets are permitted or denied based on specified network nodes or messages sent using a particular service or protocol.
B is incorrect because ICMP is a PING.
IPX SAP Filters
18. C. Company A should apply an outbound GNS filter on the router at the Los Angeles site on the interface that connects it to the Sydney site. This will effectively prevent any get nearest server requests from traveling to Sydney.
A and B are incorrect because they would prevent SAPs, but not GNS requests. D is incorrect because this would block the Los Angeles servers from responding, but not the Sydney servers.
19. B. The interface configuration command ipx output-sap-filter 1001 will apply a SAP filter for outbound traffic to a router's interface.
A is incorrect because the router is not in exec or configuration mode. C is incorrect because the router is not in configuration mode. D is incorrect because the command is not applying the filter to an interface.
20. D. The global configuration command access-list 1001 deny 1A01 is a SAP access list used to filter SAP traffic.
A is incorrect because the router is not in exec or configuration mode, and it is also using a standard IPX access list range. B is incorrect because the router is not in configuration mode. C is incorrect because the access list is using a standard IPX access list number and not a SAP access list number.
LAB ANSWER
The following steps detail how this scenario can be met.
1. Determine what will need to be accomplished, which we have already defined.
2. On a notepad or text editor write out what you think will be the correct access-list configurations to meet your overall goals.
3. Once you have come up with an initial idea of how your access lists should be configured, you will want to verify that they are correct and possibly have a coworker do a sanity check for you.
4. Now that the access lists look like they should, you can go ahead and configure them on your router.
5. Log on to the router and enter global configuration mode.
6. You will start entering the access lists into the router's configuration, and they should look something like this (each source network needs its wildcard mask, and the final permit needs a protocol keyword, or the IOS will not accept the statement):
Router(config)# access-list 101 deny tcp 10.10.1.0 0.0.0.255 host 10.10.20.50 eq ftp
Router(config)# access-list 101 deny tcp 10.10.2.0 0.0.0.255 host 10.10.20.50 eq ftp
Router(config)# access-list 101 permit ip any any
7. With this configuration you are doing the following things:
Denying the 10.10.1.0 network ftp access to 10.10.20.50.
Denying the 10.10.2.0 network ftp access to 10.10.20.50.
Permitting all other traffic to go anywhere else.
Implicit deny all statement.
8. Once these access lists are configured globally on the router, they will need to be applied to an interface for final completion.
9. You will start by entering the following command on interface ethernet 2:
Router(config-if)# ip access-group 101 in
10. With this statement you have just applied access list 101 to the router interface, and inbound traffic on that interface is now being compared to your access list.
You have now successfully configured, applied, and explained what these access lists will accomplish in the overall scheme of your network.
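As an added illustration that is not part of the book, the following Python script models how the IOS evaluates the lab's access list 101: wildcard matching (including the 172.16.64.0 0.0.3.255 pair from question 11), top-down first match, and the implicit deny at the end of every list. The Entry class, the evaluate function and the sample packets are constructed for this example and are not IOS code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of Cisco wildcard masks and extended-ACL evaluation
# (added example; not IOS code and not from the book).

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match the network, a 1 bit is don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

def wildcard_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an address/wildcard pair can match (question 11)."""
    n, w = _ip(network), _ip(wildcard)
    return (str(ipaddress.IPv4Address(n & ~w & 0xFFFFFFFF)),
            str(ipaddress.IPv4Address(n | w)))

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol, else e.g. "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None means any destination port

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """Entries are tested top down; the first match wins. No match hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny any at the end of every access list

# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
HOST, ANY = "0.0.0.0", "255.255.255.255"
LAB_ACL = [  # the lab's access-list 101; "eq ftp" is TCP port 21 (constructed sample)
    Entry("deny", "tcp", "10.10.1.0", "0.0.0.255", "10.10.20.50", HOST, 21),
    Entry("deny", "tcp", "10.10.2.0", "0.0.0.255", "10.10.20.50", HOST, 21),
    Entry("permit", "ip", "0.0.0.0", ANY, "0.0.0.0", ANY),
]
```

Evaluating LAB_ACL without its final permit entry shows why step 7's "permit ip any any" matters: every packet from the other servers' clients would fall through to the implicit deny.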