
Synergon Informatika Rt.

Chapter 3

Managing IP Traffic

Objectives

Upon completion of this chapter you will be able to perform the following tasks:

• Configure IP standard access lists
• Limit virtual terminal access
• Configure IP extended access lists
• Verify access list configuration
• Configure an alternative to using access lists
• Configure an IP helper address to manage broadcasts

Managing IP Traffic Overview

• Limit traffic and restrict network use
• Enable directed forwarding of broadcasts

(Diagram: FTP traffic and a broadcast, each marked X as blocked by the router.)

Access List Application

Access lists control packet movement through a network:

• Transmission of packets on an interface
• Virtual terminal line access (IP)

Other Access List Uses

Access lists are multipurpose:

• Route filtering
• Dial-on-demand routing
• Priority and custom queuing

(Diagram: access lists feeding a routing table and a queue list.)


Configuring IP Standard Access Lists

IP Standard Access Lists Overview

• Use source address only
• Access list range: 1 to 99

(Diagram: a packet with destination address 10.0.0.3 and source address 172.16.5.17, from network 172.16.5.0; only the source address is tested.)

Inbound Access List Processing

For standard IP access lists, an incoming packet is processed as follows:

• Access list applied to the interface? No: route the packet to the outgoing interface.
• Yes: take the next entry in the list. Does the source address match?
  – No: more entries? Yes: check the next entry. No: the implicit deny applies and an ICMP message is sent.
  – Yes: apply the entry's condition. Deny: send an ICMP message. Permit: route the packet to the outgoing interface.

Outbound Access List Processing

For standard IP access lists, a packet leaving an interface is processed as follows:

• The packet is first routed to the outgoing interface. Access list applied to that interface? No: forward the packet.
• Yes: take the next entry in the list. Does the source address match?
  – No: more entries? Yes: check the next entry. No: the implicit deny applies and an ICMP message is sent.
  – Yes: apply the entry's condition. Deny: send an ICMP message. Permit: forward the packet.

IP Addressing Review

High-Order Bits   First Octet   Class   Standard Mask
0                 1-126         A       255.0.0.0
10                128-191       B       255.255.0.0
110               192-223       C       255.255.255.0

Subnet bits   Subnet mask        Subnet bits
(Class B)                        (Class C)
0             255.255.0.0
1             255.255.128.0
2             255.255.192.0
3             255.255.224.0
4             255.255.240.0
5             255.255.248.0
6             255.255.252.0
7             255.255.254.0
8             255.255.255.0      0
9             255.255.255.128    1
10            255.255.255.192    2
11            255.255.255.224    3
12            255.255.255.240    4
13            255.255.255.248    5
14            255.255.255.252    6
15            255.255.255.254    7

Access Lists Use Wildcard Mask

Address           Mask               Matches
0.0.0.0           255.255.255.255    any address
131.108.0.0       0.0.255.255        network 131.108.0.0
131.104.7.11      0.0.0.0            exactly host 131.104.7.11
255.255.255.255   0.0.0.0            local broadcast
131.111.8.0       0.0.7.255          only subnet 131.111.8.0 *

• 0 bit = must match the corresponding bit in the address
• 1 bit = unconditional match for that bit in the address

* Assuming a subnet mask of 255.255.248.0

Access List Configuration Tasks

To create an access list, perform the following tasks:

• Define an access list
• Apply the list to an interface

Standard Access List Commands

Router(config)#
access-list access-list-number {permit | deny} {source [source-wildcard] | any}

• Defines a standard access list (numbered 1-99)

Router(config-if)#
ip access-group access-list-number {in | out}

• Applies an access list to a specific interface

Implicit Masks

(For standard IP access lists)

access-list 1 permit 131.108.5.17               Correct
!
access-list 1 permit 0.0.0.0                    Common error
access-list 1 permit 131.108.0.0                Common error
access-list 1 deny any                          Not needed
access-list 1 deny 0.0.0.0 255.255.255.255      Not needed

• Omitted mask assumed to be 0.0.0.0
• Last two lines unnecessary (implicit deny any)

Configuration Principles

• Top-down processing
  – Place more specific references first
• Implicit deny any
  – Unless the access list ends with an explicit permit any
• New lines are added to the end
  – Cannot selectively add/remove lines
• Undefined access list = permit any
  – At least one access list line must be created before the implicit deny any applies

Standard Access List Example

Router(config)# access-list 2 permit 36.48.0.3
Router(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Router(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Router(config)# ! (Note: all other access implicitly denied)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 2 in

(Diagram: routers A, B, C and D, the Internet, interface E0 of router A, network 36.0.0.0 with subnets 36.48.0.0 and 36.51.0.0, and host 36.48.0.3.)

• Who can connect to A?
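The rules from the preceding slides (wildcard masks, the implicit 0.0.0.0 mask, top-down order, implicit deny any, undefined list = permit any) applied to access list 2 above. This is an added Python model, not code from the slides or from Cisco IOS; the function names and the sample hosts are my own.

```python
import ipaddress

# Constructed sample input: the standard access list from the slide above.
ACL_2 = """\
access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
"""

def wildcard_match(addr, base, wildcard):
    """Wildcard mask rule: a 0 bit must match, a 1 bit matches anything."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0

def parse_standard_acl(text):
    """Parse 'access-list N {permit|deny} {source [wildcard] | any}' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError("not a standard access-list line: " + line)
        action = parts[2]
        if parts[3] == "any":
            base, wild = 0, 0xFFFFFFFF          # any = 0.0.0.0 255.255.255.255
        else:
            base = int(ipaddress.IPv4Address(parts[3]))
            # An omitted mask is implicitly 0.0.0.0, i.e. an exact host match;
            # this is the "permit 131.108.0.0" mistake from the Implicit Masks slide.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, base, wild))
    return entries

def evaluate(entries, source):
    """Top-down evaluation: the first matching entry decides.

    An undefined (empty) list permits everything; a defined list that
    matches nothing ends in the implicit 'deny any'.
    """
    if not entries:
        return "permit"
    src = int(ipaddress.IPv4Address(source))
    for action, base, wild in entries:
        if wildcard_match(src, base, wild):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_2)
    for host in ("36.48.0.3", "36.48.9.9", "36.51.0.1", "10.0.0.1"):
        print(host, evaluate(acl, host))
```

Swapping the first two lines of the list makes the deny for 36.48.0.0 shadow the host 36.48.0.3, which is why the more specific reference must come first.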

Location of Standard Access Lists

access-list 3 deny 10.3.0.1
access-list 3 permit any

(Diagram: routers A, B, C and D, each with interfaces E0 and E1; hosts V, W, X, Y and Z; the address 10.3.0.1.)

• On which router should the access list be configured to deny host Z access to host V?
• How does the location of a standard access list change the policy implemented?

Virtual Terminal Access Overview

• Standard and extended access lists applied to interfaces will not block access originating from the router itself
• For security, virtual terminal (vty) access can be blocked to or from the router

(Diagram: a router whose vty access is blocked in both directions.)


Restricting Virtual Terminal Access

How to Control vty Access

• Five virtual terminal lines (0-4)
• Set identical restrictions on all the virtual terminal lines

(Diagram: a router with physical port E0 and virtual ports vty 0 through 4 (vty 0 4).)

Virtual Terminal Line Commands

Router(config)#
line {vty number | vty-range}

• Enters configuration mode for a terminal line or a range of lines

Router(config-line)#
access-class access-list-number {in | out}

• Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list

Virtual Terminal Access Example 1

Controlling Inbound Access

Permits only hosts in network 192.89.55.0 to connect to the virtual terminal ports on the router.

access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
access-class 12 in

Virtual Terminal Access Example 2

Controlling Outbound Access

Permits terminal line connections only to network 36.0.0.0.

access-list 13 permit 36.0.0.0 0.255.255.255
!
line vty 0 4
access-class 13 out

IP Extended Access List Overview

• Control traffic by application, not just address

(Diagram: Manufacturing, Accounting and Sales networks connected to the Internet, with SMTP, FTP and Telnet traffic filtered per application.)


Configuring IP Extended Access Lists

Extended Access List Processing

• Access list applied to the interface? No: forward the packet.
• Yes: take the next entry in the list and test, in order:
  – Source address
  – Destination address
  – Protocol *
  – Protocol options *
• If any test does not match, go to the next entry in the list (no more entries: the implicit deny applies and an ICMP message is sent)
• If all tests match, apply the condition. Deny: send an ICMP message. Permit: forward the packet.

* If present in the access list

Extended IP Access List Command

Router(config)#
access-list access-list-number {permit | deny}
    {protocol | protocol-keyword}
    {source source-wildcard | any}
    [protocol-specific options]
    {destination destination-wildcard | any}

• Defines an extended access list (numbered 100 to 199)
• Protocol keywords icmp, igmp, tcp and udp define alternate syntax with protocol-specific options

Extended Mask Keywords

The keyword any can be used in place of the address 0.0.0.0 with mask 255.255.255.255:

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
! (alternate configuration)
access-list 101 permit ip any any

The keyword host preceding an IP address can be used in place of the mask 0.0.0.0:

access-list 101 permit ip 0.0.0.0 255.255.255.255 131.108.5.17 0.0.0.0
! (alternate configuration)
access-list 101 permit ip any host 131.108.5.17

ICMP Command Syntax

Filters based on ICMP messages

Router(config)#
access-list access-list-number {permit | deny} icmp {source source-wildcard | any}
    {destination destination-wildcard | any} [icmp-type [icmp-code] | icmp-message]

TCP Syntax

Filters based on TCP port number or name

Router(config)#
access-list access-list-number {permit | deny} tcp {source source-wildcard | any}
    [operator source-port | source-port] {destination destination-wildcard | any}
    [operator destination-port | destination-port] [established]

UDP Syntax

Filters based on the UDP protocol as a whole or on UDP port number or name

Router(config)#
access-list access-list-number {permit | deny} udp {source source-wildcard | any}
    [operator source-port | source-port] {destination destination-wildcard | any}
    [operator destination-port | destination-port]

Extended Access List Example 1

Providing Internet Mail

access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 103 permit tcp any host 128.88.1.2 eq smtp
!
interface ethernet 1
ip access-group 103 in

(Diagram: router A, interface E1, the Internet, mail host 128.88.1.2 and network 128.88.3.0.)
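An added Python model (not from the slides or from IOS) of how the router evaluates access list 103 above against inbound packets; the Packet class, PORT_NAMES table and function names are my assumptions. The established keyword matches any TCP segment whose ACK or RST bit is set, which is a flag check rather than connection tracking: it admits return traffic for sessions opened from inside, but also any externally crafted segment that carries those bits.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: access list 103 from Example 1 above.
ACL_103 = """\
access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 103 permit tcp any host 128.88.1.2 eq smtp
"""
PORT_NAMES = {"smtp": 25, "domain": 53, "telnet": 23}  # assumed name table

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set; 'established' tests only this

def parse_addr(tokens, i):
    """Return ((base, wildcard), next_index) for 'any', 'host A' or 'A W'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_extended_acl(text):
    """Parse 'access-list N {permit|deny} proto src dst [eq port] [established]'
    lines into (action, proto, src, dst, dport, established) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, i = parse_addr(t, 4)
        dst, i = parse_addr(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":
                dport, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError("unsupported option: " + t[i])
        entries.append((action, proto, src, dst, dport, established))
    return entries

def wildcard_match(addr, net):
    base, wild = net
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0

def evaluate(entries, pkt):
    """Top-down: source, destination, protocol and options must all match;
    the first entry that matches decides, otherwise the implicit deny any."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for action, proto, src, dst, dport, established in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(s, src) and wildcard_match(d, dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not pkt.ack_or_rst:
            continue
        return action
    return "deny"
```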

Extended Access List Example 2

Also Providing DNS and Ping

access-list 104 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 104 permit tcp any host 128.88.1.2 eq smtp
access-list 104 permit tcp any any eq domain
access-list 104 permit udp any any eq domain
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface serial 0
ip access-group 104 in

(Diagram: routers A and B, interfaces S0, E0 and E1, the Internet, mail host 128.88.1.2 and network 128.88.3.0.)

Location of Extended Access Lists

• Minimize the distance travelled by traffic that will be denied (and by ICMP unreachable messages)
• Keep denied traffic off the backbone
• Select the router that will receive the CPU overhead from access lists
• Consider the number of interfaces affected
• Consider access list management and security
• Consider the impact of network growth on access list maintenance


Verifying Access List Configuration

Access List show Command

Router#
show access-lists

• Displays access lists from all protocols

Router#
show ip access-lists [access-list-number]

• Displays a specific IP access list

Router#
clear access-list counters [access-list-number]

• Clears packet counts

Router#
show line

• Displays line configuration

show ip access-list Command

Router# show ip access-list
Extended IP access list 101
    deny udp any any eq ntp
    permit tcp any any
    permit udp any any eq tftp
    permit icmp any any
    permit udp any any eq domain
Router#


Using an Alternative to Access Lists

Null Interface

• A route to nowhere saves valuable CPU cycles

(Diagram: a packet arrives and is either tested line by line against a long access list (permit 1.0.0.0 …, deny 2.0.0.0 …, permit 3.0.0.0 …, deny 4.0.0.0 …, permit 5.0.0.0 …) or looked up once in the routing table, where unwanted destinations point to Null 0 instead of S0, E0, T0 or S1.)

Null Interface Command

Router(config)#
ip route address mask null 0

• Creates a static route to filter unwanted traffic
• The interface name is always null 0

Null Interface Example

ip route 201.222.5.0 255.255.255.0 null 0

(Diagram: a Token Ring site with networks 131.108.5.0, 131.108.1.0 and 131.108.4.0, addresses 131.108.6.1 and 131.108.6.2, network 131.108.7.0, and network 201.222.5.0.)

• Eliminates traffic for 201.222.5.0 from the WAN


Using Helper Addresses

Helper Addressing Overview

• Routers do not forward broadcasts by default
• Helper addresses provide selective connectivity

(Diagram: a diskless workstation and a boot server on different sides of a router.)

Why Use a Helper Address?

• Sometimes clients do not know the server address
• Helpers change broadcast to unicast to reach the server

(Diagram: a diskless workstation broadcasts "Looking for boot server"; the broadcasts are marked X as not forwarded toward the boot server.)

IP Helper Address Commands

Router(config-if)#
ip helper-address address

• Enables forwarding of UDP broadcasts and specifies the destination address for the forwarded packets
• Changes the destination address from broadcast to a unicast or directed broadcast address

Router(config)#
ip forward-protocol {udp [port] | nd | sdns}

• Specifies which protocols will be forwarded

Single Server - Remote Medium

Forwarding Default UDP Broadcasts

interface ethernet 0
ip address 144.253.1.100 255.255.255.0
ip helper-address 144.253.2.2

(Diagram: a diskless workstation at 144.253.1.1 on the E0 segment broadcasts; the router forwards the broadcast to the boot server at 144.253.2.2.)

Single Server - Remote Medium

Forwarding Default and Other Broadcasts

interface ethernet 0
ip address 144.253.1.100 255.255.255.0
ip helper-address 144.253.2.2
ip forward-protocol udp 3000
no ip forward-protocol udp 69

The two ip forward-protocol lines are global configuration commands (entered at the Router(config)# prompt, not under the interface); they add UDP port 3000 to, and remove TFTP (port 69) from, the set of broadcasts the helper address forwards.

(Diagram: a diskless workstation at 144.253.1.1 on E0 sends a BOOTP broadcast; the router forwards it to the boot server at 144.253.2.2.)

Server Location

• Multiple servers - remote media
• Single server - remote medium
• Multiple servers - remote medium

Single Server - Remote Medium

Directed Broadcast into Subnet

interface ethernet 0
ip address 144.253.1.100 255.255.255.0
ip helper-address 144.253.2.255

(Diagram: a broadcast received on E0 is forwarded as a directed broadcast to 144.253.2.255, the subnet holding the BOOTP server 144.253.2.2 and the DNS server 144.253.2.1.)

Multiple Server - Remote Medium

Directed Broadcast and Unicast

interface ethernet 0
ip address 144.253.1.100 255.255.255.0
ip helper-address 144.253.2.255
ip helper-address 144.253.3.2

(Diagram: a broadcast received on E0 is forwarded both as a directed broadcast to 144.253.2.255 (BOOTP server 144.253.2.2 and DNS server 144.253.2.1) and as a unicast to the FTP server 144.253.3.2.)
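An added Python model, not part of the slides or of IOS, of the helper-address behaviour on the Single Server and Multiple Server slides above: which UDP broadcasts a router forwards after ip helper-address, ip forward-protocol udp 3000 and no ip forward-protocol udp 69, and to how many destinations. The Router and Interface classes are my own, and the default port set is taken from Cisco's documentation rather than from these slides.

```python
from dataclasses import dataclass, field

# Assumed from Cisco documentation, not stated on the slides: the UDP ports
# forwarded by default once a helper address is configured (time, tacacs,
# dns, bootp server/client, tftp, netbios-ns, netbios-dgm).
DEFAULT_UDP_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}

@dataclass
class Interface:
    address: str = ""
    mask: str = ""
    helpers: list = field(default_factory=list)

@dataclass
class Router:
    interfaces: dict = field(default_factory=dict)
    udp_ports: set = field(default_factory=lambda: set(DEFAULT_UDP_PORTS))

    def configure(self, text):
        """Apply the subset of IOS used on these slides: interface, ip address,
        ip helper-address, and the global [no] ip forward-protocol udp <port>."""
        iface = None
        for line in text.strip().splitlines():
            t = line.split()
            if t[0] == "interface":
                iface = self.interfaces.setdefault(" ".join(t[1:]), Interface())
            elif t[:2] == ["ip", "address"]:
                iface.address, iface.mask = t[2], t[3]
            elif t[:2] == ["ip", "helper-address"]:
                iface.helpers.append(t[2])
            elif t[:3] == ["ip", "forward-protocol", "udp"]:
                self.udp_ports.add(int(t[3]))
            elif t[:4] == ["no", "ip", "forward-protocol", "udp"]:
                self.udp_ports.discard(int(t[4]))
            else:
                raise ValueError("unsupported line: " + line)

    def forward_broadcast(self, ifname, dport):
        """Destinations a UDP broadcast received on ifname is re-sent to, its
        destination rewritten to each helper address (a unicast or a directed
        broadcast); an empty list means the router drops the broadcast."""
        iface = self.interfaces[ifname]
        if not iface.helpers or dport not in self.udp_ports:
            return []
        return list(iface.helpers)
```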

Summary

You can manage IP traffic by:

• Controlling packet transmission on each medium
• Using a static route to the null interface in place of an access list to minimize processing overhead
• Configuring helper addresses to forward broadcasts

Standard access lists are easy to configure and require lower processing overhead; extended access lists provide greater control.