
1 Chapter 3 Managing IP Traffic

2 Objectives
Upon completion of this chapter you will be able to perform the following tasks:
- Configure IP standard access lists
- Limit virtual terminal access
- Configure IP extended access lists
- Verify access list configuration
- Configure an alternative to using access lists
- Configure an IP helper address to manage broadcasts

3 Managing IP Traffic Overview
- Limit traffic and restrict network use
- Enable directed forwarding of broadcasts
(Figure: a router between a LAN and the Internet, with an FTP flow and a broadcast shown.)

4 Access List Application
Access lists control packet movement through a network:
- Transmission of packets on an interface
- Virtual terminal line access (IP)

5 Other Access List Uses
Access lists are multipurpose:
- Route filtering (applied to the routing table)
- Dial-on-demand routing
- Queue lists for priority and custom queuing

6 Configuring IP Standard Access Lists

7 IP Standard Access Lists Overview
- Use the source address only
- Access list range: 1 to 99
(Figure: a packet from source address 172.16.5.17, on network 172.16.5.0, to destination address 10.0.0.3 crosses a router; only the source address is inspected.)

8 Inbound Access List Processing for Standard IP Access Lists
(Flowchart) A packet arrives on the interface. Is an access list applied inbound? If not, the packet is routed to the outbound interface. Otherwise the packet's source address is compared with the next entry in the list. On a match, that entry's condition is applied: permit routes the packet to the outbound interface, deny discards it and sends an ICMP message. On no match, if more entries remain the next one is tried; when the list is exhausted the implicit deny applies and the packet is discarded with an ICMP message.

9 Outbound Access List Processing for Standard IP Access Lists
(Flowchart) The packet is first routed to the outbound interface. Is an access list applied outbound on that interface? If not, the packet is forwarded. Otherwise the source address is compared with each entry in turn: a matching permit forwards the packet, a matching deny discards it and sends an ICMP message, and running out of entries means the implicit deny: discard with an ICMP message.

10 IP Addressing Review

Class   High-order bits   First octet   Standard mask
A       0                 1-126         255.0.0.0
B       10                128-191       255.255.0.0
C       110               192-223       255.255.255.0

Subnet masks by number of subnet bits borrowed:

Class B subnets               Class C subnets
bits   mask                   bits   mask
0      255.255.0.0
1      255.255.128.0
2      255.255.192.0
3      255.255.224.0
4      255.255.240.0
5      255.255.248.0
6      255.255.252.0
7      255.255.254.0
8      255.255.255.0          0      255.255.255.0
9      255.255.255.128        1      255.255.255.128
10     255.255.255.192        2      255.255.255.192
11     255.255.255.224        3      255.255.255.224
12     255.255.255.240        4      255.255.255.240
13     255.255.255.248        5      255.255.255.248
14     255.255.255.252        6      255.255.255.252
15     255.255.255.254        7      255.255.255.254

11 Access Lists Use Wildcard Masks

Address           Mask              Matches
0.0.0.0           255.255.255.255   any address
131.108.0.0       0.0.255.255       network 131.108.0.0
131.104.7.11      0.0.0.0           exactly host 131.104.7.11
255.255.255.255   0.0.0.0           local broadcast
131.111.8.0       0.0.7.255         only subnet 131.111.8.0 *

0 bit = the corresponding bit in the address must match
1 bit = unconditional match ("don't care") for that bit
* Assuming a subnet mask of 255.255.248.0; the wildcard is the bitwise inverse of the subnet mask

12 Access List Configuration Tasks
To create an access list, perform the following tasks:
- Define an access list
- Apply the list to an interface

13 Standard Access List Commands

Router(config)# access-list access-list-number {permit | deny} {source [source-wildcard] | any}
Defines a standard access list (numbered 1-99)

Router(config-if)# ip access-group access-list-number {in | out}
Applies an access list to a specific interface, in the given direction

14 Implicit Masks (for standard IP access lists)

access-list 1 permit 131.108.5.17                 Correct: an omitted mask is assumed to be 0.0.0.0, so this matches exactly that host
!
access-list 1 permit 0.0.0.0                      Common error: matches only the host 0.0.0.0, not "any"
access-list 1 permit 131.108.0.0                  Common error: matches only the host 131.108.0.0, not network 131.108.0.0 (wildcard 0.0.255.255 omitted)
access-list 1 deny any                            Not needed: the list already ends with an implicit deny any
access-list 1 deny 0.0.0.0 255.255.255.255        Not needed: same as the line above

15 Configuration Principles
- Top-down processing: place more specific references first
- Implicit deny any at the end, unless the access list ends with an explicit permit any
- New lines are added to the end of a numbered list; lines cannot be selectively added or removed (on IOS releases without access-list sequence numbers, remove and re-enter the whole list to change it)
- An undefined access list referenced by ip access-group means permit any; the implicit deny any only takes effect once the list has at least one line, so create the list before relying on it

16 Standard Access List Example

Router(config)# access-list 2 permit 36.48.0.3
Router(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Router(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Router(config)# ! (Note: all other access implicitly denied)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 2 in

(Figure: router A's interface E0 faces networks 36.48.0.0 (containing host 36.48.0.3) and 36.51.0.0, both within 36.0.0.0; routers B, C and D and the Internet lie beyond.)

Who can connect to A? Working the list top-down: host 36.48.0.3 is permitted by the first line; every other host in 36.48.0.0 is denied by the second; all other hosts in 36.0.0.0 (for example on 36.51.0.0) are permitted by the third; everything else, including the Internet, hits the implicit deny. Order matters: if the deny for 36.48.0.0 came first, the permit for 36.48.0.3 would never be reached.
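The evaluation the slides describe, as an added illustration that is not code from the original presentation: a small Python model of numbered standard access lists with Cisco wildcard-mask semantics. It parses the "access-list N {permit|deny} source [wildcard]" syntax shown above, treats an omitted wildcard as 0.0.0.0 (exact host) the way IOS does, and evaluates a source address top-down with the implicit deny at the end. The sample configuration is constructed from access-list 2 above plus the two "common error" lines from the implicit-mask slide; the host addresses tested are assumptions.

```python
"""Standard IP access-list evaluation with Cisco wildcard-mask semantics.

Added illustration, not code from the original slides. An omitted wildcard is
0.0.0.0 (exact host); entries are evaluated top-down; no match = implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard mask: 0 bit = must match, 1 bit = don't care.
    The bits to compare are those under the inverted wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(candidate) & care)


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    address: str
    wildcard: str   # "0.0.0.0" when omitted from the command


def parse_standard_acls(config: str) -> Dict[int, List[Entry]]:
    """Collect numbered standard lists from IOS-style config lines."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        if tok[3] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            address, wildcard = tok[4], "0.0.0.0"
        else:
            address = tok[3]
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"  # implicit host mask
        acls.setdefault(number, []).append(Entry(action, address, wildcard))
    return acls


def evaluate(acl: Optional[List[Entry]], source: str) -> str:
    """First matching entry wins; no match = implicit deny.
    A list that is applied but never defined (None) permits everything."""
    if acl is None:
        return "permit"
    for entry in acl:
        if wildcard_match(entry.address, entry.wildcard, source):
            return entry.action
    return "deny"


# Constructed sample: access-list 2 from the slide, plus the two "common error"
# lines from the implicit-mask slide written as a separate list 1.
SAMPLE_CONFIG = """
access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
access-list 1 permit 0.0.0.0
access-list 1 permit 131.108.0.0
"""
ACLS = parse_standard_acls(SAMPLE_CONFIG)


def who_can_connect(sources: List[str]) -> Dict[str, str]:
    """Answer 'who can connect to A?' for a few candidate source hosts."""
    return {src: evaluate(ACLS[2], src) for src in sources}


if __name__ == "__main__":
    # Assumed candidate hosts: the permitted host, another host on 36.48.0.0,
    # a host on 36.51.0.0 and an Internet address.
    for src, verdict in who_can_connect(
            ["36.48.0.3", "36.48.0.9", "36.51.0.7", "203.0.113.9"]).items():
        print(f"{src:>14}: {verdict}")
    # The "common error" list permits only two exact hosts, not "any" or the network:
    print("131.108.5.17 via list 1:", evaluate(ACLS[1], "131.108.5.17"))
```

Running it shows list 2 admitting 36.48.0.3 and 36.51.0.7 but denying 36.48.0.9 and the Internet host, and list 1 denying 131.108.5.17 because "permit 131.108.0.0" without a wildcard matches one host, not the network.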

17 Location of Standard Access Lists

access-list 3 deny 10.3.0.1
access-list 3 permit any

(Figure: hosts V, W, X, Y and Z connected through routers A, B, C and D; host Z is 10.3.0.1; the same two-line list is shown as a candidate on router A's E0 and on router D's E1.)

On which router should the access list be configured to deny host Z access to host V? How does the location of a standard access list change the policy implemented? Because a standard list filters on source address only, wherever it is placed it blocks Z from everything reachable beyond that point, not just from V. Place it as close to the destination (V) as possible; placing it near Z would cut Z off from the whole network.

18 Virtual Terminal Access Overview
- Standard and extended access lists applied to interfaces will not block access from the router itself
- For security, virtual terminal (vty) access can be blocked to or from the router with an access class on the vty lines

19 Restricting Virtual Terminal Access

20 How to Control vty Access
- Five virtual terminal lines (0-4) by default
- Set identical restrictions on all the virtual terminal lines: a session may land on any free line, so one unrestricted line bypasses the restriction
(Figure: the router's physical port E0 and virtual ports vty 0 through 4.)
Check the number of vty lines actually present with show line; many IOS releases have more than five (for example vty 0 15), and the access class must cover every one of them.

21 Virtual Terminal Line Commands
Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list.

Router(config)# line {vty number | vty-range}
Enters configuration mode for a terminal line or a range of lines

Router(config-line)# access-class access-list-number {in | out}
Applies a standard access list to the line(s): in restricts which source addresses may connect to the vty; out restricts which destinations a user on the vty may open connections to

22 Virtual Terminal Access Example 1: Controlling Inbound Access
Permits only hosts in network 192.89.55.0 to connect to the virtual terminal ports on the router:

access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
 access-class 12 in

23 Virtual Terminal Access Example 2: Controlling Outbound Access
Permits terminal line connections from the router only to network 36.0.0.0:

access-list 13 permit 36.0.0.0 0.255.255.255
!
line vty 0 4
 access-class 13 out

24 IP Extended Access List Overview
Control traffic by application, not just by address.
(Figure: Manufacturing, Accounting and Sales segments behind a router connected to the Internet, with SMTP, FTP and Telnet flows shown.)

25 Configuring IP Extended Access Lists

26 Extended Access List Processing
(Flowchart) For each entry in the list the packet is checked in turn against the source address, the destination address, the protocol and the protocol options (each only if present in the entry). If every present criterion matches, that entry's condition is applied: permit forwards the packet, deny discards it and sends an ICMP message. If any criterion does not match, the next entry is tried; when no entry matches, the implicit deny discards the packet.

27 Extended IP Access List Command

Router(config)# access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any} [protocol-specific options] {destination destination-wildcard | any} [protocol-specific options]

Defines an extended access list (numbered 100 to 199). The protocol keywords icmp, igmp, tcp and udp select an alternate syntax with protocol-specific options (ports, TCP flags, ICMP message types).

28 Extended Mask Keywords
The keyword any can be used in place of the address 0.0.0.0 with mask 255.255.255.255:

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
! (alternate configuration)
access-list 101 permit ip any any

The keyword host preceding an IP address can be used in place of the mask 0.0.0.0:

access-list 101 permit ip 0.0.0.0 255.255.255.255 131.108.5.17 0.0.0.0
! (alternate configuration)
access-list 101 permit ip any host 131.108.5.17

29 ICMP Command Syntax
Filters based on ICMP messages:

Router(config)# access-list access-list-number {permit | deny} icmp {source source-wildcard | any} {destination destination-wildcard | any} [icmp-type [icmp-code] | icmp-message]

30 TCP Syntax
Filters based on the TCP port number or name:

Router(config)# access-list access-list-number {permit | deny} tcp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port] [established]

The operator is typically eq, lt, gt, neq or range. The established keyword matches segments that have the ACK or RST bit set, which is how the router recognises the reply half of a session opened from the other side.

31 UDP Syntax
Filters based on the UDP protocol or the UDP port number or name:

Router(config)# access-list access-list-number {permit | deny} udp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port]

32 Extended Access List Example 1: Providing Internet Mail

access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 103 permit tcp any host 128.88.1.2 eq smtp
!
interface ethernet 1
 ip access-group 103 in

(Figure: router A, interface E1 toward the Internet; mail host 128.88.1.2 and internal network 128.88.3.0 behind it.)

The first line admits return traffic for TCP sessions opened from inside; the second admits new SMTP connections only to the mail host. Caveat: established is not stateful. It tests only whether the ACK or RST bit is set, so a crafted segment carrying ACK passes the first line to any internal host and port, which is exactly what an ACK scan relies on. Where that matters, use a stateful mechanism (reflexive access lists or a stateful firewall) rather than established alone.

33 Extended Access List Example 2: Also Providing DNS and Ping

access-list 104 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 104 permit tcp any host 128.88.1.2 eq smtp
access-list 104 permit tcp any any eq domain
access-list 104 permit udp any any eq domain
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface serial 0
 ip access-group 104 in

(Figure: routers A and B; the list is applied inbound on the serial interface S0 facing the Internet; mail host 128.88.1.2 and internal network 128.88.3.0 behind it, with interfaces E0 and E1.)

Note how broad the additions are: DNS is permitted to any internal address, not only the name server, and permitting echo from any source lets the whole address space be ping-swept from the Internet. Narrow the destinations to the hosts that must answer.
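The extended-list processing of the two examples above, as an added illustration that is not code from the original presentation: a Python model of the extended syntax (only the eq operator and the ICMP message names the slides use are modelled) that evaluates access-list 104 top-down with the implicit deny. It makes the established caveat concrete: a Telnet SYN from the Internet to an internal host is denied, but the same packet with only the ACK bit set is permitted by the first line, because established checks flags, not connection state. The Internet source address and internal hosts used as test packets are constructed assumptions.

```python
"""Extended IP access-list evaluation, including the established keyword.

Added illustration, not code from the original slides. Models access-list 104
above; established is a flag test (ACK or RST set), not a state check.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PORT_NAMES = {"smtp": 25, "domain": 53}      # names the sample list uses
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    care = ~to_int(wildcard) & 0xFFFFFFFF     # 0 bits in the wildcard must match
    return (to_int(address) & care) == (to_int(candidate) & care)


@dataclass
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: int = -1


@dataclass
class Rule:
    action: str
    proto: str                            # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[int] = None


def _addr(tok: List[str], i: int):
    """Consume one address spec (any | host A | A WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def _port(name: str) -> int:
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_extended_acls(config: str) -> Dict[int, List[Rule]]:
    acls: Dict[int, List[Rule]] = {}
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, src_wc, i = _addr(tok, 4)
        sport = None
        if i < len(tok) and tok[i] == "eq":       # optional source-port operator
            sport, i = _port(tok[i + 1]), i + 2
        dst, dst_wc, i = _addr(tok, i)
        rule = Rule(action, proto, src, src_wc, dst, dst_wc, sport=sport)
        while i < len(tok):                       # destination port and options
            if tok[i] == "eq":
                rule.dport, i = _port(tok[i + 1]), i + 2
            elif tok[i] == "established":
                rule.established, i = True, i + 1
            elif tok[i] in ICMP_TYPES:
                rule.icmp_type, i = ICMP_TYPES[tok[i]], i + 1
            else:
                raise ValueError(f"unsupported option {tok[i]!r} in: {line}")
        acls.setdefault(number, []).append(rule)
    return acls


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (wildcard_match(r.src, r.src_wc, p.src) and wildcard_match(r.dst, r.dst_wc, p.dst)):
        return False
    if r.sport is not None and p.sport != r.sport:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.established and not (p.flags & {"ACK", "RST"}):   # flag check only, no state
        return False
    if r.icmp_type is not None and p.icmp_type != r.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    for r in acl:
        if rule_matches(r, p):
            return r.action
    return "deny"                                  # implicit deny


# Constructed sample: access-list 104 from the slide.
ACL104 = parse_extended_acls("""
access-list 104 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 104 permit tcp any host 128.88.1.2 eq smtp
access-list 104 permit tcp any any eq domain
access-list 104 permit udp any any eq domain
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
""")[104]

# Assumed packets: a Telnet connection attempt from the Internet (SYN only) and
# the same packet with only ACK set, as a scanner or attacker can craft it.
TELNET_SYN = Packet("tcp", "203.0.113.5", "128.88.3.10", 40000, 23, frozenset({"SYN"}))
TELNET_ACK = Packet("tcp", "203.0.113.5", "128.88.3.10", 40000, 23, frozenset({"ACK"}))

if __name__ == "__main__":
    print("SYN to telnet:", evaluate(ACL104, TELNET_SYN))
    print("ACK to telnet:", evaluate(ACL104, TELNET_ACK))
```

The SYN is denied and the ACK-only segment is permitted; the internal host will answer the unsolicited ACK with a RST, which is enough for a scanner to learn that the host exists behind the list.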

34 Location of Extended Access Lists
- Minimize the distance travelled by traffic that will be denied (and by the resulting ICMP unreachable messages)
- Keep denied traffic off the backbone
- Select which router receives the CPU overhead from access lists
- Consider the number of interfaces affected
- Consider access list management and security
- Consider the impact of network growth on access list maintenance

35 Verifying Access List Configuration

36 Access List show Commands

Router# show access-lists
Displays access lists from all protocols

Router# show ip access-lists [access-list-number]
Displays a specific IP access list, or all of them

Router# clear access-list counters [access-list-number]
Clears the per-entry packet counts

Router# show line
Displays line configuration, including which vty lines exist and the access classes applied to them

37 show ip access-lists Command

Router# show ip access-lists
Extended IP access list 101
    deny udp any any eq ntp
    permit tcp any any
    permit udp any any eq tftp
    permit icmp any any
    permit udp any any eq domain
Router#

38 Using an Alternative to Access Lists

39 Null Interface
A route to nowhere saves valuable CPU cycles: instead of evaluating every packet against a long access list (permit 1.0.0.0 ..., deny 2.0.0.0 ..., permit 3.0.0.0 ..., deny 4.0.0.0 ..., permit 5.0.0.0 ...), a static route sends packets for the unwanted destination to the null 0 interface, where they are discarded.
(Figure: an arriving packet is either checked against the access list or looked up in the routing table, which points at S0, E0, T0, S1 or Null 0.)

40 Null Interface Command

Router(config)# ip route address mask null 0
Creates a static route that discards traffic to the destination; the interface name is always null 0.

Two caveats: a null route filters on destination only (no source, protocol or port), and by default the router answers each discarded packet with an ICMP unreachable. Configure no ip unreachables under interface null 0 to avoid that processing and to stop advertising the filter.

41 Null Interface Example

ip route 201.222.5.0 255.255.255.0 null 0

Eliminates traffic for 201.222.5.0 from the WAN.
(Figure: networks 131.108.1.0, 131.108.4.0, 131.108.5.0 and 131.108.7.0 joined by a WAN link between 131.108.6.1 and 131.108.6.2; destination network 201.222.5.0.)

42 Using Helper Addresses

43 Helper Addressing Overview
- Routers do not forward broadcasts by default
- A helper address provides selective connectivity
(Figure: a diskless workstation on one segment and a boot server on another, separated by a router.)

44 Why Use a Helper Address?
- Sometimes clients do not know the server address
- Helpers change the broadcast to a unicast so that it reaches the server
(Figure: the diskless workstation broadcasts "looking for boot server"; the router relays it to the boot server.)

45 IP Helper Address Commands

Router(config-if)# ip helper-address address
Enables forwarding and specifies the destination address for UDP broadcast packets received on the interface; changes the destination address from broadcast to unicast or to a directed broadcast address

Router(config)# ip forward-protocol {udp [port] | nd | sdns}
Specifies which protocols (and UDP ports) will be forwarded

46 Single Server - Remote Medium: Forwarding Default UDP Broadcasts
(Figure: diskless workstation 144.253.1.1 on E0, boot server 144.253.2.2 on a remote medium.)

interface ethernet 0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.2

47 Single Server - Remote Medium: Forwarding Default and Other Broadcasts
(Figure: diskless workstation 144.253.1.1 sends a BOOTP broadcast on E0; boot server 144.253.2.2 on a remote medium.)

interface ethernet 0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.2
ip forward-protocol udp 3000
no ip forward-protocol udp 69

The two global commands adjust the set of forwarded UDP ports: port 3000 is added, and TFTP (69), which is forwarded by default, is removed so TFTP broadcasts stay on the local segment.

48 Server Location
Three cases to consider:
- Single server, remote medium
- Multiple servers, remote medium
- Multiple servers, remote media

49 Single Server - Remote Medium: Directed Broadcast into Subnet
(Figure: BOOTP server 144.253.2.2 and DNS server 144.253.2.1 on subnet 144.253.2.0; the broadcast received on E0 is forwarded as a directed broadcast to 144.253.2.255.)

interface ethernet 0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.255

The helper address here is the broadcast address of the server subnet, so one forwarded copy reaches every server on it. This works only if the router attached to 144.253.2.0 has ip directed-broadcast enabled on that interface; it is disabled by default since IOS 12.0 because directed broadcasts are the amplifier in smurf-style attacks. Prefer unicast helper addresses where you can.

50 Multiple Server - Remote Medium: Directed Broadcast and Unicast
(Figure: BOOTP server 144.253.2.2 and DNS server 144.253.2.1 on subnet 144.253.2.0, reached by a directed broadcast to 144.253.2.255; FTP server 144.253.3.2 reached by unicast.)

interface ethernet 0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.255
 ip helper-address 144.253.3.2
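The forwarding decision behind the helper-address slides, as an added illustration that is not code from the original presentation: a Python model of what the router does with a UDP broadcast arriving on an interface that has ip helper-address configured. It forwards only when the destination is a broadcast and the UDP port is in the forward-protocol set, then re-addresses one copy to each helper; ip forward-protocol udp and its no form add to and remove from that set. The default port set is the one Cisco's IOS documentation lists (an assumption to verify on your release), and the deliverable() check models the far-end router's ip directed-broadcast setting for helpers that are subnet broadcast addresses. Interface E0 and the helpers follow the slides' addressing; the foreign port 161 and the remote-subnet table are constructed.

```python
"""ip helper-address forwarding decision, modelled in Python.

Added illustration, not code from the original slides.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Cisco's documented default forwarded UDP ports: Time (37), IEN-116 name
# service (42), TACACS (49), DNS (53), BOOTP/DHCP (67, 68), TFTP (69),
# NetBIOS name and datagram services (137, 138). Assumption: verify on your release.
DEFAULT_FORWARDED_UDP = frozenset({37, 42, 49, 53, 67, 68, 69, 137, 138})
LIMITED_BROADCAST = "255.255.255.255"


@dataclass
class Interface:
    address: str
    mask: str
    helpers: List[str] = field(default_factory=list)   # ip helper-address lines

    def subnet_broadcast(self) -> str:
        net = ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)
        return str(net.broadcast_address)


class HelperForwarder:
    """Global ip forward-protocol state plus the per-interface decision."""

    def __init__(self) -> None:
        self.ports = set(DEFAULT_FORWARDED_UDP)

    def forward_protocol_udp(self, port: int) -> None:      # ip forward-protocol udp N
        self.ports.add(port)

    def no_forward_protocol_udp(self, port: int) -> None:   # no ip forward-protocol udp N
        self.ports.discard(port)

    def forward(self, ifc: Interface, dst: str, dport: int) -> List[Tuple[str, int]]:
        """Return the (new destination, port) copies, or [] if the packet is not relayed."""
        if dst not in (LIMITED_BROADCAST, ifc.subnet_broadcast()):
            return []          # unicast: normal routing, helper not involved
        if dport not in self.ports:
            return []          # broadcast stays on the local segment
        return [(helper, dport) for helper in ifc.helpers]


def deliverable(helper: str, remote_nets: Dict[str, bool]) -> bool:
    """A unicast helper is always deliverable. A helper that is a remote subnet's
    broadcast address arrives there as a directed broadcast, which the last-hop
    router drops unless ip directed-broadcast is enabled on that interface
    (off by default since IOS 12.0). remote_nets maps "network/prefix" to that flag."""
    addr = ipaddress.IPv4Address(helper)
    for net, allowed in remote_nets.items():
        if addr == ipaddress.IPv4Network(net).broadcast_address:
            return allowed
    return True


# Constructed sample matching the slides' addressing.
E0 = Interface("144.253.1.100", "255.255.255.0", ["144.253.2.255", "144.253.3.2"])
FWD = HelperForwarder()
FWD.forward_protocol_udp(3000)     # custom application port, as on the slide
FWD.no_forward_protocol_udp(69)    # stop relaying TFTP broadcasts

if __name__ == "__main__":
    for port in (67, 69, 3000, 161):   # BOOTP, TFTP, custom, SNMP (assumed probe)
        print(port, FWD.forward(E0, LIMITED_BROADCAST, port))
    print("directed broadcast to 144.253.2.255 delivered with default far-end config:",
          deliverable("144.253.2.255", {"144.253.2.0/24": False}))
```

BOOTP and port 3000 broadcasts are relayed to both helpers, TFTP and SNMP are not, and the directed-broadcast helper is only useful if the far-end router has been explicitly told to accept directed broadcasts.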

51 Summary
You can manage IP traffic by:
- Controlling packet transmission on each medium with access lists
- Using a static route to the null interface in place of an access list to minimize processing overhead
- Configuring helper addresses to forward broadcasts
Standard access lists are easy to configure and require lower processing overhead; extended access lists provide greater control.

