Creating ACLs 11.1.3 This page will explain how ACLs are created in global configuration mode. There are many types of ACLs. This lesson explains standard ACLs, extended ACLs, and named ACLs. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list. After the proper command mode is entered and the list type number is decided upon, the user enters the access list statements using the keyword access-list , followed by the proper parameters. After the proper command mode is entered and the list type number is set, the user enters the access list statements with the access-list command followed by the proper parameters. This is the first of the two-step process. The second step of the process is assigning the ACL to the proper interface. In TCP/IP, ACLs are assigned to one or more int...
Posts
How ACLs work 11.1.2 An ACL is made up of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. This page will explain how these statements are edited and added to an ACL. These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement. The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked. If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked. If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements. To make the process of revising an AC...
Access Control List Fundamentals Introduction to ACLs 11.1.1 This page will explain what ACLs are and how they are used. ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network. ACLs can be created for all routed network protocols such as IP and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet. To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces. The router examines each packet and will forward or discard it based on the conditions specified in the ACL. An ACL makes routing decisions based on source address, destination address, protocols, and upper-layer port numbers. ACLs must be defined on a per prot...
Overview Network administrators must be able to deny unwanted access to a network and allow authorized users to access necessary services. Security tools such as passwords, callback equipment, and physical security devices are helpful. However, they often lack the flexibility of basic traffic filters and the specific controls that most administrators prefer. For example, a network administrator may want to allow users access to the Internet, but not permit external users Telnet access into the LAN. Routers provide the capability to filter traffic, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. This module will introduce standard and extended ACLs as a way to control network traffic and explain how they are used as part of a security solution. This module includes tips, considerations, recommendations, and general guidelines on how to use ACLs. It also includ...
Summary This page summarizes the topics discussed in this module. The transport layer of the OSI model is responsible for the reliable transport and regulation of data flow from a source to a destination. TCP makes sure that each host on the network is ready and willing to communicate. A three-way handshake is a process that ensures that each side is ready for data transmission and allows each device to determine the initial sequence number. A three-way handshake starts with a host initiating a connection. The other host receives a packet, records a sequence number and then replies with an ACK. The initiating host then responds back and finalizes the connection. DoS attacks are designed to deny services to legitimate hosts that attempt to establish connections. It is used by hackers to halt system response. SYN flooding is one type of DoS attack. It exploits the normal three-way handshake...
Comparison of MAC addresses, IP addresses, and port numbers 10.2.6 This page will describe the three types of addresses in reference to the OSI model. Port numbers are located at the transport layer and are serviced by the network layer. The network layer assigns the logical address, or IP address, and is then serviced by the data link layer, which assigns the physical address, or MAC address. A good analogy can be made with a normal letter. The address on a letter consists of a name, street, city, and state. These can be compared to the port, MAC, and IP address used for network data. The name on the envelope would be equivalent to a port number, the street address is the MAC, and the city and state is the IP address. Multiple letters can be mailed to the same street address, city and state, but contain different names on the letters. For instance, two letters could be mailed to the same house with one addressed to “ John Doe ” and the other to “ Jane Doe ” . This is an...
Port numbering and well-known port numbers 10.2.4 This page will discuss the three categories of port numbers. Port numbers are represented by 2 bytes in the header of a TCP or UDP segment. This 16-bit value can result in port numbers ranging from 0 to 65535. The three categories of port numbers are well-known ports, registered ports, and dynamic or private ports. The first 1023 ports are well-known ports. These ports are used for well-known network services such as FTP, Telnet, or DNS. Registered ports range from 1024 to 49151. Ports between 49152 and 65535 are defined as dynamic or private ports. The Interactive Media Activity will help students become more familiar with port numbers. The next page will give an example of multiple sessions. Example of multiple sessions between hosts 10.2.5 This page will explain how port numbers are used to track multiple sessions that can occur between hosts. The source and destination port numbers combine with the network ad...
Ports for clients 10.2.3 This page will discuss source ports, which are set by clients. Whenever a client connects to a service on a server, a source and destination port must be specified. TCP and UDP segments contain fields for source and destination ports. Destination ports, or ports for services, are normally defined using the well-known ports. Source ports set by the client are determined dynamically. In general, a client determines the source port by randomly assigning a number above 1023. For example, a client that attempts to communicate with a Web server will use TCP and assign the destination port as 80 and the source port as 1045. When the packet arrives at the server, it moves up to the transport layer and eventually to the HTTP service, which operates at port 80. The HTTP server responds to the clients request with a segment that uses port 80 as the source and 1045 as the destination. Clients and servers use ports to distinguish which process each segment is associated ...
Ports for services 10.2.2 Services running on hosts must have a port number assigned to them so communication can occur. A remote host attempting to connect to a service expects that service to use specific transport layer protocols and ports. Some ports, which are defined in RFC 1700, are known as the well-known ports. These ports are reserved in both TCP and UDP. These well-known ports define applications that run above the transport layer protocols. For example, a server that runs FTP will use ports 20 and 21 to forward TCP connections from clients to its FTP application. This allows the server to determine which service a client requests. TCP and UDP use port numbers to determine the correct service to which requests are forwarded. The next page will discuss ports in greater detail.
Multiple conversations between hosts 10.2.1 At any given moment, thousands of packets that provide hundreds of different services travel through a modern network. Many servers use a multitude of services and this causes unique problems for the addressing of packets. If a server is running both SMTP and HTTP, it uses the destination port field to determine what service the source is requesting. The source cannot construct a packet destined for just the server IP address because the destination would not know what service was being requested. A port number must be associated with the conversation between hosts to ensure that the packet reaches the appropriate service on the server. If a server could not distinguish between different conversations, a client could not send an e-mail and browse a Web page at the same time. A method for transport layer conversations to be separated must be used. Hosts running TCP/IP associate ports at the transport layer with certain applications. Por...
UDP operation 10.1.7 This page will explain the similarities and differences between TCP and UDP. The TCP/IP protocol stack contains many different protocols, each designed to perform a certain task. IP provides Layer 3 connectionless transport through an internetwork. TCP enables connection-oriented, reliable transmission of packets at Layer 4 of the OSI model. UDP provides connectionless, unreliable transmission of packets at Layer 4 of the OSI model. Both TCP and UDP use IP as their Layer 3 protocol. In addition, TCP and UDP are used by various application layer protocols. TCP provides services for applications such as FTP, HTTP, SMTP, and DNS. UDP is the transport layer protocol used by DNS, TFTP, SNMP, and DHCP. TCP must be used when applications need to guarantee that a packet arrives intact, in sequence, and unduplicated. The overhead necessary to ensure delivery of a packet is sometimes a problem with TCP. Not all applications need to guarantee delivery of the data...
Positive acknowledgments 10.1.6 Acknowledgment is a common step in the synchronization process, which includes sliding windows and data sequencing. In a TCP segment, the sequence number field is followed by the Acknowledgment Number field. This field is where tracking of transmitted and received bytes are indicated. One problem with the IP protocol is that there is no verification method to determine if data segments reach their destination. So data segments may be constantly forwarded with no knowledge as to whether or not they were actually received. TCP uses positive acknowledgment and retransmission (PAR) to control data flow and confirm data delivery. Many protocols use PAR to provide reliability. With PAR, the source sends a packet, starts a timer, and waits for an acknowledgment before it sends the next packet in the session. If the timer expires before the source receives an acknowledgment, the source retransmits the packet and resets the timer. The acknowledgment is prov...
Sequencing numbers 10.1.5 TCP breaks data into segments. After the synchronization process occurs and the window size has been established, the data segments are transported from the sender to the receiver. The data segments must be reassembled after all the data is received. There is no guarantee that the data will arrive in the order it was transmitted. TCP applies sequence numbers to the data segments that are transmitted so that the receiver can reassemble the bytes in their original order. This way, if TCP segments arrive out of order, the segments will still be assembled correctly. These sequencing numbers also act as reference numbers so that the receiver will know if it has received all of the data. They also identify the missing data pieces to the sender so it can retransmit the missing data. This offers increased efficiency since the sender only needs to resend the missing segments instead of the entire set of data. Each TCP segment is numbered before transmission...
Windowing and window size 10.1.4 The amount of data that needs to be transmitted is often too large to be sent in a single data segment. In this case, the data must be broken into smaller pieces to allow for proper data transmission. TCP is responsible for breaking data into segments. This can be compared to the way that small children are fed. Their food is cut into smaller pieces that their mouths can accommodate. Additionally, a device may not be able to receive data as quickly as the source can send it. The device may be busy with other tasks or the sender may be a more robust device. Once the data is segmented, it must be transmitted to the destination device. One of the services provided by TCP is flow control, which regulates how much data is sent during a given transmission period. The process of flow control is known as windowing. Window size determines the amount of data that can be transmitted at one time before the destination responds with an acknowledgment. A...
Denial of service attacks 10.1.3 his page will teach students about denial of service (DoS) attacks. DoS attacks are designed to deny services to legitimate hosts that try to establish connections. DoS attacks are commonly used by hackers to halt system responses. One type of DoS is known as SYN flooding. SYN flooding exploits the normal three-way handshake and causes targeted devices to acknowledge to source addresses that will not complete the handshake. The three-way handshake begins when the initiating host sends a SYN packet. The SYN packet includes the source IP address and the destination IP address. This source and destination address information is used by the recipient to send the acknowledgment packet back to the initiating device. In a DoS attack, the hacker initiates a SYN but spoofs the source IP address. Spoofing is a term used when the receiving device replies to a non-existent, unreachable IP address and then is placed in a wait state until it receiv...
Synchronization or three-way handshake 10.1.2 This page will explain the synchronization process that TCP uses. The process is also called a three-way handshake. TCP is a connection-oriented protocol. Prior to data transmission, the two communicating hosts go through a synchronization process to establish a virtual connection for each session between hosts. This synchronization process ensures that both sides are ready for data transmission and allows the devices to determine the initial sequence numbers for that session. This process is known as a three-way handshake. This is a three-step process that establishes the virtual connection between the two devices. It is also important to note that the three-way handshake is initiated by a client host. To establish a TCP session, the client host will use the well-known port number of the service it wishes to contact on a server host. In step one, the initiating host (client) sends a synchronization (SYN flag set) packet to ini...
TCP Operation 10.1.1 This page will explain how the transport layer provides reliability and flow control. IP addresses allow for the routing of packets between networks. However, IP makes no guarantees about delivery. The transport layer is responsible for the reliable transport of and regulation of data flow from source to destination. This is accomplished through the use of sliding windows and sequencing numbers along with a synchronization process. This process ensures that each host is ready and willing to communicate. To understand reliability and flow control, think of a student who studies a foreign language for one year. Now imagine the student visits a country where the language is used. The student must ask people to repeat their words for reliability and to speak slowly for comprehension, which relates to the concept of flow control. The transport layer, which is Layer 4 of the OSI model, uses TCP to provide these services to Layer 5. The next page will descr...
Module 10: Intermediate TCP/IP Overview Routers use the IP address information in an IP packet header to determine the interface to which a packet should be switched based on its destination. Since IP does not ensure that the packet reaches the destination, it is described as an unreliable, connectionless protocol, that uses best-effort delivery. If packets are dropped in route, arrive in the wrong order, or are transmitted faster than the receiver can accept them, IP alone cannot correct the problem. To address these problems, IP relies on TCP. This module describes TCP and its functions and introduces UDP, another important Layer 4 protocol. Each layer within the OSI reference model has various functions. These functions are independent of the other layers. Each layer expects to receive services from the layer beneath it, and each layer provides certain services to the layer above it. The application, presentation, and session layers of the OSI model, which are all cons...
Summary The show ip route command is used to gather detailed information about the routes installed on the router. It displays the contents of the IP routing table. New routes may be added with static routing, which allows an administrator to manually define routes, or with dynamic routing, which uses the rules defined by a routing protocol to exchange information and determine the best path. Default routes are used when the router is unable to match a destination network with a more specific entry in the routing table. The router uses this default route to reach the gateway of last resort in an effort to forward the packet. The path determination function occurs at the network layer of the OSI model. It enables a router to evaluate the available paths to a destination and to establish the preferred handling of a packet. This information is configured manually or collected dynamically. The administrative distance of the route is used by the router to decide what the best path is t...
Introduction to debug 9.3.7 This page will explain the functions of the debug command. The debug commands assist in the isolation of protocol and configuration problems. The debug command is used to display dynamic data and events. Since the show commands only display static information, they provide a historical picture of the router operation. The debug command output gives more insight into the current events of the router. These events could be traffic on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data. The dynamic output of the debug command creates performance issues. This command produces high processor overhead that may disrupt normal router operation. For this reason, debug should be used conservatively. Use debug commands to examine specific types of traffic or problems after likely problems have been narrowed a few causes. The debug command should be used to isol...