Friday, February 3, 2012

Verifying ACLs

Verifying ACLs 
11.1.5
The show ip interface command displays IP interface information and indicates whether any ACLs are assigned to the interface. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also reveal the access lists on a router and the interface assignment information.
These show commands will verify the list contents and placement. It is also a good practice to test the access lists with sample traffic to ensure that the access list logic is correct.
In the Lab Activity, students will use show commands to verify ACLs on a router.
This page concludes this lesson. The next lesson will provide more information about ACLs. The first page will describe standard ACLs.
Posted by at No comments:

The function of a wildcard mask

The function of a wildcard mask
11.1.4
This page will explain what a wildcard mask is and how it is used. A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. The term wildcard mask represents the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.
The subnet mask and the wildcard mask represent two different things when they are compared to an IP address. Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.
The mask in Figure would be written as 0.0.255.255. A zero indicates a value that will be checked. The Xs, or ones, are used to block values.  In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is used to compare and see if a packet should be processed by this ACL statement, or sent to the next statement to be checked. The second part of the ACL process is that any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. The result of the IP address and the wildcard mask must equal the match value of the ACL. This process is illustrated in the animation in Figure . There are two special keywords that are used in ACLs, the any and host options. The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against. The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address. The next page will teach students how to verify ACLs.
Posted by at No comments:

The function of a wildcard mask


The function of a wildcard mask
11.1.4
This page will explain what a wildcard mask is and how it is used. A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. The term wildcard mask represents the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.
The subnet mask and the wildcard mask represent two different things when they are compared to an IP address. Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.
The mask in Figure would be written as 0.0.255.255. A zero indicates a value that will be checked. The Xs, or ones, are used to block values.  In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is used to compare and see if a packet should be processed by this ACL statement, or sent to the next statement to be checked. The second part of the ACL process is that any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. The result of the IP address and the wildcard mask must equal the match value of the ACL. This process is illustrated in the animation in Figure . There are two special keywords that are used in ACLs, the any and host options. The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against. The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address. The next page will teach students how to verify ACLs.
Posted by at No comments:

Wednesday, November 16, 2011

Creating ACLs

Creating ACLs
11.1.3 This page will explain how ACLs are created in global configuration mode. There are many types of ACLs. This lesson explains standard ACLs, extended ACLs, and named ACLs. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list. 
After the proper command mode is entered and the list type number is decided upon, the user enters the access list statements using the keyword access-list, followed by the proper parameters. After the proper command mode is entered and the list type number is set, the user enters the access list statements with the access-list command followed by the proper parameters. This is the first of the two-step process. The second step of the process is assigning the ACL to the proper interface. 
In TCP/IP, ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic by using the ip access-group command in interface configuration mode. The access-group command is issued in the interface configuration mode. When an ACL is assigned to an interface, inbound or outbound placement should be specified. The filter direction can be set to check packets that travel into or out of an interface. To determine if an ACL controls inbound or outbound traffic, the network administrator must view the interfaces as if looking at them from inside the router. This is a very important concept. Traffic that travels into an interface is filtered by the inbound access list. Traffic going out of an interface is filtered by the outbound access list. After a numbered ACL is created, it must be assigned to an interface. An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated. 
Use the following rules to create and apply access lists:
  • There should be one access list per protocol per direction.
  • Standard access lists should be applied closest to the destination.
  • Extended access lists should be applied closest to the source.
  • The inbound or outbound interface should be referenced as if looking at the port from inside the router.
  • Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found then the packet is denied, and discarded.
  • There is an implicit deny any at the end of all access lists. This will not appear in the configuration listing.
  • Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
  • The match condition is examined first. The permit or deny is examined only if the match is true.
  • Never work with an access list that is actively applied.
  • A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
  • New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs
  • An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
  • An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
  • Outbound filters do not affect traffic that originates from the local router.
The Lab Activity will help students become more familiar with the syntax that is used to create an ACL.
The next page will discuss wildcard masks.
Posted by at No comments:
Subscribe to: Posts (Atom)