
ICND2-Chapter6 Key Ideas


ICND2 Chapter 6 Summary

Router ACL Logic


The logic that IOS uses with a multiple-entry ACL can be summarized as follows:
1. The matching parameters of the access-list statement are compared to the packet.
2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.
3. If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a
match is made.
4. If no match is made with an entry in the access list, the deny action is performed.

Table 6-2 Sample Access List Wildcard Masks

Wildcard Mask     Binary Version of the Mask            Description
0.0.0.0           00000000.00000000.00000000.00000000   The entire IP address must match.
0.0.0.255         00000000.00000000.00000000.11111111   Just the first 24 bits must match.
0.0.255.255       00000000.00000000.11111111.11111111   Just the first 16 bits must match.
0.255.255.255     00000000.11111111.11111111.11111111   Just the first 8 bits must match.
255.255.255.255   11111111.11111111.11111111.11111111   Automatically considered to match any and all addresses.
0.0.15.255        00000000.00000000.00001111.11111111   Just the first 20 bits must match.
0.0.3.255         00000000.00000000.00000011.11111111   Just the first 22 bits must match.

To Match a Subnet with an ACL Wildcard


■ Use the subnet number as the address value in the access-list command.
■ Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.

ACL Wildcard Shortcut
Step 1 Use the address in the access-list command as if it were a subnet number.
Step 2 Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
Step 3 Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast
address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast
address, inclusively.
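As an added example (not code from the chapter summary or from Cisco IOS), the wildcard arithmetic of Table 6-2, the subnet-to-wildcard rule, the three-step wildcard shortcut and the four-step first-match logic above, modelled in Python. SAMPLE_ACL and every address in it are constructed.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, ace_addr, wildcard):
    """A 0 bit in the wildcard must match; a 1 bit is 'don't care' (Table 6-2)."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(ace_addr) & care)

def subnet_to_wildcard(subnet_mask):
    """Wildcard for a whole subnet = 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(subnet_mask)))

def wildcard_range(ace_addr, wildcard):
    """The ACL wildcard shortcut (Steps 1-3): subnet mask = 255.255.255.255 - wildcard,
    then the ACL matches subnet number .. broadcast address, inclusive. Assumes a
    contiguous wildcard (don't-care bits at the low end), as the shortcut itself does."""
    wc = to_int(wildcard)
    low = to_int(ace_addr) & (0xFFFFFFFF - wc)          # subnet number
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wc))

def standard_acl_action(acl, src_addr):
    """Router ACL logic Steps 1-4: sequential first-match search on the source
    address; if no statement matches, the implicit deny at the end applies."""
    for action, ace_addr, wildcard in acl:
        if wildcard_match(src_addr, ace_addr, wildcard):
            return action
    return "deny"

# Constructed sample standard ACL (not from the page): block one host, permit the rest
# of its /24. Order matters: swapping the two statements would let the host through.
SAMPLE_ACL = [
    ("deny",   "172.16.3.10", "0.0.0.0"),
    ("permit", "172.16.3.0",  "0.0.0.255"),
]
```

wildcard_range also shows what IOS does with an address that is not itself a subnet number: 172.16.5.20 with wildcard 0.0.0.255 matches 172.16.5.0 through 172.16.5.255.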

ACL Planning Steps


Step 1 Plan the location (router and interface) and direction (in or out) on that interface:
a. Standard ACLs should be placed near the destination of the packets so that they do not
unintentionally discard packets that should not be discarded.
b. Because standard ACLs can only match a packet’s source IP address, identify the source IP
addresses of packets as they go in the direction that the ACL is examining.
Step 2 Configure one or more access-list global configuration commands to create the ACL, keeping the
following in mind:
a. The list is searched sequentially, using first-match logic. In other words, when a packet matches
one of the access-list statements, the search is over, even if the packet would match subsequent
statements.
b. The default action, if a packet does not match any of the access-list commands, is to deny
(discard) the packet.
Step 3 Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group
number {in | out} interface subcommand.

Table 6-3 Standard and Extended IP Access Lists: Matching

Type of Access List                What Can Be Matched
Both standard and extended ACLs    Source IP address
                                   Portions of the source IP address using a wildcard mask
Only extended ACLs                 Destination IP address
                                   Portions of the destination IP address using a wildcard mask
                                   Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
                                   Source port
                                   Destination port
                                   All TCP flows except the first
                                   IP TOS
                                   IP precedence

ACLs and Port Numbers


■ The access-list command must use protocol keyword tcp to be able to match TCP ports and the udp
keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers.
■ The source port and destination port parameters on the access-list command are positional. In other
words, their location in the command determines if the parameter examines the source or destination port.
■ Remember that ACLs can match packets sent to a server by comparing the destination port to the
well-known port number. However, ACLs need to match the source port for packets sent by the server.
■ It is useful to memorize the most popular TCP and UDP applications, and their well-known ports, as listed
in Table 6-5, as shown later in this chapter.


Extended ACL Configuration Hints


■ Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because
extended ACLs can be configured so that they do not discard packets that should not be discarded. So
filtering close to the source of the packets saves some bandwidth.
■ All fields in one access-list command must match a packet for the packet to be considered to match that
access-list statement.
■ The extended access-list command uses numbers between 100–199 and 2000–2699, with no number
being inherently better than another.

Table 6-7 Operators Used When Matching Port Numbers

Operator in the access-list Command   Meaning
eq                                    Equal to
neq                                   Not equal to
lt                                    Less than
gt                                    Greater than
range                                 Range of port numbers
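The positional source/destination port parameters and the rule that the ip keyword cannot match ports (ACLs and Port Numbers, above), together with the Table 6-7 operators, as an added Python model that is not code from the summary or from IOS. SAMPLE_ACL and its addresses are constructed; the host and any keywords in its comment are the IOS shorthands for a 0.0.0.0 and a 255.255.255.255 wildcard.

```python
import ipaddress
# Port operators of Table 6-7; args holds the port number(s) that follow the operator.
OPERATORS = {
    "eq":    lambda port, args: port == args[0],
    "neq":   lambda port, args: port != args[0],
    "lt":    lambda port, args: port < args[0],
    "gt":    lambda port, args: port > args[0],
    "range": lambda port, args: args[0] <= port <= args[1],
}

def wildcard_match(addr, ace_addr, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # 0 bits must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ace_addr)) & care)

def port_match(cond, port):
    """cond is None when the statement has no operator, so any port matches."""
    if cond is None:
        return True
    op, args = cond
    return OPERATORS[op](port, args)

def ace_matches(ace, pkt):
    """All fields of one statement must match; the operator after the source address tests
    the source port, the one after the destination address the destination port (positional)."""
    if ace["protocol"] != "ip" and ace["protocol"] != pkt["protocol"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["protocol"] == "ip":
        return True          # the ip keyword cannot examine port numbers
    return port_match(ace.get("sport"), pkt["sport"]) and port_match(ace.get("dport"), pkt["dport"])

def extended_acl_action(acl, pkt):
    """First match wins; a packet matching no statement hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed sample (not from the page), equivalent to:
#   permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.5 eq 80    clients to the web server
#   permit tcp host 10.1.2.5 eq 80 10.1.1.0 0.0.0.255    server replies: match SOURCE port 80
#   permit udp any any range 67 68
SAMPLE_ACL = [
    {"action": "permit", "protocol": "tcp", "src": ("10.1.1.0", "0.0.0.255"), "dst": ("10.1.2.5", "0.0.0.0"), "dport": ("eq", [80])},
    {"action": "permit", "protocol": "tcp", "src": ("10.1.2.5", "0.0.0.0"), "sport": ("eq", [80]), "dst": ("10.1.1.0", "0.0.0.255")},
    {"action": "permit", "protocol": "udp", "src": ANY, "dst": ANY, "dport": ("range", [67, 68])},
]
```

A TCP segment carrying port 80 in the wrong position (source port 80 from a client, say) matches neither tcp statement and falls to the implicit deny, which is the positional point the bullets make.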

ACL Sequence Numbers


■ An individual ACL permit or deny statement can be deleted just by referencing the sequence number,
without deleting the rest of the ACL.
■ Newly added permit and deny commands can be configured with a sequence number, dictating the
location of the statement within the ACL.
■ Newly added permit and deny commands can be configured without a sequence number, with IOS
creating a sequence number and placing the command at the end of the ACL.

ACL Implementation Recommendations


■ Create your ACLs using a text editor outside the router, and copy and paste the configurations into the
router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will
still likely be an easier process.)
■ Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
■ Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard
packets that you do not want discarded when they are placed close to the source.
■ Place more-specific statements early in the ACL.
■ Disable an ACL from its interface (using the no ip access-group command) before making changes to the
ACL.


Command Reference

access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Global command for standard numbered access lists. Use a number between 1 and 99 or 1300 and 1999, inclusive.
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
    Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.
access-list access-list-number {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    A version of the access-list command with TCP-specific parameters.
access-list access-list-number remark text
    Defines a remark that helps you remember what the ACL is supposed to do.
ip access-group {number | name [in | out]}
    Interface subcommand to enable access lists.
access-class number | name [in | out]
    Line subcommand to enable either standard or extended access lists.
ip access-list {standard | extended} name
    Global command to configure a named standard or extended ACL and enter ACL configuration mode.
{deny | permit} source [source-wildcard] [log]
    ACL mode subcommand to configure the matching details and action for a standard named ACL.
{deny | permit} protocol source source-wildcard destination destination-wildcard [log]
    ACL mode subcommand to configure the matching details and action for an extended named ACL.
{deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
    ACL mode subcommand to configure the matching details and action for a named ACL that matches TCP segments.
remark text
    ACL mode subcommand to configure a description of a named ACL.
show ip interface [type number]
    Includes a reference to the access lists enabled on the interface.
show access-lists [access-list-number | access-list-name]
    Shows details of configured access lists for all protocols.
show ip access-list [access-list-number | access-list-name]
    Shows IP access lists.
