Example 15-1 Standard Access List Configuration


Lab Objectives

Note that you will not be testing the access lists because no host resides on any of the segments. Instead, you will configure, apply, and verify that the access lists are configured correctly with the appropriate show commands.

Here are the objectives:

  • For standard access lists, create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)

  • For extended access lists, create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:

    - Deny http (www) traffic from reaching R5's Token Ring network.

    - Deny SMTP traffic from reaching R3's E0 network.

    - Permit anything else.

The key terms to recognize in the lab objectives are outgoing and incoming. Remember, these keywords will affect how you build your access lists. Let's configure the standard access list first.

Configuring Standard Access Lists

To better understand what you must accomplish with the access lists, refer to the environment in Figure 15-1.

Figure 15-1. Standard Access List Scenario


From the lab objectives, you want to do the following:

Create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)

From the figure, you can see that a virtual network (192.168.12.0 /24) exists off R1; you want to keep hosts on that network segment from reaching the Frame Relay network (192.168.100.0 /24). An important issue to point out is that, because this is a standard access list, there is no way to filter on the destination address. So, when you configure the access list to filter on the source IP address of 192.168.12.0 /24, you will stop that traffic from going to the Frame Relay network, as well as all other networks behind R2's S0, the interface on which you are going to apply the access list.

Because it is an outgoing access list, you will create the access list with the source address of the network 192.168.12.0 to be denied, but you will allow all other traffic to pass. Remember, there is an implicit deny after all access lists. Create the access list on R2, as demonstrated in Example 15-1.

Example 15-1 Standard Access List Configuration
  Termserver# 2
  [Resuming connection 2 to r2 ... ]
  R2# config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  R2(config)# access-list 1 deny 192.168.12.0 0.0.0.255
  R2(config)# access-list 1 permit any
  R2(config)#

The most important aspect of the access-list command is the wildcard mask portion. This tells the router where to match and where not to. The first three zeros in the wildcard mask (0.0.0) signify that the first three numbers of the source IP address of a packet must match the first three numbers of the IP address previously configured (192.168.12). The final .255 portion of the mask signifies that any number in the source IP address field will not be looked at for a match. In other words, any packet that has a source IP address with 192.168.12 will be matched against the access list and, therefore, will be denied, regardless of the fourth number in the source IP address field of the IP packet (0 to 255). The second line of the access list simply permits all other traffic. Without that statement, all IP traffic would be blocked because of the implicit deny at the end of all access lists.

The second step in configuring the access list is to apply it to the appropriate interface. From the lab objectives, you want to apply this access list on the S0 interface of R2 and have it check outgoing packets. To apply the access list, you need to be in interface configuration mode for S0 and use the ip access-group command. Example 15-2 illustrates how to apply the access list to the interface.

Example 15-2 Applying the Access List to the Interface
  R2(config)# int s0
  R2(config-if)# ip access-group 1 out
  R2(config-if)#

This configuration applies access-list 1 to all outgoing packets on R2's S0 interface. Because you do not have any hosts off 192.168.12.0, you cannot verify that it is working properly. However, you can use some show commands to make sure that the access list has been applied correctly on the interface.

The first show command is this one:

  Router# show ip access-lists {number}

The only option is to specify the number of the access list that you want to see. If no number is specified, all access lists are shown. Example 15-3 shows sample output from this command.

Example 15-3 show ip access-list Command Output
  R2(config-if)# end
  R2# show ip access-lists
  Standard IP access list 1
      deny   192.168.12.0, wildcard bits 0.0.0.255
      permit any
  R2#

This show command reveals all the important information:

  • Whether it is a standard or an extended IP access list

  • The access list number

  • All the configured statements for that access list

You configured only one access list, so the output shows information for just access-list 1 that you configured in Example 15-1.

Another useful show command is this one:

  Router# show ip interface [interface-type] [interface-number]

The options here let you specify the interface type and number so that only that interface is shown.

Because you have only one access list configured on S0, use that as an example. Example 15-4 demonstrates this command.

Example 15-4 show ip interface s0 Command Output
  R2# show ip interface s0
  Serial0 is up, line protocol is up
    Internet address is 192.168.100.2/24
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Multicast reserved groups joined: 224.0.0.10
    Outgoing access list is 1
    Inbound  access list is not set
    Proxy ARP is enabled
    Security level is default
    Split horizon is disabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is disabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Probe proxy name replies are disabled
    Policy routing is disabled
    Network address translation is disabled
    Web Cache Redirect is disabled
    BGP Policy Mapping is disabled
  R2#

The command output contains a great deal of useful information, but the focus here is on which IP access lists are configured for this interface. The two lines "Outgoing access list is 1" and "Inbound access list is not set" tell you quickly which access list(s) have been applied and whether they are incoming or outgoing access lists.

Before moving on to configure the extended access list, take a look at the running configuration of R2 to see where the access list configuration commands are placed in the file. Example 15-5 displays the output of the running configuration file.

Example 15-5 R2's Running Config
  Termserver# r2
  Trying r2 (192.168.10.10, 2002)... Open
  R2# show running-config
  Building configuration...

  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname R2
  !
  enable password falcons
  !
  username all
  ip subnet-zero
  no ip domain-lookup
  ip host R1 192.169.1.1
  ip host R2 192.169.2.2
  ip host R3 192.169.3.3
  ip host R4 192.169.4.4
  ip host R5 192.169.5.5
  ip host R6 192.169.6.6
  ipx routing 0000.0000.2222
  !
  !
  !
  interface Loopback0
   ip address 192.169.2.2 255.255.255.0
   no ip directed-broadcast
  !
  interface Ethernet0
   ip address 192.168.1.2 255.255.255.0
   no ip directed-broadcast
   ipx network 2100
  !
  interface Ethernet1
   description This interface does not connect with another IP device
   ip address 192.168.2.2 255.255.255.0
   no ip directed-broadcast
   ipx network 2000
  !
  interface Serial0
   description This interface connects to R3's S0 (201)
   ip address 192.168.100.2 255.255.255.0
   ip access-group 1 out
   no ip directed-broadcast
   encapsulation frame-relay
   no ip mroute-cache
   ipx network 1000
   frame-relay map ip 192.168.100.3 201 broadcast
   frame-relay map ip 192.168.100.4 201 broadcast
   frame-relay map ipx 1000.0000.0000.4444 201 broadcast
   frame-relay map ipx 1000.0000.0000.3333 201 broadcast
   frame-relay lmi-type ansi
  !
  router eigrp 100
   redistribute rip metric 2000 200 255 1 1500
   network 192.168.100.0
  !
  router rip
   redistribute eigrp 100 metric 1
   network 192.168.1.0
   network 192.168.2.0
   network 192.169.2.0
  !
  ip classless
  !
  access-list 1 deny   192.168.12.0 0.0.0.255
  access-list 1 permit any
  !
  !
  !
  banner motd ^CCCC This is Router 2 ^C
  !
  line con 0
   exec-timeout 0 0
   password falcons
   logging synchronous
   transport input none
  line vty 0 4
   password falcons
   login
  !
  end
  R2#

From the running configuration, you see that the ip access-group command is located under the configuration of interface Serial0 and that the access-list definition lines are placed toward the end of the configuration file, after the routing protocol sections.

Configuring Extended Access Lists

The process of configuring extended access lists is much the same as that for standard access lists, except for the additional options to provide with the command. Figure 15-2 illustrates the environment that the access list should create.

Figure 15-2. Extended Access List Environment


From the lab objectives, you want to create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:

  • Deny http (www) traffic from reaching R5's Token Ring network.

  • Deny SMTP traffic from reaching R3's E0 network.

  • Permit anything else.

This extended access list is a little different from the standard access list. You will be filtering on the destination network address instead of the source address, and you want to filter only certain services (HTTP and SMTP), not all traffic destined to these networks. Look at each requirement for the access list individually.

The first criterion is to deny TCP HTTP traffic (port 80) from reaching the Token Ring network on R5. The network address for the network is 192.168.50.0, and the wildcard mask is 0.0.0.255 because you want to match the entire network on R5's To0. Use 101 as the access list number for the extended access list. Example 15-6 demonstrates the configuration of the first line of the access list on R3.

Example 15-6 Extended Access List Configuration
  Termserver# 3
  [Resuming connection 3 to r3 ... ]
  R3# config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  R3(config)# access-list 101 deny tcp any 192.168.50.0 0.0.0.255 eq 80
  R3(config)#

Because you are not concerned about the source IP address, you can use the any option, meaning that traffic from any source will be filtered if the destination IP address falls within the range defined by the destination address and wildcard mask. It is interesting to note that the port on the access list may be given either as the port number (80) or as the name for that port (www). With that objective criterion complete, look at the second portion of the access list requirement.

TIP

The well-known industry name for TCP port 80 is http, but Cisco has used www in the Cisco IOS Software code. As a practical tip, use the port numbers instead of well-known port names when configuring access lists, in case Cisco changes the well-known names in the IOS Software code.


The second criterion is to deny TCP SMTP traffic (port 25) from reaching R3's E0 network. The network address is 192.168.3.0, and the wildcard mask is 0.0.0.255 because you want to match against the entire network on R3's E0. To add to the access list, you only need to use the same access list number as previously used, 101. Remember to permit all other traffic! Example 15-7 shows the commands on R3.

Example 15-7 Extended Access List Configuration Completed
  R3(config)# access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 25
  R3(config)# access-list 101 permit ip any any
  R3(config)#

The final command line permits all IP traffic, coming from anyone and going to anyone. That is why you use any for both the source and the destination addresses.
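As an added illustration (not code from the book or from Cisco IOS), the following Python evaluates a packet against the exact access list lines built in Examples 15-1, 15-6 and 15-7, showing the wildcard-mask match explained for the standard list and the implicit deny at the end of both lists; the PORTS name map and the sample packet addresses are assumptions, and the interface and direction (in/out) the list is applied to are not modeled.

```python
import ipaddress
PORTS = {"www": 80, "smtp": 25}  # names the chapter mentions; assumed map
ANY = ("0.0.0.0", "255.255.255.255")  # "any": every bit is ignored

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tokens, i):
    """Parse 'any', 'host A', or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(lines):
    """Turn 'access-list N ...' lines into rules, keeping configured order."""
    rules = []
    for line in lines:
        t = line.split()
        rule = {"action": t[2], "proto": "ip", "dst": ANY, "dport": None}
        if t[3] in ("ip", "tcp", "udp", "icmp"):        # extended syntax
            rule["proto"] = t[3]
            rule["src"], i = _addr(t, 4)
            rule["dst"], i = _addr(t, i)
            if i < len(t) and t[i] == "eq":             # "eq 80" or "eq www"
                rule["dport"] = int(PORTS.get(t[i + 1], t[i + 1]))
        else:                                           # standard: source only
            rule["src"], _ = _addr(t, 3)
        rules.append(rule)
    return rules

def evaluate(rules, src, dst, proto="ip", dport=None):
    """First matching line wins; no match means the implicit deny applies."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if wildcard_match(src, *r["src"]) and wildcard_match(dst, *r["dst"]):
            return r["action"]
    return "deny"  # the implicit deny at the end of every access list

# The exact lines configured on R2 (Example 15-1) and R3 (Examples 15-6/15-7).
ACL_1 = parse_acl(["access-list 1 deny 192.168.12.0 0.0.0.255", "access-list 1 permit any"])
ACL_101 = parse_acl(["access-list 101 deny tcp any 192.168.50.0 0.0.0.255 eq 80",
                     "access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 25",
                     "access-list 101 permit ip any any"])
```

Calling evaluate(ACL_1, "192.168.12.77", "192.168.100.3") returns "deny" for any fourth octet, while a packet from 192.168.1.5 returns "permit"; against ACL_101, TCP port 25 to 192.168.3.9 is denied but the same port over UDP falls through to the final permit.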

Now that the access list is configured with the correct filtering criteria, apply it to R3's S0 interface as an incoming access list. Example 15-8 demonstrates how to do this.

Example 15-8 Applying Extended Access Lists on R3
  R3(config)# int s0
  R3(config-if)# ip access-group 101 in
  R3(config-if)#

Remember to match the ip access-group command with the correct access list number (101) that you want to apply to the interface. The in option tells the router to apply this access list to any incoming packets.

Now take a look at the interface to make sure that the configuration is correctly applied. Example 15-9 shows the output from the show ip interface s0 command.

Example 15-9 show ip interface s0 Command Output
  R3(config-if)# end
  R3# show ip interface s0
  Serial0 is up, line protocol is up
    Internet address is 192.168.100.3/24
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is enabled
    Multicast reserved groups joined: 224.0.0.10
    Outgoing access list is not set
    Inbound  access list is 101
    Proxy ARP is enabled
    Security level is default
    Split horizon is disabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP multicast fast switching is enabled
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    Probe proxy name replies are disabled
    Gateway Discovery is disabled
    Policy routing is disabled
    Network address translation is disabled
  R3#

The line "Inbound access list is 101" confirms that the correct access list, 101, has been applied as an incoming access list. Because you do not have any Web hosts or SMTP hosts on these segments, you will not be able to test the access lists. However, the configurations are correct, and you have completed the lab objectives for this chapter.

CCNA Practical Studies (Cisco Certification & Training)
ISBN: 1587200465
Year: 2005
Pages: 127