Filtering by Source or Destination IP Address
Problem
You want to block packets to or from certain IP addresses.
Solution
You can use standard access-lists to block packets from specified IP source addresses:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 50 deny host 10.2.2.2 Router1(config)#access-list 50 permit any Router1(config)#interface Serial0/1 Router1(config-if)#ip access-group 50 in Router1(config-if)#exit Router1(config)#end Router1#
You can filter packets based on both the source and destination addresses with an extended access-list:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 150 deny ip host 10.2.2.2host 172.25.25.1 Router1(config)#access-list 150 permit ip any any Router1(config)#interface Serial0/1 Router1(config-if)#ip access-group 150 in Router1(config-if)#exit Router1(config)#end Router1#
Discussion
The most obvious use for access-lists is traffic filtering. The two examples in this recipe both show how to use access control lists for filtering inbound packets. The first example uses the following access-list:
Router1(config)#access-list 50 deny host 10.2.2.2 Router1(config)#access-list 50 permit any
This is a numbered ACL with a value between 1 and 99, making it a standard access-list. Using a standard access like this allows you to filter only based on the source IP address. In the example, we have chosen to deny a single host address, 10.2.2.2, to prevent the router from accepting packets from this device. All other packets are permitted. This is a somewhat artificial thing to do, of course. It is more likely that you would want to allow only a limited group of devices and block all of the others. For example, you might want to allow all of the devices on 10.2.2.0/24, except the host 10.2.2.2, and drop packets from any other devices. You could do this with the following standard ACL:
Router1(config)#access-list 50 deny host 10.2.2.2 Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255 Router1(config)#access-list 50 deny any
The order of the statements in an access-list is critical. Consider what would have happened if we had put line that permitted 10.2.2.0/24 before the line that denied the specific host 10.2.2.2. Each time the router received a packet from the forbidden host, it would compare it to the ACL. Because this host is part of the permitted range, the router would accept the packet and not look any further.
Also, because the router will stop processing an ACL as soon as it finds a match, you can save the processor a lot of work by putting the most common rules near the top. You want the router to find a match as early as possible while parsing the ACL most of the time it uses this ACL. All of the examples in this chapter are relatively short, but if you have an ACL that is several hundred lines long, a good ordering can make a significant improvement in processing time. This will affect router CPU load, and could also improve jitter and latency issues.
The other important thing to look out for when constructing an ACL like this is the fact that they use wildcard bits rather than netmask format when defining ranges of addresses. In this example, we wanted to specify the range 10.2.2.0/24. This means that we want to fix all of the bits in the first three octets of the address, and allow any pattern of bits in the last octet. We can achieve this with a wildcard pattern of 0.0.0.255. Please refer to Recipe 5.3 for a more detailed discussion of the differences between wildcards and netmasks.
The basic notation is an IP address followed by a wildcard pattern. But there are two special cases. Suppose you want to match on a single IP address for particular devices, such as 10.2.2.2. You can write this as follows:
Router1(config)#access-list 50 deny 10.2.2.2 0.0.0.0
This wildcard pattern means that there are no free bits in the address, so we are looking for an exact match. Alternatively, you can use the more intuitive version that we used earlier in this recipe, with the host keyword:
Router1(config)#access-list 50 deny host 10.2.2.2
The two forms have an identical effect. And, in fact, for Standard IP ACLs like this one, the router will replace both of these with the following:
Router1(config)#access-list 50 deny 10.2.2.2
The host keyword is not redundant, however, for Extended IP ACLs, which we discuss below.
Alternatively, if you want to match any device, you could write this as follows:
Router1(config)#access-list 50 deny 0.0.0.0 255.255.255.255
Because all of the wildcard bits in this pattern are set, it means that any bit may have a value of either 0 or 1. So this pattern will match any IP address. The router will rewrite this ACL with the following simpler form:
Router1(config)#access-list 50 deny any
As we mentioned in the Introduction to this chapter, there are many different ways to apply an ACL. In this case, we want to apply this ACL to filter IP packets received on a particular router interface. To do this, we use the ip access-group command on the interface that will receive the data stream that we want to filter:
Router1(config)#interface Serial0/1 Router1(config-if)#ip access-group 50 in
In this command, the keyword in tells the router to apply the filter to inbound packets that is, packets received by this interface. In some cases, you might want to filter outbound packets instead. The router will even let you apply a different ACL to inbound and outbound packets:
Router1(config)#interface Serial0/1 Router1(config-if)#ip access-group 50 in Router1(config-if)#ip access-group 51 out
The outbound access-group command has an interesting quirk that you should be aware of. This command will not filter packets that originate on the router itself. This is important because if you apply an outbound filter and then try to test it with a PING or Telnet from the router, your rule will appear not to work. Make sure to do these tests from a downstream device.
It's also important to remember that the router originates packets in several less obvious situations. For example, if you are using tunnels, then even if the router is encapsulating IP packets from downstream devices, the tunnel packets themselves originate on the router. The same is true when the router acts as a gateway for other protocols, such as SNA or X.25.
This also has security implications because it means that if somebody can convince the router to originate packets for them, they will bypass the rule. So, while the outbound access-group command is extremely useful, you need to be careful about how you use it, or it might be less effective than you expect.
The second example in the Solution section of this recipe does a similar kind of filtering, except that this time we have used an extended ACL:
Router1(config)#access-list 150 deny ip host 10.2.2.2host 172.25.25.1 Router1(config)#access-list 150 permit ip any any
The syntax of the extended IP ACL is somewhat more involved than that of the standard ACL. It includes the same permit or deny keywords as the standard IP ACL. The next keyword in this example selects the IP protocol. Please refer to Recipe 19.3 for a discussion of other options.
Extended IP ACLs always include two IP addresses. The first is the source address, and the second is the destination. In the first line of the example, we have specified two host addresses for the source and destination, while the second line matches any address in either the source or the destination fields of the IP packet.
You can use the same wildcard matching system for IP addresses here, as we discussed above for the Standard IP ACL. Suppose, for example, that we want to allow any device on the 10.2.2.0/24 segment to access any destination device, but we wanted to specifically prevent the host, 10.2.2.2 from reaching 172.25.25.1, and we want to drop all packets from any other devices. We could do this with the following Extended IP ACL:
Router1(config)#access-list 150 deny ip host 10.2.2.2host 172.25.25.1 Router1(config)#access-list 150 permit ip 10.2.2.0 0.0.0.255 any Router1(config)#access-list 150 deny ip any any
Note that the last line of both the Standard and Extended ACL examples in this recipe explicitly denies everything that wasn't matched in one of the previous lines. This is actually not necessary because every ACL implicitly ends with a deny all, whether you include it or not. However, including an explicit permit all or deny all clause at the end of an ACL is generally a good practice because it makes things more clear. Also, when you look at an ACL with the show access-list command, it gives you a breakdown of how many times each rule found a match:
Router1#show access-list 150 Extended IP access list 150 deny ip host 10.2.2.2 host 172.25.25.1 (422 matches) permit ip 10.2.2.0 0.0.0.255 any (743 matches) deny ip any any (387 matches) Router1#
As you can see here, by including an explicit deny all rule at the end of this ACL, we can tell exactly how many packets were affected.
And, as we will discuss in Recipe 19.8, you can configure this line to log exactly which packets reach all the way to the end of the ACL without matching one of the earlier rules.
Finally, we need to mention one of the most annoying problems involved in managing large ACLs up until IOS Version 12.3(2)T (see Recipe 19.15 for more information). If you add a new rule to an ACL, it will always go at the very end of the list. This is not always what you want. Further, there is no way to remove individual lines from an ACL without removing the entire list.
We have found that the easiest way to get around this problem is to use the show running-config command to get a complete listing of the ACL you want to edit. Copy this into a text editor of some kind on your local workstation. Then you can use any common text editor to create the modified ACL. Delete the old ACL and copy in the new one. As we mentioned in Chapter 1, if you use TFTP to transfer the new commands into the router, it will not make the change until the transfer is complete. This is particularly important for ACLs, where you could enter the first line, and then find yourself locked out of the router by the implicit deny all that follows it. However, Recipe 19.15 shows another solution to this problem.
See Also
Recipe 5.3; Recipe 19.3; Recipe 19.8; Recipe 19.15
Router Configuration and File Management
- Configuring the Router via TFTP
- Saving Router Configuration to Server
- Booting the Router Using a Remote Configuration File
- Storing Configuration Files Larger Than NVRAM
- Clearing the Startup Configuration
- Loading a New IOS Image
- Booting a Different IOS Image
- Booting over the Network
- Copying an IOS Image to a Server
- Copying an IOS Image Through the Console
- Deleting Files from Flash
- Partitioning Flash
- Using the Router as a TFTP Server
- Using FTP from the Router
- Generating Large Numbers of Router Configurations
- Changing the Configurations of Many Routers at Once
- Extracting Hardware Inventory Information
- Backing Up Router Configurations
- Warm Reload
- Warm Upgrade
- Configuration Archiving
- Locking Configuration Access
Router Management
- Creating Command Aliases
- Managing the Routers ARP Cache
- Tuning Router Buffers
- Auto Tuning Buffers
- Using the Cisco Discovery Protocol
- Disabling the Cisco Discovery Protocol
- Using the Small Servers
- Enabling HTTP Access to a Router
- Enabling Secure HTTP (HTTPS) Access to a Router
- Using Static Hostname Tables
- Enabling Domain Name Services
- Disabling Domain Name Lookups
- Specifying a Router Reload Time
- Scheduling of Router Commands
- Displaying Historical CPU Values
- Creating Exception Dump Files
- Generating a Report of Interface Information
- Generating a Report of Routing Table Information
- Generating a Report of ARP Table Information
- Generating a Server Host Table File
User Access and Privilege Levels
- Setting Up User IDs
- Encrypting Passwords
- Using Better Password-Encryption Techniques
- Removing Passwords from a Router Configuration File
- Deciphering Ciscos Weak Password Encryption
- Displaying Active Users
- Sending Messages to Other Users
- Changing the Number of VTYs
- Changing VTY Timeouts
- Restricting VTY Access by Protocol
- Enabling Absolute Timeouts on VTY Lines
- Implementing Banners
- Disabling Banners on a Port
- Disabling Router Lines
- Reserving a VTY Port for Administrative Access
- Restricting Inbound Telnet Access
- Logging Telnet Access
- Setting the Source Address for Telnet
- Automating the Login Sequence
- Using SSH for Secure Access
- Changing Privilege Level of IOS Commands
- Defining Per User Privileges
- Defining Per Port Privileges
TACACS+
- Authenticating Login IDs from a Central System
- Restricting Command Access
- Losing Access to the TACACS+ Server
- Disabling TACACS+ Authentication on a Particular Line
- Capturing User Keystrokes
- Logging System Events
- Setting the IP Source Address for TACACS+ Messages
- Sample Server Configuration Files
IP Routing
- Finding an IP Route
- Finding Types of IP Routes
- Converting Different Mask Formats
- Using Static Routing
- Floating Static Routes
- Using Policy-Based Routing to Route Based on Source Address
- Using Policy-Based Routing to Route Based on Application Type
- Examining Policy-Based Routing
- Changing Administrative Distances
- Routing Over Multiple Paths with Equal Costs
- Static Routes That Track Interfaces or Other Routes
- Keeping Statistics on Routing Table Changes
RIP
- Configuring RIP Version 1
- Filtering Routes with RIP
- Redistributing Static Routes into RIP
- Redistributing Routes Using Route Maps
- Creating a Default Route in RIP
- Disabling RIP on an Interface
- Default Passive Interface
- Unicast Updates for RIP
- Applying Offsets to Routes
- Adjusting Timers
- Configuring Interpacket Delay
- Enabling Nonperiodic Updates
- Increasing the RIP Input Queue
- Configuring RIP Version 2
- Enabling RIP Authentication
- RIP Route Summarization
- Route Tagging
EIGRP
- Configuring EIGRP
- Filtering Routes with EIGRP
- Redistributing Routes into EIGRP
- Redistributing Routes into EIGRP Using Route Maps
- Disabling EIGRP on an Interface
- Adjusting EIGRP Metrics
- Adjusting Timers
- Enabling EIGRP Authentication
- EIGRP Route Summarization
- Logging EIGRP Neighbor State Changes
- Limiting EIGRPs Bandwidth Utilization
- EIGRP Stub Routing
- Route Tagging
- Viewing EIGRP Status
OSPF
- Configuring OSPF
- Filtering Routes in OSPF
- Adjusting OSPF Costs
- Creating a Default Route in OSPF
- Redistributing Static Routes into OSPF
- Redistributing External Routes into OSPF
- Manipulating DR Selection
- Setting the OSPF RID
- Enabling OSPF Authentication
- Selecting the Appropriate Area Types
- Using OSPF on Dial Interfaces
- Summarizing Routes in OSPF
- Disabling OSPF on Certain Interfaces
- Changing the Network Type on an Interface
- OSPF Route Tagging
- Logging OSPF Adjacency Changes
- Adjusting OSPF Timers
- Reducing OSPF Traffic in Stable Networks
- OSPF Virtual Links
- Viewing OSPF Status with Domain Names
- Debugging OSPF
BGP
- Configuring BGP
- Using eBGP Multihop
- Adjusting the Next-Hop Attribute
- Connecting to Two ISPs
- Connecting to Two ISPs with Redundant Routers
- Restricting Networks Advertised to a BGP Peer
- Adjusting Local Preference Values
- Load-Balancing
- Removing Private ASNs from the AS Path
- Filtering BGP Routes Based on AS Paths
- Reducing the Size of the Received Routing Table
- Summarizing Outbound Routing Information
- Prepending ASNs to the AS Path
- Redistributing Routes with BGP
- Using Peer Groups
- Authenticating BGP Peers
- Using BGP Communities
- Using BGP Route Reflectors
- Putting It All Together
Frame Relay
- Setting Up Frame Relay with Point-to-Point Subinterfaces
- Adjusting LMI Options
- Setting Up Frame Relay with Map Statements
- Using Multipoint Subinterfaces
- Configuring Frame Relay SVCs
- Simulating a Frame Relay Cloud
- Compressing Frame Relay Data on a Subinterface
- Compressing Frame Relay Data with Maps
- PPP over Frame Relay
- Viewing Frame Relay Status Information
Handling Queuing and Congestion
- Fast Switching and CEF
- Setting the DSCP or TOS Field
- Using Priority Queuing
- Using Custom Queuing
- Using Custom Queues with Priority Queues
- Using Weighted Fair Queuing
- Using Class-Based Weighted Fair Queuing
- Using NBAR Classification
- Controlling Congestion with WRED
- Using RSVP
- Manual RSVP Reservations
- Aggregating RSVP Reservations
- Using Generic Traffic Shaping
- Using Frame-Relay Traffic Shaping
- Using Committed Access Rate
- Implementing Standards-Based Per-Hop Behavior
- AutoQoS
- Viewing Queue Parameters
Tunnels and VPNs
- Creating a Tunnel
- Tunneling Foreign Protocols in IP
- Tunneling with Dynamic Routing Protocols
- Viewing Tunnel Status
- Creating an Encrypted Router-to-Router VPN in a GRE Tunnel
- Creating an Encrypted VPN Between the LAN Interfaces of Two Routers
- Generating RSA Keys
- Creating a Router-to-Router VPN with RSA Keys
- Creating a VPN Between a Workstation and a Router
- Creating an SSL VPN
- Checking IPSec Protocol Status
Dial Backup
- Automating Dial Backup
- Using Dialer Interfaces
- Using an Async Modem on the AUX Port
- Using Backup Interfaces
- Using Dialer Watch
- Using Virtual Templates
- Ensuring Proper Disconnection
- View Dial Backup Status
- Debugging Dial Backup
NTP and Time
- Time-Stamping Router Logs
- Setting the Time
- Setting the Time Zone
- Adjusting for Daylight Saving Time
- Synchronizing the Time on All Routers (NTP)
- Configuring NTP Redundancy
- Setting the Router As the NTP Master for the Network
- Changing NTP Synchronization Periods
- Using NTP to Send Periodic Broadcast Time Updates
- Using NTP to Send Periodic Multicast Time Updates
- Enabling and Disabling NTP Per Interface
- NTP Authentication
- Limiting the Number of Peers
- Restricting Peers
- Setting the Clock Period
- Checking the NTP Status
- Debugging NTP
- NTP Logging
- Extended Daylight Saving Time
- NTP Server Configuration
DLSw
- Simple Bridging
- Configuring DLSw
- Using DLSw to Bridge Between Ethernet and Token Ring
- Converting Ethernet and Token Ring MAC Addresses
- Configuring SDLC
- Configuring SDLC for Multidrop Connections
- Using STUN
- Using BSTUN
- Controlling DLSw Packet Fragmentation
- Tagging DLSw Packets for QoS
- Supporting SNA Priorities
- DLSw+ Redundancy and Fault Tolerance
- Viewing DLSw Status Information
- Viewing SDLC Status Information
- Debugging DSLw
Router Interfaces and Media
- Viewing Interface Status
- Configuring Serial Interfaces
- Using an Internal T1 CSU/DSU
- Using an Internal ISDN PRI Module
- Using an Internal 56 Kbps CSU/DSU
- Configuring an Async Serial Interface
- Configuring ATM Subinterfaces
- Setting Payload Scrambling on an ATM Circuit
- Classical IP Over ATM
- Configuring Ethernet Interface Features
- Configuring Token Ring Interface Features
- Connecting VLAN Trunks with ISL
- Connecting VLAN Trunks with 802.1Q
- LPD Printer Support
Simple Network Management Protocol
- Configuring SNMP
- Extracting Router Information via SNMP Tools
- Recording Important Router Information for SNMP Access
- Using SNMP to Extract Inventory Information from a List of Routers
- Using Access Lists to Protect SNMP Access
- Logging Unauthorized SNMP Attempts
- Limiting MIB Access
- Using SNMP to Modify a Routers Running Configuration
- Using SNMP to Copy a New IOS Image
- Using SNMP to Perform Mass Configuration Changes
- Preventing Unauthorized Configuration Modifications
- Making Interface Table Numbers Permanent
- Enabling SNMP Traps and Informs
- Sending Syslog Messages As SNMP Traps and Informs
- Setting SNMP Packet Size
- Setting SNMP Queue Size
- Setting SNMP Timeout Values
- Disabling Link Up/Down Traps per Interface
- Setting the IP Source Address for SNMP Traps
- Using RMON to Send Traps
- Enabling SNMPv3
- Strong SNMPv3 Encryption
- Using SAA
Logging
- Enabling Local Router Logging
- Setting the Log Size
- Clearing the Routers Log
- Sending Log Messages to Your Screen
- Using a Remote Log Server
- Enabling Syslog on a Unix Server
- Changing the Default Log Facility
- Restricting What Log Messages Are Sent to the Server
- Setting the IP Source Address for Syslog Messages
- Logging Router Syslog Messages in Different Files
- Maintaining Syslog Files on the Server
- Testing the Syslog Sever Configuration
- Preventing the Most Common Messages from Being Logged
- Rate-Limiting Syslog Traffic
- Enabling Error Log Counting
- XML-Formatted Log Messages
- Modifying Log Messages
Access-Lists
- Filtering by Source or Destination IP Address
- Adding a Comment to an ACL
- Filtering by Application
- Filtering Based on TCP Header Flags
- Restricting TCP Session Direction
- Filtering Multiport Applications
- Filtering Based on DSCP and TOS
- Logging When an Access-List Is Used
- Logging TCP Sessions
- Analyzing ACL Log Entries
- Using Named and Reflexive Access-Lists
- Dealing with Passive Mode FTP
- Using Time-Based Access-Lists
- Filtering Based on Noncontiguous Ports
- Advanced Access-List Editing
- Filtering IPv6
DHCP
- Using IP Helper Addresses for DHCP
- Limiting the Impact of IP Helper Addresses
- Using DHCP to Dynamically Configure Router IP Addresses
- Dynamically Allocating Client IP Addresses via DHCP
- Defining DHCP Configuration Options
- Defining DHCP Lease Periods
- Allocating Static IP Addresses with DHCP
- Configuring a DHCP Database Client
- Configuring Multiple DHCP Servers per Subnet
- DHCP Static Mapping
- DHCP-Secured IP Address Assignment
- Showing DHCP Status
- Debugging DHCP
NAT
- Configuring Basic NAT Functionality
- Allocating External Addresses Dynamically
- Allocating External Addresses Statically
- Translating Some Addresses Statically and Others Dynamically
- Using Route Maps to Refine Static Translation Rules
- Translating in Both Directions Simultaneously
- Rewriting the Network Prefix
- Using NAT for Server Load Distribution
- Stateful NAT Failover
- Adjusting NAT Timers
- Changing TCP Ports for FTP
- Checking NAT Status
- Debugging NAT
First Hop Redundancy Protocols
- Configuring Basic HSRP Functionality
- Using HSRP Preempt
- Making HSRP React to Problems on Other Interfaces
- Load-Balancing with HSRP
- Redirecting ICMP with HSRP
- Manipulating HSRP Timers
- Using HSRP on Token Ring
- HSRP SNMP Support
- Increasing HSRP Security
- Showing HSRP State Information
- Debugging HSRP
- HSRP Version 2
- VRRP
- Gateway Load-Balancing Protocol
IP Multicast
- Configuring Basic Multicast Functionality with PIM-DM
- Routing Multicast Traffic with PIM-SM and BSR
- Routing Multicast Traffic with PIM-SM and Auto-RP
- Filtering PIM Neighbors
- Configuring Routing for a Low-Frequency Multicast Application
- Multicast over Frame Relay or ATM WANs
- Configuring CGMP
- Using IGMP Version 3
- Static Multicast Routes and Group Memberships
- Routing Multicast Traffic with MOSPF
- Routing Multicast Traffic with DVMRP
- DVMRP Tunnels
- Configuring Bidirectional PIM
- Controlling Multicast Scope with TTL
- Controlling Multicast Scope with Administratively Scoped Addressing
- Exchanging Multicast Routing Information with MBGP
- Using MSDP to Discover External Sources
- Configuring Anycast RP
- Converting Broadcasts to Multicasts
- Showing Multicast Status
- Debugging Multicast Routing
IP Mobility
- Local Area Mobility
- Home Agent Configuration
- Foreign Agent Configuration
- Making a Router a Mobile Node
- Reverse-Tunnel Forwarding
- Using HSRP for Home Agent Redundancy
IPv6
- Automatically Generating IPv6 Addresses for an Interface
- Manually Configuring IPv6 Addresses on an Interface
- Configuring DHCP for IPv6
- Dynamic Routing with RIP
- Modifying the Default RIP Parameters
- IPv6 Route Filtering and Metric Manipulation in RIP
- Using OSPF for IPv6
- IPv6 Route Filtering and Metric Manipulation in OSPF
- Route Redistribution
- Dynamic Routing with MBGP
- Tunneling IPv6 Through an Existing IPv4 Network
- Translating Between IPv6 and IPv4
MPLS
- Configuring a Basic MPLS P Router
- Configuring a Basic MPLS PE Router
- Configuring Basic MPLS CE Routers
- Configuring MPLS over ATM
- PE-CE Communication via RIP
- PE-CE Communication via OSPF
- PE-CE Communication via EIGRP
- PE-CE Communication via BGP
- QoS over MPLS
- MPLS Traffic Engineering with Autoroute
- Multicast Over MPLS
- Your Service Provider Doesnt Do What You Want
Security
- Using AutoSecure
- Using Context-Based Access-Lists
- Transparent Cisco IOS Firewall
- Stopping Denial of Service Attacks
- Inspecting Applications on Different Port Numbers
- Intrusion Detection and Prevention
- Login Password Retry Lockout
- Authentication Proxy
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications
- IP Precedence, TOS, and DSCP Classifications
- Queueing Algorithms
- Dropping Packets and Congestion Avoidance
Index
EAN: 2147483647
Pages: 505
