Part VII: Enhanced Network Protocols


Extended IP Access Lists

Extended IP access lists apply the same concepts that you just learned; however, they have much more control over whether to filter off a source and destination address, along with IP protocol type filtering. The general syntax for extended IP access lists is shown here:

  access-list {100-199 | 2000-2699} {permit | deny} protocol_type source_address source_address_wildcard destination_address destination_address_wildcard [protocol-specific options] [precedence precedence] [tos tos] [log] [established]

The access list range is 100 to 199 and has an extended range of 2000 to 2699 in Cisco IOS Release 12.0.0 and later. The protocol_type keyword is a special value that will cause the access list to look for a match in the Protocol field of the IP header. Table 14-2 lists the values as of Cisco IOS Release 12.0.

Table 14-2. Extended IP Access List protocol_type Values for Cisco IOS Release 12.0

Value      What It Means
<0-255>    An IP protocol number
ahp        Authentication Header Protocol
eigrp      Cisco's EIGRP routing protocol
esp        Encapsulation Security Payload
gre        Cisco's GRE tunneling
icmp       Internet Control Message Protocol
igmp       Internet Gateway Message Protocol
igrp       Cisco's IGRP routing protocol
ip         Any Internet protocol
ipinip     IP in IP tunneling
nos        KA9Q NOS-compatible IP over IP tunneling
ospf       OSPF routing protocol
pcp        Payload Compression Protocol
pim        Protocol Independent Multicast
tcp        Transmission Control Protocol
udp        User Datagram Protocol

As you can see, the protocol_type field grows with every release of Cisco IOS Software. Specifying the protocol type can be a simple way to avoid complex filters. For example, when filtering routing protocols such as IGRP, EIGRP, and OSPF, matching on the protocol_type keyword instead of on the individual IP multicast messages that these routing protocols use simplifies your configuration. Table 14-3 lists the TCP port numbers currently supported under Cisco IOS Release 12.0.

Table 14-3. Extended IP Access List TCP Port Numbers Supported Under Cisco IOS Release 12.0

Value        What It Means
<0-65535>    Port number
bgp          Border Gateway Protocol (179)
chargen      Character generator (19)
cmd          Remote commands (rcmd, 514)
daytime      Daytime (13)
discard      Discard (9)
domain       Domain Name Service (53)
echo         Echo (7)
exec         Exec (rsh, 512)
finger       Finger (79)
ftp          File Transfer Protocol (21)
ftp-data     FTP data connections (used infrequently, 20)
gopher       Gopher (70)
hostname     NIC host name server (101)
ident        Ident Protocol (113)
irc          Internet Relay Chat (194)
klogin       Kerberos login (543)
kshell       Kerberos shell (544)
login        Login (rlogin, 513)
lpd          Printer service (515)
nntp         Network News Transport Protocol (119)
pim-auto-rp  PIM Auto-RP (496)
pop2         Post Office Protocol v2 (109)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transport Protocol (25)
sunrpc       Sun Remote Procedure Call (111)
syslog       Syslog (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
telnet       Telnet (23)
time         Time (37)
uucp         UNIX-to-UNIX Copy Program (540)
whois        Nicname (43)
www          World Wide Web (HTTP, 80)

Table 14-4 lists the UDP port numbers currently supported under Cisco IOS Release 12.0.

Table 14-4. Extended IP Access List UDP Port Numbers Supported Under Cisco IOS Release 12.0

Value        What It Means
<0-65535>    Port number
biff         Biff (mail notification, comsat, 512)
bootpc       Bootstrap Protocol (BOOTP) client (68)
bootps       Bootstrap Protocol (BOOTP) server (67)
discard      Discard (9)
dnsix        DNSIX security protocol auditing (195)
domain       Domain Name Service (DNS, 53)
echo         Echo (7)
isakmp       Internet Security Association and Key Management Protocol (500)
mobile-ip    Mobile IP registration (434)
nameserver   IEN116 name service (obsolete, 42)
netbios-dgm  NetBIOS datagram service (138)
netbios-ns   NetBIOS name service (137)
netbios-ss   NetBIOS session service (139)
ntp          Network Time Protocol (123)
pim-auto-rp  PIM Auto-RP (496)
rip          Routing Information Protocol (router, in.routed, 520)
snmp         Simple Network Management Protocol (161)
snmptrap     SNMP Traps (162)
sunrpc       Sun Remote Procedure Call (111)
syslog       System Logger (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
tftp         Trivial File Transfer Protocol (69)
time         Time (37)
who          Who service (rwho, 513)
xdmcp        X Display Manager Control Protocol (177)

Another enhancement of extended access lists over standard access lists is that you can match on both where traffic originates and where it is destined. At the end of the access list entry, you can also set precedence and type-of-service (TOS) values; the router examines the IP packet header for these values. The precedence values range from 0 to 7, while the TOS values range from 0 to 15. The established keyword checks for the ACK or RESET flag in the TCP header; if either flag is set, a match occurs. This keyword is used to pass the return traffic of existing data streams through the access list.

Let's take a look at an extended access list that will be used on a connection to the Internet. In this example, an extended access list is applied inbound on the BRI interface that faces the Internet. Figure 14-3 illustrates the network topology for the next example.

Figure 14-3. Extended Access List Example


Now, let's add the syntax in Example 14-7 to the access_router.

Example 14-7 Applying an Extended Access List to the access_router
 access_router(config)# access-list 199 permit tcp any any established
 access_router(config)# access-list 199 deny   ip 206.191.241.40 0.0.0.7 any
 access_router(config)# access-list 199 deny   ip host 206.191.194.42 host 206.191.194.42
 access_router(config)# access-list 199 permit icmp any any echo
 access_router(config)# access-list 199 permit icmp any any echo-reply
 access_router(config)# access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq www
 access_router(config)# access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq smtp
 access_router(config)# access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq domain
 access_router(config)# access-list 199 permit udp any 206.191.241.40 0.0.0.7 eq domain
 access_router(config)# access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 lt 1024
 access_router(config)# access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 gt 1023
 access_router(config)# access-list 199 permit udp any 206.191.241.40 0.0.0.7 gt 1023
 access_router(config)# access-list 199 deny   udp any 206.191.241.40 0.0.0.7 gt 50000
 access_router(config)# access-list 199 deny   udp any 206.191.241.40 0.0.0.7 lt 1024

Now, apply the access list to the BRI interface with the following commands:

 access_router(config)# int bri 0
 access_router(config-if)# ip access-group 199 in

The first line of the access list in Example 14-7 invokes the established keyword. This keyword matches TCP segments with the ACK or RESET bit set, which inherently allows the return traffic of existing data streams to qualify as a match. The established keyword should be used for any TCP traffic that is user-interactive, such as WWW.

The second and third lines in Example 14-7 are straightforward.

In the next subset of lines, you have the following:

  access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq www
  access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq smtp
  access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq domain
  access-list 199 permit udp any 206.191.241.40 0.0.0.7 eq domain

The first entry allows TCP from any source address or network to go only to the subnet of 206.191.241.40, which includes addresses .41, .42, .43, .44, .45, and .46, and only if the TCP destination port is 80, HTTP or WWW traffic. The second and third lines allow the same subnet inbound access for Simple Mail Transport Protocol (SMTP), port 25, and POP3 mail, port 110. Finally, there are two DNS entries: one allows DNS that might be operating on TCP port 53, and the other allows DNS on UDP port 53, the more common transport for DNS services.

The last subset of lines in Example 14-7 is the following:

  access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 lt 1024
  access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 gt 1023
  access-list 199 permit udp any 206.191.241.40 0.0.0.7 gt 1023
  access-list 199 deny   udp any 206.191.241.40 0.0.0.7 gt 50000
  access-list 199 deny   udp any 206.191.241.40 0.0.0.7 lt 1024

The first line of this subset denies TCP traffic on ports less than 1024 from any source network to the specific subnet 206.191.241.40/29. The next line does the same for ports greater than 1023. The next line allows UDP ports greater than 1023 to pass, while the last two lines deny UDP ports greater than 50000 and UDP ports less than 1024. Basically, this subset filters some of the well-known UDP and TCP ports. The implicit deny any would have caught all of these ports, so the entries may seem redundant; however, sometimes it is desirable to "see" the actual ports being denied in the configuration and to have them logged when someone tries to access them. In this example, you could also filter inclusive ports with a range statement. For example, these two lines could be combined into a single entry:

  access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 lt 1024
  access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 gt 1023

or:

  access-list 199 deny   tcp any 206.191.241.40 0.0.0.7 range 1 65535
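As an added illustration (not code from the book or from Cisco IOS), here is a small Python evaluator for the extended access list syntax above, loaded with the TCP and UDP entries of Example 14-7 in their original order; it implements wildcard-mask address matching, the eq/lt/gt/range port operators, the established check, first-match evaluation, and the implicit deny. The packet dictionaries and the port keyword table are constructed for this example, port operators are read as destination-port qualifiers as in Example 14-7, and the ICMP entries are left out.

```python
from ipaddress import IPv4Address

PORTS = {"www": 80, "smtp": 25, "domain": 53}            # IOS port keywords used in Example 14-7
OPS = {"eq": lambda p, a: p == a[0], "lt": lambda p, a: p < a[0], "gt": lambda p, a: p > a[0],
       "range": lambda p, a: a[0] <= p <= a[1]}

def addr(t, i):
    """Read 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any": return (0, 0xFFFFFFFF), i + 1          # any = 0.0.0.0 255.255.255.255
    if t[i] == "host": return (int(IPv4Address(t[i + 1])), 0), i + 2   # host = wildcard 0.0.0.0
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def parse_ace(line):
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "established": t[-1] == "established"}
    ace["src"], i = addr(t, 4)
    ace["dst"], i = addr(t, i)
    ace["op"] = t[i] if i < len(t) and t[i] in OPS else None   # destination-port operator
    ace["args"] = [PORTS.get(p) or int(p) for p in t[i + 1:]] if ace["op"] else []
    return ace

def addr_match(a, spec):
    """Wildcard compare: a 1-bit in the wildcard mask means 'don't care'."""
    return (int(IPv4Address(a)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def ace_match(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and addr_match(pkt["src"], ace["src"]) and addr_match(pkt["dst"], ace["dst"])
            and (not ace["established"] or pkt.get("ack") or pkt.get("rst"))  # ACK or RST set
            and (ace["op"] is None or OPS[ace["op"]](pkt.get("dport", 0), ace["args"])))

def evaluate(acl, pkt):
    for n, ace in enumerate(acl, 1):                  # first match wins, as on the router
        if ace_match(ace, pkt):
            return ace["action"], n
    return "deny", 0                                  # implicit deny any at the end

ACL_199 = [parse_ace(l) for l in """
access-list 199 permit tcp any any established
access-list 199 deny ip 206.191.241.40 0.0.0.7 any
access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq www
access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq smtp
access-list 199 permit tcp any 206.191.241.40 0.0.0.7 eq domain
access-list 199 permit udp any 206.191.241.40 0.0.0.7 eq domain
access-list 199 deny tcp any 206.191.241.40 0.0.0.7 lt 1024
access-list 199 deny tcp any 206.191.241.40 0.0.0.7 gt 1023
access-list 199 permit udp any 206.191.241.40 0.0.0.7 gt 1023
access-list 199 deny udp any 206.191.241.40 0.0.0.7 gt 50000
access-list 199 deny udp any 206.191.241.40 0.0.0.7 lt 1024
""".strip().splitlines()]
```

Running the evaluator shows why entry order matters: a UDP packet to port 60000 is permitted by the gt 1023 entry before the later gt 50000 deny is ever consulted, so that deny never matches anything.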

CAUTION

Enhancements to the access-list commands are backward compatible; migrating from earlier releases to Release 11.1 will convert your access lists automatically. Releases earlier than Release 11.1 are not upwardly compatible with these enhancements. If you save an access list with an image later than Release 11.1 and then use software earlier than Release 11.1, the resulting access list will not be interpreted correctly. This can cause severe security problems.

In other words, access lists from Cisco IOS Release 11.1 and later are backward and forward compatible; releases earlier than 11.1 are neither. So your lists run the risk of being destroyed if the router comes up under a different Cisco IOS Release image or is downgraded somehow.




CCIE Practical Studies, Volume I
ISBN: 1587200023
Year: 2001
Pages: 283
Authors: Karl Solie
