Chapter 15. Standard and Extended Access Lists









Part III: Access Lists, Cisco IOS Software Operations, and Troubleshooting

Chapter 15  Standard and Extended Access Lists
Chapter 16  Cisco Router Operations
Chapter 17  Troubleshooting




















Standard/Extended Access List Fundamentals

Cisco has defined two types of IP access lists: standard and extended. However, only one IP access list can be applied to an interface in a given direction at a time. This means that you cannot have an inbound standard access list and an inbound extended access list applied to the same interface. Each type has its own number range (1 to 99 for standard, 100 to 199 for extended) and its own uses in securing the network.



Standard Access Lists

Standard access lists match packets by examining only the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. The matching is flexible and does not consider the subnet mask in use: which bits are compared is decided by the wildcard mask written in the statement, not by the subnet mask configured on the interface.

Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. The mask is so named because it inverts the meaning of the bits. In a normal (subnet) mask, ones mean "must match," while zeroes mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their addresses must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must match" and ones mean "may vary."



TIP

The easy way to calculate the inverse mask when you already know the normal mask is to subtract it from all ones. The table that follows shows an example. The normal mask is subtracted, column by column (one octet at a time), from the all-ones mask to determine the inverse mask.

All Ones    Normal Mask    Inverse Mask
255         255            0
255         255            0
255         240            15
255         0              255

Read as dotted-decimal addresses, the normal mask 255.255.240.0 therefore has the inverse mask 0.0.15.255.
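As an added example (not from the original chapter), the following Python reproduces the TIP's octet-by-octet subtraction and the bit test a router applies when it compares a source address against an address/wildcard pair. The addresses used are constructed for the example. It also goes beyond the table to show what "does not consider the subnet mask" implies: because the ones in a wildcard may sit anywhere, a single statement can match, for instance, only the even-numbered /24 subnets inside 10.0.0.0/16, a pattern no subnet mask could express.

```python
# Added example (not from the original chapter): inverse (wildcard) mask
# arithmetic and the bit test a router applies when a standard access list
# compares a packet's source address against "source-addr wildcard".
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def inverse_mask(normal_mask: str) -> str:
    """Subtract each octet of the normal mask from 255 (the TIP's column-by-column rule)."""
    return ".".join(str(255 - int(octet)) for octet in normal_mask.split("."))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if every bit that is 0 in the wildcard is identical in address and base.

    Wildcard bits set to 1 "may vary", so they are cleared before comparing:
    (address XOR base) AND (NOT wildcard) must be zero.
    """
    differing = _to_int(address) ^ _to_int(base)
    must_match = ~_to_int(wildcard) & 0xFFFFFFFF
    return (differing & must_match) == 0


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is 0...01...1, i.e. the inverse of a real subnet mask.

    IOS accepts any wildcard, so False is not an error; it only means the
    statement matches a pattern that no subnet mask could describe.
    """
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    # The TIP's example: 255.255.240.0 -> 0.0.15.255
    print(inverse_mask("255.255.240.0"))
    # Constructed addresses: 172.16.16.0 0.0.15.255 covers 172.16.16.0 to 172.16.31.255
    print(wildcard_match("172.16.20.9", "172.16.16.0", "0.0.15.255"))  # True
    print(wildcard_match("172.16.32.1", "172.16.16.0", "0.0.15.255"))  # False
    # A discontiguous wildcard: 10.0.0.0 0.0.254.255 matches only even third octets
    print(wildcard_match("10.0.4.7", "10.0.0.0", "0.0.254.255"))       # True
    print(wildcard_match("10.0.5.7", "10.0.0.0", "0.0.254.255"))       # False
    print(is_contiguous("0.0.254.255"))                                # False
```

When checking a list someone else wrote, run is_contiguous over every wildcard in it: a non-contiguous mask is legal but almost always a typo (a normal mask typed where a wildcard belongs, or the reverse), and it silently matches a very different set of hosts than the author intended.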



The command for configuring a standard access list is as follows:

Router(config)#access-list {1-99} {permit | deny} source-addr [source-wildcard]

As you can see from the command syntax, the first option is to specify the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is whether to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured; if it is omitted, a wildcard of 0.0.0.0 is assumed and the statement matches only that single host address.



CAUTION

All access lists end with an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to also create permit statements to allow valid traffic; a list that contains only deny statements blocks everything.



When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:

Router(config-if)#ip access-group {number | name} {in | out}

The access list is applied under interface configuration mode. You must specify only the number or name of the list and whether it is an incoming (in) or an outgoing (out) access list. Until it is applied with this command, an access list filters nothing.



Extended Access Lists

Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. As with standard lists, extended access lists are enabled for packets entering or exiting an interface. The list is searched sequentially; the first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well. The matching logic, however, is different from that used with standard access lists and makes extended access lists much more complex. Extended access lists can match the protocol, the source and destination addresses, and different TCP and UDP ports. This gives greater flexibility and control over network access.

To configure an extended access list, the command is similar to the standard access list command, but with more options. The command is this:

Router(config)#access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]

The first value that you must configure is the access list number. Extended access lists range from 100 to 199. Then you need to permit or deny the criteria that you will specify next. The next value is the protocol type. Here, you could specify ip, tcp, udp, or other specific IP sub-protocols such as icmp. The next value is the source IP address and its wildcard mask. Next is the destination IP address and its wildcard mask. When the destination IP address and mask are configured, you can specify the port number that you want to match, by number or by a well-known port name; a port operator such as eq is meaningful only when the protocol is tcp or udp. The optional established keyword matches only TCP segments that have the ACK or RST bit set, that is, segments belonging to a connection that was already opened from the other direction, so it is the usual way to let replies back in without permitting new inbound connections.

As with standard access lists, after the extended access list is created, you need to apply it to an interface with the ip access-group command. Review the lab objectives associated with the chapter before beginning to configure the access lists.
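The following Python is an added example, not code from the chapter or from Cisco IOS: a small parser and evaluator for the numbered standard and extended access-list statements described in the two sections above. It applies the matching rules the text gives (wildcard comparison, sequential search with the first match deciding, the implicit deny when nothing matches, and the established keyword for TCP) to a few constructed packets. The access-list lines, the packets and the PORT_NAMES table are constructed for the example, and the evaluator understands only a subset of the real IOS syntax (any, host, a bare host address in standard lists, eq/gt/lt/neq/range, and established).

```python
# Added example (not from the original chapter or from Cisco IOS): a small
# evaluator for numbered standard (1-99) and extended (100-199) access lists.
# The access-list text and packets below are constructed for the example;
# only a subset of the real IOS syntax is understood.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A few of the well-known port names IOS accepts in place of a number
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set; what "established" tests


def _match_addr(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A', 'A W' or a bare 'A' (standard lists only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():       # a wildcard follows
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"                        # bare address means that one host


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_port_op(tokens: List[str]) -> Optional[Callable[[int], bool]]:
    """Consume an optional 'eq|gt|lt|neq PORT' or 'range LO HI'."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        lo, hi = _port(tokens.pop(0)), _port(tokens.pop(0))
        return lambda p: lo <= p <= hi
    v = _port(tokens.pop(0))
    return {"eq": lambda p: p == v, "gt": lambda p: p > v,
            "lt": lambda p: p < v, "neq": lambda p: p != v}[op]


@dataclass
class Entry:
    action: str
    proto: str = "ip"
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    sport: Optional[Callable[[int], bool]] = None
    dport: Optional[Callable[[int], bool]] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_match_addr(pkt.src, *self.src) and _match_addr(pkt.dst, *self.dst)):
            return False
        if self.sport is not None and not self.sport(pkt.sport):
            return False
        if self.dport is not None and not self.dport(pkt.dport):
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            return False
        return True


def parse_acl(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N {permit|deny} ...' lines, keeping statement order."""
    lists: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= num <= 99:                       # standard: source address only
            entry = Entry(action, src=_take_addr(rest))
        elif 100 <= num <= 199:                  # extended: protocol, src, dst, ports
            proto = rest.pop(0)
            src, sport = _take_addr(rest), _take_port_op(rest)
            dst, dport = _take_addr(rest), _take_port_op(rest)
            entry = Entry(action, proto, src, dst, sport, dport, "established" in rest)
        else:
            raise ValueError(f"{num}: not a standard (1-99) or extended (100-199) number")
        lists.setdefault(num, []).append(entry)
    return lists


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential search; the first match decides. Returns (action, statement index),
    with index None when the packet fell through to the implicit deny."""
    for i, entry in enumerate(entries):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


# Constructed configuration: ACL 10 permits one LAN; ACL 101 lets that LAN reach a
# web server, lets replies to LAN-initiated TCP sessions through, allows ICMP, and
# then denies everything else explicitly (the same result the implicit deny gives).
ACL_TEXT = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any established
access-list 101 permit icmp any any
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    print(evaluate(acls[10], Packet("tcp", "192.168.2.5", "10.1.1.10")))           # ('deny', None)
    print(evaluate(acls[101], Packet("tcp", "192.168.1.5", "10.1.1.10", 40000, 80)))  # ('permit', 0)
```

On the router, ACL 101 as written would be applied with ip access-group 101 in under the interface facing the 192.168.1.0 LAN. Its last statement duplicates the implicit deny on purpose: the implicit deny keeps no counter, whereas an explicit deny ip any any (optionally followed by log) shows up with its match count in show access-lists, so you can see how much traffic the list is dropping.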




















Final Lab Results

You now have successfully configured IPX routing and verified its proper operation, per the lab objectives. You have configured IPX routing for both IPX RIP and IPX EIGRP, and you have seen that IPX route redistribution is occurring and that IPX EIGRP split horizon has been disabled on the hub Frame Relay router (R3's Serial 0 interface). Lastly, you have seen some commands to verify your configuration and have tested IPX connectivity using the ping command. Figure 14-2 shows the IPX routing domains for IPX RIP and IPX EIGRP.

Figure 14-2. IPX Routing Domains

In summary, review those commands that have been introduced in this chapter, as shown in Table 14-3.

Table 14-3. Command Summary for IPX Configuration and Troubleshooting

Command                                               Purpose
ipx router eigrp [autonomous system number]           Enables the IPX EIGRP routing process
no ipx split-horizon eigrp [autonomous system number] Disables IPX split horizon on an IPX EIGRP interface
ipx router rip                                        Enters the IPX RIP routing process
show ipx interface brief                              Displays a summary of configured IPX interfaces
show ipx interface                                    Displays a detailed status of IPX interfaces
show ipx traffic                                      Shows IPX packet information
show ipx servers                                      Lists the services discovered through SAP advertisements
show ipx route                                        Lists the entries in the IPX routing table
ping ipx                                              Verifies IPX connectivity

The IPX routing configuration is now complete. Chapter 15, "Standard and Extended Access Lists," reviews IP standard and extended access lists and configures these in the lab environment.




















Chapter 15. Standard and Extended Access Lists

This chapter covers the following topics:

Standard access lists
Extended access lists

This chapter covers the difference between standard and extended access lists and their various uses. You will configure access lists according to the lab objectives stated in the chapter, verify their operation, and apply them to the router interfaces appropriately.

Network security using access lists is a fundamental skill that Cisco expects from CCNAs. Although you can use a variety of methods to write access lists, it is important that you understand the logic behind them. This chapter briefly reviews the different access lists and the commands needed to configure and apply them in the appropriate manner. For a more comprehensive review of access lists, refer to Chapter 9 of Interconnecting Cisco Network Devices.



















