
Friday 7 February 2014

What is Security?

Security:


Access Lists allow us to implement some level of security on the network by inspecting and filtering traffic as it enters or exits an interface. Each router can have many access lists of the same or different types. However, only one can be applied in each direction of an interface at a time (keep in mind that inbound and outbound traffic is determined from the router's perspective). The two major types of access lists that deserve special attention are the IP Access Lists and the IPX Access Lists. 

Standard IP access lists can be configured to permit or deny passage through a router based only on the source host's IP address. Extended IP access lists add the destination address, the IP protocol and the port number to extend the filtering capabilities: access can be judged on a specific destination address or range of addresses, on an IP protocol such as TCP or UDP, or on port information such as http, ftp, telnet or snmp. The access list number identifies the type of list. Standard IP access lists use numbers 1 through 99, and extended IP access lists use numbers 100 through 199: 


Number range   Access list type
1-99           Standard IP
100-199        Extended IP
200-299        Protocol type-code
300-399        DECnet
600-699        Appletalk
700-799        Standard 48-bit MAC Address
800-899        Standard IPX
900-999        Extended IPX
1000-1099      IPX SAP
1100-1199      Extended 48-bit MAC Address
1200-1299      IPX Summary Address



When dealing with Access Control Lists, or preparing for your CCNA exam, you have to work with a 32-bit wild card value in dotted-decimal form, known as the inverse mask. Cisco calls it "inverse", but in most cases you can think of it as the "reverse" of your subnet mask. A wild card mask uses two bit values, just as subnetting does: 0 is "off" and 1 is "on". In a wild card, a 0 bit means "match" and a 1 bit means "ignore". What do ignore and match mean here? If you have studied ACLs you know that the goal is to set criteria to permit or deny, and that is where the inverse mask comes in: it tells the router which bits of the address to examine when deciding whether a packet matches your definition. If you have done subnetting you know that most subnet masks end in an even number; an inverse mask will end in an odd number. There are several ways to come up with the inverse mask; the easiest is to subtract your subnet mask from the all-ones broadcast address 255.255.255.255. 

Example: You have a subnet mask of 255.255.255.0. To get your wild card mask all you have to do is: 

  255.255.255.255
- 255.255.255.0
---------------
    0.  0.  0.255 

Then you can apply it to the definition, whether using a standard or extended ACL. 

Standard example:
Router(config)# access-list 3 deny 170.10.1.0 0.0.0.255

How to read this list: with this wild card you have told the router to "match" the first three octets of the source address (170.10.1) and that you don't care what is in the last octet, so every host in 170.10.1.0/24 is denied. 

Extended example:
Router(config)# access-list 103 permit tcp 178.10.2.0 0.0.0.255 170.10.1.0 0.0.0.255 eq 80 

How to read this list: an extended entry names the protocol (here tcp, which the eq 80 port test requires), then the source address and its wild card, then the destination address and its wild card. Both wild cards tell the router to match the first three octets and ignore the last one, so TCP traffic from any host in 178.10.2.0/24 to port 80 on any host in 170.10.1.0/24 is permitted. 

Think of it this way: if you break the decimal form down to binary, the wild card mask looks like this: 00000000.00000000.00000000.11111111 

A "1" means ignore and a "0" means match, so the last octet can be any value on that subnet from 0 through 255, while the first three octets must match exactly. 
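The following is an added example (not part of the original post) that models the two rules above: the wild card is 255.255.255.255 minus the subnet mask, and a 0 bit means "match" while a 1 bit means "ignore". It also walks a small constructed ACL top-down the way a router does, ending with Cisco's implicit deny; the entry tuples and function names are my own, not IOS syntax.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Wild card (inverse) mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wild card bit 0 = 'match this bit', bit 1 = 'ignore it'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    # Keep only the bits the wild card says to match, then compare.
    return (a & ~w) == (b & ~w)


# Constructed entries modelled on the post's list 3 (standard: source only)
# and list 103 (extended: protocol, source, destination, destination port).
# Entry layout: (action, protocol, src, src_wc, dst, dst_wc, dst_port);
# dst of None marks a standard entry, "ip" protocol matches any protocol.
ACL_3 = [
    ("deny",   "ip", "170.10.1.0", "0.0.0.255",       None, None, None),
    ("permit", "ip", "0.0.0.0",    "255.255.255.255", None, None, None),  # permit any
]
ACL_103 = [
    ("permit", "tcp", "178.10.2.0", "0.0.0.255", "170.10.1.0", "0.0.0.255", 80),
]


def evaluate(acl, src, dst, proto="ip", dport=None):
    """Test entries top-down; the first match decides. If nothing matches,
    the implicit 'deny any' at the end of every Cisco ACL applies."""
    for action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, s, swc):
            continue
        if d is not None and not wildcard_match(dst, d, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                        # 0.0.0.255
    print(evaluate(ACL_3, "170.10.1.77", "10.0.0.1"))                 # deny
    print(evaluate(ACL_3, "170.10.2.77", "10.0.0.1"))                 # permit
    print(evaluate(ACL_103, "178.10.2.5", "170.10.1.9", "tcp", 80))   # permit
    print(evaluate(ACL_103, "178.10.2.5", "170.10.1.9", "tcp", 443))  # deny (implicit)
```

The last call shows the implicit deny in action: port 443 matches no entry in list 103, so the packet is dropped even though its addresses match.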
