Chapter 15. Standard and Extended Access Lists
This chapter covers the following topics:
Standard access lists
Extended access lists
This chapter covers the difference between standard and extended access lists and their various uses. You will configure access lists according to the lab objectives stated in the chapter, verify their operation, and apply them to the router interfaces appropriately.
Network security using access lists is a fundamental requirement that Cisco expects from CCNAs. Although you can use a variety of methods to write access lists, it is important that you understand the logic behind the access lists. This chapter briefly reviews the different access lists and the commands needed to configure and apply them in the appropriate manner. For a more comprehensive review of access lists, refer to Chapter 9 of Interconnecting Cisco Network Devices.
Part III: Access Lists, Cisco IOS Software Operations, and Troubleshooting
Chapter 15 Standard and Extended Access Lists
Chapter 16 Cisco Router Operations
Chapter 17 Troubleshooting
Standard/Extended Access List Fundamentals
Cisco has defined two types of IP access lists: standard and extended. However, only one type can be applied to an interface at a time. This means that you cannot have an inbound standard access list and an inbound extended access list applied to the same interface. Each access list type has its own number range and its own applications in securing the network.
Standard Access Lists
Standard access lists match packets by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. However, the matching is flexible and does not consider the subnet mask in use.
Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. This mask is so named because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must match" and ones mean "may vary."
TIP
The easy way to calculate the inverse mask when you already know the normal mask is to subtract from all ones. The table that follows shows an example. The normal mask is subtracted, column by column, from the all-ones mask to determine the inverse mask.
All Ones    Normal Mask    Inverse Mask
255         255            0
255         255            0
255         240            15
255         0              255
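The subtraction in the tip and the "zero means must match" rule, written out in Python so you can check a wildcard mask before typing it into a router. This is an added example, not code from the book; the function names are my own. It goes one step beyond the table: prefix_to_wildcard derives the wildcard straight from a /N prefix length, and wildcard_matches also accepts the non-contiguous wildcards the text alludes to when it says matching "does not consider the subnet mask in use."

```python
# Added example (not from the book): wildcard (inverse) mask arithmetic.
import ipaddress


def inverse_mask(normal_mask: str) -> str:
    """Subtract each octet of a normal mask from 255, column by column,
    exactly as the tip's table does: 255.255.240.0 -> 0.0.15.255."""
    octets = [int(o) for o in normal_mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {normal_mask}")
    return ".".join(str(255 - o) for o in octets)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Derive the wildcard for a /N directly: the low 32-N bits are ones."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return str(net.hostmask)       # ipaddress calls the inverse mask 'hostmask'


def wildcard_matches(address: str, reference: str, wildcard: str) -> bool:
    """Zero bits in the wildcard mean 'must match'; one bits mean 'may vary'.
    Works for any bit pattern, contiguous or not, because the check is
    purely bitwise and never consults a subnet mask."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    w = int(ipaddress.IPv4Address(wildcard))
    must_match = 0xFFFFFFFF ^ w    # complement of the wildcard
    return (a ^ r) & must_match == 0


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.240.0", "255.0.0.0"):
        print(f"{mask:15} -> {inverse_mask(mask)}")
    print(wildcard_matches("192.168.12.77", "192.168.12.0", "0.0.0.255"))
```

Run it as a script to print the tip's rows; the matching check is what a standard access list does to the source address of every packet it inspects.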
The command for configuring a standard access list is as follows:
Router(config)#access-list {1-99} {permit | deny} source-addr
As you can see from the command syntax, the first option is to specify the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured.
CAUTION
All access lists have an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to create permit statements to allow valid traffic.
When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:
Router(config-if)#ip access-group {number | name} [in |
The access list is applied under the interface configuration mode. You must specify only the number or name and whether it is an incoming or an outgoing access list.
Extended Access Lists
Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. As with standard lists, extended access lists are enabled for packets entering or exiting an interface. The list is searched sequentially; the first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well. The matching logic, however, is different than that used with standard access lists and makes extended access lists much more complex. Extended access lists can match source and destination addresses as well as different TCP and UDP ports. This gives greater flexibility and control over network access.
To configure extended access lists, the command is similar to the standard access list command, but with more options. The command is this:
Router(config)#access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [established]
The first value that you must configure is the access list number. Extended access lists range from 100 to 199. Then you need to permit or deny the criteria that you will specify next. The next value is the protocol type. Here, you could specify IP, TCP, UDP, or other specific IP sub-protocols. The next value is the source IP address and its wildcard mask. Next is the destination IP address and its wildcard mask. When the destination IP address and mask are configured, you can specify the port number that you want to match, by number or by a well-known port name.
As with standard access lists, after the extended access list is created, you need to apply it to an interface with the ip access-group command. Review the lab objectives associated with the chapter before beginning to configure the access lists.
Final Lab Results
You now have successfully configured IPX routing and verified its proper operation, per the lab objectives. You have configured IPX routing for both IPX RIP and IPX EIGRP, and you have seen that IPX route redistribution is occurring and that IPX EIGRP split horizon has been disabled on the hub Frame Relay router (R3's Serial 0 interface). Lastly, you have seen some commands to verify your configuration and have tested IPX connectivity using the ping command. Figure 14-2 shows the IPX routing domains for IPX RIP and IPX EIGRP.
Figure 14-2. IPX Routing Domains
In summary, review those commands that have been introduced in this chapter, as shown in Table 14-3.
Table 14-3. Command Summary for IPX Configuration and Troubleshooting
Command                                                  Purpose
ipx router eigrp [autonomous system number]              Enables the IPX EIGRP routing process
no ipx split-horizon eigrp [autonomous system number]    Disables IPX split horizon on an IPX EIGRP interface
ipx router rip                                           Enters the IPX RIP routing process
show ipx interface brief                                 Displays a summary of configured IPX interfaces
show ipx interface                                       Displays a detailed status of IPX interfaces
show ipx traffic                                         Shows IPX packet information
show ipx servers                                         Lists the services discovered through SAP advertisements
show ipx route                                           Lists the entries in the IPX routing table
ping ipx                                                 Verifies IPX connectivity
The IPX routing configuration is now complete. Chapter 15, "Standard and Extended Access Lists," reviews IP standard and extended access lists and configures these in the lab environment.
Chapter 16. Cisco Router Operations
This chapter covers the following topics:
Cisco router boot sequence and configuration
Backing up Cisco IOS Software image files
Upgrading Cisco IOS Software image files from TFTP servers
Backing up/restoring configuration files to/from TFTP servers
This chapter reviews some basic router operations necessary to manage Cisco IOS Software images and configuration files. This chapter begins by reviewing Cisco router boot order and then focuses on the practical application of controlling the router boot sequence, upgrading Cisco IOS Software image files, and managing router configuration files. If you need an in-depth review on these topics, refer to Chapter 4 of Interconnecting Cisco Network Devices or Chapter 2 of Cisco CCNA Exam #640-607 Certification Guide.
Chapter 17. Troubleshooting
In this chapter you will have the opportunity to troubleshoot different internetworking problems. The chapter presents four scenarios in which you identify the problem, isolate where the issue resides, and then resolve the problem.
Before beginning with the scenarios, you should familiarize yourself with a few basic troubleshooting steps. One of the most important items to remember about troubleshooting is to have a process or a methodology that you can repeat for every internetworking problem that you might encounter. From our own experiences and studies, we recommend using the OSI reference model to isolate these problems. That is, always start at the physical layer, verify that no problems exist, and then move on to the data link layer, on to the network layer, and so on. This provides a repeatable process for all internetworking problems.
Another helpful hint is to always start the troubleshooting process closest to where the symptom is experienced. For instance, if users on router R6 are having problems accessing a resource off router R1, start the troubleshooting process on R6 and then move on to the next router in the path to the destination router, R1. This will follow the path of the symptom until the source of the problem is isolated and can be resolved. These processes are demonstrated in the scenarios included in this chapter.
To troubleshoot properly, you will need to understand the physical topology, the logical addressing, and routing domain boundaries. This chapter refers to the complete lab diagram, shown in Figure 17-1, that you should have been developing throughout the book.
Figure 17-1. Completed Lab Diagram
Lab Objectives
Note that you will not be testing the access lists because no host resides on any of the segments. Instead, you will configure, apply, and verify that the access lists are configured correctly with the appropriate show commands.
Here are the objectives:
For standard access lists, create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)
For extended access lists, create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:
- Deny http (www) traffic from reaching R5's Token Ring network.
- Deny SMTP traffic from reaching R3's E0 network.
- Permit anything else.
The key terms to recognize in the lab objectives are outgoing and incoming. Remember, these keywords will affect how you build your access lists. Let's configure the standard access list first.
Configuring Standard Access Lists
To better understand what you must accomplish with the access lists, refer to the environment in Figure 15-1.
Figure 15-1. Standard Access List Scenario
From the lab objectives, you want to do the following:
Create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)
From the figure, you can see that a virtual network (192.168.12.0/24) exists off R1; you want to keep hosts on that network segment from reaching the Frame Relay network (192.168.100.0/24). An important issue to point out is that, because this is a standard access list, there is no way to filter on the destination address. So, when you configure the access list to filter on the source IP address of 192.168.12.0/24, you will stop that traffic from going to the Frame Relay network, as well as all other networks behind R2's S0, the interface on which you are going to apply the access list.
Because it is an outgoing access list, you will create the access list with the source address of the network 192.168.12.0 to be denied, but you will allow all other traffic to pass. Remember, there is an implicit deny after all access lists. Create the access list on R2, as demonstrated in Example 15-1.
Example 15-1 Standard Access List Configuration
Termserver#2
[Resuming connection 2 to r2 ... ]
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 192.168.12.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#
The most important aspect of the access-list command is the wildcard mask portion. This tells the router where to match and where not to. The first three zeros in the wildcard mask (0.0.0) signify that the first three numbers of the source IP address of a packet must match the first three numbers of the IP address previously configured (192.168.12). The final .255 portion of the mask signifies that the fourth number of the source IP address field is not examined for a match. In other words, any packet that has a source IP address beginning with 192.168.12 will be matched against the access list and, therefore, will be denied, regardless of the fourth number in the source IP address field of the IP packet (0 to 255). The second line of the access list simply permits all other traffic. Without that statement, all IP traffic would be blocked because of the implicit deny at the end of all access lists.
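Because no hosts exist off 192.168.12.0 in the lab, the list cannot be exercised on the router. The following added example (my own code, not from the book) simulates what the router does with access-list 1: it parses the two lines exactly as typed in Example 15-1, searches them in order, stops at the first match, and falls through to the implicit deny. It also parses the extended syntax described earlier in the chapter so the same first-match logic can be seen with protocol and port matching. The extended list below is constructed for illustration only; the book does not give the addresses of R5's Token Ring network or R3's E0 network in this section, so the placeholder networks 192.0.2.0/24 and 198.51.100.0/24 stand in for them.

```python
# Added example (not from the book): first-match evaluation of IOS numbered
# access lists, standard (1-99) and extended (100-199), with implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names the book uses in its lab objectives (plus a few common ones).
WELL_KNOWN_PORTS = {"www": 80, "smtp": 25, "telnet": 23, "ftp": 21, "domain": 53}
ANY = 0xFFFFFFFF   # wildcard with every bit set: "may vary" everywhere


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip", "tcp", "udp"; standard lists use "ip"
    src: int
    src_wild: int
    dst: int = 0                   # standard lists never look at the destination,
    dst_wild: int = ANY            # so they get the "any" destination
    dst_port: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _match(addr: int, ref: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must agree.
    return ((addr ^ ref) & (ANY ^ wild)) == 0


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' at t[i];
    return (address, wildcard, index of the next token)."""
    if t[i] == "any":
        return 0, ANY, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():      # explicit wildcard follows
        return _ip(t[i]), _ip(t[i + 1]), i + 2
    return _ip(t[i]), 0, i + 1                         # bare address = single host


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' line in the forms the
    chapter shows; extended lines may end with 'eq <port-name-or-number>'."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a recognised access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                              # standard: source only
        src, wild, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, wild)
    if 100 <= number <= 199:                           # extended
        proto = t[3].lower()
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = WELL_KNOWN_PORTS.get(t[i + 1]) or int(t[i + 1])
        return Entry(action, proto, src, src_wild, dst, dst_wild, port)
    raise ValueError(f"list number {number} is outside the numbered IP ranges")


def evaluate(entries: List[Entry], src: str, dst: str,
             proto: str = "ip", dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny'. The list is searched sequentially; the first
    matching statement decides, and a packet matching nothing is denied."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not (_match(s, e.src, e.src_wild) and _match(d, e.dst, e.dst_wild)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"                                      # the implicit deny


# Example 15-1 from the book, exactly as typed on R2.
STANDARD_ACL_1 = [
    "access-list 1 deny 192.168.12.0 0.0.0.255",
    "access-list 1 permit any",
]

# Constructed extended list in the spirit of the lab objective; the two
# destination networks are placeholders, NOT the lab's real addresses.
EXTENDED_ACL_101 = [
    "access-list 101 deny tcp any 192.0.2.0 0.0.0.255 eq www",
    "access-list 101 deny tcp any 198.51.100.0 0.0.0.255 eq smtp",
    "access-list 101 permit ip any any",
]


def standard_list_decisions() -> dict:
    acl = [parse_entry(line) for line in STANDARD_ACL_1]
    return {
        "12.0 host -> Frame Relay": evaluate(acl, "192.168.12.77", "192.168.100.3"),
        "12.0 host -> other network": evaluate(acl, "192.168.12.1", "192.168.2.2"),
        "other host -> Frame Relay": evaluate(acl, "192.168.1.10", "192.168.100.3"),
    }


def without_permit_any() -> str:
    # Leave out the 'permit any' line: even innocent traffic hits the implicit deny.
    acl = [parse_entry(STANDARD_ACL_1[0])]
    return evaluate(acl, "192.168.1.10", "192.168.100.3")
```

The second decision in standard_list_decisions shows the point the text makes about standard lists: a packet from 192.168.12.0/24 is denied whatever its destination, because the list never examines the destination address.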
The second step to configuring the access list is to apply it to the appropriate interface. From the lab objectives, you want to apply this access list on the S0 interface of R2 and make it check outgoing packets. To apply the access list, you need to be in interface mode for S0 and apply the ip access-group command. Example 15-2 illustrates how to apply the access list to the interface.
Example 15-2 Applying the Access List to the Interface
R2(config)#int s0
R2(config-if)#ip access-group 1 out
R2(config-if)#
This configuration applies access-list 1 to all outgoing packets on R2's S0 interface. Because you do not have any hosts off 192.168.12.0, you cannot verify that it is working properly. However, you can use some show commands to make sure that the access list has been applied correctly on the interface.
The first show command is this one:
Router#show ip access-lists {number}
The only option here is to specify the specific access list number that you want to see. If no number is specified, all access lists are shown. Example 15-3 shows sample output from this command.
Example 15-3 show ip access-list Command Output
R2(config-if)#end
R2#show ip access-lists
Standard IP access list 1
    deny   192.168.12.0, wildcard bits 0.0.0.255
    permit any
R2#
This show command reveals all the important information:
Whether it is a standard or an extended IP access list
The access list number
All the configured statements for that access list
You configured only one access list, so the output shows information for just access-list 1 that you configured in Example 15-1.
Another useful show command is this one:
Router#show ip interface [interface-type] [interface-number]
The option that you can use here is to specify the interface type and number.
Because you have only one access list configured on S0, use that as an example. Example 15-4 demonstrates this command.
Example 15-4 show ip interface s0 Command Output
R2#show ip interface s0
Serial0 is up, line protocol is up
  Internet address is 192.168.100.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 1
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  Web Cache Redirect is disabled
  BGP Policy Mapping is disabled
R2#
The command output has very useful information, but the focus here is on what IP access lists are configured for this interface. The two lines "Outgoing access list is 1" and "Inbound access list is not set" tell you quickly which access list(s) have been configured and whether they are incoming access lists or outgoing access lists.
Before moving on to configure the extended access list, take a look at the running configuration of R2 to see where the access list configuration commands are placed in the file. Example 15-5 displays the output of the running configuration file.
Example 15-5 R2's Running Config
Termserver#r2
Trying r2 (192.168.10.10, 2002)... Open
R2#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
enable password falcons
!
username all
ip subnet-zero
no ip domain-lookup
ip host R1 192.169.1.1
ip host R2 192.169.2.2
ip host R3 192.169.3.3
ip host R4 192.169.4.4
ip host R5 192.169.5.5
ip host R6 192.169.6.6
ipx routing 0000.0000.2222
!
!
!
interface Loopback0
 ip address 192.169.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2100
!
interface Ethernet1
 description This interface does not connect with another IP de
 ip address 192.168.2.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2000
!
interface Serial0
 description This interface connects to R3's S0 (201)
 ip address 192.168.100.2 255.255.255.0
 ip access-group 1 out
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 ipx network 1000
 frame-relay map ip 192.168.100.3 201 broadcast
 frame-relay map ip 192.168.100.4 201 broadcast
 frame-relay map ipx 1000.0000.0000.4444 201 broadcast
 frame-relay map ipx 1000.0000.0000.3333 201 broadcast
 frame-relay lmi-type ansi
!
router eigrp 100
 redistribute rip metric 2000 200 255 1 1500
 network 192.168.100.0
!
router rip
 redistribute eigrp 100 metric 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.169.2.0
!
ip classless
!