
Cisco Press, CCNA Practical Studies, April 2002, ISBN 1587200465







Chapter 15. Standard and Extended Access Lists

This chapter covers the following topics:
- Standard access lists
- Extended access lists

This chapter covers the difference between standard and extended access lists and their various uses. You will configure access lists according to the lab objectives stated in the chapter, verify their operation, and apply them to the router interfaces appropriately.

Network security using access lists is a fundamental requirement that Cisco expects from CCNAs. Although you can use a variety of methods to write access lists, it is important that you understand the logic behind the access lists. This chapter briefly reviews the different access lists and the commands needed to configure and apply them in the appropriate manner. For a more comprehensive review of access lists, refer to Chapter 9 of Interconnecting Cisco Network Devices.












Part III: Access Lists, Cisco IOS Software Operations, and Troubleshooting

Chapter 15 Standard and Extended Access Lists
Chapter 16 Cisco Router Operations
Chapter 17 Troubleshooting










Standard/Extended Access List Fundamentals

Cisco has defined two types of IP access lists: standard and extended. However, only one type can be applied to an interface in a given direction at a time. This means that you cannot have an inbound standard access list and an inbound extended access list applied to the same interface. Each access list type has its own number range and its own applications in network security.


Standard Access Lists

Standard access lists match packets by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. However, the matching is flexible and does not consider the subnet mask in use.

Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. This mask is so named because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must match" and ones mean "may vary."

TIP
The easy way to calculate the inverse mask when you already know the normal mask is to subtract it from all ones. The table that follows shows an example. The normal mask is subtracted, column by column, from the all-ones mask to determine the inverse mask.

All Ones       255   255   255   255
Normal Mask    255   255   240     0
Inverse Mask     0     0    15   255

The command for configuring a standard access list is as follows:

Router(config)#access-list {1-99} {permit | deny} source-addr

As you can see from the command syntax, the first option is to specify the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured.

CAUTION
All access lists have an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to create permit statements to allow valid traffic.

When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:

Router(config-if)#ip access-group {number | name} [in |

The access list is applied under the interface configuration mode. You must specify only the number or name and whether it is an incoming or an outgoing access list.

Extended Access Lists

Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. As with standard lists, extended access lists are enabled for packets entering or exiting an interface. The list is searched sequentially; the first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well. The matching logic, however, is different than that used with standard access lists and makes extended access lists much more complex. Extended access lists can match source and destination addresses as well as different TCP and UDP ports. This gives greater flexibility and control over network access.

To configure extended access lists, the command is similar to the standard access list command, but with more options. The command is this:

Router(config)#access-list {100-199} {permit | deny} protocol
mask] [operator operand] destination-addr [destination-mask
[established]

The first value that you must configure is the access list number. Extended access lists range from 100 to 199. Then you need to permit or deny the criteria that you will specify next. The next value is the protocol type. Here, you could specify IP, TCP, UDP, or other specific IP sub-protocols. The next value is the source IP address and its wildcard mask. Next is the destination IP address and its wildcard mask. When the destination IP address and mask are configured, you can specify the port number that you want to match, by number or by a well-known port name.

As with standard access lists, after the extended access list is created, you need to apply it to an interface with the ip access-group command. Review the lab objectives associated with the chapter before beginning to configure the access lists.











Final Lab Results

You now have successfully configured IPX routing and verified its proper operation, per the lab objectives. You have configured IPX routing for both IPX RIP and IPX EIGRP, and you have seen that IPX route redistribution is occurring and that IPX EIGRP split horizon has been disabled on the hub Frame Relay router (R3's Serial 0 interface). Lastly, you have seen some commands to verify your configuration and have tested IPX connectivity using the ping command. Figure 14-2 shows the IPX routing domains for IPX RIP and IPX EIGRP.

Figure 14-2. IPX Routing Domains

In summary, review those commands that have been introduced in this chapter, as shown in Table 14-3.

Table 14-3. Command Summary for IPX Configuration and Troubleshooting

Command                                                Purpose
ipx router eigrp [autonomous system number]            Enables the IPX EIGRP routing process
no ipx split-horizon eigrp [autonomous system number]  Disables IPX split horizon on an IPX EIGRP interface
ipx router rip                                         Enters the IPX RIP routing process
show ipx interface brief                               Displays a summary of configured IPX interfaces
show ipx interface                                     Displays a detailed status of IPX interfaces
show ipx traffic                                       Shows IPX packet information
show ipx servers                                       Lists the services discovered through SAP advertisements
show ipx route                                         Lists the entries in the IPX routing table
ping ipx                                               Verifies IPX connectivity

The IPX routing configuration is now complete. Chapter 15, "Standard and Extended Access Lists," reviews IP standard and extended access lists and configures these in the lab environment.




















Chapter 16. Cisco Router Operations

This chapter covers the following topics:
- Cisco router boot sequence and configuration
- Backing up Cisco IOS Software image files
- Upgrading Cisco IOS Software image files from TFTP servers
- Backing up/restoring configuration files to/from TFTP servers

This chapter reviews some basic router operations necessary to manage Cisco IOS Software images and configuration files. This chapter begins by reviewing Cisco router boot order and then focuses on the practical application of controlling the router boot sequence, upgrading Cisco IOS Software image files, and managing router configuration files. If you need an in-depth review on these topics, refer to Chapter 4 of Interconnecting Cisco Network Devices or Chapter 2 of Cisco CCNA Exam #640-607 Certification Guide.












Chapter 17. Troubleshooting

In this chapter you will have the opportunity to troubleshoot different internetworking problems. The chapter presents four scenarios in which you identify the problem, isolate where the issue resides, and then resolve the problem.

Before beginning with the scenarios, you should familiarize yourself with a few basic troubleshooting steps. One of the most important items to remember about troubleshooting is to have a process or a methodology that you can repeat for every internetworking problem that you might encounter. From our own experiences and studies, we recommend using the OSI reference model to isolate these problems. That is, always start at the physical layer, verify that no problems exist, and then move on to the data link layer, on to the network layer, and so on. This provides a repeatable process for all internetworking problems.

Another helpful hint is to always start the troubleshooting process closest to where the symptom is experienced. For instance, if users on router R6 are having problems accessing a resource off router R1, start the troubleshooting process on R6 and then move on to the next router in the path to the destination router, R1. This will follow the path of the symptom until the source of the problem is isolated and can be resolved. These processes are demonstrated in the scenarios included in this chapter.

To troubleshoot properly, you will need to understand the physical topology, the logical addressing, and routing domain boundaries. This chapter refers to the complete lab diagram, shown in Figure 17-1, that you should have been developing throughout the book.

Figure 17-1. Completed Lab Diagram










Lab Objectives

Note that you will not be testing the access lists because no host resides on any of the segments. Instead, you will configure, apply, and verify that the access lists are configured correctly with the appropriate show commands.

Here are the objectives:
- For standard access lists, create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)
- For extended access lists, create an extended incoming access list and apply it on R3's S0 interface to fulfill the following requirements:
  - Deny http (www) traffic from reaching R5's Token Ring network.
  - Deny SMTP traffic from reaching R3's E0 network.
  - Permit anything else.

The key terms to recognize in the lab objectives are outgoing and incoming. Remember, these keywords will affect how you build your access lists. Let's configure the standard access list first.

Configuring Standard Access Lists

To better understand what you must accomplish with the access lists, refer to the environment in Figure 15-1.

Figure 15-1. Standard Access List Scenario

From the lab objectives, you want to do the following:
- Create a standard outgoing access list and apply it on R2's S0 interface so that users on network 192.168.12.0 are denied access to the Frame Relay network. (Assume that this network exists off R1.)

From the figure, you can see that a virtual network (192.168.12.0/24) exists off R1; you want to keep hosts on that network segment from reaching the Frame Relay network (192.168.100.0/24). An important issue to point out is that, because this is a standard access list, there is no way to filter on the destination address. So, when you configure the access list to filter on the source IP address of 192.168.12.0/24, you will stop that traffic from going to the Frame Relay network, as well as all other networks behind R2's S0, the interface on which you are going to apply the access list.


Because it is an outgoing access list, you will create the access list with the source address of the network 192.168.12.0 to be denied, but you will allow all other traffic to pass. Remember, there is an implicit deny after all access lists. Create the access list on R2, as demonstrated in Example 15-1.

Example 15-1 Standard Access List Configuration
Termserver#2
[Resuming connection 2 to r2 ... ]
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny 192.168.12.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#

The most important aspect of the access-list command is the wildcard mask portion. This tells the router where to match and where not to. The first three zeros in the wildcard mask (0.0.0) signify that the first three numbers of the source IP address of a packet must match the first three numbers of the IP address previously configured (192.168.12). The final .255 portion of the mask signifies that the last number in the source IP address field will not be looked at for a match. In other words, any packet that has a source IP address beginning with 192.168.12 will be matched against the access list and, therefore, will be denied, regardless of the fourth number in the source IP address field of the IP packet (0 to 255). The second line of the access list simply permits all other traffic. Without that statement, all IP traffic would be blocked because of the implicit deny at the end of all access lists.
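As an added illustration of the matching logic this chapter describes (the inverse-mask TIP, the sequential first-match search that ends in an implicit deny, and the extra protocol, destination and port fields of an extended list), here is a small Python evaluator; it is not code from the book. The function names are assumptions, and the 10.5.0.0/24 and 10.3.0.0/24 networks standing in for R5's Token Ring and R3's E0 segments are placeholders, since the chapter does not give those addresses.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence

def inverse_mask(normal_mask: str) -> str:
    """The TIP's rule: subtract each octet of the normal mask from all ones (255)."""
    return ".".join(str(255 - int(o)) for o in normal_mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Zero bits in the wildcard must match, one bits may vary (the inverse of a normal mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care == 0

class Entry(NamedTuple):
    """One access-list statement. A standard list uses only action, src and src_wc."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                 # "ip" matches every IP protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # "any"
    dport: Optional[int] = None       # destination port, i.e. "eq <port>" (assumed operator)

def evaluate(acl: Sequence[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Sequential search: the first matching statement decides; no match is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every access list

# access-list 1 from Example 15-1 (standard: source address only)
ACL_1 = [
    Entry("deny", "192.168.12.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]

# Constructed extended list for the lab objectives; 10.5.0.0/24 (R5's Token Ring) and
# 10.3.0.0/24 (R3's E0) are placeholder networks, not addresses from the book.
ACL_101 = [
    Entry("deny", "0.0.0.0", "255.255.255.255", "tcp", "10.5.0.0", "0.0.0.255", 80),  # eq www
    Entry("deny", "0.0.0.0", "255.255.255.255", "tcp", "10.3.0.0", "0.0.0.255", 25),  # eq smtp
    Entry("permit", "0.0.0.0", "255.255.255.255", "ip"),                              # permit ip any any
]

if __name__ == "__main__":
    print(inverse_mask("255.255.240.0"))                             # 0.0.15.255
    print(evaluate(ACL_1, "ip", "192.168.12.77", "192.168.100.3"))   # deny
    print(evaluate(ACL_101, "tcp", "192.168.1.9", "10.5.0.20", 80))  # deny
```

Note that a UDP packet to port 80 on the placeholder Token Ring network is permitted, because the deny statement names tcp; that is the kind of gap the implicit deny does not cover once a permit any follows.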
The second step to configuring the access list is to apply it to the appropriate interface. From the lab objectives, you want to apply this access list on the S0 interface of R2 and make it check outgoing packets. To apply the access list, you need to be in interface mode for S0 and apply the ip access-group command. Example 15-2 illustrates how to apply the access list to the interface.

Example 15-2 Applying the Access List to the Interface
R2(config)#int s0
R2(config-if)#ip access-group 1 out
R2(config-if)#

This configuration applies access-list 1 to all outgoing packets on R2's S0 interface. Because you do not have any hosts off 192.168.12.0, you cannot verify that it is working properly. However, you can use some show commands to make sure that the access list has been applied correctly on the interface.
The first show command is this one:

Router#show ip access-lists {number}

The only option here is to specify the specific access list number that you want to see. If no number is specified, all access lists are shown. Example 15-3 shows sample output from this command.

Example 15-3 show ip access-list Command Output
R2(config-if)#end
R2#show ip access-lists
Standard IP access list 1
    deny   192.168.12.0, wildcard bits 0.0.0.255
    permit any
R2#

This show command reveals all the important information:
- Whether it is a standard or an extended IP access list
- The access list number
- All the configured statements for that access list

You configured only one access list, so the output shows information for just access-list 1 that you configured in Example 15-1.
Another useful show command is this one:

Router#show ip interface [interface-type] [interface-number

The option that you can use here is to specify the interface type and number.

Because you have only one access list configured on S0, use that as an example. Example 15-4 demonstrates this command.

Example 15-4 show ip interface s0 Command Output
R2#show ip interface s0
Serial0 is up, line protocol is up
  Internet address is 192.168.100.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 1
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  Web Cache Redirect is disabled
  BGP Policy Mapping is disabled
R2#
The command output has very useful information, but the focus here is on what IP access lists are configured for this interface. The highlighted line ("Outgoing access list is 1") tells you quickly which access list(s) have been configured and whether they are incoming access lists or outgoing access lists.

Before moving on to configure the extended access list, take a look at the running configuration of R2 to see where the access list configuration commands are placed in the file. Example 15-5 displays the output of the running configuration file.


Example 15-5 R2's Running Config
Termserver#r2
Trying r2 (192.168.10.10, 2002)... Open
R2#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
enable password falcons
!
username all
ip subnet-zero
no ip domain-lookup
ip host R1 192.169.1.1
ip host R2 192.169.2.2
ip host R3 192.169.3.3
ip host R4 192.169.4.4
ip host R5 192.169.5.5
ip host R6 192.169.6.6
ipx routing 0000.0000.2222
!
!
!
interface Loopback0
 ip address 192.169.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2100
!
interface Ethernet1
 description This interface does not connect with another IP de
 ip address 192.168.2.2 255.255.255.0
 no ip directed-broadcast
 ipx network 2000
!
interface Serial0
 description This interface connects to R3's S0 (201)
 ip address 192.168.100.2 255.255.255.0
 ip access-group 1 out
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 ipx network 1000
 frame-relay map ip 192.168.100.3 201 broadcast
 frame-relay map ip 192.168.100.4 201 broadcast
 frame-relay map ipx 1000.0000.0000.4444 201 broadcast
 frame-relay map ipx 1000.0000.0000.3333 201 broadcast
 frame-relay lmi-type ansi
!
router eigrp 100
 redistribute rip metric 2000 200 255 1 1500
 network 192.168.100.0
!
router rip
 redistribute eigrp 100 metric 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.169.2.0
!
ip classless
!

