11.1 Key Terms
packet filtering = A static check of known header fields in each packet, such as the source/destination IP address and the source/destination port, against a configured list of rules. The check is stateless: each packet is judged on its own headers, with no memory of earlier packets.
spoofed address = The source address of an IP packet that has been changed to one not actually assigned to, or belonging to, the host that sent it. Like identity theft for an IP address.
SYN-flood attack = An exploit against TCP's three-way handshake: the attacker sends a large number of initial SYN packets with no intent of answering the server's SYN-ACK and completing the session. Each unanswered SYN leaves a half-open, or embryonic, connection, and enough of them can overflow the server's session table so that legitimate clients cannot connect.
standard/extended ACL = Access control lists for packet filtering, identified by number. ACLs 1–99 are standard (match on source IP only) and 100–199 are extended (match on source and destination IP, the protocol, and port information). The expanded ranges 1300–1999 (standard) and 2000–2699 (extended) behave the same way.
numbered/named ACL = A numbered ACL is built with access-list commands and referred to by its number; a named ACL is built with ip access-list and referred to by name. Either kind can be standard or extended. Named ACLs are easier to edit than numbered ACLs because the ip access-list command enters a dedicated ACL configuration mode in which individual entries can be added or removed.
11.2 Things to Remember
11.2.1 Standard ACLs Versus Extended ACLs

Numeric range
Standard ACL > 1–99, 1300–1999
Extended ACL > 100–199, 2000–2699

Option for using names for the ACL instead of numbers
Standard ACL > Yes
Extended ACL > Yes

What they can match on
Standard ACL > Source IP only of the packet being compared to the list
Extended ACL > Source and destination IP, the protocol (IP, TCP, UDP, ICMP and others), and Layer 4 header fields such as TCP/UDP port numbers of the packet being compared to the list

Where to place
Standard ACL > As close to the destination as possible. Because a standard ACL matches on source only, applying it close to the source would cut that source off from every destination beyond the interface, not just the one you meant to block.
Extended ACL > As close to the source as possible. Because an extended ACL matches on a specific source and destination, it can drop the unwanted traffic before it crosses the network while leaving the source's traffic to other destinations permitted.
11.3 Command References

Command > Description
ipv6 traffic-filter BOGUS_SOURCE_FILTER in > Apply the named IPv6 ACL inbound, in interface configuration mode
object-group network A_Couple_Servers > Create a named network object group and move to object-group configuration mode
permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www > Permit TCP traffic from any source whose IP address begins with 44.44.1 (wildcard mask 0.0.0.255) to any host that is a member of the object group, if the destination TCP port is 80 (www)
ip access-group IINS_Extended_ACL_Example in > Apply the named IPv4 access list inbound, in interface configuration mode
11.4 Command Examples

Using the CLI to Implement an Access List
R1(config)# access-list 5 remark Block Server1's subnet from reaching Server 3
R1(config)# access-list 5 deny 11.11.11.0 0.0.0.255 log
R1(config)# access-list 5 permit 0.0.0.0 255.255.255.255

Apply the Access List to an Interface
R1(config)# interface GigabitEthernet3/0
R1(config-if)# ip access-group 5 out

Create a Network Object Group
R1(config)# object-group network A_Couple_Servers
R1(config-network-group)# description Server2 and Server3's host addresses
R1(config-network-group)# host 33.33.33.33
R1(config-network-group)# host 22.22.22.22

Using Object Groups as Part of the ACL
R1(config)# ip access-list extended IINS_Extended_ACL_Example
R1(config-ext-nacl)# remark This ACL uses object groups
R1(config-ext-nacl)# permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www
R1(config-ext-nacl)# deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet1/0
R1(config-if)# ip access-group IINS_Extended_ACL_Example in

Monitoring ACLs from the CLI
R1# show access-lists
R1# show ip int g3/0
R1# show ip int g1/0

Creating an IPv6 Access List and Applying It as a Filter
R1(config)# ipv6 access-list BOGUS_SOURCE_FILTER
R1(config-ipv6-acl)# deny 2001:12::/64 any
R1(config-ipv6-acl)# permit any any
R1(config-ipv6-acl)# exit
R1(config)# int g0/3
R1(config-if)# ipv6 traffic-filter BOGUS_SOURCE_FILTER in
R1(config-if)# do show ipv6 int g0/3
R1# show ipv6 access-list
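To see how the router actually walks these lists, here is an added example in Python (written for these notes, not code from the page or from Cisco): a small simulator that parses ACL entries in IOS syntax, applies wildcard masks (a 1 bit means "don't care"), stops at the first matching entry, and falls through to the implicit deny that every IOS ACL ends with. It replays the three ACLs from the command examples above (access-list 5, IINS_Extended_ACL_Example with its object group, and BOGUS_SOURCE_FILTER) and also illustrates the standard-versus-extended matching rules from section 11.2.1. The class and function names (Acl, Packet, replay_page_acls, implicit_deny_demo) and all packet addresses are assumptions of the example, and only the keywords used on this page (host, any, object-group, eq, log, remark) are supported.

```python
# Added example (not from the page): a minimal simulator of Cisco IOS ACL evaluation,
# covering wildcard masks, first-match ordering, the implicit deny and object groups.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "domain": 53, "smtp": 25}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    dport: Optional[int] = None  # destination port for tcp/udp

class Acl:
    def __init__(self, name, groups=None):
        self.name, self.entries = name, []
        self.groups = groups or {}   # object-group name -> set of member addresses

    def _addr(self, tokens, i):
        """Parse one address spec at tokens[i]; return (match function, next index)."""
        t = tokens[i]
        if t == "any":
            return (lambda ip: True), i + 1
        if t == "host":
            target = ipaddress.ip_address(tokens[i + 1])
            return (lambda ip: ip == target), i + 2
        if t == "object-group":
            members = self.groups[tokens[i + 1]]
            return (lambda ip: ip in members), i + 2
        if "/" in t:  # IPv6 ACL entries use prefix lengths, not wildcard masks
            net = ipaddress.ip_network(t, strict=False)
            return (lambda ip: ip in net), i + 1
        # IPv4 address plus wildcard mask: only bits where the wildcard is 0 are compared
        base = int(ipaddress.IPv4Address(t))
        care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
        return (lambda ip: ip.version == 4 and (int(ip) & care) == (base & care)), i + 2

    def add(self, line):
        """Append an entry written in IOS syntax, standard or extended form."""
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            return
        action, proto, i = tokens[0], "ip", 1
        if tokens[1] in PROTOCOLS:   # standard ACL entries omit the protocol keyword
            proto, i = tokens[1], 2
        src, i = self._addr(tokens, i)
        dst = lambda ip: True        # standard ACL entries match on source only
        if i < len(tokens) and tokens[i] not in ("eq", "log"):
            dst, i = self._addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        self.entries.append((action, proto, src, dst, dport))

    def evaluate(self, pkt):
        """Return 'permit' or 'deny': the first matching entry wins, else implicit deny."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, proto, src_ok, dst_ok, dport in self.entries:
            if proto != "ip" and proto != pkt.proto:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if src_ok(src) and dst_ok(dst):
                return action
        return "deny"  # the unseen "deny any" at the end of every IOS ACL

def replay_page_acls():
    """Rebuild the page's three ACLs and classify constructed sample packets."""
    groups = {"A_Couple_Servers": {ipaddress.ip_address("33.33.33.33"),
                                   ipaddress.ip_address("22.22.22.22")}}
    std, ext, v6 = Acl("5"), Acl("IINS_Extended_ACL_Example", groups), Acl("BOGUS_SOURCE_FILTER")
    for line in ("deny 11.11.11.0 0.0.0.255 log", "permit 0.0.0.0 255.255.255.255"):
        std.add(line)
    for line in ("permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www",
                 "deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers",
                 "permit ip any any"):
        ext.add(line)
    for line in ("deny 2001:12::/64 any", "permit any any"):
        v6.add(line)
    return {  # the packet addresses below are made up for this example
        "std_server1_subnet": std.evaluate(Packet("11.11.11.9", "33.33.33.33")),
        "std_other_subnet": std.evaluate(Packet("11.11.12.9", "33.33.33.33")),
        "ext_web_to_server2": ext.evaluate(Packet("44.44.1.7", "22.22.22.22", "tcp", 80)),
        "ext_ssh_to_server2": ext.evaluate(Packet("44.44.1.7", "22.22.22.22", "tcp", 22)),
        "ext_other_subnet_web": ext.evaluate(Packet("44.44.9.9", "33.33.33.33", "tcp", 80)),
        "ext_elsewhere": ext.evaluate(Packet("44.44.9.9", "10.0.0.1", "udp", 53)),
        "v6_bogus_source": v6.evaluate(Packet("2001:12::1", "2001:db8::1")),
        "v6_other_source": v6.evaluate(Packet("2001:13::1", "2001:db8::1")),
    }

def implicit_deny_demo():
    """An ACL holding only deny entries blocks even traffic it never mentions."""
    acl = Acl("10")
    acl.add("deny 11.11.11.0 0.0.0.255")
    return acl.evaluate(Packet("192.0.2.1", "198.51.100.1"))
```

Calling replay_page_acls() shows the ordering effects that matter in practice: SSH from 44.44.1.7 to 22.22.22.22 is denied by the second entry even though the host sits in the 44.44.1.0/24 range the first entry names, because the first entry only matches destination port 80; a web request from 44.44.9.9 falls outside that /24 but inside the 44.44.0.0/16 deny; and traffic to any destination outside the object group reaches permit ip any any. implicit_deny_demo() returns "deny" for a packet no entry mentions, which is why every ACL that is meant to allow anything needs an explicit permit at the end.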