Chapter 3 Managing IP Traffic
Objectives
Upon completion of this chapter you will be able to perform the following tasks:
- Configure IP standard access lists
- Limit virtual terminal access
- Configure IP extended access lists
- Verify access list configuration
- Configure an alternative to using access lists
- Configure an IP helper address to manage broadcasts

Managing IP Traffic Overview
- Limit traffic and restrict network use
- Enable directed forwarding of broadcasts

Access List Application
- Access lists control packet movement through a network:
  - Transmission of packets on an interface
  - Virtual terminal line access (IP)

Other Access List Uses
- Access lists are multipurpose:
  - Route filtering (routing table)
  - Dial-on-demand routing
  - Priority and custom queuing (queue list)
Configuring IP Standard Access Lists
IP Standard Access Lists Overview
- Use the source address only (the destination address is not examined)
- Access list range: 1 to 99

Inbound Access List Processing for Standard IP Access Lists
1. An incoming packet arrives. Is an access list applied inbound on the interface? If not, route the packet to the outgoing interface and forward it.
2. Take the next entry in the list. Does the source address match?
   - Yes: apply the condition. Permit: route the packet to the outgoing interface and forward it. Deny: discard the packet and send an ICMP message.
   - No: are there more entries? Yes: check the next entry. No: deny the packet and send an ICMP message.

Outbound Access List Processing for Standard IP Access Lists
1. An incoming packet is first routed to the outgoing interface. Is an access list applied outbound on that interface? If not, forward the packet.
2. Take the next entry in the list. Does the source address match?
   - Yes: apply the condition. Permit: forward the packet. Deny: discard the packet and send an ICMP message.
   - No: are there more entries? Yes: check the next entry. No: deny the packet and send an ICMP message.

IP Addressing Review
Class | High-Order Bits | First Octet | Standard Mask
A     |                 |             |
B     |                 |             |
C     |                 |             |
Class B subnets; Class C subnets

Access Lists Use Wildcard Mask
- The slide's address/mask examples match: any address, a network exactly, a single host, the local broadcast only, and a subnet (*)
- 0 bit = the corresponding bit in the address must match
- 1 bit = unconditional match for the corresponding bit in the address
* Assuming the subnet mask shown on the slide

Access List Configuration Tasks
To create an access list, perform the following tasks:
1. Define an access list
2. Apply the list to an interface
Standard Access List Commands
Router(config)# access-list access-list-number {permit | deny} {source [source-wildcard] | any}
  Defines a standard access list (numbered 1-99)
Router(config-if)# ip access-group access-list-number {in | out}
  Applies an access list to a specific interface

Implicit Masks (for standard IP access lists)
Correct:
  access-list 1 permit
Common errors:
  access-list 1 permit        (mask not needed)
  access-list 1 permit        (omitted mask assumed to be 0.0.0.0)
  access-list 1 deny any
  access-list 1 deny          (last two lines unnecessary: implicit deny any)

Configuration Principles
- Top-down processing: place more specific references first
- Implicit deny any: unless the access list ends with an explicit permit any
- New lines are added to the end: cannot selectively add/remove lines
- Undefined access list = permit any: access list lines must be created for the implicit deny any to take effect

Standard Access List Example
Router(config)# access-list 2 permit
Router(config)# access-list 2 deny
Router(config)# access-list 2 permit
Router(config)# ! (Note: all other access implicitly denied)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 2 in
Diagram: hosts A, B, C and D; the Internet is reached through interface E0. Who can connect to A?
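To make the rules above concrete, here is an added example (not part of the course) that evaluates a Cisco-style standard access list in Python: wildcard-mask matching, top-down first match, the 0.0.0.0 default for an omitted mask, and the implicit deny any. The list and addresses are constructed for the example.

```python
# Added example, not from the course: a small evaluator for Cisco-style
# standard IP access lists. It shows the wildcard-mask rule (0 bit = must
# match, 1 bit = don't care), top-down first-match processing and the
# implicit "deny any" at the end of every list. Sample list is constructed.
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_standard_entry(line):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}'.
    Returns (number, action, network_int, wildcard_int). An omitted
    wildcard is taken as 0.0.0.0 (exact host match), as IOS does."""
    tok = line.lower().split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a standard access-list line: %r" % line)
    number, action, src = int(tok[1]), tok[2], tok[3]
    if src == "any":
        return number, action, 0, 0xFFFFFFFF
    if src == "host":
        return number, action, _ip(tok[4]), 0
    wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"
    return number, action, _ip(src), _ip(wildcard)


def wildcard_match(addr, network, wildcard):
    """Bits where the wildcard is 0 must equal the network; 1 bits are ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)


def evaluate(entries, source_ip):
    """Top-down: the first matching entry decides; no match means deny."""
    addr = _ip(source_ip)
    for _number, action, network, wildcard in entries:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"  # implicit deny any


# Constructed sample: the specific host entry is placed before the subnet entry
SAMPLE_LINES = [
    "access-list 2 deny host 172.16.3.7",
    "access-list 2 permit 172.16.3.0 0.0.0.255",
    "access-list 2 permit 10.1.1.5",            # omitted wildcard: host only
]
SAMPLE_ACL = [parse_standard_entry(l) for l in SAMPLE_LINES]
```

Reversing the first two entries lets 172.16.3.7 through, which is why the slide says to place more specific references first.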
Location of Standard Access Lists
Diagram: hosts V, W, X, Y and Z on one side and hosts A, B, C and D on the other, with two routers (interfaces E0 and E1) between them. The same list is shown as a candidate on each router:
  access-list 3 deny
  access-list 3 permit any
On which router should the access list be configured to deny host Z access to host V? How does the location of a standard access list change the policy implemented?

Virtual Terminal Access Overview
- Standard and extended access lists applied to interfaces will not block access from the router itself
- For security, virtual terminal (vty) access can be blocked to or from the router (the Router# prompt)
Restricting Virtual Terminal Access
How to Control vty Access
- Five virtual terminal lines (0-4)
- Set identical restrictions on all the virtual terminal lines
Diagram: the virtual port (vty 0 4) is reached through a physical port (E0).

Virtual Terminal Line Commands
Router(config)# line {vty number | vty-range}
  Enters configuration mode for a terminal line or a range of lines
Router(config-line)# access-class access-list-number {in | out}
  Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list

Virtual Terminal Access Example 1: Controlling Inbound Access
- Permits only hosts in the network shown to connect to the virtual terminal ports on the router
  access-list 12 permit
  !
  line vty 0 4
   access-class 12 in

Virtual Terminal Access Example 2: Controlling Outbound Access
- Permits terminal line connections only to the network shown
  access-list 13 permit
  !
  line vty 0 4
   access-class 13 out
IP Extended Access List Overview
- Control traffic by application, not just address
Diagram: Manufacturing, Accounting and Sales segments connected to the Internet, with SMTP, FTP and Telnet traffic shown.
Configuring IP Extended Access Lists
Extended Access List Processing
1. Is an access list applied? If not, forward the packet.
2. For the next entry in the list, check in turn: source address, destination address, protocol, and protocol options (* only if present in the access list entry).
   - All match: apply the condition. Permit: forward the packet. Deny: discard the packet and send an ICMP message.
   - Any field does not match: go to the next entry in the list (no match on any entry means the packet is denied).

Extended IP Access List Command
Router(config)# access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any} [protocol-specific options] {destination destination-wildcard | any}
  Defines an extended access list (numbered 100 to 199)
  Protocol keywords icmp, igmp, tcp and udp define alternate syntax with protocol-specific options

Extended Mask Keywords
- The keyword any can be used in place of the address 0.0.0.0 with mask 255.255.255.255
- The keyword host preceding an ip-address can be used in place of the mask 0.0.0.0
  access-list 101 permit ip
  ! (alternate configuration)
  access-list 101 permit ip
  access-list 101 permit ip
  ! (alternate configuration)
  access-list 101 permit ip any
  access-list 101 permit ip
  ! (alternate configuration)
  access-list 101 permit ip any
  access-list 101 permit ip
  ! (alternate configuration)
  access-list 101 permit ip any host

ICMP Command Syntax
- Filters based on ICMP messages
Router(config)# access-list access-list-number {permit | deny} icmp {source source-wildcard | any} {destination destination-wildcard | any} [icmp-type [icmp-code] | icmp-message]

TCP Syntax
- Filters based on TCP port number or name
Router(config)# access-list access-list-number {permit | deny} tcp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port] [established]

UDP Syntax
- Filters based on the UDP protocol or on UDP port number or name
Router(config)# access-list access-list-number {permit | deny} udp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port]

Extended Access List Example 1: Providing Internet Mail
  access-list 103 permit tcp any established
  access-list 103 permit tcp any host eq smtp
  !
  interface ethernet 1
   ip access-group 103 in
Diagram: host A on the internal Ethernet (E), mail server reachable from the Internet.

Extended Access List Example 2: Also Providing DNS and Ping
  access-list 104 permit tcp any established
  access-list 104 permit tcp any host eq smtp
  access-list 104 permit tcp any any eq domain
  access-list 104 permit udp any any eq domain
  access-list 104 permit icmp any any echo
  access-list 104 permit icmp any any echo-reply
  !
  interface serial 0
   ip access-group 104 in
Diagram: hosts A and B on E0/E1, serial interface S toward the Internet.
Location of Extended Access Lists
- Minimize the distance travelled by traffic that will be denied (and by ICMP unreachable messages)
- Keep denied traffic off the backbone
- Select the router that will receive the CPU overhead from access lists
- Consider the number of interfaces affected
- Consider access list management and security
- Consider the impact of network growth on access list maintenance
Verifying Access List Configuration
Access List show Commands
Router# show access-lists
  Displays access lists from all protocols
Router# show ip access-lists [access-list-number]
  Displays a specific IP access list
Router# clear access-list counters [access-list-number]
  Clears packet counts
Router# show line
  Displays line configuration

show ip access-list Command
Router# show ip access-list
Extended IP access list 101
    deny udp any any eq ntp
    permit tcp any any
    permit udp any any eq tftp
    permit icmp any any
    permit udp any any eq domain
Router#
Using an Alternative to Access Lists
Null Interface
- A route to nowhere saves valuable CPU cycles: a packet that arrives is matched against the routing table once instead of against every permit/deny entry of an access list
Diagram: packet arrives; the access list path walks entries (permit, deny, permit, ...) while the routing-table path sends the packet to Null 0; interfaces S0, E0, T0, S1.

Null Interface Command
Router(config)# ip route address mask null 0
  Creates a static route to filter unwanted traffic
  The interface name is always null 0

Null Interface Example
  ip route null 0
  Eliminates traffic for the network shown from the WAN
Using Helper Addresses
Helper Addressing Overview
- Routers do not forward broadcasts by default
- Helper addresses provide selective connectivity
Diagram: diskless workstation and boot server on different segments.

Why Use a Helper Address?
- Sometimes clients do not know the server address
- Helpers change a broadcast into a unicast to reach the server
Diagram: the diskless workstation broadcasts "Looking for boot server".

IP Helper Address Commands
Router(config-if)# ip helper-address address
  Enables forwarding and specifies the destination address for the main UDP broadcast packets
  Changes the destination address from broadcast to a unicast or directed broadcast address
Router(config)# ip forward-protocol {udp [port] | nd | sdns}
  Specifies which protocols will be forwarded

Single Server - Remote Medium: Forwarding Default UDP Broadcasts
  interface ethernet 0
   ip address
   ip helper-address
Diagram: diskless workstation on E0, boot server on the remote medium.

Single Server - Remote Medium: Forwarding Default and Other Broadcasts
  interface ethernet 0
   ip address
   ip helper-address
  !
  ip forward-protocol udp 3000
  no ip forward-protocol udp 69
Diagram: BOOTP broadcast from the diskless workstation on E0 to the boot server.

Server Location
- Single server - remote medium
- Multiple servers - remote medium
- Multiple servers - remote media

Single Server - Remote Medium: Directed Broadcast into Subnet
  interface ethernet 0
   ip address
   ip helper-address
Diagram: the broadcast received on E0 is sent as a directed broadcast to the subnet holding the BOOTP server and the DNS server.

Multiple Servers - Remote Medium: Directed Broadcast and Unicast
  interface ethernet 0
   ip address
   ip helper-address
   ip helper-address
Diagram: the broadcast received on E0 is sent as a directed broadcast to the subnet holding the BOOTP and DNS servers, and as a unicast to the FTP server.
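An added example (not from the course) that models the helper-address behaviour of the last few slides in Python: each helper address on the inbound interface receives its own copy of a forwarded UDP broadcast, rewritten to that unicast or directed-broadcast address, while "ip forward-protocol udp" adds or removes ports from the set that is relayed. The default UDP port set is an assumption taken from IOS documentation, and the topology and addresses are constructed.

```python
# Added example, not from the course: a model of how "ip helper-address"
# (interface mode) and "ip forward-protocol udp" (global mode) decide whether
# a UDP broadcast received on an interface is relayed, and to which unicast or
# directed-broadcast destinations. The default port set below is an assumption
# based on IOS documentation (Time 37, TACACS 49, DNS 53, BOOTP 67/68,
# TFTP 69, NetBIOS 137/138); topology and addresses are constructed.
DEFAULT_UDP_PORTS = frozenset({37, 49, 53, 67, 68, 69, 137, 138})
LIMITED_BROADCAST = "255.255.255.255"


class HelperRouter:
    def __init__(self):
        self.helpers = {}                        # interface -> [helper addresses]
        self.forward_udp = set(DEFAULT_UDP_PORTS)

    def configure(self, line, interface=None):
        """Apply one configuration line of the kinds shown on the slides."""
        tok = line.split()
        if tok[:2] == ["ip", "helper-address"]:
            if interface is None:
                raise ValueError("ip helper-address is an interface command")
            self.helpers.setdefault(interface, []).append(tok[2])
        elif tok[:3] == ["ip", "forward-protocol", "udp"]:
            self.forward_udp.add(int(tok[3]))         # relay one more UDP port
        elif tok[:4] == ["no", "ip", "forward-protocol", "udp"]:
            self.forward_udp.discard(int(tok[4]))     # stop relaying a default port
        else:
            raise ValueError("unsupported line: " + line)

    def relay(self, interface, dst_ip, dst_port):
        """Destinations the broadcast is copied to; [] means it is dropped.
        Only the limited broadcast is modelled; each helper address on the
        inbound interface gets its own copy addressed to that helper."""
        if dst_ip != LIMITED_BROADCAST or dst_port not in self.forward_udp:
            return []
        return list(self.helpers.get(interface, []))


def build_sample():
    """Constructed topology: E0 relays to a unicast BOOTP server and to the
    directed broadcast of the server subnet; port 3000 added, TFTP removed."""
    r = HelperRouter()
    r.configure("ip helper-address 172.16.10.3", interface="ethernet 0")
    r.configure("ip helper-address 172.16.20.255", interface="ethernet 0")
    r.configure("ip forward-protocol udp 3000")
    r.configure("no ip forward-protocol udp 69")
    return r
```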
Summary
You can manage IP traffic by:
- Controlling packet transmission on each medium
- Using a static route to the null interface in place of an access list to minimize processing overhead
- Configuring helper addresses to forward broadcasts
Standard access lists are easy to configure and require lower processing overhead; extended access lists provide greater control.