Chapter 10
Access Lists
Objectives
• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Develop standard IPX access lists
• Create extended IPX access lists
• Define IPX SAP filters
• Apply access lists to interfaces
• Monitor and verify access lists
Access Lists: Usage and Rules
• Network traffic flow and security influence the design and management of computer networks
• Access lists address both concerns: they let a router drop unwanted traffic and restrict which hosts and services can reach each other
• Access lists are ordered permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
Access List Usage
• Implicit deny any
– Every list ends with an unwritten deny any, so a packet that matches none of the lines you typed is dropped
Figure 10-1: Sample network
Problems with Access Lists
• One of the most common problems associated with access lists is a lack of planning
• Another troublesome area is the sequential nature in which you must enter the list into the router: each line is appended after the previous one, and a numbered list cannot be edited in place, so a forgotten or misordered line means removing and re-entering the whole list
• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list: once the list is applied to the interface their session arrives on, the implicit deny drops their own Telnet traffic unless a permit for it was typed first, and the session is cut off. A common safeguard is to schedule a reload (reload in 10) before applying the list and cancel it once the change is confirmed to work
Access List Rules
Figure 10-2: No access-list command
Access List Rules
• Inbound
– Direction parameter used when applying an access list to an interface
– The list is checked against packets as they enter the router through that interface, before the routing decision
• Outbound
– Direction parameter used when applying an access list to an interface
– The list is checked against packets after the routing decision, as they leave the router through that interface
Access List Rules
Figure 10-3: The man in the router
Access List Rules
• Routers store the lines of a list in the order in which you type them into the router
• Routers test each packet against those lines sequentially, from the top
• Processing stops at the first line that matches; the packet is then permitted or denied by that line, and the remaining lines are never consulted
Access List Rules
• Lists always end with an implicit deny
• Access lists must be applied to an interface as either inbound or outbound traffic filters; a list that is defined but not applied filters nothing
• Only one list, per protocol, per direction can be applied to an interface
• Access lists are effective as soon as they are applied
Standard IP Access Lists
• Standard IP access lists
– Filter network traffic based on the source IP address only
– Using a standard IP access list, you can filter traffic by a host IP, subnet, or network address
• Wildcard mask
– Also called inverse mask
– Applied to IP addresses to determine if an access list line will act upon a packet
– A 0 bit in the mask means the corresponding address bit must match; a 1 bit means it is ignored (0.0.0.0 matches a single host, 0.0.0.255 matches a /24 subnet, 255.255.255.255 matches any address)
Table 10-1: Wildcard mask examples
Figure 10-4: Wildcard masking example matching a single host
Figure 10-5: Wildcard masking example matching a complete subnet
• Partial masking
– When an octet in a wildcard mask contains a mix of binary 1s and 0s, so that only some bits of that octet are compared (for example, 0.0.3.255 matches a block of four consecutive /24 networks)
Figure 10-6: Wildcard masking example using partial masking
Figure 10-7: Wildcard masking example without match
Standard IP Access List Examples
Figure 10-8: Sample IP network
Figure 10-9: Creating a standard IP access list
Figure 10-10: Sample IP network with two Ethernet interfaces on RouterB
Figure 10-11: show access-lists and show ip access-lists commands
Figure 10-12: show ip interface command
Figure 10-13: Removing an IP access list from an interface
Figure 10-14: show ip interface after removal of access list 1 from e0
Figure 10-15: Creation and application of a standard IP access list
Figure 10-16: show access-lists and show ip interface commands
Figure 10-17: Access list that blocks multiple subnets
Monitoring Standard IP Access Lists
• Three main commands are available for monitoring access lists on your router:
– show access-lists (every list of every protocol, with per-line match counters)
– show ip access-lists (IP lists only)
– show interfaces or show ip interface (which list, if any, is applied to each interface and in which direction)
• Run each of these commands after creating and applying access lists: a list that exists but is not shown on the interface is filtering nothing
Extended IP Access Lists
• IP access lists that filter traffic by:
– Source IP address
– Destination IP address
– Protocol type
– Port number
Extended IP Access List Examples
Figure 10-18: Sample IP network with a Web server
• Unlike standard IP access lists, extended access lists do not have a default wildcard mask of 0.0.0.0
– You must specify the wildcard mask for both the source and the destination IP address
• The host keyword is short for a wildcard mask of 0.0.0.0
– The line is applied only to packets whose address matches the single address given after host
• The any keyword is short for 0.0.0.0 255.255.255.255 and matches every address
Extended IP Access List Examples
Figure 10-19: Extended IP access list example
Figure 10-19 (cont.): Extended IP access list example
Figure 10-20: Extended IP access list example continued
Figure 10-20 (cont.): Extended IP access list example continued
Figure 10-21: Applying an extended IP access list to an interface
Figure 10-22: Removing an extended IP access list from an interface
The “Established” Parameter
• Network administrators often want to block all TCP/IP traffic that originates outside their network from coming into their network
• If you use deny statements to deny all incoming traffic, no one inside will be able to browse the Web, ping, or do anything else that depends on a response coming back to a request
• The easiest way around this problem for TCP is an extended IP access list with the established parameter: the line matches only TCP segments with the ACK or RST bit set, which is what replies to connections opened from inside look like, while a new connection from outside (a bare SYN) does not match
• established does not track connections; it inspects header bits only, so a crafted segment with ACK set will pass it, and it applies only to TCP, so a ping reply (ICMP) still needs its own permit line
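The behaviour of an extended list with established, including the two limits just described, can be checked against constructed packets. This is an added example for this page, not Cisco code and not one of the chapter's figures: it parses a subset of the extended-list syntax (access-list, permit/deny, protocol, any/host/address-with-wildcard for source and destination, eq port, an ICMP type name, established) and evaluates packets in typed order with the implicit deny. List number 101, the 192.168.1.0/24 inside network and the outside addresses are hypothetical; the short wildcard-mask helper is the same comparison used for standard lists.

```python
"""Extended IP access-list evaluation with 'established' (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & ~w) == 0


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'X W' at tokens[i]; return (base, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        base, wc, nxt = tokens[i + 1], "0.0.0.0", i + 2
    else:
        base, wc, nxt = tokens[i], tokens[i + 1], i + 2   # extended lists: mask is mandatory
    ipaddress.IPv4Address(base), ipaddress.IPv4Address(wc)  # reject malformed addresses
    return base, wc, nxt


@dataclass
class Entry:
    action: str
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None
    established: bool = False
    matches: int = 0


def parse_extended_line(line: str) -> Entry:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    number = int(t[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended IP access-list number")
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    e = Entry(action, proto, src, src_wc, dst, dst_wc)
    while i < len(t):                      # trailing options
        if t[i] == "eq":
            port = t[i + 1]
            e.dst_port = int(port) if port.isdigit() else WELL_KNOWN_PORTS[port]
            i += 2
        elif t[i] == "established":
            if proto != "tcp":
                raise ValueError("established is only valid for tcp")
            e.established = True
            i += 1
        elif proto == "icmp":
            e.icmp_type = t[i]             # e.g. echo-reply
            i += 1
        else:
            raise ValueError(f"unsupported option {t[i]!r}")
    return e


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()         # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: Optional[str] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc) or not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and p.dport != e.dst_port:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    # 'established' looks at header bits only: ACK or RST set, no session table
    if e.established and not ({"ACK", "RST"} & p.flags):
        return False
    return True


class ExtendedACL:
    def __init__(self, lines):
        self.entries = [parse_extended_line(line) for line in lines]

    def evaluate(self, p: Packet):
        """First matching line decides; (deny, None) is the implicit deny."""
        for n, e in enumerate(self.entries, 1):
            if entry_matches(e, p):
                e.matches += 1
                return e.action, n
        return "deny", None


# Constructed list, as it would be applied inbound on an Internet-facing interface
ACL_101 = ExtendedACL([
    "access-list 101 permit tcp any host 192.168.1.10 eq www",
    "access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established",
    "access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply",
    "access-list 101 deny ip any any",
])

# Constructed packets arriving from outside
WEB_REQUEST = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, frozenset({"SYN"}))
SSH_ATTEMPT = Packet("tcp", "203.0.113.5", "192.168.1.20", 22, frozenset({"SYN"}))
HTTPS_REPLY = Packet("tcp", "198.51.100.7", "192.168.1.20", 51514, frozenset({"SYN", "ACK"}))
PING_REPLY = Packet("icmp", "198.51.100.7", "192.168.1.20", icmp_type="echo-reply")
SPOOFED_ACK = Packet("tcp", "203.0.113.66", "192.168.1.20", 22, frozenset({"ACK"}))
```

SSH_ATTEMPT is stopped by the explicit deny on line 4, HTTPS_REPLY and PING_REPLY get through on lines 2 and 3, and SPOOFED_ACK is also permitted by line 2 even though no inside host opened a connection to it: that is the stateless nature of established, and the reason a reflexive or stateful filter is preferred where it is available.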
Monitoring Extended IP Access Lists
Figure 10-23: show ip access-lists command
Figure 10-24: clear access-list counters command
Standard IPX Access Lists
• Very similar to their IP cousins, with one distinct difference
– Standard IPX lists can filter based on both source and destination addresses
– Standard IP access lists can filter based on source addresses only
• In all other aspects, they act just like standard IP access lists
Standard IPX Access List Examples
Figure 10-25: Sample IPX network
Figure 10-26: Standard IPX access-list configuration
Monitoring Standard IPX Lists
Figure 10-27: show access-lists command
Extended IPX Access Lists
• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
Figure 10-28: Configuring extended IPX access lists
Figure 10-28 (cont.): Configuring extended IPX access lists
Monitoring Extended IPX Access Lists
Figure 10-29: show access-lists command
IPX SAP Filters
• Limit SAP traffic in order to control which resources on the IPX network are visible to IPX clients
– Allow you to limit the “advertising” of particular servers and services to a particular IPX network segment
– Since SAP advertisements are broadcast, limiting them reduces network traffic
• IPX input SAP filters reduce the number of SAP entries that are placed into a router’s SAP table
IPX SAP Filter Example
Figure 10-30: IPX SAP filter example
Figure 10-31: Applying an IPX SAP filter to an interface
Monitoring IPX SAP Filters
• As with all other access lists, the show access-lists command displays every list defined on the router, including all SAP filters
• To make sure the list was applied successfully to the interface, use the show ipx interface command
• To remove the SAP filter itself, use the no access-list [list #] command
• To remove the SAP filter from an interface without deleting it, use the no ipx input-sap-filter [list #] or no ipx output-sap-filter [list #] command
Using Named Lists
• In Cisco IOS 11.2 and later, you can use names instead of numbers to identify your lists
– These are known as named access lists
• You cannot use the same name for multiple lists
– Even lists of different types cannot share a name
• A descriptive name documents what the list is for, which makes it easier to apply the right list to the right interface and to review the configuration later
Chapter Summary
• Access lists are one of the most important IOS tools for controlling network traffic and security
• Access lists are created in a two-step process: define the list, then apply it to an interface in one direction
• All access lists are created sequentially and applied sequentially to all packets that enter (or leave) an interface where the list is applied
• Access lists, by default, always end in an implicit deny any
• Only one access list per direction per protocol can be applied to an interface
• Standard IP access lists filter traffic based on the source IP address of a packet
• Extended IP access lists filter traffic based on the source, destination, protocol type, and application (port number)
• Standard IPX access lists are more complex than standard IP lists because they can match the destination address as well as the source
• Extended IPX lists allow you to filter based on IPX protocol type and IPX parameters such as socket number
• IPX SAP filters allow you to limit the amount of SAP traffic passed by your routers
• The number you give a list identifies its type: each type of access list has its own range of numbers (standard IP 1-99, extended IP 100-199, standard IPX 800-899, extended IPX 900-999, IPX SAP 1000-1099)
Table 10-2: Access list number ranges