Thursday, October 14, 2010

Access Control List


Prerequisites

Requirements

There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Releases 8.3 or later. This is noted under each access list feature.

Components Used

This document discusses various types of ACLs. Some of these are present since Cisco IOS Software Releases 8.3 and others were introduced in later software releases. This is noted in the discussion of each type.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

ACL Concepts

This section describes ACL concepts.

Masks

Masks are used with IP addresses in IP ACLs to specify what is permitted and what is denied. The masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are considered when the traffic is processed. A 0 indicates that the address bit must match exactly; a 1 in the mask is a "don't care". This table further explains the concept.

Mask Example

network address (traffic that is to be processed): 10.1.1.0
mask: 0.0.0.255
network address (binary): 00001010.00000001.00000001.00000000
mask (binary):            00000000.00000000.00000000.11111111

Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers is "don't care" (.11111111). Therefore, all traffic that begins with 10.1.1. matches, since the last octet is "don't care". With this mask, addresses 10.1.1.0 through 10.1.1.255 (10.1.1.x) are processed.

Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.

255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)

Note these ACL equivalents.

The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".

ACL Summarization

Note: Subnet masks can also be represented as a fixed length notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.

192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
The first two octets and the last octet are the same for each network. This table shows how to summarize these into a single network.

The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit.

Decimal  128 64 32 16 8 4 2 1
32        0   0  1  0 0 0 0 0
33        0   0  1  0 0 0 0 1
34        0   0  1  0 0 0 1 0
35        0   0  1  0 0 0 1 1
36        0   0  1  0 0 1 0 0
37        0   0  1  0 0 1 0 1
38        0   0  1  0 0 1 1 0
39        0   0  1  0 0 1 1 1
Match     M   M  M  M M ? ? ?

Since the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits occur in the list, so the summary covers exactly the networks in question and nothing more. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, the result is 0.0.7.255. This command defines a standard ACL that permits the summarized network.

access-list 10 permit 192.168.32.0 0.0.7.255
Consider this set of networks for further explanation.

192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24
The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these.

The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit.

Decimal  128 64 32 16 8 4 2 1
146       1   0  0  1 0 0 1 0
147       1   0  0  1 0 0 1 1
148       1   0  0  1 0 1 0 0
149       1   0  0  1 0 1 0 1
Match     M   M  M  M M ? ? ?
Unlike the previous example, you cannot summarize these networks into a single network. If they are summarized to a single network, they become 192.168.144.0/21 because there are five bits similar in the third octet. This summarized network 192.168.144.0/21 covers a range of networks from 192.168.144.0 to 192.168.151.0. Among these, 192.168.144.0, 192.168.145.0, 192.168.150.0, and 192.168.151.0 networks are not in the given list of four networks. In order to cover the specific networks in question, you need a minimum of two summarized networks. The given four networks can be summarized into these two networks:

For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a "don't care." This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0).

For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a "don't care." This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0).

This output defines a summarized ACL for the above networks.


!--- This command permits devices with IP addresses
!--- in the range 192.168.146.0 to 192.168.147.255.

access-list 10 permit 192.168.146.0 0.0.1.255


!--- This command permits devices with IP addresses
!--- in the range 192.168.148.0 to 192.168.149.255.
access-list 10 permit 192.168.148.0 0.0.1.255
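The mask arithmetic and the two summarization walk-throughs above can be checked mechanically. The following Python script is an added example, not part of the original post or of any Cisco documentation; it uses only the standard ipaddress module. summarize() collapses a list of prefixes into the smallest set of exactly-covering blocks (the general form of the two hand-worked cases), acl_for() turns the result into IOS standard-ACL lines in wildcard form, and single_supernet_leak() shows what the shortcut of taking one big supernet would have admitted: for the 192.168.146 to 149 case, four networks that were never in the list. The network lists and the ACL number are taken from the post; the function names are this example's own.

```python
import ipaddress

# Network lists from the post.
EIGHT_NETS = [f"192.168.{i}.0/24" for i in range(32, 40)]    # 192.168.32.0/24 .. 192.168.39.0/24
FOUR_NETS = [f"192.168.{i}.0/24" for i in range(146, 150)]  # 192.168.146.0/24 .. 192.168.149.0/24


def wildcard_mask(network):
    """Inverse (wildcard) mask of a prefix: 255.255.255.255 minus its netmask.

    ipaddress calls this the hostmask; IOS ACLs call it the wildcard."""
    return str(ipaddress.ip_network(network).hostmask)


def summarize(networks):
    """Smallest set of CIDR blocks covering exactly the given networks.

    collapse_addresses() merges only aligned, adjacent prefixes, so the
    result never includes an address that was not in the input."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def acl_for(acl_number, networks):
    """IOS standard-ACL lines (address + wildcard) permitting exactly `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [f"access-list {acl_number} permit {n.network_address} {n.hostmask}"
            for n in ipaddress.collapse_addresses(nets)]


def single_supernet_leak(networks):
    """The shortcut the post warns against: one prefix covering all inputs.

    Returns (that prefix, the subnets of it that were NOT in the input),
    i.e. the address space a single over-broad ACL entry would silently permit."""
    nets = [ipaddress.ip_network(n) for n in networks]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):   # widen until everything fits
        cover = cover.supernet()
    granularity = max(n.prefixlen for n in nets)
    extra = [str(s) for s in cover.subnets(new_prefix=granularity) if s not in nets]
    return str(cover), extra


if __name__ == "__main__":
    for label, nets in (("eight networks", EIGHT_NETS), ("four networks", FOUR_NETS)):
        print(label, "->", summarize(nets))
        for line in acl_for(10, nets):
            print("  ", line)
        cover, leaked = single_supernet_leak(nets)
        print("   a single supernet", cover, "would also admit", leaked or "nothing")
```

collapse_addresses() only merges aligned, adjacent prefixes, so its output never permits an address that was not in the input. That is the property to insist on when tidying an ACL: an over-broad summary is a silent allow, and single_supernet_leak() lists exactly which networks it would let through.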

Process ACLs

Traffic that comes into the router is compared to ACL entries in the order in which the entries occur in the ACL. New statements are added to the end of the list. The router continues to look until it has a match. If no match is found when the router reaches the end of the list, the traffic is denied. For this reason, place the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted: a single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.


!--- This command permits IP traffic from the 10.1.1.0
!--- network to the 172.16.1.0 network. Packets that do not
!--- match this source and destination pair are rejected
!--- by the implicit deny at the end of the list.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!--- This command permits IP traffic from the 10.1.1.0
!--- network to the 172.16.1.0 network. The explicit deny
!--- that follows rejects everything else, exactly as the
!--- implicit deny does in ACL 101.

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
In this example, the last entry is sufficient. You do not need the first three entries because TCP includes Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).


!--- This command is used to permit Telnet traffic
!--- from machine 10.1.1.2 to machine 172.16.1.1.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

!--- This command is used to permit tcp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

!--- This command is used to permit udp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

!--- This command is used to permit ip traffic from
!--- 10.1.1.0 network to 172.16.1.0 network.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Define Ports and Message Types

In addition to defining ACL source and destination, it is possible to define ports, ICMP message types, and other parameters. RFC 1700 was long the reference for well-known ports; it has since been obsoleted by RFC 3232, and the authoritative list is now the IANA Service Name and Transport Protocol Port Number Registry. ICMP message types are explained in RFC 792.

The router can display descriptive text on some of the well-known ports. Use a ? for help.

access-list 102 permit tcp host 10.1.1.1 host 172.16.1.1 eq ?
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
During configuration, the router also converts numeric values to more user-friendly values. This is an example where you type the ICMP message type number and it causes the router to convert the number to a name.

access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 14
becomes

access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 timestamp-reply

Apply ACLs

You can define ACLs without applying them, but an ACL has no effect until it is applied to a router interface (with ip access-group, in or out). For extended ACLs it is good practice to apply the ACL on the interface closest to the source of the traffic, so that traffic which is going to be dropped is not carried across the network first. Standard ACLs filter on source address only, so they are normally placed close to the destination to avoid blocking more than intended. In the topology this example refers to, when you try to block traffic from source to destination, you apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C.

Every access list ends with an implicit deny ip any any, so traffic that is not explicitly permitted is dropped. DHCP is a common casualty. A DHCP request seen in IP debug output looks like this:

s=0.0.0.0 (Ethernet1/0), d=255.255.255.255, len 604, rcvd 2
UDP src=68, dst=67

Note that the source IP address is 0.0.0.0 and the destination address is 255.255.255.255; the source port is 68 (bootpc) and the destination port is 67 (bootps). You must permit this kind of traffic in the access list, or it is dropped by the implicit deny at the end of the list.

Note: For UDP traffic to pass through, it must also be permitted explicitly by the ACL.
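To make the first-match logic, the implicit deny and the DHCP case above concrete, here is an added Python example (not code from the original post). It parses IOS extended ACL lines in the syntax used on this page (permit/deny, ip/tcp/udp/icmp, any, host, address plus contiguous wildcard, optional eq port), evaluates a packet against the list top to bottom with the implicit deny ip any any at the end, and flags entries that can never be hit because an earlier entry already covers them. ACL 101, ACL 102 and the four-entry version of ACL 101 are taken from the post; ACL 103, the test packets and the bootpc/bootps permit line are constructed for this example, and the DHCP packet fields come from the debug output quoted above.

```python
import ipaddress

# Port keywords IOS accepts after "eq" (a small assumed subset).
PORT_NAMES = {"telnet": 23, "bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Wildcard bit 1 = don't care. Invert it into a netmask so that 0.0.0.0 means /32,
    # not /0. Non-contiguous wildcards are legal in IOS but are not handled here.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[i], str(netmask)), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended ACE: access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}


def _matches(ace, pkt):
    return ((ace["proto"] == "ip" or ace["proto"] == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and (ace["sport"] is None or ace["sport"] == pkt.get("sport"))
            and (ace["dport"] is None or ace["dport"] == pkt.get("dport")))


def evaluate(acl, pkt):
    """First matching entry wins: return (action, entry_number).

    Falling off the end hits the implicit 'deny ip any any' -> ("deny", None)."""
    for number, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace["action"], number
    return "deny", None


def _covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    return ((outer["proto"] == "ip" or outer["proto"] == inner["proto"])
            and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and (outer["sport"] is None or outer["sport"] == inner["sport"])
            and (outer["dport"] is None or outer["dport"] == inner["dport"]))


def shadowed_entries(acl):
    """Entries that can never match because an earlier entry covers them.

    Returns [(shadowed_entry_number, covering_entry_number), ...]."""
    aces = [parse_ace(line) for line in acl]
    result = []
    for j, later in enumerate(aces):
        for i in range(j):
            if _covers(aces[i], later):
                result.append((j + 1, i + 1))
                break
    return result


# ACLs quoted in the post.
ACL_101 = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255"]
ACL_102 = ["access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
           "access-list 102 deny ip any any"]
ACL_101_VERBOSE = [
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet",
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit udp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
]
# Constructed: the classic mistake of a deny-all placed first, and ACL 101 with a DHCP permit.
ACL_103_BAD = ["access-list 103 deny ip any any"] + ACL_101
ACL_101_DHCP = ["access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps"] + ACL_101
# DHCP request as in the debug output quoted in the post; the other packets are constructed.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
TELNET = {"proto": "tcp", "src": "10.1.1.2", "dst": "172.16.1.1", "sport": 40000, "dport": 23}
OUTSIDER = {"proto": "tcp", "src": "192.168.1.1", "dst": "172.16.1.1", "sport": 40000, "dport": 23}

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("102", ACL_102), ("101+dhcp", ACL_101_DHCP)):
        for pkt in (TELNET, OUTSIDER, DHCP_DISCOVER):
            print(f"ACL {name}: {pkt['src']} -> {pkt['dst']} {pkt['proto']} = {evaluate(acl, pkt)}")
    print("shadowed in ACL 103:", shadowed_entries(ACL_103_BAD))
```

Run it as a script to see each ACL's verdict per packet. Note the two directions of redundancy: shadowed_entries() catches a later entry that an earlier one covers (it is dead, and its presence is usually a mistake, as in ACL 103), while the four-entry ACL 101 from the post is the opposite case, earlier narrow permits that a later broad permit of the same action makes superfluous; evaluate() returns the same verdict for it with or without the first three lines. Non-contiguous wildcard masks and standard (source-only) ACLs are outside what this parser handles.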

Tuesday, October 12, 2010

redistribution of eigrp into ospf

In this example, Router B has two Fast Ethernet interfaces. FastEthernet 0/0 is in network 10.1.1.0/24 and FastEthernet 0/1 is in network 20.1.1.0/24. Router B is running EIGRP with Router A, and OSPF with Router C. Router B is mutually redistributing between the EIGRP and OSPF processes. This is the pertinent configuration information for Router B:

Router B

interface FastEthernet0/0
ip address 10.1.1.4 255.255.255.0

interface FastEthernet0/1
ip address 20.1.1.4 255.255.255.0

router eigrp 7
redistribute ospf 7 metric 10000 100 255 1 1500
network 10.1.1.0 0.0.0.255
auto-summary
no eigrp log-neighbor-changes
!
router ospf 7
log-adjacency-changes
redistribute eigrp 7 subnets
network 20.1.1.0 0.0.0.255 area 0
If you look at the routing table for Router B, you see the following:

routerB#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
From the configuration and the routing table above there are three things to notice:

The networks in question are in Router B routing table as directly connected networks.

Network 10.1.1.0/24 is part of the EIGRP process and network 20.1.1.0/24 is part of the OSPF process.

Router B is mutually redistributing between EIGRP and OSPF.

Below are the routing tables for Routers A and C.

routerA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0
20.0.0.0/24 is subnetted, 1 subnets
D EX 20.1.1.0 [170/284160] via 10.1.1.4, 00:07:26, FastEthernet0


routerC#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, FastEthernet1
O E2 10.1.1.0 [110/20] via 20.1.1.4, 00:07:32, FastEthernet1
Router A has learned about network 20.1.1.0/24 via EIGRP, which is shown as an external route, because it was redistributed from OSPF into EIGRP. Router C has learned about network 10.1.1.0/24 via OSPF as an external route, because it was redistributed from EIGRP into OSPF. Although Router B is not redistributing connected networks, it does advertise the network 10.1.1.0/24, which is part of the EIGRP process redistributed into OSPF. Similarly, Router B advertises network 20.1.1.0/24, which is part of the OSPF process redistributed into EIGRP.

Refer to Redistributing Connected Networks into OSPF for more information about connected routes being redistributed into OSPF.

Note: By default, only EBGP-learned information is a candidate to be redistributed into an IGP when the redistribute bgp command is issued. IBGP routes are not redistributed into the IGP until the bgp redistribute-internal command is configured under the router bgp process. Precautions must be taken in order to avoid routing loops within the Autonomous System when IBGP routes are redistributed into an IGP.

Avoiding Problems Due to Redistribution

redistribution of rip into ospf

OSPF route redistribution is an important topic on the BSCI exam, and it's a topic full of details and defaults that you need to know for the exam room and the job.

To help you pass the BSCI exam, here's a quick review of some of the OSPF route redistribution basics.

To see if a router is an ABR or ASBR, run show ip ospf. This also displays any routes being redistributed into OSPF on this router.

R1#show ip ospf

Routing Process "ospf 1" with ID 1.1.1.1

Supports only single TOS(TOS0) routes

Supports opaque LSA

It is an area border and autonomous system boundary router

Redistributing External Routes from,

connected, includes subnets in redistribution

rip, includes subnets in redistribution

When redistributing RIP into OSPF, the "subnets" option is needed to include subnets in the redistribution; without it only classful networks are redistributed, as the console warning below shows. When redistributing OSPF into RIP, a seed metric must be specified. (OSPF, by contrast, assigns redistributed routes a default metric of 20; this can be changed, but a seed metric is not required.)

R1(config)#router ospf 1

R1(config-router)#redistribute connected

% Only classful networks will be redistributed

R1(config-router)#redistribute connected subnets

R1(config-router)#redistribute rip subnets

R1(config-router)#router rip

R1(config-router)#redistribute connected metric 1

R1(config-router)#redistribute ospf 1 metric 1

By default, routes redistributed into OSPF are marked as E2 routes. The metric for these routes reflects only the cost of the path from the ASBR to the destination network and does not include the cost of the path from the local router to the ASBR. By contrast, E1 routes include the cost of the entire path from the local router to the destination network.

O E2 5.1.1.1 [110/20] via 172.34.34.3, 00:33:21, Ethernet0

6.0.0.0/32 is subnetted, 1 subnets

O E2 6.1.1.1 [110/20] via 172.34.34.3, 00:33:21, Ethernet0

172.12.0.0/16 is variably subnetted, 2 subnets, 2 masks

O E2 172.12.21.0/30 [110/20] via 172.34.34.3, 00:33:32, Ethernet0

O E2 7.1.1.1 [110/20] via 172.34.34.3, 00:33:21, Ethernet0

15.0.0.0/24 is subnetted, 1 subnets

O E2 15.1.1.0 [110/20] via 172.34.34.3, 00:33:32, Ethernet0

To redistribute routes into OSPF and mark them as E1 upon redistribution, use the metric-type option with the redistribution command.

R1(config)#router ospf 1

R1(config-router)#redistribute rip subnets metric-type ?

1 Set OSPF External Type 1 metrics

2 Set OSPF External Type 2 metrics

R1(config-router)#redistribute rip subnets metric-type 1

Look at the same two routes in R4's routing table, which are now displayed as E1 routes:

O E1 5.1.1.1 [110/94] via 172.34.34.3, 00:04:13, Ethernet0

6.0.0.0/32 is subnetted, 1 subnets

O E1 6.1.1.1 [110/94] via 172.34.34.3, 00:04:14, Ethernet0