Cisco Router Access-Lists Part 2 (Advanced): Cisco Router Training 101

Captions
Hello, and welcome to Cisco Router Training 101. My name is Don Crawley. I'm from soundtraining.net, the Seattle, Washington-based publisher of learning resources and provider of accelerated training for IT professionals. This time we're going to cover Cisco router access lists, part 2: advanced features. This is part two of our three-part series on Cisco router access lists, and it's based on chapter 11 in my book, The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide. The book is not required, but if you'd like to get a copy, I'd love for you to have one, and it's available through the usual online resellers and through soundtraining.net/bookstore.

This demo is based on Cisco IOS version 15.1. The things I'm going to show you are supported in most versions of the IOS. There are a few things that are only supported since version 12, and one thing in particular that's supported since version 15, and I'll try to point those out as we go through the demonstrations.

In this video we're going to cover extended access lists. We'll talk about how to add comments to your access lists. We'll show you how to use object groups to group different IP addresses or services together. We'll also show you how to use time ranges so that you can apply an access control list only during certain hours; maybe you want to restrict web access late at night, for example, and you can do that with time ranges. And we'll also show you how to use named access control lists. During this video you'll hear me use the terms access list, ACL, and access control list interchangeably. They all mean the same thing, so don't let that confuse you. Our other videos on Cisco router access lists include part 1, which covers the fundamentals, including standard access control lists, and part 3, which includes IPv6 access lists.

Here are the prerequisites for this lesson. You'll need the following: unrestricted privileged mode access to a Cisco router; an understanding of IP addressing, including subnets, dotted decimal notation, and CIDR notation; and familiarity and experience working with Cisco IOS standard access lists. I'm going to assume you've already had some experience in that area, so I won't be going over some of the basics. For our equipment and software requirements, I'm using a Cisco model 1941 router. You can do this with pretty much any Cisco IOS-based router. It's not going to work with a Linksys home router, but on an IOS-based device it should work. You'll also need a computer for your management workstation connected to one interface on the router, a console cable, and terminal emulation software. The one I'm using is PuTTY.

Here's your disclaimer. The video is provided solely as a courtesy to you, our viewer. There are no guarantees whatsoever. Never, ever do not attempt these procedures on a production router without first testing them for security and suitability in a lab environment. Performing these procedures may open your router to the public internet and subject your network to attack, so please make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data, which presumably you do anyway, right?

So what is an extended access list? Well, just like a standard list, it's a way of identifying traffic flows, but an extended list gives you many more filtering options than a standard access control list. For example, you can filter on the source IP address like a standard list, but with an extended list you can filter based on the destination IP address. You can also look at protocol types and port numbers. We'll go over those in more detail in just a moment. Extended access control lists are numbered 100 through 199 or 2000 through 2699. Most people probably stick to the 100 through 199 range, but the router really doesn't care; either way works.

Now, as we mentioned, you can filter based on source and/or destination IP address. So, for example, we could use a traditional class C network address of 192.168.1.0/24, which in the syntax used with an extended list would equal 192.168.1.0 with an inverse mask of 0.0.0.255. By the way, if you looked at the previous video on standard access control lists, you may recall that with a standard ACL you can use CIDR notation, a slash value. That doesn't appear to be the case with an extended list, at least not on the router software I've tested. You can also use a subnet address, such as the one I'm showing you here of 10.1.2.64/26, which in access control list syntax equals 10.1.2.64 with an inverse mask of 0.0.0.63. Or you can specify an individual host or node, such as what you see here, 192.168.1.1, which would equate in access control list syntax to 192.168.1.1 with an inverse mask of 0.0.0.0, which tells the router to match all 32 bits. Now, if you're working with an individual host, you can also just use the host keyword and then specify the IP address. So instead of using the inverse mask you could say host 192.168.1.1, and that, by the way, works in both standard and extended access control lists.

As I mentioned, you can also filter based on protocol. So you could filter all IP traffic, or ICMP traffic; maybe you want to block pings or source quench updates. You could filter based on TCP or UDP, and you can even get into port numbers if you want to, and that's what the next part is: port numbers. When you're filtering TCP or UDP traffic, you can use operators to match certain traffic types. So you could use the eq operator, to equal, and then specify an individual port number; so maybe eq 80 to block World Wide Web traffic. Or greater than: you could specify gt, and you could say greater than, say, 1023 to block everything except the well-known port numbers. Not sure why you'd want to do that, but you can. Or less than, lt, same thing. And neq is not equal to, so you could say I want to block everything except a particular port number. And you can also specify a range. So you have quite a bit of flexibility there as well.

Now here's the syntax for an IP extended access control list, and let's just go over it line by line. So the first line, access-list 100, just tells the router that this is an extended list. Deny: obviously we want to block this particular type of traffic. We're going to use TCP for the protocol type, from any source, going to the destination network of 192.168.101.0, that's eq telnet. Now, we could also say 23 instead of telnet, for the port number. The next one is to deny ICMP traffic. That's typically associated with ping, but there are other things that ICMP is used for as well. Going from any source, going to the host 192.168.101.1, and in this case the ICMP packet type is an echo packet, so we want to block that. The next line is a permit of IP traffic from 192.168.101.0 going to any destination. Now the next line, the fourth line, is the permit any, which really makes the previous line, line three, redundant, but I included it just so I could show you the syntax. So ip any any just says permit any IP traffic going from any source to any destination.

So let's work through an exercise together. Now, this diagram may be familiar to you if you watched our first video in the series on access control lists, but this is a simple four-network diagram with a single router with four interfaces. One is connected to the internet, and then we're also connected to Sales, Managers, and R&D. Our objective in this exercise is to block users in the Sales LAN at 10.3.0.0/16 from using telnet to reach the R&D server 10.10.1, but we want to allow all other access. So all we want to do is keep the Sales LAN users from telnetting into the R&D server. How do we do it? Well, first of all, we're going to create an access control list, and as you can imagine, we want to specify Sales as the source of the traffic and that server as the destination. Here's the syntax we'll use: access-list 100 (100 is any number between 100 and 199), then we're going to say deny, then the protocol type is tcp, the source IP address is all nodes in the Sales LAN, so that's 10.3.0.0 with an inverse mask equaling a 16-bit mask of 0.0.255.255, going to host 10.10.1. Notice how we specify the individual node here. And then finally we say eq 23. We could also say eq telnet; either one works. Now, are we done? Well, no, we still have to permit everybody else, so that's the next statement: access-list 100 permit ip from any source to any destination. So that takes care of the access list. And are we done? No, because we have to apply it to an interface.

Now take a look at this diagram and think about the fact that there are two possible places where we could place this access control list, and both would work equally well in accomplishing the objective of the exercise, which is to keep Sales from accessing the R&D server, but one is better for reasons unrelated to the objective of the exercise. So we could either put it on G0/0 or G0/2, and the better solution is to put it on G0/2 because that's closer to the source of the packets. So we'll use the ip access-group 100 statement, and then in or out? Well, in this case it's in because, again, you notice from the perspective of the router these packets are coming in to the router. Now let's go back and revisit the question about whether to put the access control list on G0/0 or G0/2. We could put it on G0/0 outbound, and it would work perfectly well, but then the router would have to process the packets on the inbound and the outbound interface. By placing it on G0/2 in, the router only has to process it on the inbound interface, thus saving some processing power on the router. Either one works, but G0/2 is a better solution because it allows you to conserve router resources.

Now, there are other things we can do with access control lists, such as comment them, and if you've done any coding at all, you know that one of the best things you can do in coding is to put in lots of comments. Well, on a Cisco router we use the remark statement to comment our ACL so we can tell later on what it was that we were thinking when we decided to create that particular line in an access control list. So the syntax is access-list 10 remark block Topeka office. You could also use it with an extended list, and that simply is a way of saying, okay, I remember, I was setting this up to block users in the Topeka office.

We can also use object groups, and the way to think about object groups is that it's kind of like how you take users, say, in Active Directory, and you put them all in groups and apply settings to the groups just once instead of multiple times to each individual user. That's kind of what an object group is. There are two types of object groups that are supported on a Cisco router: there are network object groups and service object groups. With a network object group you can specify a network, so I could say, okay, I want to operate on the 10.1.0.0 network and I want to group it with the 10.2.0.0 network, or you can specify an individual host, or you can specify a range. Any one of those works, and you'll see them; I'll demo them here in a moment. Now, object groups of the service type allow you to specify IP traffic. You can specify TCP and UDP services such as web, port 80, or telnet, port 23; encryption or encapsulation protocols such as ESP or GRE; routing protocols such as OSPF or EIGRP; and many other types of services as well. So this allows you to say I want to just block all port 80 and 443 traffic, so I could create a service object group and specify 80 and 443 in there, and that way I only have to put it in one time instead of creating a separate line for both port 80 and 443.

Now, creating and using object groups: well, first create the object group in global configuration mode. So here you can see I used the object-group statement, then I specified what type (again, it's either network or service), and then I gave it a name. That's just a text string, and I like to put them in all caps; it just makes it easier for me to see in a configuration, and that way I tend to recognize it as a name. Then you use it in place of the network or service statement in the access control entry, so access-list 100 permit ip from source object-group ACCOUNTING going to any destination. So I may have put two or three networks in the object group, and this way I can operate on those two or three networks with a single statement. You'll see that in a moment when I demo it.

I can also use time ranges, and time ranges can be used to apply an access list only during a specific time. You can either do periodic or absolute. If you do periodic, you can choose weekdays, weekends, daily, days of the week, and with absolute, that's specifying a particular point in time and operating only during that time. The way you do it is you create the time range and then use the time-range option at the end of an access control entry to apply it.

The last thing I want to cover is named access lists, which are available in more recent versions of the IOS. If you're running, say, version 11, you're not going to have support for named ACLs, but most recent versions support named ACLs, and it's simply a way of putting a name on the list instead of a number. So here you see I created the list with the statement ip access-list extended BLOCK_SALES (not sure why the underscore is not showing up there, but it is there). Then I used it in a statement to deny IP traffic from source 192.168.0 going to any destination, then the permit ip any any after that; otherwise all traffic would be denied. Then I went to an interface and I used the ip access-group statement along with BLOCK_SALES out to apply the access list to a particular interface. So it's very similar to how a numbered list works, but you have the benefit of using a name, an easily recognizable and very descriptive name such as what you see here.

So let's do the demo. The first thing we're going to do is I just want to ping the router, which is at 192.168.1.2. So let's ping it. I'm in PowerShell here: ping 192.168.1.2, and so that's reachable. Now let's try to telnet into it, so we'll do telnet 192.168.1.2, and there's our prompt. We'll go ahead and authenticate and then back out. So as you can see, that's successful. Now what we want to do is we want to go back to the router and block telnet traffic. So let's go back to the router interface. You'll notice that we're on Router 2, and we're going to use an extended access list to block telnet traffic to the outside interface on the router. Let's go into global configuration mode, configure terminal, oops, and we're going to use the command access-list 100, then deny tcp traffic from source, well, any source (we could specify it if we want, but we'll just do any) going to host 192.168.1.2, and that's the outside interface on the router, eq, and we could either specify telnet or port 23. I'll do 23, but first I'll put in a question mark just so you can see the various options that are there. So you can see there are quite a few options, and if you don't see the name, then you can use any of the sixty-five and a half thousand port numbers. So we'll just say eq 23. Now let's create the line that allows all other traffic in, so access-list 100 permit ip any any. And now we need to apply it to an interface, so let's take a look at our interfaces. Use the command do show ip interface brief. So here you can see that 192.168.1.2 is connected to our GigabitEthernet 0/1. In the real world you'd probably know all that, but I just wanted to show you this. So now let's go in and apply the access list. I'll do interface gig 0/1, and we're going to do ip access-group 100 in. In or out? Well, in this case, because the traffic is coming to the router, toward the router, it would be inbound. Now let's go back to PowerShell and see if we can reach it. So let's start by pinging the router again just to make sure that we can reach it. We'll touch the up arrow a couple of times, and success with a ping. Now let's try the telnet. Looks like it's not going to work. So you can see the granularity, the surgical nature, of an extended access control list. It gives you much, much more power, much more control, because in this particular case we're still able to ping the router; we just can't telnet to it. And you can do that with all of the different TCP and UDP protocols as well as ICMP and lots and lots of different options with an extended list.

Now let's take a look at a couple of other things. So suppose that I want to put a remark in there. Well, I can do the command access-list 100, and then I can say remark, and block Topeka office (sorry for all you folks in Topeka). And now if I take a look at the running-config, let's do that, let's use the command do show run | section access-list, there you can see that I've put a comment in, and it says block Topeka office. And so later on down the road when I'm looking at the configuration, if I don't remember everything I did, at least I've got some comments to help me there.

Now I can also do object groups. Let's create an object group and show you what I was talking about. So we're going to create a network object group called ACCOUNTING, so object-group, and then the type; put in a question mark so you can see, either network or service. So we'll do network, and then a text string, ACCOUNTING, and again I'm just using all uppercase as a personal preference; that's entirely up to you. Now I need to specify either my network or my host or the other options that we talked about earlier. In this case we'll say 192.168.10.0 255.255.255.0. And then I'll show you a little trick that's available on newer routers. We can say 192.168.1.0, and check this out: instead of using a mask I can put in CIDR notation. Again, that's only on newer routers; older ones won't support it, but certainly they'll all support the dotted decimal notation. Let's put in a host as well, so host 192.168.0. And now to use it in an access list I would use the command access-list 100 deny ip going from any source to the destination specified in object-group, oops, ACCOUNTING. That way I don't have to create three separate lines for each of those three network entities.

Now, as I mentioned, I can also use time ranges, so let's take a look at time ranges. So suppose that I want to allow World Wide Web traffic only on weekdays from, say, 8 a.m. to 5 p.m. So I could create a time range. Let's, oops, time-range, and then I just give it a text name. You know, I could call this Fred and Wilma, but I'm going to call it WEEKDAYS, and notice that I'm now in time-range configuration mode. We're going to specify periodic, but let me put in a question mark so you can see the other options. So we'll say periodic, and again, here's a question mark; notice what the options are. Let's just say weekdays. One thing that's kind of cool is you could actually create one that's every other weekday, so you could say Monday Wednesday Friday if you wanted to, but we'll just put in weekdays, and then we need to put in the hours, so 08:00 to 17:00. So I've created the time range WEEKDAYS. Now I'll use it in an access list, so access-list 100 permit tcp from any source to any destination eq 80 time-range (time rent, sometimes that's more appropriate, right?), then WEEKDAYS, and it's there. So that's kind of handy. You know, maybe you want to block web access during off hours or something like that, and you can do it with a time-range command.

The last thing I want to show you is the use of a named ACL. I already showed you that in a screen capture, but let's do it live just for grins. So ip access-list, and you have to specify extended or standard; let me put in a question mark. So here you can see there are several different options there. We're going to say extended, and then BLOCK_SALES. Now, what do we want to do? Well, we want to deny ip traffic from 192.168.1.0 with the inverse mask of 0.0.0. to any destination. Now let's include the permit any statement, so permit ip any any, and we've created the list. And let's take a look at it, so we'll use the command do show access-lists. There you can see the access list 100 that we created earlier, and there's the BLOCK_SALES access control list that we just created just now.

One of the cool things about access lists now is that you'll notice that there are sequence numbers; see those to the far left of each line? Well, if we want to insert a new line we can do that. So let's add another subnet in there. This time all I'm going to do is I'm going to say 15, because the sequence number comes first, then deny ip 192.168.0, inverse mask of 0.0 0.5, going to any destination. And once again let's use the up arrow to use our command do show access-lists, and there you can see the new one inserted in between line 10 and line 15, or sequence number 10 and 15.

The other thing that's kind of neat is if I want to get rid of these; I'll just show you a little trick in case you don't do this. Let's do no, and let's get rid of access list 100. So where it was, access-list 100, there it is. So I'll just use my mouse to grab it and then right-click. Notice that the cursor is still up there, so all I do is right-click and it pastes it in. I hit enter and it's gone. Now here's another trick. Let's use the up arrow and let's go back to where we created our named ACL. There it is, and I can actually use command line shortcuts to move my cursor around. So if I want to go to the very start of the list, or the start of the line, I use Ctrl-A, and notice that it went there. Cool. So now I can just type no and hit enter and it's gone. Pretty slick. Let's make sure they're gone with the command do show access-lists, and indeed they're all gone.

The last thing I want to show you before we wrap up is just how a packet is processed if there's an extended access control list on the interface. I'm not going to go through this step by step; you may want to pause the video and just take a look at it, or it's in the book as well if you'd like to pick up a copy of the book, but it is interesting just to see the order and how it processes things. The first thing it looks at is, is there a list on the interface? Then it looks at source address, destination address, protocol, and protocol options. And like I said, you can stop it and look at it a little more closely if you'd like.

Other types of access lists are also supported on routers. I'm not going into those here, but there are reflexive ACLs, context-based access control, authentication proxy, and turbo ACLs as well, and we may cover those in a future video, but I just wanted to make you aware of those for right now. Part three of our three-part series on access control lists will cover IPv6 access lists.

If you'd like more information, we've got it at our website at www.soundtraining.net. I blog at soundtraining.net/blog. You can subscribe to our newsletter. Also follow us, like us on Facebook; please like us on Facebook. You can also follow our tweets and join us on Google+ as well. If you'd like more videos, we've got them at soundtraining.net/videos. If you'd like the companion book, it's available through the usual online resources and at soundtraining.net/bookstore. Well, I hope it's been helpful for you. For soundtraining.net, I'm Don Crawley. I'll see you next time.
Info
Channel: soundtraining.net
Views: 41,092
Keywords: it training, router and, access-list, router installation, time-ranges, cisco, access-control list, ccna, routers, Router, object-groups, ccna cisco, cisco router training, Access Lists, named access-lists
Id: zjzhXcb4CUs
Length: 26min 7sec (1567 seconds)
Published: Fri Jun 07 2013