What are Access Lists?
|
|
- Camilla Randall
- 7 years ago
- Views:
Transcription
1 What are Access Lists? The increasing need for companies to share information results in more Internet connections and the creation of more extranets. Consequently, a higher awareness of security and bandwidth conservation is developed. Access lists (acls) can be used to increase security by denying unwanted traffic access to your network. They can also be used to restrict permission across a WAN link to a defined traffic group resulting in bandwidth optimization. However, Cisco does NOT recommend access lists as a standalone security mechanism. They should be used to supplement normal security features. Simply stated, access lists are a method of filtering traffic. Cisco's IOS supports statements that can be applied to a router to control traffic. Access lists allow you to define a specific group of traffic and apply a condition based upon the defined traffic group. Using acls, traffic can be permitted or denied based on this traffic grouping. One common access list application involves filtering traffic on a router's interface for bandwidth conservation, filtering telnet on virtual terminal lines, configuring Dial On Demand Routing (DDR), and configuring policy based routing using route maps to control the flow of routing updates. Cisco's IOS supports multiple protocol type access lists. Access lists can be configured for IP, IPX, or AppleTalk traffic. Depending upon the type of acls used, you can filter traffic based upon protocol type, port number, source address, destination address, and various other criteria. This lesson will focus on the most common type of acls, ip acls. 1. Define access lists and explain how they can aid in network performance. Access lists are a method of filtering traffic. Cisco's IOS supports statements that can be applied to a router for the purpose of controlling traffic. Common application of access lists include filtering traffic on a router's interface for bandwidth conservation, filtering telnet on virtual terminal lines, configuring dial on demand routing (DDR), and configuring policy based routing using route maps to control the flow of routing updates. Introduction to How Access Lists Work Now that we understand what acls are, let's view how they work. To effectively use acls you must fully understand how they operate. For acls to operate, you must create the access list, and apply the access list to a router interface. As a preparation step you should plan the list with paper and pencil and step through a mental test of the access list to determine if it will yield the expected
2 results. This step is not necessary to making an operational access list, but is critical to making it successful! Creating Access List Statements Access lists consists of permit and/or deny statements. These statements are executed in a top down fashion. As traffic encounters the access list, the access list is parsed top to bottom, looking for a match. The first match encountered will determine if the traffic is permitted or denied. Therefore, the order of your access list statements is extremely important. Access list should be built from most specific to least specific. This will keep unintentional matching to a minimum. If no match is found, there is an implicit "deny everything" at the end of all access list statements. the figure below illustrates this process. Top-down access list statement execution. Applying Access Lists to Interfaces
3 After the access list has been created with statements, it must be applied to a router interface so that traffic encountering that router interface will be permitted or denied based upon the list conditions. When applying an access list you must also specify if the access list applies to traffic coming in to or going out of the router interface. Remember, all directions are from the router's perspective. Virtual interfaces, such as vty lines in the router used for telnetting purposes, can also have access lists applied to control traffic flow. the figure below shows inbound access list flow. Inbound access list flow. When you use an outbound access list, the packet must enter the router and do a lookup in the routing table to determine the destination interface. If an access list has been applied to the interface to deny the packet, then routing processing has been wasted. It is best to use an inbound access list whenever possible, because the routing look up for denied traffic is inefficient. the figure below shows outbound access list flow.
4 Outbound access list flow. Configuring acls using Cisco's IOS In Cisco's IOS the syntax to create an acls is: (config)#access-list <access list number> [permit deny] {specified traffic}. This command is executed in global configuration mode. To build multiple statements in the same access list, use the same access list number. The access list number represents what type of access list you are creating. There are predefined ranges of numbers to denote what type of protocol traffic the access list is configured to filter. For example, if the access list number is 1-99 or , then the access list is an IP access list, as shown in the following table. When the access list is applied, a match against the specified traffic will be determined and the operation (permit or denied) will be executed. Protocol ACL Number Range IP Standard 1-99 IP Extended IPX Standard
5 IPX Extended IPX SAP filters AppleTalk DECnet To apply the list to an interface: (config-if)#{protocol type} Accessgroup <access-list number> [in out]. This command is executed in interface configuration mode. The protocol type parameter specifies what type of protocol traffic is being evaluated with the access list. Examples of protocol types are IP, IPX, and AppleTalk. The access list number in this command references the access list number you want to apply to this router interface. You have to specify which access list you want to apply to the interface, as you are able to configure multiple access lists per router. The last parameter [in out] specifies which direction you want to apply the access list. If you want all traffic coming in to the router interface to be filtered, choose in. If you want to filter traffic going through your router, out of the applied interface, then choose out. NOTE: You never truly filter traffic originating from a router, only traffic going through the router in the outbound direction. Wildcard Masks When configuring access lists, a wildcard mask is used instead of a normal subnet mask. In a wildcard mask the bit values are swapped, thus a one means to ignore and a zero means to check the corresponding bit value. If you have difficulty calculating a wildcard mask, simply calculate the subnet mask and "flip the bits." For example, if we wanted to create an access list that denied all traffic in the entire class B subnet the wildcard mask is calculated as follows: IP Address Subnet Mask "FLIP THE BITS" Wildcard Mask In this example the first 16 bits will be checked for matches. If the ip address matches these bits then the condition (permit or deny) will be applied to the
6 traffic. Let's take a look at a more complex example. Suppose you wanted to deny a range of addresses within a class B subnet, to First, find the common bits. Then determine the wildcard mask by checking the common bits (zero) and ignoring the other bits (one). Decimal Binary Wildcard Mask Check common bits, 0 =check and 1=ignore In some instances you may need to permit a specific host or permit all traffic. The wildcard mask to check all bits, thus indicating a specific host, would be all zeros. In Cisco's IOS you can use the keyword host or the wildcard mask to denote a single host. The default wildcard mask for access list ip addresses is (host). The three statements that follow are the same; only traffic from is permitted. Access-list 1 permit Access-list 1 permit host Accesslist 1 permit To denote all traffic you can use the keyword any or ip address and wildcard mask. The following statements are identical and permit all ip traffic. Access-list 2 permit Access-list 2 permit any Generally speaking, there are two types of acls, standard and extended. Standard acls are easy to understand and easy to configure, they filter based on more generic traffic group information. Extended acls are more difficult to configure, but allow you to filter based upon more specific traffic group information, allowing for greater granularity. How an ACLS operate - Access lists consists of permit and/or deny statements. These statements are executed in a top down fashion. As traffic encounters the access list, the access list is parsed top to bottom, looking for a match. The first match encountered will determine if the traffic is permitted or denied. Overview of Standard IP Access Lists Standard IP acls filter traffic based upon source ip address only. The number range for standard ip acls is Standard ip acls filter the entire TCP/IP protocol suite. There is no method using standard ip acls to filter only a specific
7 port or protocol. Two of the benefits of standard acls are that they are easy to understand and easier to maintain. The Cisco IOS command to configure a standard ip access list: (config)#access-list <1-99> [permit deny] <source ip address> <wildccard mask>. To apply the access list to an interface: config-if)#ip access-group <1-99> [in out]. When applying the access-group command to an interface, the default filtering direction is outbound. To better understand how standard access lists operate, let's look some examples. Example One: employees on network are complaining of slow response due to high traffic volume. As a network administrator you want to limit IP access to the network by only allowing traffic from the host , and any host from the network. the figure below shows you network Network To solve this problem, create an access list: (config)# access-list 10 permit ! all zeros in the wildcard mask permits the specific host (config)# access-list 10 permit ! wild card mask permits traffic from any host on the network. config)# access-list 10 deny ! Blocks all other ip traffic. To apply it to the interface: (config)# interface e0 (config-if)# ip access-group 10 out.
8 Example Two: using the same network diagram. In your network, you would like to isolate subnet from the rest of the company. This access list denies a specific subnet. To solve this problem, create an access list: (config)# access-list 20 deny !Denies all traffic from subnet (config)# access-list 20 permit any!permits all other ip traffic. To apply it to the interface: (config)# interface e2 (config-if)# ip access-group 20 in. Place standard acls as close to the destination as possible, since they only filter based upon source ip address. Otherwise, you may unintentionally keep traffic from reaching other devices. Explain how standard IP access list works - Standard ip access lists filters traffic based upon source ip address only. The number range for standard ip access lists is Standard ip access lists will filter the entire TCP/IP protocol suite. There is no method using standard ip acls to filter only a specific port or protocol. The benefits of standard access lists are that they are easy to understand, thus easier to maintain. Introduction to Extended IP Access Lists Extended acls allow for more exact filtering, based on source and destination addresses. Unlike standard acls, this allows you to filter traffic coming from a particular address going to a particular address, resulting in more accurate filtering. Extended acls also allows you to filter based on port numbers. The following table shows what port number correlates with what ftp or dns traffic. However, extended acls is more difficult to maintain. The number range for extended acls is Port Number Description 20 FTP data 21 FTP program connection 23 Telnet 25 SMTP 53 DNS 69 TFTP The Cisco IOS command to configure an extended ip access list is: (config)# access-list < > [permit deny] [ip tcp udp icmp gre igrp] <souce ip address><source wildcard mask> [lt gt eq neq] <destination ip address><destination wildcard mask>. You can
9 also set option parameters of established, which allows traffic if the acknowledgement bits are set or log, log sends a logging message to the console. To apply to an interface: (config-if)# ip access-group < > [in out]. When applying the access-group command to an interface, the default filtering direction is outbound. To better understand how extended access lists operate, let's look some examples. Example One: based on the network diagram in the figure below. In this example, we only want hosts residing on the to output IP traffic to hosts and This illustrates how access lists can be used to control traffic flow. Network diagram. To solve this problem, create an access list: (config)# access-list 110 permit ip !Allows ip traffic from subnet to host (config)# access-list 110 permit ip !Allows ip traffic from subnet to host To apply it to interface:(config)#interface e1 (config-if)#ip access-group 110 in. Example Two: using the same network diagram. We want to decrease the amount of ftp traffic in our network. To control this traffic, we will deny ftp traffic from subnet to and allow all other ip traffic. To solve this problem, create an access list: (config)# access-list 120 deny ftp eq 21 (config)# access-list 120 deny ftp
10 eq 20!Deny ftp traffic from subnet to Ftp uses two ports for communication, so both ports need to be denied for all ftp traffic to be filtered. (config)# access-list 120 permit ip any any!allow all other ip traffic. To apply it to interface:(config)#interface e0 (config-if)#ip access-group 120 in. Place extended acls as close to the source address as possible, because extended acls filter based on source and destination address. This allows filtered traffic to be dropped sooner, decreasing bandwidth consumption. Removing Standard and Extended ACLs To remove standard and extended access list type "no" before the configuration command. (config)# no access-list 1 (config)# no access-list 100 There is no way to delete a single statement in an access list. When you type "no" and the access-list <acl number> the entire access list is removed. This can be troublesome if you make a typing error. To correct this you have to remove the entire access list and rebuild all the statements. Also, remember that the order of the statement in your acls is critical. Say you have an active acls in your network, and you would like to add a new subnet as the second permit statement in a ten-statement access list. The only way to add the subnet in the proper order is to delete the access list and rebuild it. Using named access lists, which we will discuss later, solves this problem. Remove the access list from the interface, instead of deleting it, if you think you might need to apply it again. To remove the acl from the interface, go into interface configuration mode and type "no" before the configuration command. (config-if)# no ip access-group 100 in EXPLAIN HOW EXTENDED ACLS OPERATES - Extended access lists allow for more exact filtering. Extended acls allows for filtering based upon source and destination addresses. Unlike standard acls, this give you the ability to filter traffic coming from a particular address going to a particular address resulting in more accurate filtering. Extended acls allow you to also filter based upon port numbers. So you have the ability to filter specifically ftp or dns traffic. With the obvious advantage to using extended acls the disadvantage would be that it more difficult to maintain. The number range for extended access lists is When configuring an extended IP access list, when do you want to set the established parameter? When you need to allow traffic that has the acknowledgement bit set.
11 Overview of Named IP Access Lists Named access lists allow you to label an access list descriptively. Each acl name must be totally unique. If you create a standard named access list called ENGINEERING, you cannot create an extended acl with the same name. Naming the acl helps identify its purpose. Named access lists are useful in a large network with many access lists. Remember that access list numbers are in groups of 100, which limits how many numbered lists you can have. If you have more than 100 standard or extended access lists, use named lists. An added benefit is the ability to modify a named access list by removing a single statement. The Cisco IOS command to configure a named ip access list: (config)# ip access-list [standard extended] <name> (config {std- ext- }nacl)# [permit deny] {specified traffic}. To apply to an interface: (config-if)# ip access-group <name> [in out]. To delete a specific statement, type "no" before the permit or deny statement. Removing an individual statement will not remove the entire list. The following is a configuration example. Create a list:(config)# ip accesslist standard TEST (config-std-nacl)# permit (configstd-nacl)# permit (config-std-nacl)# deny all. Apply the list: (config-if)# ip access-group TEST in. To remove the list: (config)# ip access-list standard TEST (config-std-nacl)# no permit Explain the benefits of a name access list - Named access lists allow you to label an access list descriptively. Each acl name must be totally unique. Naming the acl can help the administrator readily identify its purpose. Using named access lists are also a good feature if you are in a large network using many access lists. Remember that the range of access list number are in groups of 100, so if you have more than 100 standard or extended access list then you have to use named lists. The added benefit of using named acls, is the ability to modify an access list by removing a single statement. Guidelines To implement successful acls, remember the following guidelines: Plan Create Apply Your acl should be well thought out, and planned in advanced. Be sure to select the correct access list range number for your type of acl. Arrange acl statements from most specific to least specific. Order is critical, be careful not to make typing errors. An implicit "deny all" follows every acl. Apply standard acls close to the destination.apply extended acls
12 close to the source. Traffic originating from the router cannot be filtered. There can only be one acl per interface, per protocol, per direction. Recommendation Always create acls using a text editor, then cut and paste into the router. This makes modifying numbered acls easier. Verification To verify your access list configuration use the show ip interface and show access-lists commands available in the IOS. Show ip interface will display the direction and number of access list applied to that interface, as shown in the figure below. Output display of show ip interface command. Show access-lists displays all access lists configured on the router, ans shown in the figure below. You can also view each access lists if the acl number is indicated.
13 Output displays for show access-lists command. Other Applications Acls can be used on a router's virtual interfaces, in addition to the physical interfaces. Most routers use five default virtual terminal lines (vty) for telnet. Traffic can be filtered on these lines for security purposes. To do this, set the same restriction on all virtual lines using an access list. Configure the access list as detailed in previously, and then apply the list to the vty lines. The command to apply an acl to vty lines is: (config)#line vty 0 4 (config-line)# access-class <acl number> [in out]. Remember to create the access list first, and then apply the list to the vty lines using the access-class command. the figure below illustrates this concept.
14 Applying an acl to vty lines. Only device is able to telnet into the router. When device attempts to telnet to the router, the source address matches the second access list statement and the telnet traffic is denied. In your network, the permitted device could be the network administrator, and all other devices will not be able to telnet into the router. Note: The access list shown can be implemented with fewer statements; the deny statement can be removed with the same results. Explain the two routing protocols, the method of best route determination, and how they update other routers in their network. 1. Explain the two routing protocols, the method of best route determination, and how they update other routers in their network.
15 Overview There are two methods of sending routing information over an IPX network. The original and still most common method is to use Router Information Protocol or RIP (not to be confused with the RIP protocol for TCP/IP, although it operates in a similar fashion). The second, and newer of the two, is the NetWare Link Services Protocol, or NLSP. NLSP is a link-state routing protocol that works in a similar fashion to OSPF in the TCP/IP world and features advantages like faster convergence time, greater network size support, and uses less bandwidth. The RIP Routing Protocol RIP is a distance vector route discovery protocol. It uses hop counts (the number of routers a packet must pass through to get to a destination network) combined with Time Ticks (the amount of time in 1/18-of-a-second intervals that it will take to get there) to determine the best route for a network. RIP has a maximum of 15 hops to get to a destination before the packet is discarded. RIP sends period broadcast messages to other routers that show what networks it knows about (minus the route to the network it is sent out on). RIP information is sent in the Data field of the IPX packet, with a socket type of 0x0453. Every 60 seconds, RIP routers on an IPX network send out a broadcast message that includes their entire routing table (minus the network of the interface it is sent out on) over each interface configured for IPX. Each neighbor router that receives this RIP update adds one hop to the network's hop count, updates its own routing table with this information, and sends out this updated table to its neighbors. As you can probably imagine by now, a large IPX network using RIP can generate quite a bit of broadcast traffic on a regular basis. RIP also works with the Service Advertising Protocol (SAP) to discover and advertise network services for NetWare clients. For example, when an IPX client boots up, it usually sends out a SAP "Get Nearest Server" broadcast request. If there are no servers on that particular LAN segment to respond first, the IPX router checks its SAP and RIP tables to determine the nearest file server (Service Type 0x0004) and what its internal IPX number is. Remember that an internal IPX number is the same as a network address, as far as the routers are concerned.
16 Cisco routers by default use RIP for routing IPX networks. The Cisco IOS configuration command "IPX Routing" actually starts up the RIP and SAP process on the router. RIP is a distance vector protocol based on hop counts and time ticks. RIP sends out a periodic broadcast of its complete routing table. NLSP is a link state protocol that selects routes based on hop counts, time ticks, and other information like the line speed of segments in the path of the network. NLSP only sends out changes to a route when necessary, and after network listings expire.
Cisco Configuring Commonly Used IP ACLs
Table of Contents Configuring Commonly Used IP ACLs...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...3 Configuration Examples...3 Allow a Select Host to Access the Network...3 Allow
More informationChapter 3 Using Access Control Lists (ACLs)
Chapter 3 Using Access Control Lists (ACLs) Access control lists (ACLs) enable you to permit or deny packets based on source and destination IP address, IP protocol information, or TCP or UDP protocol
More informationSUBNETTING SCENARIO S
SUBNETTING SCENARIO S This white paper provides several in-depth scenario s dealing with a very confusing topic, subnetting. Many networking engineers need extra practice to completely understand the intricacies
More informationAdding an Extended Access List
CHAPTER 11 This chapter describes how to configure extended access lists (also known as access control lists), and it includes the following topics: Information About Extended Access Lists, page 11-1 Licensing
More informationImplementing Secure Converged Wide Area Networks (ISCW)
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet
More informationTable of Contents. Configuring IP Access Lists
Table of Contents...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...2 Understanding ACL Concepts...2 Using Masks...2 Summarizing ACLs...3 Processing ACLs...4 Defining Ports and Message
More informationIPv4 Supplement Tutorial - Job Aids and Subnetting
Appendix B IPv4 Supplement This appendix contains job aids and supplementary information that cover the following topics: IPv4 Addresses and Subnetting Job Aid Decimal-to-Binary Conversion Chart IPv4 Addressing
More informationConfiguring a Backup Path Test Using Network Monitoring
6AOSCG0006-29B February 2011 Configuration Guide Configuring a Backup Path Test Using Network Monitoring This configuration guide describes how to configure a demand routing test call to test the availability
More information100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)
100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.
More informationSecurity and Access Control Lists (ACLs)
Security and Access Control Lists (ACLs) Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1 Objectives Security Threats Access Control List Fundamentals Access
More informationCCNA Access List Sim
1 P a g e CCNA Access List Sim Question An administrator is trying to ping and telnet from Switch to Router with the results shown below: Switch> Switch> ping 10.4.4.3 Type escape sequence to abort. Sending
More informationLab 5.5.3 Developing ACLs to Implement Firewall Rule Sets
Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8 Device Interface
More informationYou can probably work with decimal. binary numbers needed by the. Working with binary numbers is time- consuming & error-prone.
IP Addressing & Subnetting Made Easy Working with IP Addresses Introduction You can probably work with decimal numbers much easier than with the binary numbers needed by the computer. Working with binary
More informationccna question and answers
ccna question and answers 46 Which addresses are valid host addresses? A. 201.222.5.17 B. 201.222.5.18 C. 201.222.5.16 D. 201.222.5.19 E. 201.222.5.31,B & D Subnet addresses in this situation are all in
More informationConfiguring a Gateway of Last Resort Using IP Commands
Configuring a Gateway of Last Resort Using IP Commands Document ID: 16448 Contents Introduction Prerequisites Requirements Components Used Conventions ip default gateway ip default network Flag a Default
More informationConfiguring Network Address Translation
6 Configuring Network Address Translation Contents NAT Services on the ProCurve Secure Router....................... 6-2 Many-to-One NAT for Outbound Traffic........................ 6-2 Using NAT with
More informationProcedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address
Objectives University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 Lab.4 Basic Network Operation and Troubleshooting 1. To become familiar
More informationAccess Control Lists: Overview and Guidelines
Access Control Lists: Overview and Guidelines Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed
More informationInterconnecting Cisco Network Devices 1 Course, Class Outline
www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course
More informationConfiguring Class Maps and Policy Maps
CHAPTER 4 Configuring Class Maps and Policy Maps This chapter describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing
More information1000 CCNA Certification Exam Preparation Questions and Answers:
1000 CCNA Certification Exam Preparation Questions and Answers: One Thousand Practice Questions for Passing the CCNA Exams - Pass On Your First Try 1 Copyright 2009 Notice of rights All rights reserved.
More informationRouter and Routing Basics
Router and Routing Basics Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1 Routing Protocols and Concepts CCNA2 Routing and packet forwarding Static routing Dynamic
More informationTroubleshooting IP Access Lists
CHAPTER 21 This chapter describes how to troubleshoot IPv4 and IPv6 access lists (IP-ACLs) created and maintained in the Cisco MDS 9000 Family. It includes the following sections: Overview, page 21-1 Initial
More information- Basic Router Security -
1 Enable Passwords - Basic Router Security - The enable password protects a router s Privileged mode. This password can be set or changed from Global Configuration mode: Router(config)# enable password
More informationInterconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0
Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 COURSE OVERVIEW: Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 is a five-day, instructor-led training course that teaches learners
More informationLab 8.3.13 Configure Cisco IOS Firewall CBAC
Lab 8.3.13 Configure Cisco IOS Firewall CBAC Objective Scenario Topology In this lab, the students will complete the following tasks: Configure a simple firewall including CBAC using the Security Device
More informationHow To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net
Using Access-groups to Block/Allow Traffic in AOS When setting up an AOS unit, it is important to control which traffic is allowed in and out. In many cases, the built-in AOS firewall is the most efficient
More informationTerminal Server Configuration and Reference Errata
Doc. No. 78-0944-06A0 June 14, 1993 Terminal Server Configuration and Reference Errata This document supplies corrections and additional informaiton for the 9.0 version of the Cisco publication Terminal
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationConfiguring NetFlow Secure Event Logging (NSEL)
75 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter
More informationNetwork Data Encryption Commands
Network Data Encryption Commands This chapter describes the function and displays the syntax for network data encryption commands. For more information about defaults and usage guidelines, see the corresponding
More informationINTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)
INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1) COURSE OVERVIEW: Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructor-led training course that teaches learners
More informationLab 2 - Basic Router Configuration
CS326 Fall 2001 Room: PAI 5.48 Name: Lab 2 - Basic Router Configuration In this lab you will learn: the various configuration modes of Cisco 2621 routers how to set up IP addresses for such routers how
More informationObjectives. Router as a Computer. Router components and their functions. Router components and their functions
2007 Cisco Systems, Inc. All rights reserved. Cisco Public Objectives Introduction to Routing and Packet Forwarding Routing Protocols and Concepts Chapter 1 Identify a router as a computer with an OS and
More informationChapter 2 Quality of Service (QoS)
Chapter 2 Quality of Service (QoS) Software release 06.6.X provides the following enhancements to QoS on the HP 9304M, HP 9308M, and HP 6208M-SX routing switches. You can choose between a strict queuing
More information51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE
51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationCisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time
Essential Curriculum Computer Networking II Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time Chapter 1 Networking in the Enterprise-------------------------------------------------
More informationZarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)
QUESTION NO: 8 David, your TestKing trainee, asks you about basic characteristics of switches and hubs for network connectivity. What should you tell him? A. Switches take less time to process frames than
More informationPacket Tracer 3 Lab VLSM 2 Solution
Packet Tracer 3 Lab VLSM 2 Solution Objective Create a simulated network topology using Packet Tracer Design an IP addressing scheme using a Class B subnetwork address and VLSM Apply IP addresses to the
More informationCCNA 2 v5.0 Routing Protocols Final Exam Answers
CCNA 2 v5.0 Routing Protocols Final Exam Answers 1 Refer to the exhibit. What can be concluded about network 192.168.1.0 in the R2 routing table? This network was learned through summary LSAs from an ABR.*
More informationNetwork Protocol Configuration
Table of Contents Table of Contents Chapter 1 Configuring IP Addressing... 1 1.1 IP Introduction... 1 1.1.1 IP... 1 1.1.2 IP Routing Protocol... 1 1.2 Configuring IP Address Task List... 2 1.3 Configuring
More informationUNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23)
BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23) March 2007 This page intentionally left blank. March 2007 Foreword The BlackBerry Enterprise Server Isolation in a Microsoft
More informationConfiguring a Leased Line
CHAPTER 4 Configuring a Leased Line The configuration in this chapter describes how to configure a Cisco 1700 router for IP and IPX over a synchronous serial line. Before You Begin The configuration in
More informationHow To Understand Bg
Table of Contents BGP Case Studies...1 BGP4 Case Studies Section 1...3 Contents...3 Introduction...3 How Does BGP Work?...3 ebgp and ibgp...3 Enabling BGP Routing...4 Forming BGP Neighbors...4 BGP and
More informationConfiguring Network Security with ACLs
CHAPTER 46 This chapter describes how to use access control lists (ACLs) to configure network security on the Catalyst 4500 series switches. The Catalyst 4500 series switch supports time-based ACLs. For
More informationThe Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series
Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including
More informationLab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router
Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab exercise,
More information- Route Filtering and Route-Maps -
1 Prefix-Lists - Route Filtering and Route-Maps - Prefix-lists are used to match routes as opposed to traffic. Two things are matched: The prefix (the network itself) The prefix-length (the length of the
More information- Multicast - Types of packets
1 Types of packets - Multicast - Three types of packets can exist on an IPv4 network: Unicast A packet sent from one host to only one other host. A hub will forward a unicast out all ports. If a switch
More informationO 10.16.1.0/27 [110/129] via 192.168.1.5, 00:00:05, Serial0/0/1
1 Which two statements are true regarding the advantages of the use of static routes? (Choose increased security reduced effort in configuring routes the administrator maintains control over routing easier
More informationCCT vs. CCENT Skill Set Comparison
Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification
More informationVirtual Fragmentation Reassembly
Virtual Fragmentation Reassembly Currently, the Cisco IOS Firewall specifically context-based access control (CBAC) and the intrusion detection system (IDS) cannot identify the contents of the IP fragments
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationRoute Optimization. rek. 2005 Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks 1
Route Optimization (intra-as) Petr Grygárek rek 1 Goal of route optimization Static routing: More predictable and safer Dynamic routing: Automatically ally reacts on topology changes Lower administration
More informationChapter 4 Rate Limiting
Chapter 4 Rate Limiting HP s rate limiting enables you to control the amount of bandwidth specific Ethernet traffic uses on specific interfaces, by limiting the amount of data the interface receives or
More informationBRI to PRI Connection Using Data Over Voice
BRI to PRI Connection Using Data Over Voice Document ID: 14962 Contents Introduction Prerequisites Requirements Conventions Background Information Configure Network Diagram Configurations Verify Troubleshoot
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More informationPrestige 310. Cable/xDSL Modem Sharing Router. User's Guide Supplement
Prestige 310 Cable/xDSL Modem Sharing Router User's Guide Supplement Domain Name Support Enhanced WAN Setup Remote Node Support PPPoE Support Enhanced Unix Syslog Setup Firmware and Configuration Files
More informationExpert Reference Series of White Papers. The Basics of Configuring and Using Cisco Network Address Translation
Expert Reference Series of White Papers The Basics of Configuring and Using Cisco Network Address Translation 1-800-COURSES www.globalknowledge.com The Basics of Configuring and Using Cisco Network Address
More informationFirewall Stateful Inspection of ICMP
The feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection
More informationConfiguring RADIUS Server Support for Switch Services
7 Configuring RADIUS Server Support for Switch Services Contents Overview...................................................... 7-2 Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting
More information"Charting the Course...
Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content
More informationiseries TCP/IP routing and workload balancing
iseries TCP/IP routing and workload balancing iseries TCP/IP routing and workload balancing Copyright International Business Machines Corporation 2000, 2001. All rights reserved. US Government Users Restricted
More informationCOURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking
COURSE AGENDA CCNA & CCNP - Online Course Agenda Lessons - CCNA Lesson 1: Internetworking Internetworking models OSI Model Discuss the OSI Reference Model and its layers Purpose and function of different
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationBlue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3
Blue Coat Systems Reference Guide WCCP Reference Guide For SGOS 5.3 Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contact.html bcs.info@bluecoat.com
More informationConfiguring NetFlow Secure Event Logging (NSEL)
73 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter
More informationAdministrative Distance
RIP is a distance vector routing protocol. It shares routing information through the local broadcast in every 30 seconds. In this tutorial we will explain RIP routing fundamentals with examples such as
More informationHow To Learn Cisco Cisco Ios And Cisco Vlan
Interconnecting Cisco Networking Devices: Accelerated Course CCNAX v2.0; 5 Days, Instructor-led Course Description Interconnecting Cisco Networking Devices: Accelerated (CCNAX) v2.0 is a 60-hour instructor-led
More informationIntroduction about cisco company and its products (network devices) Tell about cisco offered courses and its salary benefits (ccna ccnp ccie )
CCNA Introduction about cisco company and its products (network devices) Tell about cisco offered courses and its salary benefits (ccna ccnp ccie ) Inform about ccna its basic course of networking Emergence
More informationIP Routing Features. Contents
7 IP Routing Features Contents Overview of IP Routing.......................................... 7-3 IP Interfaces................................................ 7-3 IP Tables and Caches........................................
More informationFirewall Defaults and Some Basic Rules
Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified
More informationChapter 4. Distance Vector Routing Protocols
Chapter 4 Distance Vector Routing Protocols CCNA2-1 Chapter 4 Note for Instructors These presentations are the result of a collaboration among the instructors at St. Clair College in Windsor, Ontario.
More informationHalf Bridge mode }These options are all found under Misc Configuration
Securing Your NB1300 - Once connected. There are eleven areas that need your attention to secure your NB1300 from unauthorised access - these areas or features are; Physical Security Admin Password User
More informationTransport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
More informationUsing the Border Gateway Protocol for Interdomain Routing
CHAPTER 12 Using the Border Gateway Protocol for Interdomain Routing The Border Gateway Protocol (BGP), defined in RFC 1771, provides loop-free interdomain routing between autonomous systems. (An autonomous
More informationChapter 8 Advanced Configuration
Chapter 8 Advanced Configuration This chapter describes how to configure the advanced features of your ProSafe 802.11g Wireless VPN Firewall FVG318. Configuring Dynamic DNS If your network has a permanently
More informationNetworking Basics for Automation Engineers
Networking Basics for Automation Engineers Page 1 of 10 mac-solutions.co.uk v1.0 Oct 2014 1. What is Transmission Control Protocol/Internet Protocol (TCP/IP)------------------------------------------------------------
More informationConfiguring Network Address Translation
CHAPTER5 Configuring Network Address Translation The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. This chapter contains the following major sections
More informationSSVP SIP School VoIP Professional Certification
SSVP SIP School VoIP Professional Certification Exam Objectives The SSVP exam is designed to test your skills and knowledge on the basics of Networking and Voice over IP. Everything that you need to cover
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationChapter 5 Customizing Your Network Settings
Chapter 5 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax NEXT Wireless Router WNR834B, including LAN, WAN, and routing settings.
More information642 523 Securing Networks with PIX and ASA
642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall
More informationcnds@napier Slide 1 Introduction cnds@napier 1 Lecture 6 (Network Layer)
Slide 1 Introduction In today s and next week s lecture we will cover two of the most important areas in networking and the Internet: IP and TCP. These cover the network and transport layer of the OSI
More informationHow To Configure InterVLAN Routing on Layer 3 Switches
How To Configure InterVLAN Routing on Layer 3 Switches Document ID: 41860 Contents Introduction Prerequisites Requirements Components Used Conventions Configure InterVLAN Routing Task Step by Step Instructions
More informationPacket Filtering using the ADTRAN OS firewall has two fundamental parts:
TECHNICAL SUPPORT NOTE Configuring Access Policies in AOS Introduction Packet filtering is the process of determining the attributes of each packet that passes through a router and deciding to forward
More informationLeased Line PPP Connections Between IOS and HP Routers
Leased Line PPP Connections Between IOS and HP Routers This technical document describes how to connect an IOS Router to an HP Router using point-to-point protocol. An example of an IOS router connected
More informationRouting with OSPF. Introduction
Routing with OSPF Introduction The capabilities of an internet are largely determined by its routing protocol. An internet's scalability, its ability to quickly route around failures, and the consumption
More informationPIX/ASA 7.x with Syslog Configuration Example
PIX/ASA 7.x with Syslog Configuration Example Document ID: 63884 Introduction Prerequisites Requirements Components Used Conventions Basic Syslog Configure Basic Syslog using ASDM Send Syslog Messages
More informationFirewall Authentication Proxy for FTP and Telnet Sessions
Firewall Authentication Proxy for FTP and Telnet Sessions First Published: May 14, 2003 Last Updated: August 10, 2010 Before the introduction of the Firewall Authentication Proxy for FTP and Telnet Sessions
More informationInternet Protocol version 4 Part I
Internet Protocol version 4 Part I Claudio Cicconetti International Master on Information Technology International Master on Communication Networks Engineering Table of Contents
More information1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet
Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer
More informationChapter 4 Customizing Your Network Settings
Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.
More informationPT Activity 8.1.2: Network Discovery and Documentation Topology Diagram
Topology Diagram All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 6 Addressing Table Device Interface IP Address Subnet
More informationIP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life
Overview Dipl.-Ing. Peter Schrotter Institute of Communication Networks and Satellite Communications Graz University of Technology, Austria Fundamentals of Communicating over the Network Application Layer
More informationCCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual
4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial
More informationFirewall Design Principles
Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region
More informationChapter 11 Network Address Translation
Chapter 11 Network Address Translation You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses
More information