IP Traffic Management With Access Control List Using Cisco Packet Tracer

Similar documents
Cisco Configuring Commonly Used IP ACLs

Chapter 3 Using Access Control Lists (ACLs)

Chapter 2 Quality of Service (QoS)

Lab Developing ACLs to Implement Firewall Rule Sets

Configuring a Gateway of Last Resort Using IP Commands

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Table of Contents. Configuring IP Access Lists

Lab 2 - Basic Router Configuration

Objectives. Router as a Computer. Router components and their functions. Router components and their functions

LAB MANUAL for Computer Network

Adding an Extended Access List

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Securing Networks with PIX and ASA

Network Data Encryption Commands

Specialized Programme on Internetworking Design and LAN WAN Administration

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Effect of Windows XP Firewall on Network Simulation and Testing

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Table of Contents. Cisco How Does Load Balancing Work?

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Configure A VoIP Network

Applicazioni Telematiche

CCNA Access List Sim

- Basic Router Security -

Lab Configure Cisco IOS Firewall CBAC

Implementing Secure Converged Wide Area Networks (ISCW)

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

QUESTION: 1 Which of the following are valid authentication user group types on a FortiGate unit? (Select all that apply.)

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

- Route Filtering and Route-Maps -

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

NB6 Series Quality of Service (QoS) Setup (NB6Plus4, NB6Plus4W Rev1)

Multi-Homing Dual WAN Firewall Router

Configuring a Backup Path Test Using Network Monitoring

Security and Access Control Lists (ACLs)

IP Filter/Firewall Setup

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

"Charting the Course...

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

PIX/ASA 7.x with Syslog Configuration Example

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Lab Configure IOS Firewall IDS

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Interconnecting Cisco Network Devices 1 Course, Class Outline

Lab Configuring Access Policies and DMZ Settings

Introduction to Routing and Packet Forwarding. Routing Protocols and Concepts Chapter 1

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

Course Contents CCNP (CISco certified network professional)

FIREWALLS & CBAC. philip.heimer@hh.se

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

Configuring Class Maps and Policy Maps

Load Balance Router R258V

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Configuring Network Address Translation

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Configuring Network Security with ACLs

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

Lab Configuring PAT with SDM and Static NAT using Cisco IOS Commands

Lab Exercise Configure the PIX Firewall and a Cisco Router

Packet Tracer 3 Lab VLSM 2 Solution

LAB II: Securing The Data Path and Routing Infrastructure

Routing concepts in Cyberoam

How To Configure InterVLAN Routing on Layer 3 Switches

Welcome to Todd Lammle s CCNA Bootcamp

Password Recovery Procedure for the Cisco 3600 and 3800 Series Routers

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Introduction about cisco company and its products (network devices) Tell about cisco offered courses and its salary benefits (ccna ccnp ccie )

Virtual Fragmentation Reassembly

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

How To Learn Cisco Cisco Ios And Cisco Vlan

IOS Zone Based Firewall Step-by-Step Basic Configuration

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Building Secure Network Infrastructure For LANs

Terminal Server Configuration and Reference Errata

Lab: Basic Router Configuration

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Lab Diagramming External Traffic Flows

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Cisco Networking Professional-6Months Project Based Training

Router and Routing Basics

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Implementation of College Network Scenario Module by Using CCNA

3.1 Connecting to a Router and Basic Configuration

IT-AD08: ADD ON DIPLOMA IN COMPUTER NETWORK DESIGN AND INSTALLATION

Configuring Control Plane Policing

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Configuring IP Load Sharing in AOS Quick Configuration Guide

Chapter 4 Rate Limiting

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Skills Assessment Student Training Exam

Controlling Access to a Virtual Terminal Line

IOS NAT Load Balancing for Two ISP Connections

F-SECURE MESSAGING SECURITY GATEWAY

Network Security 1. Module 8 Configure Filtering on a Router

1. Firewall Configuration

Transcription:

IP Traffic Management With Access Control List Using Cisco Packet Tracer Shipra Suman, Er. Aditi Agrawal Abstract Access Control List (ACL) is a set of commands grouped together to filter the traffic that enters and leaves the interface. The ACL commands allow the administrator to deny or permit traffic that enters the interface. ACL also performs other tasks such as restricting telnet, filtering routing information and prioritizing WAN traffic with queuing. A wildcard mask allow to match the range of address in the ACL statements. A router makes two references to ACL such as numbered and named. These references support two types of filtering such as standard and extended. In this paper we have analyzed and simulated the network using Standard ACL and Extended ACL. The configuration is done using CISCO packet tracer. Index Terms- ACL, Telnet, Wildcard Mask, Standard ACL, Extended ACL, Packet Tracer I. INTRODUCTION Cisco provides Access Control Lists (ACLs) to control the flow of traffic from one interface to the other in the network. ACL also performs other tasks such as restricting telnet, filtering routing information and prioritizing WAN traffic with queuing [7]. A wildcard mask allow to match the range of address in the ACL statements. A router makes two references to ACL such as numbered and named. These references support two types of filtering such as standard and extended [5]. The ACL statements are configured first and then they are activated. In a single ACL number maximum 16000 statements can be created. If we add one statement later, it will get added at the bottom of all statement. Router read ACL top to bottom. If a single ACL is removed then all ACLs created will get removed. The benefits of ACL are as follows: a. Reduce network traffic and increase network performance. b. Control the flow of traffic. c. Take a decision as required. In this paper Standard ACL and Extended ACL are analyzed and simulated using Cisco Packet Tracer. II. ACCESS CONTROL LIST ACL is created in the global configuration mode. After creating the basic group of ACL commands, we need to activate them [6]. In order to filter traffic between interfaces, ACL needs to be activated in Interface Subconfiguration Mode [7]. Thus the direction of filtering the traffic is classified into: a. Inbound: The traffic is filtered as it enters the interface. If the ACL is set as inbound, the router compares the incoming packet with the interface ACL before it leaves the interface. b. Outbound: The traffic is filtered as it leaves the interface.. If the ACL is set as outbound, the router forwards the received packet to the exit interface where the packet is compared with the interface ACL.. The ACL are of two types: a. Numbered ACL: Unique number is assigned to each ACL. b. Named ACL: Unique name is assigned to each ACL. The ACLs supports the following types: a. Standard ACL: ACL is applied on destination router. It permits or deny the packet on the basis of source addresses only. b. Extended ACL: ACL is applied on source router. It permits or deny the packet on the basis of source as well as destination addresses. If a single host is to be permitted or denied into a network the syntax is: permit/deny <source IP address> <wildcard mask> or permit/deny host <source IP address> e.g. permit/deny 192.168.10.10 0.0.0.255 or permit/deny host 192.168.10.10 If a single network is to be permitted or denied into a network the syntax is: permit/deny <Network ID> <wildcard mask> e.g. permit/deny 192.168.10.0 0.0.0.255 If the whole network is to be permitted or denied, the syntax is: permit/deny 255.255.255.255 255.255.255.255 or 1556

permit/deny any any III. WILDCARD MASKING Wildcard mask are used for matching a range of IP addresses in ACL, instead of manually entering it. Also, wildcards are used with access lists to specify host, network or a range of addresses. It is similar to an inverted subnet mask [2]. In order to match IP address of a packet with the ACL statement, a wildcard is created by inverting the bit values of the subnet mask. Table 1 shows the subnet mask and wildcard mask of Class A,B and C IP addresses. Table 1. Subnet Mask and Wildcard Mask of Class A,B and C IP addresses CLASS SUBNET MASK WILDCARD MASK A 255.0.0.0 0.255.255.255 B 255.255.0.0 0.0.255.255 C 255.255.255.0 0.0.0.255 source_ip address Specifies the IP address of the source. After creating the standard ACL, it must be activated on the routers interface. The ip access-group command enables to activate the ACL on the interface. The following steps are followed to activate the standard numbered ACL: i. Log into the router. ii. Switch to the privileged mode iii. Switch to the configured mode. iv. Type interface type slot/port to configure on the router s port. v. Type ip access-group ACL_# in/out to activate the standard numbered ACL on the configured interface. e.g. access-list 10 deny host 192.168.20.2 access-list 10 permit 192.168.20.0 0.0.0.255 interface fast 0/0 ip access-group 10 out The figure 1 shows how to specify or place standard ACL in a network. IV. CONFIGURING ACL The guidelines have to be followed to configure the ACL. The access-list command is used to create an ACL. The syntax to create an ACL is: access-list <ACL_#> permit/deny conditions ACL_# - Allows to group statements into a single list. permit/deny- Specifies the action to be performed. conditions - Specifies which packet needs to match for a router to execute an action. After creating the ACL, it has to be applied to a process in the IOS. In order to activate ACL on the interface, the following syntax is followed: interface type slot_#/port_# ip access-group ACL_# in/out in/out Specifies the direction of traffic,whether it is inbound or outbound. V. STANDARD ACL The Standard ACLs filters the source IP address in an IP packet. It is also used to restrict telnet access to the router. ACL number for standard ACL range from 1 to 99 and 1300 to 1999. An entry can be created in a standard numbered IP ACL by using the access-list command [5]-[7]. The syntax of this command is: access-list <ACL_#> <permit/deny> <source_ip address> <wildcard mask> Figure 1. Standard ACL VI. EXTENDED ACL The extended ACLs are more flexible in comparison to the standard ACLs [7]. Unlike standard ACLs, extended ACL filter the source and destination IP address, IP protocols such as IP, TCP, UDP, ICMP and protocol information such as port number. The access-list command is used to configure an extended ACL. ACL number for extended ACL range from 100 to 199 and 2000 to 2699 [5]. The syntax to configure extended ACL is: access-list <ACL_#> <permit/deny> <IP protocol> <source IP address> <wildcard mask> <destination IP address> <wildcard mask> <operator> <port_#/name> IP protocol Specifies the IP protocol to be matched such as UDP, IGRP, EIGRP and IGMP. operator Table 2 shows the operator for TCP and UDP connections [5]. 1557

port_#/name Specifies the TCP/UDP port names or numbers. Table 3 and 4 shows TCP and UDP port names and numbers respectively [5]. Table 2. Operators for TCP and UDP Connection Operator lt gt neq eq range Description Less than Greater than Not equal to Equal to Range of port numbers A virtual networking model comprising of CISCO routers was developed by using Cisco Packet Tracer simulator as shown in figure 3 [1]. Networking Model Algorithm: In this network model we have implemented Routing Information Protocol. We have used many components such as routers, switches and made physical connection by using copper straight through cables and serial DCE cables for fast ethernet and serial ports [4]. Table 3. TCP Port Names and Numbers Name Command Number Parameter FTP Data ftp-data 20 FTP Control ftp 21 Telnet telnet 23 SMTP Smtp 25 WWW www 80 Table 4. UDP Port Names and Numbers Name Command Number Parameter DNS Query dns 53 TFTP tftp 69 SNMP Snmp 161 IP RIP Rip 520 The figure 2 shows how to specify or place extended ACL in a network. Figure 3.Networking Model in Cisco Packet Tracer The algoritm for Standard ACL as well as Extended ACL are discussed below: A. Standard ACL: First step is to configure the CISCO Routers. Configuration of Router0 using RIP protocol is as follows: Router(config-if)#ip add 192.168.10.1 255.255.255.0 down Router(config-if)#ip add 192.168.20.1 255.255.255.0 Figure 2. Extended ACL VII. CONFIGURATION USING CISCO PACKET TRACER SIMULATOR Router(config-router)#network 192.168.10.0 Router(config-router)#network 192.168.20.0 1558

Router(config-router)#end Router# %SYS-5-CONFIG_I: Configured from console by console Router#write memory Building configuration... [OK] ISSN: 2278 7798 Configuration of Router1 using RIP protocol is as follows: Router(config-if)#ip add 192.168.10.2 255.255.255.0 up Figure 4. Configuring PC0 B. Extended ACL: Similar to standard ACL firstly routers are configured and then extended numbered ACL is congifured. Figure 5 shows the network model for extended ACL. Router(config-if)#ip add Serial2/0, changed 192.168.30.1 255.255.255.0 Router(config-router)#network 192.168.10.0 Router(config-router)#network 192.168.30.0 Router(config-router)#exit Router(config)#access-list 10 deny host 192.168.20.2 Router(config)#access-list 10 permit 192.168.20.0 0.0.0.255 Router(config)#interface fast 0/0 Router(config-if)#ip access-group 10 out Router(config-if)#end %SYS-5-CONFIG_I: Configured from console by console Router#write memory Building configuration... [OK] Router# Configuration of PC: Figure 4 shows the configuration of PC0. Figure 5. Extended ACL Configuration of Router0 using RIP protocol is as follows: Router(config-if)#ip add 10.10.10.1 255.0.0.0 down Router(config-if)#ip add 20.20.20.1 255.0.0.0 1559

Router(config-router)#network 10.0.0.0 Router(config-router)#network 20.0.0.0 Router(config-router)#exit Router(config)#access-list 101 deny tcp host 20.20.20.2 10.10.10.2 0.255.255.255 eq telnet Router(config)#access-list 101 permit tcp 20.0.0.0 0.255.255.255 10.10.10.2 0.255.255.255 eq telnet Router(config)#access-list 101 permit ip any any Router(config)#int f0/0 Router(config-if)#ip access-group 101 in Router(config-if)# up Serial2/0, changed Figure 6 shows that when the host i.e. PC1 connected to Router0 tries to telnet serial port connected to Router1, the access-list permits the host to route the packets. Figure 6. Router0 host can Telnet Router1 Configuration of Router1 using RIP protocol is as follows: Router(config-if)#ip add 10.10.10.2 255.0.0.0 up Router(config-if)# Serial2/0, changed ip add 30.30.30.1 255.0.0.0 Router(config-router)#network 10.0.0.0 Router(config-router)#network 30.0.0.0 Router(config-router)#line vty 0 4 Router(config-line)#password 1234 Router(config-line)#login Router(config-line)#exit Router(config)#enable secret qwerty Router(config)# Verify the Telnet access: Figure 7. Router0 can t Telnet Router1 Figure 7 shows that when the host i.e. PC0 connected to Router0 tries to telnet serial port connected to Router1, the access-list denies the host to route the packets. VIII. CONCLUSION AND FUTURE SCOPE This paper shows the configuration of standard ACL and extended ACL on the router. The standard ACL create filters based on source addresses only and are used for server based filtering, where as extended ACL provide more security by creating filters based on source addresses as well as destination addresses, protocol and port number. The extended ACL in this paper used TCP/IP protocol. Routing Information Protocol (RIP) is used for routing the packets. In future work, more IP protocols such as UDP, ICMP and IP can be used in extended ACL. Apart from RIP routing protocols, EIGRP, OSPF and BGP routing protocols can be used for routing packets. 1560

REFERENCES [1] Pritesh K. Jain, Manoj Sindhwani, S. Sachdeva, Comparative Study of Routing Protocols with Subnetting Implementation in Cisco Packet Tracer, International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 4, No. 12, dec. 2014. [2] S. Pozo, A.J. Varela-Vaca, and R.M. Gasca., A quadratic, complete, and minimal consistency diagnosis process for firewall acls, Advanced Information Networking and Applications (AINA), 24th IEEE International Conference, pages 1037-1046, april 2010. [3] David E. Taylor. Survey and taxonomy of packet classification techniques. ACM Computing Surveys, Vol. 37, No. 3, 2005. Pages 238-275 [4] A. Velte and T. Velte. Cisco: A Beginner s Guide, McGraw-Hill Inc. 3rd edition (2004). [5] Cisco Systems Inc. http://www.cisco.com [6] Sharat Kaushik, Anita Tomar, Poonam, Access Control List Implementation in a Private Network, International Journal of Information & Computation Technology, Vol. 4, No. 14, 2014, pp. 1361-1366. [7] Lammle, Todd. (2011). Cisco Certified Network Associate Study Guide, Wiley Publishing, Inc., Seventh Edition. ISSN: 2278 7798 Shipra Suman, PG Student, Department of Electronics and Communication Engineering, SHIATS, Allahabad, India Er. Aditi Agrawal, Assistant Professor, Department of Electronics And Communication Engineering, SHIATS, Allahabad, India. 1561

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information