Sunday, November 11, 2018

Introduction to IP access lists

Route XP
Today I am going to talk about access lists. In general computing terms, an access control list (ACL) is a list of permissions attached to an object: it specifies which users, hosts or system processes are granted access to the object and which operations are allowed on it. On a router, each ACL entry is a rule with one of two actions: permit or deny.

Types of Access Lists
There are two categories of access lists: numbered and named.

Fig 1.1- IP access Lists
Numbered Access Lists:-
Numbered access lists are broken down into several ranges, each dedicated
to a specific protocol:

1-99 IP standard access list
100-199 IP extended access list
200-299 Protocol type-code access list
300-399 DECnet access list
400-499 XNS standard access list
500-599 XNS extended access list
600-699 Appletalk access list
700-799 48-bit MAC address access list
800-899 IPX standard access list
900-999 IPX extended access list
1000-1099 IPX SAP access list
1100-1199 Extended 48-bit MAC address access list
1200-1299 IPX summary address access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list

Named Access Lists:-
Named access lists provide a bit more flexibility. Descriptive names can be
used to identify your access-lists. Additionally, individual lines can be
removed from a named access-list. However, like numbered lists, all new
entries are still added to the bottom of the access list.

There are two common types of named access lists:
IP standard named access lists
IP extended named access lists

Standard IP Access List

Standard IP access lists filter on the source host or network IP address only, and should be placed closest to the destination network. The addresses below are example values only.

Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any

To apply an access list, configure an access group on the interface. Here we take interface serial 0 as the example.

Router(config)# int s0
Router(config-if)# ip access-group 10 in

To view all IP access lists configured on the router:
Router# show ip access-lists

To view what interface an access-list is configured on:

Router# show ip interface
Router# show running-config

Extended IP Access List
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator [port]] [log]
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any

The IP addresses above are used only as an example and do not correspond to a real environment.

The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks 172.18.x.x from accessing anything else on the 172.16.x.x network. The third line allows 172.18.x.x access to anything else.
To apply this access list, we would configure the following:

Router(config)# int e0
Router(config-if)# ip access-group 101 in

Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host using the following syntax:

Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80

We accomplished this using the operator eq, which is short for equals. Thus we are identifying host 172.16.10.10 with a destination port that equals 80. Several other operators are available for port numbers:

eq      Matches a specific port
gt      Matches all ports greater than the port specified
lt      Matches all ports less than the port specified
neq     Matches all ports except the port specified
range   Matches a specific inclusive range of ports

ICMP Access List
ICMP has no ports; a "ping" is an ICMP echo request, and echo is the ICMP message type to match. To filter specific ICMP message types, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings). The second line allows all other ICMP traffic. The third line allows all other IP traffic.

To apply this access list on the other router, configure the following:

Router(config)# int e0
Router(config-if)# ip access-group 102 in
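To make the matching rules from the sections above concrete, here is an added Python model of how a router evaluates the standard, extended and ICMP lists shown in this post. It is example code written for this page, not code from the original post and not Cisco's implementation: the Rule and Packet classes, the helper names and the sample packets are constructed for the example, while the list numbers, addresses and port operators are the post's own. It shows wildcard-mask matching, the port operators, first-match-wins ordering, and the implicit deny that ends every list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: wildcard bit 0 = must match, bit 1 = don't care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


# Port operators from the post: each takes (packet port, rule argument).
PORT_OPERATORS = {
    "eq": lambda port, arg: port == arg,
    "gt": lambda port, arg: port > arg,
    "lt": lambda port, arg: port < arg,
    "neq": lambda port, arg: port != arg,
    "range": lambda port, arg: arg[0] <= port <= arg[1],  # arg = (low, high), inclusive
}

ANY = ("0.0.0.0", "255.255.255.255")  # the "any" keyword: every bit is don't-care


def host(ip: str) -> Tuple[str, str]:
    """The 'host x.x.x.x' keyword: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


@dataclass
class Rule:                       # one line of an access list (constructed model)
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches everything; otherwise "tcp", "udp", "icmp"
    src: Tuple[str, str]          # (address, wildcard)
    dst: Tuple[str, str]
    op: Optional[str] = None      # tcp/udp: port operator; icmp: message type name, e.g. "echo"
    arg: Any = None               # port number, or (low, high) for "range"


@dataclass
class Packet:                     # the fields the ACL looks at (constructed model)
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)):
        return False
    if rule.op is None:
        return True                        # no port/type qualifier on this line
    if rule.protocol in ("tcp", "udp"):
        return pkt.dst_port is not None and PORT_OPERATORS[rule.op](pkt.dst_port, rule.arg)
    if rule.protocol == "icmp":
        return pkt.icmp_type == rule.op    # ICMP has no ports; "echo" is a message type
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based line that matched).
    Line None means the packet fell through to the implicit 'deny any' that ends every ACL."""
    for line, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, line
    return "deny", None


# The post's three lists transcribed as rules (addresses are the post's example values).
ACL_10 = [  # standard list: source only, so the destination is effectively 'any'
    Rule("deny", "ip", ("172.18.0.0", "0.0.255.255"), ANY),
    Rule("permit", "ip", ANY, ANY),
]
ACL_101 = [
    Rule("permit", "tcp", ("172.18.0.0", "0.0.255.255"), host("172.16.10.10"), "eq", 80),
    Rule("deny", "ip", ("172.18.0.0", "0.0.255.255"), ("172.16.0.0", "0.0.255.255")),
    Rule("permit", "ip", ANY, ANY),
]
ACL_102 = [
    Rule("deny", "icmp", ("172.18.0.0", "0.0.255.255"), ("172.16.0.0", "0.0.255.255"), "echo"),
    Rule("permit", "icmp", ("172.18.0.0", "0.0.255.255"), ("172.16.0.0", "0.0.255.255")),
    Rule("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    samples = [  # constructed sample packets
        (ACL_101, Packet("tcp", "172.18.1.5", "172.16.10.10", dst_port=80)),
        (ACL_101, Packet("tcp", "172.18.1.5", "172.16.10.10", dst_port=22)),
        (ACL_101, Packet("udp", "172.18.1.5", "203.0.113.9", dst_port=53)),
        (ACL_102, Packet("icmp", "172.18.1.5", "172.16.10.10", icmp_type="echo")),
        (ACL_102, Packet("icmp", "172.18.1.5", "172.16.10.10", icmp_type="echo-reply")),
        (ACL_10[:1], Packet("ip", "10.0.0.1", "10.0.0.2")),  # without 'permit any': implicit deny
    ]
    for acl, pkt in samples:
        print(pkt, "->", evaluate(acl, pkt))
```

The last sample is the case that bites people in practice: an access list consisting only of deny lines blocks everything, because nothing matches before the implicit deny. Running `show ip access-lists` on a real router shows per-line hit counters, which is the quickest way to confirm which line a flow is actually matching.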

Sunday, November 4, 2018

Proxy ARP

Route XP
Today I am going to talk about Proxy ARP. Proxy ARP is enabled on router interfaces by default. The idea is that it lets devices on two different subnets exchange traffic without a default gateway being configured on either of them.

Let's verify this in a lab. The lab was set up in GNS3. NB_R1 and NB_R3 are routers, but we make them behave as hosts by disabling IP routing. So think of this as two hosts (NB_R1 and NB_R3) connected to one router (NB_R2).

Fig 1.1- Proxy ARP
NB_R1#
no ip routing
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
NB_R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0

NB_R2#
interface FastEthernet0/0
description connections to R1
ip address 192.168.0.1 255.255.255.0
interface FastEthernet0/1
description connections to R3
ip address 10.10.10.1 255.255.255.0

NB_R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1             -   cc01.0e1c.0001  ARPA   FastEthernet0/1
Internet  192.168.0.1            -   cc01.0e1c.0000  ARPA   FastEthernet0/0

NB_R3#
no ip routing
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0

NB_R3#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2             -   cc02.116c.0001  ARPA   FastEthernet0/1

So let's try to ping from NB_R1 to NB_R3 without a default gateway configured on either side.


NB_R1#ping 10.10.10.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
NB_R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              -   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0

The MAC address for 10.10.10.2 is actually the MAC address of our router NB_R2's fa0/0 interface (as opposed to the MAC of our host NB_R3). Let's verify this by checking the MAC of NB_R2's fa0/0 interface.

 NB_R2#sh int fa0/0 | i bia
  Hardware is AmdFE, address is cc01.0e1c.0000 (bia cc01.0e1c.0000)


Cool. This means our ping from NB_R1 to NB_R3 was actually proxy-ARP'd by our router NB_R2 (i.e. NB_R2 answered the ARP request on behalf of NB_R3, because the destination IP belongs to one of its directly connected interfaces). So if we disable proxy ARP on NB_R2, the ping from NB_R1 to NB_R3 should be unsuccessful! At this point I have cleared the ARP cache with clear arp on each of the three devices so that no old ARP entries are used.


NB_R2(config)#interface FastEthernet0/1
NB_R2(config-if)#no ip proxy-arp
NB_R2(config)#interface FastEthernet0/0
NB_R2(config-if)#no ip proxy-arp

NB_R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NB_R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              0   Incomplete      ARPA
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0


Good. The incomplete ARP entry indicates that we did not receive a response for the destination 10.10.10.2. Because we removed proxy ARP, we now need to add a default gateway on both NB_R1 and NB_R3 for this to work!


NB_R3(config)#ip default-gateway 10.10.10.1
NB_R1(config)#ip default-gateway 192.168.0.1
NB_R1#ping 10.10.10.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
NB_R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0


Now we understand how it works without proxy ARP. When we ping an address on another subnet, our host (NB_R1) knows it needs to use its default gateway. It sends a broadcast ARP request to find the MAC of the gateway so that it can pass the frame to NB_R2. NB_R2 looks up its routing table and sees that the 10.10.10.0/24 network is directly connected via fa0/1.

NB_R2 then broadcasts an ARP request for the MAC assigned to 10.10.10.2 and forwards the frame to NB_R3. Because of the route lookup, the router is working at layer 3. This means we are no longer sending layer 2 broadcast frames across different subnets.
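The three ARP outcomes seen in this lab (proxy ARP on and no gateway, proxy ARP off and no gateway, proxy ARP off with a gateway) follow from two decisions: which address the host ARPs for, and whether the router answers. Here is an added Python model of exactly that, written for this page; it is not code from the original post and not Cisco's implementation. The Interface, Router and Host classes and the resolve and proxied_entries helpers are constructed for the example; the device names, addresses and MACs are the post's lab values. It also includes the check a defender would run on a host: ARP entries for addresses outside the host's own subnet are the signature that something is proxy-ARPing on the segment.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:                    # one routed interface on NB_R2 (constructed model)
    name: str
    ip: str
    prefixlen: int
    mac: str
    proxy_arp: bool = True          # IOS default: proxy ARP is on for routed interfaces

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network


@dataclass
class Router:
    name: str
    interfaces: List[Interface]

    def answer_arp(self, ingress: Interface, target_ip: str) -> Optional[str]:
        """MAC to put in the ARP reply sent out of 'ingress', or None to stay silent."""
        target = ipaddress.ip_address(target_ip)
        if target == ipaddress.ip_address(ingress.ip):
            return ingress.mac      # ordinary reply for the router's own address
        if ingress.proxy_arp and target not in ingress.network:
            # Proxy ARP: the target sits on another connected interface, so the
            # router answers with its own ingress MAC and will forward the frames.
            if any(o is not ingress and target in o.network for o in self.interfaces):
                return ingress.mac
        return None


@dataclass
class Host:                         # NB_R1 with 'no ip routing' (constructed model)
    name: str
    ip: str
    prefixlen: int
    mac: str
    default_gateway: Optional[str] = None
    arp_table: Dict[str, str] = field(default_factory=dict)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network

    def next_hop(self, dst_ip: str) -> str:
        """Address the host ARPs for. With no gateway configured, the post's IOS
        'host' simply ARPs for the off-subnet destination directly."""
        if ipaddress.ip_address(dst_ip) in self.network or self.default_gateway is None:
            return dst_ip
        return self.default_gateway


def resolve(host: Host, router: Router, ingress: Interface, dst_ip: str) -> Tuple[str, str]:
    """One ARP exchange on the host's segment; returns (address asked for, entry stored)."""
    hop = host.next_hop(dst_ip)
    mac = router.answer_arp(ingress, hop)
    host.arp_table[hop] = mac if mac is not None else "Incomplete"
    return hop, host.arp_table[hop]


def proxied_entries(host: Host) -> Dict[str, str]:
    """Defender's check: resolved ARP entries for addresses outside the host's own
    subnet. Their presence means a device on the segment is answering ARP by proxy."""
    return {ip: mac for ip, mac in host.arp_table.items()
            if ipaddress.ip_address(ip) not in host.network and mac != "Incomplete"}


def build_lab(proxy_arp: bool, gateway: Optional[str]) -> Tuple[Host, Router, Interface]:
    """The post's topology: NB_R1 -- fa0/0 NB_R2 fa0/1 -- NB_R3, with the post's values."""
    fa00 = Interface("FastEthernet0/0", "192.168.0.1", 24, "cc01.0e1c.0000", proxy_arp)
    fa01 = Interface("FastEthernet0/1", "10.10.10.1", 24, "cc01.0e1c.0001", proxy_arp)
    nb_r2 = Router("NB_R2", [fa00, fa01])
    nb_r1 = Host("NB_R1", "192.168.0.2", 24, "cc00.0e1c.0000", gateway)
    return nb_r1, nb_r2, fa00


if __name__ == "__main__":
    for proxy, gw in ((True, None), (False, None), (False, "192.168.0.1")):
        h, r, ingress = build_lab(proxy, gw)
        result = resolve(h, r, ingress, "10.10.10.2")
        print(f"proxy-arp={proxy!s:5} gateway={gw!s:12} -> {result}  proxied: {proxied_entries(h)}")
```

The first run reproduces the post's first ARP table (10.10.10.2 mapped to NB_R2's fa0/0 MAC), the second the Incomplete entry, and the third the normal case where only the gateway address appears in the table. In the real lab the equivalent check is `show arp` on the host and `show ip interface` on the router, which reports whether proxy ARP is enabled per interface.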
