Sunday, March 29, 2009

The optional protocol qualifier

> For icmp , the protocol qualifier an be echo , echo-reply or any of icmp packet types

> udp/tcp typcially uses port number specifications but tcp has an additional qualifier
called "eastablished"

> The "established" qualifier for all tcp matches all tcp packets that are a part of tcp
connection that is already set up , regardless of source or destination port

> The log keyword if used , then everytime that access-list entry is matched , a log entry
is produced . This is available only with extended acl

Reference : example acl's wildcard bits *->

> The number of values matched is a power of 2 . There are either 2,4.8,16,32,64,128 or 256
values can be matched together

> The starting address matched is a multiple of the number of values matches if you match 2
addresses, then the first address matched is a multiple of 2 (even) if ou match 4
addresses then starting address is a multiple of 4

>*even if you start a range with an address in the middle of the range , the router will
store and display that particular access-list entry with an address that starts the range
using the previous example , the router would change to . This property could cause confusion later when you debug an access-list problems

some rules:

> For clarity , your matching rules should always give the base address of a range ,
followed by mask while any address within the range will work as the address , it is much
more understandable to start with the base value

> If you want to match some number of addresses that is not a power of 2 or that dosent
start at a multiple power of 2 , you have to write two or more access-list convering the
entries , part of range . an alternative to include more addresses in range

2.3.1 Good numbering practices

> just make sure you allocate one block of addresses or reserve a block of addresses for
present or future use

> let us say you want 4 ip's to access telnet service , better assign 4 ip's continuously in
one block rather than random ones . In this way defining an acl would be very easy

2.4 Building and maintanance of access-list

use of tftp is preffered for easy editing

to copy a file named routera using tftp we use

copy tftp:// system:running-config

Generally performing the following steps everytime you configure a router with tftp will
greatly reduce security exposure

1. make access-list readable only by router
2. configure router via tftp
3. make access-lists unreadable from the network to other users using tftp

saving acl is simple again using tftp:

copy system:running-confg tftp://

steps for tftp security:

1. make area writable by router
2. save config via tftp
3. make config file unwritable and unreadable fro the network to other users on tftp server

2.5 Named acl

> To increase the number of acl available and to provide better more descriptive names more
recent versions of ios provide a facility called name acl

when creatig named acl , you first need to declare name and type

#ip access-list standard name
#permit -
#deny -

key word "ip" needs to be used first , type of acl "standard / extended" notice change in

2.2 Extended acl  

2.2 Extended acl

Standard acl allow all or nothing

To do packet filtering at a finer level of granularity we need a way to extend the standard
acl to include things like protocol , port number , desitination ip

Understanding Tcp and Udp port numbers

> Understanding tcp and udp port numbers is fundamental for using extended acl .

> With tcp a connection is set up, with udp there is no connection set up

> ports are specified as 16 bit numbers

telnet - 23
http - 80
dns - 53

> A set of four values :

source ip address
source port
desitnation ip
destination port
uniquely identify client / server relationships and enable clients and servers to talk to
each other without confusion

> The port numbers below 1024 are called "well known ports " defined by IANA

> Services can live on non standard ports as long as both client and server processes agree
use those ports


policy set 101: http packets to host
policy set 101: ssl packets to host
no other packets

access-list 101 permit tcp eq 80
access-list 101 permit tcp eq 443
access-list 101 deny ip

> Extended acl begin with "access-list" keyword , followed by a number between 100-199 which
is followed by permit/deny . This process is same for standard acl

> Things get different after permit/deny statements , extended acls specifies the "ip"
protocol to which the list applies

> Next we have 2 address/mask paris [which was single in standard acl] . The first pair
define the source and next pair define the desitnation

> The access-list ends with another protocol specifier , the port number ,"eq 80" allow
packets with destination port 80

> To use access-list once the policy set is defined , we must apply against a router
interface .

int fa0/0
ip access-group 101 in/out (depends on the condition and where you are applying)

2.2.1 Some general properties of access-lists

> extended acl lists entry changes / matches against two ip addresses as opposed to one ip
address for standard acl

> Mask of are not optional for extended acl . router assumes if standard acl
leaves off a mask

> Both have a implicit deny

> Ip address , wildcard mask matching and the implicit deny are common to all cisco
access-list structures and are important concepts in understanding acl

2.2.2 Matching ip protocols

other ip protocols can be specified with extended acl

access-list 102 permit 47

> ip protocol 47 is GRE (generic routing encapsulation) protocol. This protocol is used for
non-ip protocols such as novell ipx , apple talk through ip and by pptp , vpn protocol

2.2.3 More on matching protocols part

We have created acl entries that have matched on destination ort of an udp / tcp packet. we
can also match on the source port . This is useful to avoid spoofed packets from entering

ex : ntp uses both source and destination udp port 123 . so writing an acl would look
like this

access-list 102 permit udp eq 123 eq 123

>* The source port is placed after source ip address / mask

> 'eq' key word forces matching packets to have port equal to the specified value

> 'gt' a matching packet must have port value greater than specified value

access-list 103 permit tcp gt 1023 eq 20

for dns server :

access-list 102 permit udp gt 1023 eq 53

2.2.4 Text substitues for commonly used ports and tasks

Certain configs are so common that cisco developed text substitutes instead of port numbers
or address mask pairs

The ip address mask pair -> any -> host

80 -> http
23 -> telnet
123 -> ntp
47 -> gre ( ip protocol)

2.2.5 generic format of extended access-list

access-list [listno] [p/d] [port no] [dest] [protocol] [logging]

the logging key word if present , it turns on a log of all packet information everytime the
access-list entry is applied

Saturday, March 28, 2009

2.1.15 Access-list wildcard masks versus network masks

Generally for a network specified as a.b.c.d/n the access-list wildcard mask that matches
all addresses in a network wil have is in 32-n rightmost bits and 0 in the leftmost n bits

For a network , , the acl wildcard mask that matches all addresses is

In a shorter way - s.m = wildcard m

2.1.6 The implicit wildcard mask

Since each bit is 1 in this mask , any ip address on any network will be matched

access-list 1 permit
access-list 1 permit

A o in the bit position indicates that there should be a match exactly that bit position

access-list 1 permit
access-list 1 permit

2.1.7 Sequential processing in access-list

access-list 4 permit
access-list 4 deny

will not deny as permit statement is encountered first

access-list 4 deny
access-list 4 permit

is the correct way to deny the host

2.1.8 Standard access-list and packet filtering

Standard access-list are used to control packet flowing throug a router . Network Admins use
standard acl in this fashion when certain hosts need total access to hosts on particular

To deny entire subnet
To permit
To permit
TO permit

access-list permit
access-list permit
access-list deny
access-list permit

To assign it to an interface :

int fa0/0
ip access-group 6 out

2.1.9 Standar access-list generic format

access-list [list-number] [permit/deny] [ip addr] [wildcard mask(opt)]

chapter 2: Access-list Basics  

Friday, March 27, 2009

chapter 2: Access-list Basics

Two basic access-list type:

> The first kind of access-list is standard access-list used to build policy set of ip
address or ip networks

> Standard access-list cannot do all policies we may wish to specify , particularly when we
want to do packet filetering

> Extended access-list extends the format of the standard access-list to specify packet
filtering policies

2.1 Standard access lists:

A network administrator typically uses standard access-list to implement three types of
policy controls:

> access to router resources
> route distribution
> packets passing through a router

These policy controls use / require policy sets of ip addresses or network numbers , so the
standard access-list is used to build policy sets of either ip addresses or numbers

example 1:

policy set 1: ip address
policy set 1: ip address
policy set 1: deny others

how does this policy set map to acutal access-list?

access-list 1 permit
access-list 1 permit
access-list 1 deny

> The number after access-list keyword is access-list number . In this case it is 1
The number also specifies what kind of access-list it is

> Different types of access-list for different network protocols uses different ranges of
access-list numbers

ip uses 1-99 for standard access-list
100-199 for extended access-list

ipx uses 800-899 for its standard acl
decnet uses 300-399

> The permit keyword includes ip address in the policy set
The deny key word excludes the ip address following from the policy set

if we want to control router-login access

line vty 0 4
access-class 1 in

2.1.1 The implicit deny

access-list 2 deny
access-list 2 permit

this can also be written (or same as)

access-list 2 permit

> This is beacuse access-lists have an implicit deny at the end of them . everthing not
explicitly permitted in standard acl is denied

2.1.2 Standard access-list and route filtering

follow the example from the labbing here are the outputs

r0#show access-list
Standard IP access list 1
10 permit (10 matches)
20 permit (10 matches)
30 permit (4 matches)
40 permit
50 permit

router eigrp 20
distribute-list 1 in fast 0/0

also remember distribute list and the error commited (should always give network which
matches the routing table not the network which can alternatively match the ip address

for example to deny to enter into routing table , the network should be
mentioned in the routing table and not which dosent match the routing table entry )


2.1.3 Access-list wildcard masks:

> An optional wild card mask can be uses to include many addresses in a policy set

access-list 3 permit

2.1.4 Specifying hosts in a subnet versus specifying a subnet:

> It is important to distinguish between specifying a network number and the host for
inclusion in a policy set nd specifying all of the hosts in a policy set

access-list 3 permit

includes all of the hosts in network

* This is not same as the below acl:

access-list 4 permit

This access-list entry includes the single ip address in a policy set could be one of the two:

a host ip address or a network number

line vty 0 4
access-class 4 in

only a host with the potentially valid ip of would be permitted to have login
access to the router

> acl 4 would more typically be used to build a policy set of network addresses in routing

router eigrp 100
distribute-list 4 in serial 0/0

here only route to network would be permitted into the routing table via eigrp
routing protocol

>* IN general it is best to be as specific as possible when defining policy sets

cisco ios access-list  

o'reilly cisco ios access-list

chapter 1:

Network policies and cisco access lists

The three concerns that motivate the need for access policies are:

> security
> robustness
> business drivers

1.1 policy sets :

If you think about policies in general every policy has two parts "what" and "how"

> "what" descirbes the objects included in a policy
> "how" describes how those objects are affected by the policy

The "what" of the policy , the set of objects affected , is what we will call the 'policy

> policy sets are defined using a series of "policy set entries" . These entries include or
exclude objects of interest from a policy set

1.1.1 charecterstics of policy sets:

> we add each entry to the policy set in order specified . This is important because objects
are compared sequentially against a policy set . As soon as object matches a plicy set
entry, no more matching is done

> enforcing policies takes up resources and has costs . The longer the policy set , the
longer it takes to enforce the policy and more resources are requried

1.1.2 Policy sets in networks:

> In network poicies , policy sets are sets of the network objects that pass through or into

> Three types of network objects that router process are :

host ip addresses

> policy sets of host ip addresses
> policy sets of packets
> complex policy sets

* The function of cisco access list is to hold the specification of a policy set

> access lists are built of access list entries , which directly correspond with policy set

1.2 The policy toolkit

> "policy toolkit" a set of four "tools" that are general techniques for manipulating policy
> The policy tools fit into "how" of the conceptual frame work

There are 4 kinds of tools we can use with policy sets to implement network policy . These
tools control following

-> Router resources
-> Packets passing through the router
-> Routes accepted and distributed
-> Routes based on charecterstics of those routes

so having said that iam looking for perfection blended with full fledge knowledge . i would devote most of my time now concentrating on the studies and i would love again to fall back in the path

having said that, i came across this book called "cisco ios access-lists" o'reilly .. wanted to start of with access-list as they are the ones which will help in every move an access-list config is a must and what better time to kick off access-lists than this ...

it consits of 7 or (probably 8) chapter i guess and i plan to complete is asap


Its been a while  

Hello everyone its been a while i posted something useful on blog ... i intially wanted to go with bgp as i have posted some of the important points about bgp ... i then thought i was lacking some thing .. its ok to have a overall picture of topics such as bgp as a matter of fact all of the routing protocols , switching redundancy techniques , security , qos .. but something started poking me .. "am i perfect atleast in one topic?" , " can i proudly say i have read books on that topic , watched instructor videos and labbed on that particular topic and i can now do what ever any one throws at my router?" ... so having all of these ideas and also some what wexed up with life i gave up cisco studies for a month of so ... yes i mean it i dint even touch any book regarding cisco ... then after seeing scott morris picture in one my pics inspiration was right on top ... he is a four ccie and may be more who knows .. when will i be one .. when should i become when will i get knowledge .. why did i left the studies and wasted one month of time in resolving non beneficial issues which dint help me out in any sort .. hence rocked back and here iam starting off with the following!!!!

Tuesday, March 10, 2009

-routers froming neigbhbor relationship with a.s . ibgp neighbors doesnt need to be directly connected

-router forming neighbor relationship between two different a.s .
EBGP neighbors needs to be directly connected

Bgp configuration

* only one instance of bgp per router
* same network prefix must exist in the routing table
* network may not need to be directly connected
* network without subnet mask will take classful mask
*router should have a route to each neighbor
*same commands for ibgp and ebgp

r(config-r)# neighbor remote-as

Bgp databases  

Bgp databases :

*neighbor table
- list of bgp neighbors

*BGP forewarding table / database
-list of all networks learned from each neighbor
-can contain multiple pathways to destination networks
-database contains bgp attributes for each pathway

*Ip routing table
- list of best paths to destination networks


* bgp neighbors are the routers forming tcp connection for exchanging bgp updates . also called bgp speakers or bgp peers

*two types of bgp neighbors exits

Bgp message type :

keep alive



Autonomous system is a set of routers under a single technical administration , using an igp and common metrics to route packets withing AS

* usage of bgp

# bgp is more appropriate if one of the following conditions exits

- a.s working as transit a.s (isp)
- a.s connected to multiple a.s
- data traffic path entering or leaving a.s need to be manipulated

#when do you donot prefer bgp:

- if it is a single-home a.s
- lack of resources like memory and less processing power in routers
- low bandwidth link between a.s
- limited understanding of bgp route filtering and path selection process

#Bgp features

-open standard protocol
-advance distance vector protocol
- path vector protocol
-supports flsm, vlsm , cidr , auto and manual summary (bgp version 4)
-it is an egp
-designed to scale huge internetwork like internet
-updates are incemental and triggered
-it send updates to manually defined neighbor as unicast
-bgp is an application layer protocol , uses tcp port 179 for reliability
-metric = attributes
- administrative distance
- 20 external updates
-200 internal updates
-bgp is not designed for load balancing . uses only one path per network

Design by Blogger Buster | Distributed by Blogging Tips