Sunday, March 29, 2009
The optional protocol qualifier
-------------------------------
> For icmp, the protocol qualifier can be echo, echo-reply or any of the other icmp packet types
> udp/tcp typically use port number specifications, but tcp has an additional qualifier
called "established"
> The "established" qualifier for tcp matches all tcp packets that are part of a tcp
connection that is already set up, regardless of source or destination port. What the router
actually tests is whether the ACK or RST bit is set in the segment; it keeps no connection
table, so a crafted packet with ACK set also matches even when no connection exists
> If the log keyword is used, then every time that access-list entry is matched a log entry
is produced. This is available only with extended acl. The first matching packet is logged
immediately; later matches are counted and reported in summary messages at a fixed interval
(five minutes by default), so the log is not a packet-by-packet record
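Added example (not code from the original notes, and not Cisco's own implementation): a small Python model of what "established" tests, built on the documented behaviour that the qualifier looks only at the ACK and RST bits of the segment. The two-line ACL quoted in the docstring, the port numbers and the sample TCP headers are constructed for the illustration; the last sample shows why an ACK-flag scan passes an "established" filter.

```python
import struct

# Added example, not code from the original notes. It models how the IOS
# "established" qualifier decides a match. Assumption (documented IOS behaviour):
# a TCP segment counts as established when its ACK or RST bit is set; the router
# keeps no connection table, so nothing else about the flow is consulted.

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (seq/ack/window/checksum are dummies)."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)


def tcp_flags(header: bytes) -> int:
    """The flag byte is the 14th octet (index 13) of the TCP header."""
    return header[13]


def is_established(header: bytes) -> bool:
    """What 'established' really tests: only the ACK and RST bits of this segment."""
    return bool(tcp_flags(header) & (TCP_ACK | TCP_RST))


def inbound_decision(header: bytes) -> str:
    """Evaluate this inbound ACL on an outside interface, top to bottom:

        access-list 101 permit tcp any any established
        access-list 101 deny   ip  any any
    """
    return "permit" if is_established(header) else "deny"


# Constructed sample segments, all arriving from the outside.
SAMPLES = {
    "reply to an inside-initiated connection (ACK)": build_tcp_header(80, 51000, TCP_ACK),
    "SYN+ACK completing a handshake":                build_tcp_header(443, 51001, TCP_SYN | TCP_ACK),
    "remote side tearing down (RST)":                build_tcp_header(22, 51002, TCP_RST),
    "new inbound connection attempt (SYN)":          build_tcp_header(40000, 23, TCP_SYN),
    # No connection exists for this one, but the ACK bit is set, so it still passes:
    "ACK-flag scan probe against inside telnet":     build_tcp_header(40001, 23, TCP_ACK),
}


def evaluate_samples() -> dict:
    """Decision for every constructed sample, keyed by its description."""
    return {name: inbound_decision(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{decision:6}  {name}")
```

The SYN attempt is dropped and genuine return traffic is permitted, which is the behaviour the notes describe; the probe with only ACK set is also permitted, because the router never checks whether a connection exists. Where that matters, a stateful mechanism (reflexive ACLs or a firewall feature set) is needed rather than "established".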
Reference: acl wildcard bits
---------------------------------------
> The number of values matched within one octet is a power of 2: either 2, 4, 8, 16, 32, 64,
128 or 256 values are matched together (a wildcard octet of 0 matches exactly one value)
> The starting address matched is a multiple of the number of values matched: if you match 2
addresses, then the first address matched is a multiple of 2 (even); if you match 4
addresses, then the starting address is a multiple of 4
> Even if you start a range with an address in the middle of the range, the router will
store and display that particular access-list entry with the address that starts the range.
For example, the router would change 192.168.34.0 0.0.3.0 to 192.168.32.0 0.0.3.0 (the
wildcard 0.0.3.0 covers third-octet values 32 through 35, with the fourth octet fixed at 0).
This property can cause confusion later when you debug access-list problems
some rules:
----------
> For clarity, your matching rules should always give the base address of a range,
followed by the mask. While any address within the range will work as the address, it is much
more understandable to start with the base value
> If you want to match some number of addresses that is not a power of 2, or a range that does
not start at a multiple of its size, you have to write two or more access-list entries, each
covering part of the range. The alternative is to widen the mask so the entry includes more
addresses than you need; that trades precision for fewer entries and is only acceptable when
every extra address covered is one you are willing to match
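Added example (not code from the original notes): the wildcard arithmetic behind the rules above, in Python. It gives the match test IOS applies, the base-address normalisation the router performs (192.168.34.0 0.0.3.0 is stored as 192.168.32.0 0.0.3.0), and the split of a range that is not a power-of-2 aligned block into the minimal set of entries. It assumes IPv4 dotted-quad input; the access-list number 10 in the rendered lines and the sample ranges are arbitrary choices for the illustration.

```python
import ipaddress
from typing import List, Tuple

# Added example, not code from the original notes. Implements the wildcard-mask
# rules: IOS match test, router normalisation of an entry to its base address,
# and splitting an arbitrary range into power-of-2 aligned entries. The ACL
# number 10 and the sample ranges are arbitrary.


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: every bit where the wildcard is 0 must equal the base."""
    return ((_int(addr) ^ _int(base)) & ~_int(wildcard) & 0xFFFFFFFF) == 0


def values_matched(wildcard: str) -> int:
    """Number of addresses an entry covers: 2 to the power of the set wildcard bits."""
    return 1 << bin(_int(wildcard)).count("1")


def normalize(base: str, wildcard: str) -> Tuple[str, str]:
    """Return the entry as IOS stores it: wildcard bits cleared from the address."""
    return _str(_int(base) & ~_int(wildcard)), wildcard


def entries_for_range(first: str, last: str) -> List[Tuple[str, str]]:
    """Minimal list of (address, wildcard) pairs covering first..last inclusive.

    Each pair is a power-of-2 block whose start is a multiple of its size, which
    is exactly the constraint the notes describe; summarize_address_range does
    the splitting, and hostmask is the wildcard form of each block's netmask.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def render(entries, acl_number: int = 10, action: str = "permit") -> List[str]:
    """Standard numbered ACL lines for the entries."""
    return [f"access-list {acl_number} {action} {addr} {wild}" for addr, wild in entries]


if __name__ == "__main__":
    print("stored as:", normalize("192.168.34.0", "0.0.3.0"))
    print("192.168.35.0 matches 192.168.32.0 0.0.3.0:",
          matches("192.168.35.0", "192.168.32.0", "0.0.3.0"))
    # Six /24s starting at .34: not a power of 2, so two entries are needed.
    for line in render(entries_for_range("192.168.34.0", "192.168.39.255")):
        print(line)
```

Running the range 192.168.34.0 to 192.168.39.255 through entries_for_range yields two lines, 192.168.34.0 0.0.1.255 and 192.168.36.0 0.0.3.255, because 34 is a multiple of 2 but not of 4, so the first aligned block can only be two /24s wide. Feeding a wildcard pair to matches() before committing it to the router is a cheap way to catch the "middle of the range" mistake the notes warn about.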
2.3.1 Good numbering practices
------------------------------
> Just make sure you allocate one block of addresses, or reserve a block of addresses, for
present or future use
> Let us say you want 4 ip's to access the telnet service. It is better to assign the 4 ip's
contiguously in one block, starting at a multiple of 4, rather than random ones. In this way
defining an acl is very easy: a single entry with a 0.0.0.3 wildcard covers all four
2.4 Building and maintenance of access-lists
-------------------------------------------
Use of tftp is preferred for easy editing.
To load a file named routera using tftp we use
copy tftp://192.168.30.1/routera system:running-config
Generally, performing the following steps every time you configure a router with tftp will
greatly reduce security exposure:
1. make the access-list file readable only by the router
2. configure the router via tftp
3. make the access-list file unreadable from the network to other users of the tftp server
Saving the acl is simple, again using tftp:
copy system:running-config tftp://192.168.35.1/routera
steps for tftp security:
------------------------
1. make the area writable by the router
2. save the config via tftp
3. make the config file unwritable and unreadable from the network to other users on the tftp server
Keep in mind that tftp has no authentication and carries the configuration, including any
passwords and keys in it, in cleartext; restrict it to a management segment and keep the
exposure window (steps 1 to 3) as short as possible
2.5 Named acl
-------------
> To increase the number of acl's available and to provide better, more descriptive names, more
recent versions of ios provide a facility called named acl
When creating a named acl, you first need to declare the name and type:
#ip access-list standard name
#permit -
#deny -
The keyword "ip" needs to be used first, then the type of acl ("standard" or "extended"), then the
name. Notice the change in prompt: after the first command the router is in access-list
configuration mode (config-std-nacl for a standard list, config-ext-nacl for an extended one),
and the permit and deny lines are entered there without repeating the list name