Sunday, March 29, 2009

The optional protocol qualifier

> For icmp , the protocol qualifier an be echo , echo-reply or any of icmp packet types

> udp/tcp typcially uses port number specifications but tcp has an additional qualifier
called "eastablished"

> The "established" qualifier for all tcp matches all tcp packets that are a part of tcp
connection that is already set up , regardless of source or destination port

> The log keyword if used , then everytime that access-list entry is matched , a log entry
is produced . This is available only with extended acl

Reference : example acl's wildcard bits *->

> The number of values matched is a power of 2 . There are either 2,4.8,16,32,64,128 or 256
values can be matched together

> The starting address matched is a multiple of the number of values matches if you match 2
addresses, then the first address matched is a multiple of 2 (even) if ou match 4
addresses then starting address is a multiple of 4

>*even if you start a range with an address in the middle of the range , the router will
store and display that particular access-list entry with an address that starts the range
using the previous example , the router would change to . This property could cause confusion later when you debug an access-list problems

some rules:

> For clarity , your matching rules should always give the base address of a range ,
followed by mask while any address within the range will work as the address , it is much
more understandable to start with the base value

> If you want to match some number of addresses that is not a power of 2 or that dosent
start at a multiple power of 2 , you have to write two or more access-list convering the
entries , part of range . an alternative to include more addresses in range

2.3.1 Good numbering practices

> just make sure you allocate one block of addresses or reserve a block of addresses for
present or future use

> let us say you want 4 ip's to access telnet service , better assign 4 ip's continuously in
one block rather than random ones . In this way defining an acl would be very easy

2.4 Building and maintanance of access-list

use of tftp is preffered for easy editing

to copy a file named routera using tftp we use

copy tftp:// system:running-config

Generally performing the following steps everytime you configure a router with tftp will
greatly reduce security exposure

1. make access-list readable only by router
2. configure router via tftp
3. make access-lists unreadable from the network to other users using tftp

saving acl is simple again using tftp:

copy system:running-confg tftp://

steps for tftp security:

1. make area writable by router
2. save config via tftp
3. make config file unwritable and unreadable fro the network to other users on tftp server

2.5 Named acl

> To increase the number of acl available and to provide better more descriptive names more
recent versions of ios provide a facility called name acl

when creatig named acl , you first need to declare name and type

#ip access-list standard name
#permit -
#deny -

key word "ip" needs to be used first , type of acl "standard / extended" notice change in

Design by Blogger Buster | Distributed by Blogging Tips