
Interconnecting Cisco Networking Devices Part 1
ICND1 100-105

Instructor
Paul A. Parker

Chapter 26

Advanced IPv4 ACLs and Device Security

Chapter 26
Foundation Topics
v Extended Numbered IP Access Control Lists
▼ Extended IP access lists have many similarities to standard numbered IP ACLs, but they differ in that they can match a larger variety of packet header fields.
▼ The syntax is identical up through the permit or deny keyword, but the extended ACL access-list command also requires the IP protocol type, the source IP address, and the destination IP address.
▼ The IP header’s Protocol field identifies the header that follows.

CCENT/CCNA ICND1 Interconnecting Cisco Networking Devices Part 1 3


Chapter 26
Extended Numbered IP Access Control Lists
v Matching the Protocol, Source IP, and Destination IP
▼ In an extended ACL access-list command, all the matching parameters must match the packet for the packet to match the command.

Chapter 26
Extended Numbered IP Access Control Lists
v Matching TCP and UDP Port Numbers
▼ Extended ACLs can also check parts of the TCP and UDP headers. The most useful fields are the well-known ports, such as those for HTTP and Telnet.
▼ When the extended ACL command includes either tcp or udp, the command can optionally reference a source and/or destination port. The port can be given as a literal decimal number or as a keyword for a well-known application port.
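The matching rules on the last few slides, as an added Python model that is not part of the course material or Cisco code: every field of an access-list entry must match, the first matching entry decides, and an unmatched packet hits the implicit deny. It supports only the `eq` port operator and a subset of the well-known port keywords, and the sample ACL 101 and packets are constructed.

```python
"""Added example (not Cisco code): a model of how an extended ACL matches packets, with
IOS-style wildcard masks and 'eq' port checks using literal numbers or well-known keywords."""
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "proto src dst sport dport")   # proto: "tcp", "udp", "icmp", ...
WELL_KNOWN = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):   # 'any' | 'host A' | 'A WILDCARD' -> ((address, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):   # optional 'eq <number|keyword>' -> (port or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return WELL_KNOWN.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'[access-list N] permit tcp SRC [eq P] DST [eq P]' -> (action, proto, src, sp, dst, dp)."""
    tok = line.split()
    i = 2 if tok[0] == "access-list" else 0   # named-ACL subcommands omit the prefix
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    sp, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dp, _ = _port(tok, i)
    return action, proto, src, sp, dst, dp

def _addr_ok(spec, ip):   # a wildcard bit of 1 means "don't care" for that address bit
    return (_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def evaluate(acl, pkt):
    """Every field of an ACE must match; the first matching ACE wins; no match = implicit deny."""
    for line in acl:
        action, proto, src, sp, dst, dp = parse_ace(line)
        if (proto in ("ip", pkt.proto) and _addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst)
                and sp in (None, pkt.sport) and dp in (None, pkt.dport)):
            return action
    return "deny"

ACL_101 = [   # constructed sample ACL, in the order its lines were configured
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www",
    "access-list 101 deny tcp any host 10.1.3.2 eq telnet",
    "access-list 101 permit udp any any eq domain",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255",
]
```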

Chapter 26
Extended Numbered IP Access Control Lists
v Filtering Packets based on Source and Destination Ports

Chapter 26
Extended Numbered IP Access Control Lists
v Popular Applications and Their Well-Known Port Numbers

Chapter 26
Extended Numbered IP Access Control Lists
v Example Extended access-list Commands

Chapter 26
Extended Numbered IP Access Control Lists
v Extended IP ACL Configuration

▼  Place extended ACLs as close as possible to the source of the packets that will be filtered. Filtering close to the source of the packets saves some bandwidth.
▼  Remember that all fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
▼  Use numbers of 100–199 and 2000–2699 on the access-list commands; no one number is inherently better than another.

Chapter 26
Named ACLs and ACL Editing
v Named IP Access Lists
▼ Named ACLs originally had three big differences compared to numbered ACLs:
➘  Using names instead of numbers to identify the ACL, making it easier to remember the reason for the ACL
➘  Using ACL subcommands, not global commands, to define the action and matching parameters
➘  ACL editing features that allow the CLI user to delete individual lines from the ACL and insert new lines

Chapter 26
Named ACLs and ACL Editing
v Editing ACLs Using Sequence Numbers
▼ With older IOS versions, to delete even a single line from an ACL, the user had to delete the entire ACL and then reconfigure it. Sequence numbers were first added to named ACLs and later to numbered ACLs as well.
➘  New Configuration Style for Numbered: Numbered ACLs use a configuration style like named ACLs, as well as the traditional style, for the same ACL; the new style is required to perform advanced ACL editing.
➘  Deleting Single Lines: An individual ACL permit or deny statement can be deleted with a no sequence-number subcommand.
➘  Inserting New Lines: Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL.
➘  Automatic Sequence Numbering: IOS adds sequence numbers to commands as you configure them, even if you do not include the sequence numbers.
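The four editing features above, as an added Python model that is not Cisco code or course material. It assumes that a line added without a sequence number gets the highest existing number plus 10, and it also models the IOS `ip access-list resequence` command, which these slides do not cover; the editing session is constructed.

```python
"""Added example (not Cisco code): a model of the named-ACL editing features on this slide:
auto-numbered entries, deleting one line with 'no <seq>', and inserting a line by sequence."""

class NamedAcl:
    def __init__(self, name, step=10):
        self.name, self.step = name, step   # IOS numbers entries 10, 20, 30, ... by default
        self.entries = {}                   # sequence number -> "permit ..." / "deny ..." text

    def add(self, text, seq=None):
        """No sequence: append after the highest number (assumed: highest + step).
        With a sequence: the line lands at that position, e.g. 15 goes between 10 and 20."""
        if seq is None:
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.entries[seq] = text
        return seq

    def delete(self, seq):
        """'no <seq>' removes a single statement and leaves the rest of the ACL in place."""
        del self.entries[seq]

    def resequence(self, start=10, step=10):
        """Renumber in order, like IOS 'ip access-list resequence <name> <start> <step>'."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + n * step: t for n, t in enumerate(ordered)}
        self.step = step

    def show(self):
        """Lines in the order 'show ip access-lists' presents them: by sequence number."""
        return [f"{s} {t}" for s, t in sorted(self.entries.items())]

def edit_session():
    """Constructed session: add three lines, insert one between 10 and 20, then delete 20."""
    acl = NamedAcl("constructed-acl")
    acl.add("permit tcp host 10.1.1.2 any eq www")             # becomes 10
    acl.add("deny udp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255")   # becomes 20
    acl.add("permit ip any any")                               # becomes 30
    acl.add("deny tcp any host 10.1.2.1 eq telnet", seq=15)    # inserted before 20
    acl.delete(20)                                             # 'no 20'
    return acl
```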

Chapter 26
Router and Switch Security
v Review: Password Protections for CLI
▼  Use the enable secret command instead of the combination of the enable password command plus the service password-encryption command. Both result in what looks like a scrambled password when displayed with the show running-config command. However, the enable secret command uses stronger password encryption, while passwords encrypted with the service password-encryption command can be easily broken.
▼  Avoid using simple password checking for the console or VTYs with the login line-mode command, because this method does not identify individual users.
▼  Optimally, authenticate CLI logins using an external authentication server, like a RADIUS server. However, if necessary, use locally configured username secret commands, which hide the passwords with a hash (as does the enable secret command).
▼  Disable support for inbound Telnet connections, because Telnet sends the passwords as clear text, opening up the possibility of someone capturing the packets and stealing the password. Instead, configure the router and switch to allow SSH only, using the transport input ssh command in VTY line mode.

Chapter 26
Router and Switch Security
v Cisco Security Recommendations:
▼ Disable the HTTP service, and only enable the HTTPS service if you intend to allow users to connect to the router or switch using a web browser.
▼ Disable CDP on all interfaces connected to untrusted parts of the network. To be even more secure, CDP could be disabled globally.
▼ Disable both TCP and UDP small services like the Echo service.
▼ Restrict access to the vty using the access-class command.
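An added example, not from the course or from Cisco: a Python check of an IOS running-config against the password, login, SSH, HTTP, CDP and access-class recommendations on these two slides, with a weak config beside a hardened one. Both configs are constructed and the `<PLACEHOLDER>` tokens stand in for real secrets.

```python
"""Added example (not Cisco code): audit an IOS running-config against the CLI hardening points
on these slides. Both configs are constructed; <PLACEHOLDER> stands for a secret value."""
WEAK = """enable password cisco123
service password-encryption
ip http server
line vty 0 4
 password cisco123
 login
 transport input telnet ssh"""
HARDENED = """enable secret <PLACEHOLDER>
username admin secret <PLACEHOLDER>
no ip http server
no cdp run
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 login local
 access-class 10 in
 transport input ssh"""

def sections(config):
    """Group config lines into {header: [subcommands]}; the '' key holds global commands."""
    out, cur = {"": []}, ""
    for line in config.splitlines():
        if line.startswith(" "):
            out[cur].append(line.strip())
        elif line.startswith(("line ", "interface ")):
            cur, out[line] = line, []
        elif line and not line.startswith("!"):
            cur = ""
            out[""].append(line)
    return out

def audit(config):
    """Return one finding for each recommendation the config does not follow."""
    sec = sections(config)
    has = lambda prefix, cmds: any(c.startswith(prefix) for c in cmds)
    rules = [
        (has("enable password", sec[""]), "enable password set; use enable secret instead"),
        (not has("enable secret", sec[""]), "no enable secret configured"),
        ("ip http server" in sec[""], "HTTP server enabled; disable it (HTTPS only if needed)"),
        ("no cdp run" not in sec[""], "CDP not disabled globally"),
    ]
    for name, sub in sec.items():
        if name.startswith("line vty"):
            rules += [
                ("login" in sub, f"{name}: plain 'login'; use 'login local' or an AAA server"),
                ("transport input ssh" not in sub, f"{name}: Telnet not excluded; set 'transport input ssh'"),
                (not has("access-class", sub), f"{name}: no access-class restricting VTY access"),
            ]
    return [msg for bad, msg in rules if bad]
```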

Chapter 26
Router and Switch Security
v ACL Implementation Considerations
▼ Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
▼ Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
▼ Place more specific statements early in the ACL.
▼ Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.

Chapter 26
Router and Switch Security
v Network Time Protocol
▼ Routers and switches issue log messages in response to different events. For example, when an interface fails, the device creates log messages. With default settings, IOS sends these messages to the console port.
▼ One option for handling log messages uses a service called a Syslog server: the routers and switches forward copies of all log messages to the Syslog server, which saves the messages from all devices.
▼ Network Time Protocol (NTP) gives any type of device a way to synchronize its time-of-day clock. If all the network devices synchronize their clocks, the date/time listed in each message lets you see which messages happened around the same time, making troubleshooting easier.

Chapter 26
Exam Preparation Tasks

Chapter 26
Command Reference
v ACL Configuration Commands

Chapter 26
Command Reference
v Device Security Configuration Commands

Chapter 26
Command Reference
v EXEC Commands

Questions?
