CCIE: Routing & Switching: 2014

What is ACL?

Access control list (ACL) are basically a set of commands, grouped together by a number or name that is used to filter traffic entering or leaving an interface.

Access control list (ACL) is a set of rules which will allow/deny the specific traffic moving through the interface.

When activating an ACL on an interface, we must specify in which direction the traffic should be filtered:

Inbound (as the traffic comes into an interface).
Outbound (before the traffic exits an interface).

Router processes each access list statement against each packet in sequential manner. If the router reaches the end of the list and no match for the packet, then the particular packet will be discarded. So, it’s important that each access list contain at least one permit statement.

An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements.
IP access lists statements can be apply to IP addresses, upper-layer IP protocols, or other fields in IP packets.
Access list is identified and referenced by a name or a number.
Access list acts as a packet filter, filtering packets based on the criteria defined in the access list.
Access list does not filter the traffic originated by the router itself.
Generally Access list implemented on distribution layer router.

Access Control Lists can be used for:

Filtering IP traffic.
Defining traffic to Network Address Translate (NAT) or encrypt.
Filtering non-IP protocols such as AppleTalk, IPX etc.

Benefit of ACL:

The following are the benefit of Access Control List -

Block Unwanted Traffic or Users: Access lists can filter incoming or outgoing packets on an interface based on source addresses, destination addresses, or user authentication. We can configure access lists to determine which types of traffic to be forwarded or blocked at the router interfaces. For example, we can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.

Reduce the Chance of DOS Attacks: Access list can be used to reduce the chance of denial-of-service attacks. For example, by specifying IP source addresses, we can control whether traffic from hosts, networks, or users access our network.
Control Access to Virtual Terminal Lines: We can place an access list on inbound vty (Telnet) line access from certain nodes or networks. We can also place an access list on outbound vty access, blocking or permitting Telnet access to other devices.
Restrict the Content of Routing Updates: Access lists can control routing updates being sent, received, or redistributed.
Provide Bandwidth Control: An access list on a slow link can prevent excess traffic.
Identify or Classify Traffic for QoS Features: Access lists can provide congestion avoidance by setting IP precedence for WRED or CAR. It can provide congestion management for class-based weighted fair queuing (WFQ), priority queuing, and custom queuing.
Trigger Dial-on-Demand (DDR) Calls: An access list can enforce dialing and disconnect criteria.
Limit Debug Command Output: An access list can limit debug output based on an address or protocol.
Provide NAT Control: Access lists can control which addresses are translated by Network Address Translation (NAT).
Authenticate Incoming RSH and RCP Requests: To enable the Cisco IOS software to receive incoming Remote Shell (RSH) protocol and Remote Copy (RCP) protocol requests, customers must configure an authentication database to control access to the router. Access lists can simplify the identification of local users, remote hosts, and remote users in the database authentication configuration.

Access List Rules:

Use the following process and rules when configuring an IP access list:

The software checks the source or destination address or the protocol of each packet against the conditions in the access list, one condition (permit or deny statement) at a time.
If a packet does not match an access list statement, the packet is then tested against the next statement in the list.
If the packet and an access list statement match, the remaining statements in the list will skip and the packet will be permitted or denied as mention in the matched statement.
If the access list denies the address or protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message.
If no conditions match, the software drops the packet because each access list ends with an implicit deny statement.
The access list should contain at least one permit statement or else all packets are denied.
Order of statements is important because the software stops testing conditions after the first match. Put the most restrictive statements at the top of the list and the least restrictive at the bottom.
Create the access list before applying it to an interface. An interface to which an empty access list is applied permits all traffic.
Only one access list per interface, per protocol, per direction is allowed.
For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means discard the packet.
For outbound lists, permit means send it to the output buffer; deny means discard the packet.
An access list cannot be removed if that access list is in use. To remove an access list, remove the access group form interface and then remove the access list.
An access list must exist before we use “ip access group” command in an interface.
To identify the purpose of access list statement, we can write a helpful remark before or after any statement.

Processing of Access Control List (ACL):

For inbound access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router continues to process the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.
For outbound access lists, after receiving and routing a packet to an interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.
When we configure an access list (standard or extended) which is not yet applied to an interface, then the router will accept all packets.

Types of Access Control List (ACL):

Access Control List (ACL) is of two types –

Standard Access Control List.
Extended Access Control List.

Standard Access Control List:

Standard access control list can be used to allow or deny packets based on source IP address in an IP datagram packet or allow or deny entire TCP/IP protocol suite.

Standard ACL is range from 1 – 99 & 1300 – 1999.
Standard ACL is used to block a particular host or a network.
Standard ACL implement near to destination.
Standard ACL block all the services.
Standard ACL block two way communications.
Standard ACL works on Layer 3 OSI model.

Standard ACLs are used for the following situation:

Restricting access to a router through the VTY lines (Telnet and SSH).
Restricting access to a router through HTTP or HTTPS.
Filtering routing updates.

Extended Access Control List:

Extended access control list can be used to allow or deny packets based on Source IP address, Destination IP addresses, Protocols type (IP, TCP, UDP, and ICMP) and Protocol information (i.e. port number for TCP & USP, message type for ICMP) in an IP datagram packet.

Extended ACL is range from 100 – 199 & 2000 – 2699.
Extended ACL is used to block specific services like HTP, FTP etc.
Extended ACL implement near to destination.
Extended ACL block only specific services not all.
Extended ACL block one way communication.
Extended ACL works on Layer 3 & 4 of OSI model.

Extended ACLs are used for the following situation.

Filtering IP Options.
Filtering TCP flags.
Filtering non initial fragments of packets.
Time-based entries.

IP Address:

Internet Protocol address is a 32 bits address for a host in a TCP/IP network.

IP address Class:
Class A: 0.0.0.0 -------------- 127.255.255.255

Class B: 128.0.0.0 -------------- 191.255.255.255

Class C: 192.0.0.0 -------------- 223.255.255.255

Class D: 224.0.0.0 -------------- 239.255.255.255

Class E: 240.0.0.0 -------------- 255.255.255.255

Priority Bits:

Class A: 0

               Class B: 10
               Class C: 110
               Class D: 1110
               Class E: 1111

Network & Host Part:
               Class A:              N            H            H            H

Class B: N N H H
Class C: N N N H

Usage of Class:

Class A:

Class B: Used on LAN/MAN/WAN Communication.
Class C:

              Class D:              Used on Multicast Communication.
              Class E:              Used on Research & Development.

Network & Host Bits:

Bits	Class A	Class B	Class C
Total Network Bits	8	16	24
Total Host Bits	24	16	8

Network ID:

In case of Network ID, all the host bits are set to zero’s (0’s).

             Example: 192.168.1.10
             192.168.1. XXXX XXXX         (X = 0)
             192.168.1. 0000 0000
             192.168.1.0
So NID of the IP address 192.168.1.10 is 192.168.1.0

Broadcast ID:
In case of Network ID, all the host bits are set to one’s (1’s)
             Example: 192.168.1.10
             192.168.1. XXXX XXXX         (X = 1)
             192.168.1. 1111 1111
             192.168.1.255
So NID of the IP address 192.168.1.10 is 192.168.1.255

Subnet Mask:

Subnet mask is a 32 bits value which is used to differentiate the host & network portion of an IP address. In case of Subnet Mask, Network is represented by 1 & Host is represented by O.
Default Subnet Mask:
Class A: 255.0.0.0

Class B: 255.255.0.0
Class C: 255.255.255.0

Private IP Address:

              Class A: 10.0.0.0 – 10.255.255.255
              Class B: 172.16.0.0 – 172.31.255.255
              Class C: 192.168.0.0 – 192.168.255.255

Reserve IP Address:

             0.0.0.0 - 0.255.255.255 = Self Identification.
             10.0.0.0 – 10.255.255.255 = Class A Private IP Addres.
             127.0.0.0 – 127.255.255.255 = Loopback Address
             169.254.0.0 – 169.254.255.255 = APIPA Range used Microsoft OS
             172.16.0.0 – 172.31.255.255 = Class B Private IP Addres
             192.168.0.0 – 192.168.255.255 = Class C Private IP Addres
             224.0.0.0 – 239.255.255.255 = Multicast Communication
             240.0.0.0 – 255.255.255.255 = Research & Development
             255.255.255.255 = Limited Broadcast Address.

Subnetting:
The Process of dividing a large network into equal smaller parts is known as Subnetting. In subnetting some of host bits will be converted to network bits.

Reduce the wastage of IP address.
Allow us to manage the network efficiently.
Reduce the network threats.

Formula:

(2^h-2)≥No of host/network.
(2ⁿ-2) ≥ No of sunetwork.

Subnetting for Class C:

Example: 192.168.1.10; divide the given network in such a way where each subnetwork will have minimum of 30 hosts & also find out the Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address.

Solution: From the above question, host is given. So we will use the formula (2^h-2)≥No of host/network.
Step1: Find out the value of “h”, where “h” represent the Host bits.

                 (2^h-2)≥No of host/network
                 (2^h-2)≥30
                 (2⁵-2)≥30
                 (32-2) ≥30
                 30≥30
        From the above calculation, h = 5.
Note: As we know, in subnetting, some of the host bits will be converted to network bits. So we can say that -
                              In class C: n+h=8

                              In class B: n+h=16
                              In class A: n+h=24
Step2: Find out the value of “n”, where “n” represents the Network bits. So given network is 192.168.1.10, which is a class C network. So we will use
                           n+h=8
                           n+5=8
                           n=3

Step3: Find the total number of subnetwork:
                          (2ⁿ-2) ≥ No of sunetwork
                          (2³ – 2) ≥ No of sunetwork
                          (8-2) ≥ No of sunetwork
                          6≥ No of sunetwork
           Total no of subnetwork will be 8.
           Total number of valid subnetwork will be 6.
Step4: Find out the Total Network Bits (TNB):
           TNB = Default Network Bits + n
                  = 24 + 3
                  = 27
Step5: Find out the customize Subnet Mask (CSM):
       CSM =          8                  8                8                   3
                      1111 1111   1111 1111    1111 1111    111 00000
                          255              255             255                224
      CSM = 255.255.255.224
Point to Remember:
        1           2         3          4         5         6          7         8
      128       192       224       240       248       252       254       255
Step6: Finding the increment:
Increment = 256 – Change value on the CSM.
                = 256 – 224
                = 32
Step7: Writing the Range of subnet:

        192.168.1.0 – - - - - - - 192.168.1.31
        192.168.1.32 – - - - - - - 192.168.1.63
        192.168.1.64 – - - - - - - 192.168.1.95
        192.168.1.96 – - - - - - - 192.168.1.127
        192.168.1.128 – - - - - - - 192.168.1.159
        192.168.1.160 – - - - - - - 192.168.1.191
        192.168.1.192 – - - - - - - 192.168.1.223
        192.168.1.224 – - - - - - - 192.168.1.255
192.168.1.10 is the IP address which is belongs to Subnet (192.168.1.0 --- 192.168.1.31). So
         Network ID = 192.168.1.0
         Broadcast ID = 192.168.1.31
         First Valid IP address = 192.168.1.1
         Last Valid IP Address = 192.168.1.30

Note:

(192.168.1.0 – - - - - - - 192.168.1.31) is a subnetwork which is known as Subnet Zero. Cisco IOS prior to 12.0, the IP Subnet Zero is restricted (i.e. Disable). IOS 12.0 to all new IOS, the IP Subnet Zero is enabling by default.

Sample Network with Subnetted IP Address on PC:

Task to Do:
Perform the Subnetting based on the following requirements & Find out the following: Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address:

200.200.200.200; Host = 75
221.195.156.156; Host = 45
193.151.200.200; Host = 125
205.205.103.31; Host = 20
219.215.215.213; Host = 32

Subnetting for Class B:
Example: 172.16.3.10; divide the given network in such a way where each subnetwork will have minimum of 300 hosts & also find out the Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address.

Solution: From the above question, host is given. So we will use the formula
           (2^h-2)≥No of host/network.
Step1: Find out the value of “h”, where “h” represent the Host bits.
                 (2^h-2)≥No of host/network
                 (2^h-2)≥300
                 (2⁹-2)≥300
                 (512-2) ≥300
                 510≥300
         From the above calculation, h = 9.
Step2: Find out the value of “n”, where “n” represents the Network bits
So given network is 172.16.3.10, which is a class B network. So we will use
                  n+h=16
                  n+9=16
                  n=7
Step3: Find the total number of subnetwork:
                 (2ⁿ-2) ≥ No of sunetwork
                 (2⁷ – 2) ≥ No of sunetwork
                 (128-2) ≥ No of sunetwork
                 126≥ No of sunetwork
          Total no of subnetwork will be 128.
          Total number of valid subnetwork will be 126
Step4: Find out the Total Network Bits (TNB):
          TNB = Default Network Bits + n
                 = 16 + 7
                 = 23
Step5: Find out the customize Subnet Mask (CSM):
           CSM =          8               8                  7                 0
                        1111 1111   1111 1111    1111 1110    0000 0000
                             255             255              254                0
           CSM = 255.255.254.0
Step6: Finding the increment:
Increment = 256 – Change value on the CSM.
                = 256 – 254
                = 2
Step7: Writing the Range of subnet:
               172.16.0.0 – - - - - - - 172.16.1.255
               172.16.2.0 – - - - - - - 172.16.3.255
               172.16.4.0 – - - - - - - 172.16.5.255
               -----------------------------------------
               -----------------------------------------
               172.16.254.0 – - - - - - - 172.16.255.255
172.16.3.10 is the IP address which is belongs to subnet (172.16.2.0 --- 172.16.3.255). So
               Network ID = 172.16.2.0
               Broadcast ID = 172.16.3.255
               First Valid IP Add = 172.16.2.1
               Last Valid IP Add = 172.16.3.254

Task to Do:
Perform the Subnetting based on the following requirements & Find out the following: Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address:

151.163.20.3; Host = 500
191.164.12.134; Host = 750
142.158.26.30; Host = 128
158.156.29.32; Host = 817
183.169.176.168; Host = 150

Subnetting for Class A:
Example: 17.16.3.10; divide the given network in such a way where each subnetwork will have minimum of 1000 hosts & also find out the Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address.

Solution: From the above question, host is given. So we will use the formula
              (2^h-2)≥No of host/network.
Step1: Find out the value of “h”, where “h” represent the Host bits.
              (2^h-2)≥No of host/network
              (2^h-2)≥1000
              (2¹⁰-2)≥1000
              (1024-2) ≥1000
               1022≥1000
          From the above calculation, h = 10.
Step2: Find out the value of “n”, where “n” represents the Network bits. So given network is 17.16.3.10, which is a class A network. So we will use
                      n+h=24
                      n+10=24
                      n=14
Step3: Find the total number of subnetwork:
             (2ⁿ-2) ≥ No of sunetwork
             (2¹⁴ – 2) ≥ No of sunetwork
             (16384-2) ≥ No of sunetwork
              16382≥ No of sunetwork
        Total no of subnetwork will be 16384.
        Total number of valid subnetwork will be 16382.
Step4: Find out the Total Network Bits (TNB):
        TNB = Default Network Bits + n
               = 8 + 14
               = 22
Step5: Find out the customize Subnet Mask (CSM):
       CSM =          8               8                 6                 0
                    1111 1111   1111 1111    1111 1100   0000 0000
                         255              255              252              0
       CSM = 255.255.252.0
Step6: Finding the increment:
           Increment = 256 – Change value on the CSM.
                           = 256 – 252
                           = 4
Step7: Writing the Range of subnet:
            17.0.0.0 – - - - - - - 17.0.3.255
            17.0.4.0 – - - - - - - 17.0.7.255
            ----------------------------------
            ----------------------------------
           17.1.0.0 – - - - - - - 17.1.3.255
           17.1.4.0 – - - - - - - 17.1.7.255
           -----------------------------------
           -----------------------------------
          17.16.0.0 – - - - - - - 17.16.3.255
          17.16.4.0 – - - - - - - 17.16.7.255
17.16.3.10 is the IP address which is belongs to subnet (17.16.0.0---17.16.3.255). So
          Network ID = 17.16.2.0
          Broadcast ID = 17.16.3.255
          First Valid IP Add = 17.16.0.1
          Last Valid IP Add = 17.16.3.254

Task to Do:
Perform the Subnetting based on the following requirements & Find out the following: Network ID, Broadcast ID, and First Valid IP Add & Last Valid IP of the given IP address:

10.1.15.10; Host = 600
115.100.15.100; Host = 1000
111.125.136.124; Host = 455
56.125.24.29; Host = 799
76.75.82.86; Host = 1500

CIDR (Classless Inter Domain Routing):
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet Protocol packets.

CIDR was developed in the 1990s as a standard scheme for routing network traffic across the Internet. Before CIDR technology was developed, Internet routers managed network traffic based on the class of IP addresses. In this system, the value of an IP address determines its Subnetwork for the purposes of routing.

CIDR Notation:

CIDR specifies an IP address range using a combination of an IP address and its associated network mask. IDR notation uses the following format –

XXX.XXX.XXX.XXX/n
Where n is the number of (leftmost) '1' bits in the mask. For example, 192.168.12.0/23.

Example: 192.168.1.100/28; Find out the NID, BID, FVIP, LVIP, Total No of Subnets & Total no of host per subnet.

Solution: Here in this question Total Network Bits is given, which is 28.
Step1: Finding the Customized Subnet Mask from the Total Network Bits (TNB):

                 8                         8                          8                         4
               255                      255                      255                      240
Step2: Finding the value of “n”:
            TNB = Default Network Bits + n
            28   = 24 + n
                n = 4
Step3: Find the value of ‘h”:
So given network is 192.168.1.100, which is a class C network. So we will use
                              n+h=8
                              h+4=8
                                  h=4
Step4: Finding the increment:
           Increment = 256 – Change value on the CSM.
                           = 256 – 240
                           = 16

Step5: Writing the Range:
                 192.168.1.0 – - - - - - - 192.168.1.15
                 192.168.1.16 – - - - - - - 192.168.1.31
                 192.168.1.32 – - - - - - - 192.168.1.47
                 192.168.1.48 – - - - - - - 192.168.1.63
                 192.168.1.64 – - - - - - - 192.168.1.79
                 192.168.1.80 – - - - - - - 192.168.1.95
                 192.168.1.96 – - - - - - - 192.168.1.111
                 ---------------------------------------------
                 ---------------------------------------------
                 192.168.1.240 – - - - - - - 192.168.1.255
192.168.1.100 is the IP address which is belongs to subnet (192.168.1.96 – 192.168.1.111). So
                        Network ID = 192.168.1.96
                        Broadcast ID = 192.168.1.111
                        First Valid IP Add = 192.168.1.97
                        Last Valid IP Add = 192.168.1.110
Finding the Total number of Subnets:
                       (2ⁿ-2) ≥ No of sunetwork
                       (2⁴ – 2) ≥ No of sunetwork
                       (16-2) ≥ No of sunetwork
                              14≥ No of sunetwork
                Total no of subnetwork will be 16.
                Total number of valid subnetwork will be 14.
Finding the Total number of host per subnets:
                      (2^h-2) ≥ No of host/sunetwork
                      (2⁴ – 2) ≥ No of host/sunetwork
                      (16-2) ≥ No of host/sunetwork
                            14≥ No of host/sunetwork
               Total number of Host/Subnetwork is 14

Task to do:
Find the NID, BID, FVIP, LVIP, and Total No of Subnets & Total no of host per subnet based on the following:

195.168.1.15/25
174.16.100.100/24
115.10.10.152/16
142.158.158.120/23
182.85.168.200/22
199.199.199.100/30

CCIE: Routing & Switching

Monday, 28 July 2014

Access Control List (ACL)

Sunday, 27 July 2014

Subnetting