Restricting Virtual Terminal Access
Standard and extended ACLs apply to packets traveling through a router. They are not designed to block packets that originate within the router. By default, an outbound extended ACL that denies Telnet does not prevent Telnet sessions that the router itself initiates.

In addition to physical ports or interfaces on the router, such as Fa0/0 and S0/0, there are virtual ports. These virtual ports are called vty lines. The routers in this chapter have five vty lines, numbered zero through four, as shown in Figure 20-16 (many platforms have more, for example vty 0 through 15, and every line that exists must carry the same restriction). For security purposes, an ACL applied inbound on the vty lines controls which users may open a virtual terminal session to the router, while one applied outbound controls which destinations a user who is already logged in to the router may reach from it. For example, an administrator can allow terminal access to the router for management or troubleshooting purposes while at the same time restricting access beyond this router.
Figure 20-16 Restricting vty Access with ACLs (the figure shows one physical port, Ethernet 0, alongside the virtual ports vty 0 through 4)
Restricting vty access is not commonly used as a traffic control mechanism; instead, it is a way of increasing network security. vty access is accomplished by using the Telnet protocol (or, on later IOS images, SSH; both terminate on the same vty lines, so the same restriction applies to either) to make a nonphysical connection to the router. As a result, there is only one type of vty ACL: in practice a standard IP list, evaluated against the source address of the connecting host. Identical restrictions should be placed on all vty lines because it is impossible to control which line a user will connect on.
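The following Python script is an added worked example, not code from the book, showing what the router does when a standard ACL is applied to the vty lines: it parses IOS-style access-list entries, applies the wildcard mask bit by bit (a 0 bit must match, a 1 bit is ignored), takes the first matching entry, and falls through to the implicit deny at the end of the list. The sample entries are constructed here: list 2 is the list that Example 20-7 later builds, list 1 is the host entry from review question 16, and list 3 is an added entry with a non-contiguous wildcard, included to show that the mask is bitwise rather than a prefix length. The class and function names are this example's own.

```python
"""Standard-ACL evaluation as a router applies it for 'access-class N in' on a vty line.

Added example (not code from the book): parses IOS-style standard ACL entries,
applies wildcard masks bit by bit, takes the first match, and falls through to
the implicit deny at the end of every list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: list 2 is the vty list from Example 20-7, list 1 is the
# host entry from review question 16, and list 3 is an added entry whose
# wildcard 0.0.254.255 ignores every third-octet bit except the lowest, so it
# matches only even-numbered third octets.
ACL_TEXT = """\
! Creating the standard lists:
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 deny any
access-list 1 permit 204.211.19.162 0.0.0.0
access-list 3 permit 172.16.0.0 0.0.254.255
"""

_ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    addr: int      # 32-bit address from the entry
    wildcard: int  # 32-bit wildcard: 0 bit = must match, 1 bit = do not care


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Return (list_number, Ace) for one 'access-list N permit|deny ...' line."""
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard ACL entry: {line!r}")
    num = int(m.group("num"))
    if not (1 <= num <= 99 or 1300 <= num <= 1999):
        raise ValueError(f"list {num} is outside the standard IP ACL number ranges")
    tokens = m.group("rest").split()
    if tokens == ["any"]:                            # any = 0.0.0.0 255.255.255.255
        addr, wildcard = 0, 0xFFFFFFFF
    elif len(tokens) == 2 and tokens[0] == "host":   # host A.B.C.D = A.B.C.D 0.0.0.0
        addr, wildcard = _ip(tokens[1]), 0
    elif len(tokens) == 1:                           # bare address: wildcard defaults to 0.0.0.0
        addr, wildcard = _ip(tokens[0]), 0
    elif len(tokens) == 2:
        addr, wildcard = _ip(tokens[0]), _ip(tokens[1])
    else:
        raise ValueError(f"unrecognised source specification: {tokens}")
    return num, Ace(m.group("action"), addr, wildcard)


def parse_acl(text):
    """Return {list_number: [Ace, ...]}, keeping entries in configuration order."""
    lists = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        num, ace = parse_ace(line)
        lists.setdefault(num, []).append(ace)
    return lists


def matches(ace, src):
    """True when every bit the wildcard marks 0 is identical in src and ace.addr."""
    care = ~ace.wildcard & 0xFFFFFFFF
    return ((src ^ ace.addr) & care) == 0


def evaluate(aces, src_text):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    src = _ip(src_text)
    for ace in aces:
        if matches(ace, src):
            return ace.action
    return "deny"


def vty_decisions(acl_text=ACL_TEXT, list_number=2,
                  sources=("172.16.1.77", "172.16.2.255", "172.16.3.1", "10.0.0.1")):
    """Decide each source address the way 'access-class <list_number> in' would."""
    aces = parse_acl(acl_text)[list_number]
    return {src: evaluate(aces, src) for src in sources}


if __name__ == "__main__":
    for src, verdict in vty_decisions().items():
        print(f"{src:>15}  {verdict}")
```

Run it as a script to print a verdict per address. evaluate() is what access-class 2 in effectively computes for each incoming session, with the address of the Telnet or SSH client as the source; the list-3 entries show why a wildcard must be read bit by bit rather than as a subnet mask.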
A vty ACL is created the same way as an interface ACL, but applying it to a terminal line uses the access-class command instead of the ip access-group command. Example 20-7 demonstrates creating and applying a virtual terminal access list.
Example 20-7 Restricting vty Access with ACLs
! Creating the standard list:
Rt1(config)# access-list 2 permit 172.16.1.0 0.0.0.255
Rt1(config)# access-list 2 permit 172.16.2.0 0.0.0.255
Rt1(config)# access-list 2 deny any
! Applying the access list:
Rt1(config)# line vty 0 4
Rt1(config-line)# login
Rt1(config-line)# password secret
Rt1(config-line)# access-class 2 in

The login and password lines put a single shared password on the lines; on current IOS images, prefer login local with per-user secrets and transport input ssh so that only SSH is accepted on the vty lines. The access-class restriction applies regardless of which protocol terminates on the line.

Keep the following considerations in mind when configuring access lists on vty lines:
■ A name or number can be used when controlling access to an interface.
■ Only numbered access lists can be applied to virtual lines on the IOS releases this chapter covers; later releases also accept a named standard access list in the access-class command.
■ Identical restrictions should be set on all the virtual terminal lines because a user can attempt to connect to any of them.

Verifying ACLs
The show ip interface command displays IP interface information and indicates whether any ACLs are set. Example 20-8 shows the output of the show ip interface command. As you can see in rows 9 and 10 of Example 20-8 (the Outgoing ACL and Inbound ACL lines), ACL 10 is set on the outgoing traffic of interface Ethernet 0, and no ACL is set on inbound traffic.

Example 20-8 show ip interface Command
Router> show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.54.22.2, subnet mask is 255.255.255.0
  Broadcast address is 255.255.255.255
  Address determined by nonvolatile memory
  MTU is 1500 bytes
  Helper address is 192.52.71.4
  Secondary address 131.192.115.2, subnet mask 255.255.255.0
  Outgoing ACL 10 is set
  Inbound ACL is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  Gateway Discovery is disabled
  IP accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
Router>

The show access-lists command displays the contents of all ACLs. By entering the ACL name or number as an option for this command, you can see a specific list.

Summary
This chapter presented an overview of the following key points:
■ The two main types of ACLs are standard and extended.
■ Named ACLs allow access lists to be identified by name instead of number.
■ ACLs can be configured for all routed network protocols.
■ ACLs typically are used in firewall routers, which often are positioned between the internal network and an external network such as the Internet.
■ ACLs also can restrict virtual terminal access to the router.
■ ACLs perform several functions within a Cisco router, including implementing security/access procedures.
■ ACLs are used to control and manage traffic.
■ For some protocols, you can apply up to two ACLs to an interface: one inbound ACL and one outbound ACL.
■ With ACLs, after a packet is checked for a match with the ACL statement, it can be denied or permitted the use of an associated interface.
■ Wildcard mask bits use the numbers 1 and 0 to determine how to treat the corresponding IP address bits: a 0 bit means the corresponding address bit must match, and a 1 bit means it is ignored.

To supplement all that you’ve learned in this chapter, refer to the chapter-specific Videos, PhotoZooms, and e-Lab activities on the CD-ROM accompanying this book.
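As an added example for the Verifying ACLs section above (not code from the book), the Python script below parses show ip interface output into a per-interface record of which ACL, if any, is applied inbound and outbound, and then lists the interfaces that are up but carry no inbound ACL, which is the check an auditor runs after a change. The sample output is constructed: the Ethernet0 block is the first part of Example 20-8, and the Serial0 and Serial1 blocks are invented here to show the newer "access list is ..." wording and an administratively down interface. Function names are this example's own.

```python
"""Audit 'show ip interface' output: which ACLs are applied in/out on each interface.

Added example (not code from the book). Handles both the older wording
('Outgoing ACL 10 is set' / 'Inbound ACL is not set') seen in Example 20-8 and
the newer wording ('Inbound  access list is 101' / 'Outgoing access list is not set').
"""
import re

# Constructed sample: Ethernet0 is the start of Example 20-8; Serial0 and Serial1
# are invented interfaces added for contrast.
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 192.54.22.2, subnet mask is 255.255.255.0
  Broadcast address is 255.255.255.255
  Address determined by nonvolatile memory
  MTU is 1500 bytes
  Helper address is 192.52.71.4
  Secondary address 131.192.115.2, subnet mask 255.255.255.0
  Outgoing ACL 10 is set
  Inbound ACL is not set
  Proxy ARP is enabled
Serial0 is up, line protocol is up
  Internet address is 10.1.1.1, subnet mask is 255.255.255.252
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is enabled
Serial1 is administratively down, line protocol is down
  Internet protocol processing disabled
"""

# Interface header lines start in column 0; detail lines are indented.
_IF_RE = re.compile(
    r"^(?P<name>\S+) is (?P<state>up|down|administratively down), "
    r"line protocol is (?P<proto>up|down)"
)
_ACL_RE = re.compile(
    r"^\s+(?P<dir>Outgoing|Inbound)\s+(?:ACL|access list)\s+(?P<rest>.+?)\s*$"
)


def _acl_name(rest):
    """Map the tail of an ACL line to a list name/number, or None if not set."""
    if rest == "is not set":
        return None
    m = re.match(r"^(\S+) is set$", rest) or re.match(r"^is (\S+)$", rest)
    if m is None:
        raise ValueError(f"unrecognised access-list wording: {rest!r}")
    return m.group(1)


def parse_show_ip_interface(text):
    """Return {interface: {'state', 'protocol', 'in', 'out'}} from show ip interface output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = _IF_RE.match(line)
        if m:
            current = {"state": m.group("state"), "protocol": m.group("proto"),
                       "in": None, "out": None}
            interfaces[m.group("name")] = current
            continue
        m = _ACL_RE.match(line)
        if m and current is not None:
            key = "out" if m.group("dir") == "Outgoing" else "in"
            current[key] = _acl_name(m.group("rest"))
    return interfaces


def unfiltered_inbound(interfaces):
    """Names of interfaces that are up but have no inbound ACL applied."""
    return sorted(name for name, info in interfaces.items()
                  if info["state"] == "up" and info["in"] is None)


if __name__ == "__main__":
    parsed = parse_show_ip_interface(SHOW_IP_INTERFACE)
    for name, info in parsed.items():
        print(f"{name:<10} {info['state']:<22} in={info['in']} out={info['out']}")
    print("up with no inbound ACL:", unfiltered_inbound(parsed))
```

Feed it the captured output of show ip interface from a real router instead of the constructed sample; an interface on the flagged list is one where nothing is filtered on the way in, which is usually the direction that matters on a border router.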
Chapter 20: Access Control Lists
Key Terms
ACL (access control list)—A means of controlling or limiting network traffic that compares different criteria to a defined rule set.
bit bucket—The destination of discarded bits (dropped packets), as determined by the router.
border router—A router situated at the edge or end of the network boundary, which provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network.
extended ACL—Compares source IP address, destination IP address, TCP/UDP port number, and other criteria to the rules defining an extended ACL.
exterior router—In firewall architecture, the router that is connected to the Internet is referred to as the exterior router. It forces all incoming traffic to pass through the application gateway.
firewall—One or more network devices, such as routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access control lists and other methods to ensure the security of the private network.
interior router—The router that is connected to the internal network. The interior router accepts packets only from the application gateway. The gateway controls the delivery of network-based services both to and from the internal network.
named ACL—ACL that allows standard and extended ACLs to be given names.
queuing—A process by which ACLs can designate certain packets to be processed by a router before other traffic, on the basis of some configurable parameter such as specifying a protocol.
standard ACL—ACL that compares source IP addresses to the rules defining a standard ACL.
Check Your Understanding
Complete all the review questions to test your understanding of the topics and concepts in this chapter. Answers are listed in Appendix C, “Check Your Understanding Answer Key.”
1. Common ACL functions include filtering packets internally, protecting the internal network from illegal Internet access, and restricting access to virtual terminal ports. True or false?
A. True
B. False
2. ACL is an acronym for:
A. Accessibility control list
B. Accountability control list
C. Assessment control list
D. Access control list
3. A(n) ________ ACL works by comparing the source IP address against the ACL rules.
A. Extended
B. Named
C. Standard
D. Router
4. A(n) ________ ACL works by comparing the source IP address, destination IP address, or other parameters against the ACL rules.
A. Extended
B. Named
C. Standard
D. Router
5. A(n) ________ ACL uses names instead of numbers to distinguish ACLs.
A. Extended
B. Named
C. Standard
D. Router
6. As a general rule, ACLs should be placed where in the network?
A. In the Internet
B. In the Core
C. Closest to the traffic to be controlled
D. None of the above
7. In a firewall architecture, which router most likely will be configured with an ACL?
A. The most powerful router
B. The interior router
C. The exterior router
D. All of the above
8. Named ACLs were introduced in Cisco IOS 11.2 True or false?
A. True
B. False
9. What command is used to apply an ACL to a VTY port?
A. ip access-list
B. ip access-class
C. ip access-group
10. Which of the following commands would you use to find out whether any ACLs are set on an interface?
A. show running-config
B. show ip protocols
C. show ip interface
D. show ip network
11. What do you call the additional 32 bits of information in the access-list statement?
A. Wildcard bits
B. Access bits
C. 0 bits
D. 1 bits
12. If you want to permit traffic based on its addressing or protocol type, you would use which of the following commands?
A. Router #access-list access-list number {permit | deny} {test conditions}
B. Router (config)#access-list access-list number {permit | deny} {test conditions}
C. Router (config-if)#access-list access-list number {permit | deny} {test conditions}
D. None of the above
Trang 7Check Your Understanding 875
13. Standard IP access lists permit or deny routing of a packet based on the IP
address that it originates from and the protocol suite that it is destined for True
or false?
A. True
B. False
14. Access lists impact network security based on which of the following factors?
A. The data content of the packets
B. The destination subnet/host/network for the packets
C. The source subnet/host/network of the packets
D. The type of the network they are routed through
15. What type of networking device would be needed to implement access lists to increase network security?
A. Hub
B. Router
C. Bridge
D. Switch
16. What does the following access list allow? access-list 1 permit 204.211.19.162 0.0.0.0
A. “Deny my network only.”
B. “Permit a specific host.”
C. “Permit only my network.”
D. None of the above
Part III
Appendixes
Appendix A Structured Cabling
Appendix B Glossary of Key Terms
Appendix C Check Your Understanding Answer Key

Upon completion of this appendix, you will be able to
■ Understand the roots of structured cabling
■ Adhere to the rules of structured cabling when designing and performing installations to provide scalability
■ Recognize subsystems of structured cabling, including demarcation points and telecommunications and equipment rooms, including roles such as MC, IC, and HC
■ Recognize the special requirements of cabling in the work area
■ Express familiarity with standards organizations such as the Telecommunications Industry Association (TIA), the Electronic Industries Association (EIA), and the European Committee for Electrotechnical Standardization (CENELEC), as well as world-level organizations such as the International Organization for Standardization (ISO)
■ Perform low-voltage telecommunications work with attention to safety, and be safe around electricity
■ Understand basic points of ladder safety and the importance of proper attire for cabling work
■ Have a familiarity with the basic specialized hand tools of the installer’s craft, as well as with basic telecom test and measurement equipment
■ Understand which cabling tasks accompany which phase of a typical project
■ Understand the basic business processes that lead to successful cabling organization