Thursday, June 25, 2009

IP Filtering

Standard IP Access Control Lists

Filtering logic could be configured on any router and on any of its interfaces. Cisco IOS software applies the filtering logic of an ACL either as a packet enters an interface or as it exits the interface. In other words, IOS associates an ACL with an interface, and specifically for traffic either entering or exiting the interface. After you have chosen the router on which you want to place the access list, you must choose the interface on which to apply the access logic, as well as whether to apply the logic for inbound or outbound packets.
The key features of Cisco ACLs are:
. Packets can be filtered as they enter an interface, before the routing decision.
. Packets can be filtered before they exit an interface, after the routing decision.
. Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
. Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
. The filtering logic is configured in the access list.
. If a packet does not match any of your access list statements, it is blocked.
Access lists have two major steps in their logic: matching, which determines whether it matches the access-list statement; and action, which can be either deny or permit. Deny means to discard the packet, and permit implies that the packet should be allowed. However, the logic that IOS uses with a multiple-entry ACL can be much more complex. Generally, the logic can be summarized as follows:
Step 1: The matching parameters of the access-list statement are compared to the packet.
Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed.
Step 3: If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
Step 4: If no match is made with an entry in the access list, the deny action is performed.

Wildcard Masks

IOS IP ACLs match packets by looking at the IP, TCP, and UDP headers in the packet. Standard IP access lists can also examine only the source IP address. You can configure the router to match the entire IP address or just a part of the IP address. When defining the ACL statements you can define a wildcard mask along with the IP address. The wildcard mask tells the router which part of the IP address in the configuration statement must be compared with the packet header. The wildcard masks look similar to subnet masks, in that they represent a 32-bit number. However, the wildcard mask’s 0 bits tell the router that those corresponding bits in the address must be compared when performing the matching logic. The binary 1s in the wildcard mask tell the router that those bits do not need to be compared. Thus, wildcard mask, which in binary form is 00000000.00000000.00000000.00000000, indicates that the entire IP address must be matched, while wildcard mask, which in binary form is 00000000.00000000.00000000.11111111, indicates that the first 24 bits of the IP address must be matched, and wildcard mask, which in binary form is 00000000.00000000.00011111.11111111, indicates that the first 24 bits of the IP address must be matched.
Standard IP Access List Configuration
A standard access list is used to match a packet and then take the directed action. Each standard ACL can match all, or only part, of the packet’s source IP address. The only two actions taken when an access-list statement is matched are to either deny or permit the packet.

The configuration commands required are:

. ip access-group {number | action [in | out]}, in which action can be either permit of deny and is used to enable access lists; and
. access-class number | action [in | out], which can be used to enable either standard or extended access lists.
The standard access list configuration can be verified using the following show commands:
. show ip interface[type number], which includes a reference to the access lists enabled on the interface;
. show access-lists [access-list-number | access-list-name], which shows details of configured access lists for all protocols; and
. show ip access-list [access-list-number | access-list-name], which shows the access lists.

Extended IP Access Control Lists

Extended IP access lists are similar to standard IP ACLs in that you enable extended access lists on interfaces for packets either entering or exiting the interface. IOS then searches the list sequentially. The first statement matched stops the search through the list and defines the action to be taken. The key difference between the extended ACLs and standard ACLs is the variety of fields in the packet that can be compared for matching by extended access lists. A single extended ACL statement can examine multiple parts of the packet headers, requiring that all the parameters be matched correctly in order to match that one ACL statement. That matching logic is what makes extended access lists both much more useful and much more complex than standard IP ACLs. You can configure extended ACL to match the IP protocol type, which identifies what header follows the IP header. You can specify all IP packets, or those with TCP headers, UDP headers, ICMP, etc, by checking the Protocol field. You can also check the source and destination IP addresses, as well as the TCP source and destination port numbers.
An extended access list is more complex than standard access lists. Therefore the configuration commands are more complex. The configuration command for extended access lists is:
. access-list access-list-number action protocol source source-wildcard destination destination-wildcard [log | log-input], which can be used to enable access lists;

Named IP Access Lists

Named ACLs can be used to match the same packets, with the same parameters, you can match with standard and extended IP ACLs. Named IP ACLs do have some differences, however. The most obvious difference is that IOS identifies named ACLs using names you assign them as opposed to numbers. Named ACLs also have another key feature that numbered ACLs do not: You can delete individual lines in a named IP access list.
In addition, two important configuration differences exist between numbered and named access lists. One key difference is that named access lists use a global command that places the user in a named IP access list submode, under which the matching and permit or deny logic is configured. The other key difference is that when a named matching statement is deleted, only that one statement is deleted. With numbered lists, the deletion of any statement in the list deletes all the statements in the list.

Controlling Telnet Access with ACLs

Access into and out of the virtual terminal line (vty) ports of the Cisco IOS software can also be controlled by IP access lists. IOS uses vtys to represent a user who has Telnetted to a router, as well as for Telnet sessions a user of a router has created to other devices. You can use ACLs to limit the IP hosts that can Telnet into the router, and you can also limit the hosts to which a user of the router can Telnet.

Quick Notes


• Class class-default need “fair-queue” if “bandwidth” was not specified.
• When using “ip rsvp bandwidth” on a sub-interfaces, it is also required to be configured on the main interface.
• When using multiple sub-interfaces with “ip rsvp bandwidth”, the main interface should be configured to be the sum all sub-interfaces.
• RSVP requires fair-queue to be enabled. With FRTS, WFQ is disabled by default, re-enable with “frame-relay fair-queue” in the map-class.
• When doing MQC configurations using the bandwidth percent command, do not forget to change the “max-reserve-bandwidth %”.
• Custom queueing defaults – Byte-count = 1500 bytes & Queue-limit = 20.
• Know the NBAR mime categories: “image/*” or “audio/*” or “application/*” or “text/*”
• Voice EF class = 46 decimal and 101110 in dscp-binary.
• FRTS formulas:
Bc = CIR * Tc
Be = (CAR – CIR) * Tc
• WRED formula:
= (1/MPD)
• CAR (Police) formula:
Bc = CIR / 8 * Tc (Default Tc = 1.5 seconds)
Be = 2 * Bc


• BSR is also commonly referred to as PIMv2.
• Pay special attention to when using Frame-Relay non-broadcast types. Multicast will not work. Tunnels might be needed.
• BSR – when multiple c-RP announces same groups, a longer match will be used to determine the RP, regardless of the RP priority set.
• With TTL scoping, if the Packet TTL >= Interface TTL, then the packet is forwarded, else dropped.
• GRE-tunnel - If the unicast source is reachable via tunnel, a RPF failure will occur. Correct with Mroute.
• Know how to spot RPF failures.
• Multicast Filtering:
1. Q – Prevent PIM neighbor establishments, but allow IGMP client joins?
A – On Central router : “ip pim neighbors filter” & the Stub router : “ip igmp helper-address”
2. Q – Filter specific multicast groups, while still allowing IGMP traffic?
A – “ip multicast boundary {acl}”
3. Q – Deny clients from joining specific multicast groups?
A – “ip igmp access-group {acl}”
4. Q – Statically filter RP requests and responses, (no Auto-RP, no BSR)?
A – “ip pim rp address {IP} {acl}”
5. Q – Client RP filtering, Limit join/prune messages for specific RP’s?
A – “ip pim accept-rp {RP-IP/auto-RP} {acl}”
6. Q – Auto-RP – Limit the Candidate-RP’s announcements?
A – “ip pim send-rp-announce {int} scope {no} group-list {acl}”
7. Q – Auto-RP – Limit what mgroups a MA accept from specific RP’s?
A – “ip pim rp-announce-filter rp-list {acl} group-list {acl}”
8. Q – Filter the BSR messages on a interface?
A – “ip pim bsr-border”
9. Q – Limit the amount of multicast routes in the mrouting table?
A – “ip multicast route-limit”
10. Q – Limit the rate a source can sent traffic to a group on a interface?
A – “ip multicast rate-limit group-list {acl} {kbps}”


• RIPng – “no ip split-horizon” in a process command not a interface command.
• EIGRPv6 – Do not forget to enable eigrp under the process.
• IPv6 tunnel method with least overhead : IPv6IP
• Tunnel protocol numbers for ACL’s : IPv6IP = Protocol-41, & GRE IPv6 = Protocol-47
• You can not redistribute a default static route(::/0) with ospfv3.
• Dynamic information (ie IGP next-hops) recurses to remote link-local address, not the global unicast interface.


• Know how to use extended access-lists in distribute-lists, see Brian McGahan @INE article.
• Know how to use extended access-lists instead of prefix-lists, see Brian Dennis @ INE article.
• Know your binary voodoo as Scott Morris @ INE calls it, Part I & Part II.
• Dont forget to allow IGP’s, BGP, Multicast , IPv6 and any other needed protocols when adding ACL to a interface.
• Know when to use the “established” keyword.
• When matching Multicast traffic in a extended ACL, remember that Multicast traffic can NEVER be a source.
• Allowing Telnet to a local router on a port other then 23: Option 1- Rotary command or Option 2- Port NAT.
• NBAR can be used if you not forbidden from using ACL’s. You can also map undefined custom ports with “ip nbar port-map custom”
• Dynamic ACL time-outs specified in the acl: “dynamic NAME timeout {x} permit tcp any any eq 80″.
• When configuring SSH, don’t forget to specify a Domain-name and generate your RSA keys.


• “no service config” – Disables the router from auto-answering for tftp config files
• WCCP uses udp port 2048 and protcol 47-GRE
• If talk about router discovery > IRDP
• DNS server config : “ip dns server” & “ip host”
• DNS client config : “ip domain-lookup” & “ip name-server”
• DHCP stands for Dont Hit Computer People
• DHCP option-82 = dhcp-relay.
• DHCP option-66 = Hand out IP address off TFTP server
• When configuring DHCP and earlier in the swithcing section you configured DHCP snooping you must enable the port connecting to the DHCP server as trusted.
• Incase DHCP was configured you need either “no ip dhcp snooping info option” on the switch OR “ip dhcp relay information trust” on the dhcp router.
• HSRP timers only need to be configure on one of the participating routers.
• HSRP uses UDP port 1984.
• When using HSRP with earlier configured port-security, you might need to allow you HSRP MAC 0000.0c07.acxx – where XX is the group number in hex.


• When using Communities, don’t forget “neighbor send-community”
• Know your attributes and the direction which applied, when to used what.
• “aggregate address” needs a more specific prefix in the BGP table for aggregate to be advertised.
• Synchronization issue has 3 solutions, 1- Load BGP on all transit routers, 2- GRE tunnel, 3- Redistribution BGP>IGP.
• “no bgp nexthop trigger” – Disables next-hop tracking between scanner intervals.
• “no bgp fast-ext-fallover” – Force the router to wait for the dead-timer to expire, before generating notification messages , when a connected peer goes down.
• “neighbor fall-over” – Will check neighbor connenctivity between scanner intervals, aka BGP Fast Peering.
• Only the Holdtime is sent in update-msg. Two neighbors will use the lowest holdtime and then calculate the keepalive from that.
• Know your Regular Expressions
• Know the difference between Peer-Groups and Peer-Templates


• Know your filters: Offset-list, Distribute-lists, distance command.
• With filters read carefully: “between 25 & 45″ or “from 25 to 45″.
• Know your prefix-lists or alternatively using ACL’s instead.
• “passive interface” command, ONLY stops the sending of updates out the interface. Interface will still receive and process those updates. Passive interfaces will still be advertised in other updates.
• Advertising a default route out one interface: “ip summary-address eigrp [AD]″
• To see if a neighbor is configured as STUB, “show ip eigrp neighbors [detail]” as look for ‘CONNECTED SUMMARY’
• On frame-relay multipoint interfaces, don’t forget to disable split-horizon.
• External EIGRP routes AD (admin distance = 170) can NOT be changed on per prefix basis.
• Metric weight values:
1 0 1 0 0 = Default
0 0 1 0 0 = Only DLY
1 0 0 0 0 = Only BW
3 0 1 0 0 = BW has 3 times more weight reference than DLY
• Metric formula:
Metric = ((107 / BW) + (DLY/10) ) * 256


• The Neighbor IP used with OSPF distance command is the Neighbors Router-ID.
• “area range” summarize type 3 LSA’.
• “summary-address” summarize type 5 & 7 LSA’s.
• Auto-cost reference BW (Default = 100mb), formula = Ref-BW/Int-Bw.
• Switches do no support the interface command “ip ospf {pid} area {area-id}” .
• OSPF path selection: O > O*IA > O*E1 > O*E2.
• Using E1 metric type : Packets will be routed out the closest exit point of the network.
• Using E2 metric type : If you want packets to exit your network at the closest point to their external destination.
• Don’t forget with hub and spoke topology, “ip ospf priority 0″.
• PITFALL, when forbid to use RID, Loopbacks created later on might change the DR on you network after a reload.
• PITFALL, when forbid to use RID, Later requested to configure the same loopback on two routers, could break your adjacencies, as two router cant peer with the same RID.
• “no capability transit” – Mimics OSPFv1 behaviour for all data traffic to pass through Area-0.
• “max-metric” – Configures OSPF stub configurations
• “max-lsa” – Limit amount of non-local LSA’s
• “timers throttle lsa all” – Slow down update rate.
• “timers pacing lsa-group” – Group more LSA’s together in updates.
• “no ip ospf flood-reduction” – Disables every 30-min LSA DB refresh.
• “ip ospf database filter all out” – Breaks RFC, Stop sending LSA’s, but still receive LSA’s


• DHCP on a frame interface : “frame-relay interface-dlci 555 protocol ip″
• When asked to disable INARP, be sure to do so on physical interfaces any multipoint sub-interfaces.
• If you see frame mappings, save your config and reload.
• The backup command can NOT be used on FR physical interfaces. (no way to detect when back up)
• Back-to-Back frame connections, disable keepalives with “no keep”
• LMI keepalives sent every 10 seconds. This interval can NOT be changed.
• LMI Full Status Updates are requested every 60 seconds. CAN be changed with “frame lmi-n391dte”.
• To ping local interface IP, add a mapping for local IP with any valid DLCI.
• To do “?” in authentication password, use either ESC-Q or CRTL-V.
• If two routers both using CHAP has the same hostname “no ppp chap ignoreus” is required.
• “ppp authentication eap” can be used as alternative to chap when md5 needed.
• “ppp link minimum” – amount of links required for a MLP bundle to up.
• With CHAP and PAP, know which side is the client and who is authenticating who!
• Know PPPoFR, MLP, and the mix combination formats

IP Prefix-list

ip prefix-list provides the most powerful prefix based filtering mechanism

Here is a quick little tutorial on Prefix-lists for you.

A normal access-list CANNOT check the subnet mask of a network. It can only check bits to make sure they match, nothing more. A prefix-list has an advantage over an access-list in that it CAN check BOTH bits and subnet mask - both would have to match for the network to be either permitted or denied.

For checking bits a prefix list ALWAYS goes from left to right and CANNOT skip any bits. A basic example would be this:

If there is only a / after the network (no le or ge) then the number after the / is BOTH bits checked and subnet mask. So in this case it will check the 24 bits from left to right (won't care about the last 8
bits) AND it will make sure that it has a 24 bit mask. BOTH the 24 bits checked and the 24 bit subnet mask must match for the network to be permitted or denied.

No we can do a range of subnet masks also that could be permitted or
denyed: ge 25

If we use either the le or ge (or both le and ge) after the /, then the number directly after the / becomes ONLY bits checked and the number after the ge or le (or both) is the subnet mask. So in this case we are still going to check the first 24 bits of the network from left to right. If those match we are then going to check the subnet mask, which in this case can be GREATER THAN OR EQUAL TO 25 bits - meaning that as long as the first 24 bits of the network match the subnet mask could be 25,26,27,28,29,30,31,or 32 bits. They would all match.

We can also do: le 28

Again this will check the first 24 bits of the network to make sure that they match. Then it will check to make sure that the subnet mask is LESS THAN OR EQUAL TO 28 bits. Now this isn't going to be 28 bits down to 0 bits, the subnet mask can't be any lower than the bits we are checking. So the valid range of subnet masks for this one would be 28 bits down to 24 bits (24,25,26,27,and 28). All of those would match.

We can also do both ge and le: ge 25 le 27

Here again we are checking the first 24 bits to make sure they match.
Then our subnet mask must be GREATER THAN OR EQUAL TO 25 bits LESS THAN OR EQUAL TO 27 bits. Meaning that 25,26,and 27 bit subnet masks would match.

Now for a couple of examples:

If we have the following networks:

We could permit all of these networks with on prefix-list statement: ge 28 le 28

This will check the first 24 bits to make sure they match. All of these networks have 172.16.8 as the first 24 bits, and it won't care what is in the last 8 bits. Then it will check to make sure that the subnet mask is GREATER THAN OR EQUAL TO 28 bits LESS THAN OR EQUAL TO 28 bits - the only number that works for this is 28 bits. So the first 24 bits in the network must match and it has to have a 28 bit subnet mask. All 5 of our networks would match for this.

We could be even more precise with this and use: ge 28 le 28

If we take a look at our 4th octects we will see that for all of them the 128 bit is off so we can check that bit also (25 bits total we are checking).

0 -- 0 0 0 0 0 0 0 0
16 - 0 0 0 1 0 0 0 0
32 - 0 0 1 0 0 0 0 0
48 - 0 0 1 1 0 0 0 0
64 - 0 1 0 0 0 0 0 0

This would be closer to permitting the 5 networks that we have.

We could also permit only the classful networks. The first thing that we need to do is figure out exactly what a classful network is.

For a class A network we know that it has to have an 8 bit mask and must be between 0 and 127 in the first octect. If we break down 0 and 127 we

0 --- 0 0 0 0 0 0 0 0
127 - 0 1 1 1 1 1 1 1

For the first octect of a class A network the first bit has to be a 0, it must be off. So we can do a prefix-list like this: ge 8 le 8

In our first octet the first bit is a 0 (which is what it would need to be to be class A), with the /1 we have we are ONLY checking the first bit to make sure it's a 0 (meaning it would be a class A network 0 - 127). We are then making sure that this class A network actually has a class A subnet mask of 8 bits, and only 8 bits would match.

For the class B's we need to make sure that they have a 16 bit subnet mask and that they are in the range of 128 - 191 in the first octet. If we break down 128 and 191 we get:

128 - 1 0 0 0 0 0 0 0
191 - 1 0 1 1 1 1 1 1

The first two bits are what we are going to care about. We need to make sure that the first two bits in the first octet are 1 0 . The first number that we can use as our standard we are checking against is 128 -
128 has a 1 0 as the first two bits in its first octet. ge 16 le 16

So we are checking the first two bits to make sure the network has a 1 0, meaning that it must be in the range of 128 - 191. We are then going to check to make sure that it has the classful 16 bit mask, and ONLY a
16 bit mask.

Finally we have the class C networks. Class C networks are in the range of 192 - 223 and they must have a 24 bit mask. If we break down 192 and
223 we get:

192 - 1 1 0 0 0 0 0 0
223 - 1 1 0 1 1 1 1 1

The first 3 bits in the first octet are what we care about. 192 would be the first number we can put in that first octect that will have 1 1 0 as its first 3 bits. ge 24 le 24

We are going to check the first 3 bits of the octet and make sure that its 1 1 0 meaning that it has to be in the range of 192 - 223 being class C, then we are going to check to make sure it has a class C classful subnet of 24 bits.

Finally how to permit or deny any could be very helpful since a Prefix-list just like an Access-list has an implicit deny at the end: le 32

This is 'any' for a prefix-list. It says check 0 bits; I don't care what any of the bits are. It also says that the subnet mask can be 32 bits or less (down to the number of bits we are checking) down to 0. So we aren't going to check any bits and the network can have a subnet mask of anything between 0 and 32 bits. This would be 'any'.

Now for your Prefix-list:

In the 3rd Octet we have 1, 4, and 5. We'll break these down to binary to see if we can summarize these into one line:

1 - 0 0 0 0 0 0 0 1
4 - 0 0 0 0 0 1 0 0
5 - 0 0 0 0 0 1 0 1

For a Prefix-list we need to go from the left to the right and we can't skip bits. So for these three networks we would need to stop at the 8 bit since it is the last bit from left to right that is the same. This would give us 3 bits that are different, or 8 possible networks. We only have 3 of the 8 possible networks and we should not permit or deny more than we actually have. We should be as specific as possible.

If we leave the alone by itself it will give us a Prefix-list of:

This will check the first 24 bits from left to right to make sure that they match, and it will also check to make sure that it has a 24-bit subnet mask.

For the 4 and 5 networks we can permit or deny both of those with one line. If we take a look at 4 and 5 again we can see that all of the bit's match down to the 2 bit. This would leave 1 bit that doesn't match, which would give us 2 possible networks, both of which we have.
The Prefix-list to permit or deny both 4 and 5 would be: ge 24 le 24

This will check the first 23 bits from left to right. The 24th bit could either be off, which would give us 4, or it could be on which would give us 5. Since we have the ge and le involved the /23 is only bits checked. The ge and le specify that our subnet mask must be greater than or equal to 24-bits and less than or equal to 24-bits which means that the subnet mask must be 24-bits for both possible networks.

Sunday, June 14, 2009

Tips for LAB exam

This is very important to make a template of commonly using commands, also these are very helpful commands.

Under the line console mode:

line 0
logging synchronous
exec-time 0

What this command do it will stop the interfering when you are giving any command and make exec time out 0

This command will use under the global configuration mode:

conf t
no ip domain-lookup

what this command will it stop finding the command when you provide not recognized command.