Cisco IOS Access Lists

Book Description

Cisco routers are used widely both on the Internet and in corporate intranets. At the same time, the Cisco Internetwork Operating System (IOS) has grown to be very large and complex, and Cisco documentation fills several volumes. Cisco IOS Access Lists focuses on a critical aspect of the Cisco IOS: access lists. Access lists are central to the task of securing routers and networks, and administrators cannot implement access control policies or traffic routing policies without them. Access lists are used to specify both the targets of network policies and the policies themselves, and they are the mechanism behind the packet filtering done by firewalls all over the Internet. Cisco IOS Access Lists covers three critical areas:

  • Intranets. The book serves as an introduction and a reference for network engineers implementing routing policies within intranet networking.

  • Firewalls. The book is a supplement and companion reference to books such as Brent Chapman's Building Internet Firewalls. Packet filtering is an integral part of many firewall architectures, and Cisco IOS Access Lists describes common packet filtering tasks and provides a "bag of tricks" for firewall implementers.

  • The Internet. This book is also a guide to the complicated world of route maps. Route maps are a powerful but arcane construct, used most heavily with BGP, and they are necessary to make high-level routing policy work on the Internet.

Cisco IOS Access Lists differs from other Cisco router titles in that it focuses on practical instructions for setting router access policies. The details of interfaces and routing protocol settings are not discussed.

Table of Contents

  1. Cisco IOS Access Lists
    1. Preface
      1. Organization
      2. Audience
      3. Conventions used in this book
      4. We’d like to hear from you
      5. Acknowledgments
    2. 1. Network Policies and Cisco Access Lists
      1. Policy sets
        1. Characteristics of policy sets
        2. Policy sets in networks
          1. Policy sets of host IP addresses
          2. Policy sets of packets
          3. Complex policy sets
      2. The policy toolkit
        1. Controlling router resources
        2. Controlling packets passing through a router
        3. Controlling routes accepted and distributed
        4. Controlling routes accepted and distributed based on route characteristics
        5. Putting it all together
    3. 2. Access List Basics
      1. Standard access lists
        1. The implicit deny
        2. Standard access lists and route filtering
        3. Access list wildcard masks
        4. Specifying hosts in a subnet versus specifying a subnet
        5. Access list wildcard masks versus network masks
        6. The implicit wildcard mask
        7. Sequential processing in access lists
        8. Standard access lists and packet filtering
        9. Generic format of standard access lists
      2. Extended access lists
        1. Some general properties of access lists
        2. Matching IP protocols
        3. More on matching protocol ports
        4. Text substitutes for commonly used ports and masks
        5. Generic format of extended access lists
      3. More on matching
        1. Good numbering practices
      4. Building and maintaining access lists
        1. Risks of deleting access lists as an update technique
        2. Displaying access lists
        3. Storing and saving configurations
        4. Using the implicit deny for ease of maintenance
      5. Named access lists
    4. 3. Implementing Security Policies
      1. Router resource control
        1. Controlling login mode
          1. Router login permission
          2. Addresses reachable from the router
        2. Restricting SNMP access
        3. The default access list for router resources
      2. Packet filtering and firewalls
        1. A simple example of securing a web server
        2. Adding more access to the web server
        3. Allowing FTP access to other hosts
        4. Allowing FTP access to the server
        5. Passive mode FTP
        6. Allowing DNS access
        7. Preventing abuse from the server
        8. Direction of packet flow and extended access lists
        9. Using the established keyword to optimize performance
        10. Exploring the inbound access list
          1. Implementing a policy with inbound access lists
          2. Implementing the same policy with outbound access lists
          3. Comparing the inbound and outbound access list implementations
          4. Using inbound access lists to prevent IP address spoofing
          5. Making routing protocols go through an inbound access list
        11. Session filtering using reflexive access lists
        12. An expanded example of packet filtering
          1. Defining what access lists are necessary
          2. Optimizing the order of access list entries
      3. Alternatives to access lists
        1. Routing to the null interface
        2. Stopping directed broadcasts
        3. Removing router resources
    5. 4. Implementing Routing Policies
      1. Fundamentals of route filtering
        1. Routing information flow
        2. Elements in a routing update
        3. Network robustness
          1. Static routes do not scale
          2. Implementing network robustness through route filtering
        4. Business drivers and route preferences
      2. Implementing routing modularity
        1. Minimizing the impact of local routing errors
        2. Managing routing updates to stub networks
        3. Redistributing routing information between routing protocols
        4. Minimizing routing updates to stub networks using default networks
        5. Filtering routes distributed between routing processes
      3. Implementing route preferences
        1. Eliminating undesired routes
        2. Route preferences through offset-list
          1. Limitations of using distribute-list for preferring routes
          2. Using offset-list statements to prefer routes
          3. Selecting metric offsets
        3. Route preferences through administrative distance
      4. Alternatives to access lists
        1. Static routing
          1. Implementing route preference with static routes
          2. Floating static routes
          3. Static routes to the null device
        2. Denying all route updates in or out of an interface
          1. Using distance to ignore updates
          2. Omitting network statements
    6. 5. Debugging Access Lists
      1. Router resource access control lists
        1. Checking for correctness
          1. Manual tests of masks
        2. When access lists don’t work
        3. Debugging router resource access lists
      2. Packet-filtering access control lists
        1. Checking for correctness
          1. Using show ip interface to display applied access lists
          2. Testing the functionality of packet filters
          3. TCP port probing using Telnet
          4. Access list entry accounting
          5. IP accounting
        2. Debugging extended access lists
          1. Access list entry accounting
          2. IP accounting
          3. Access list entry logging
      3. Route-filtering access control lists
        1. Checking for correctness
          1. Limiting routing output
          2. Verifying the correctness of access lists in outbound distribute-list statements
          3. Verifying that hosts receive correct routing information
          4. Traceroute
          5. Debugging routing policies with access list accounting
          6. Verifying routing protocol activity using debug
          7. Viewing routing topology
        2. Debugging route-filtering access lists
          1. When the wrong route is present
          2. Stopping routing updates with extended access lists
          3. When access lists are used incorrectly
          4. When route-filtering access lists are wrong
    7. 6. Route Maps
      1. Other access list types
        1. Prefix lists
        2. AS-path access lists
        3. BGP community attribute
      2. Generic route map format
      3. Interior routing protocols and policy routing
      4. BGP
        1. Match clauses in BGP
        2. Route maps as command qualifiers
        3. Implementing path preferences
          1. The weight attribute
          2. AS-path prepending
          3. Communities
          4. Multi-Exit Discriminators
        4. Propagating route map changes
      5. Debugging route maps and BGP
    8. 7. Case Studies
      1. A WAN case study
        1. Security concerns
        2. Robustness concerns
        3. Business concerns
        4. Site 1 router configurations
        5. Site 2 router configurations
        6. Site 3 router configurations
      2. A firewall case study
        1. Screening router configuration
        2. Choke router configuration
      3. An Internet routing case study
        1. Robustness concerns
        2. Security concerns
        3. Policy concerns
        4. Router configurations
    9. A. Extended Access List Protocols and Qualifiers
    10. B. Binary and Mask Tables
    11. C. Common Application Ports
    12. Index
    13. Colophon
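The Chapter 2 topics above (wildcard masks, the implicit wildcard mask, the implicit deny, sequential processing, and the difference between a wildcard mask and a network mask) are the ones most often got wrong in practice. As an added illustration that is not part of the book, the following Python models how a standard IOS access list is evaluated against a source address. The sample access-list lines are constructed for this example; the parser handles only the `host`, `any`, and address/wildcard forms of standard access lists.

```python
import ipaddress

# Constructed sample: a standard access list that denies one /24 but permits
# the rest of the /16, plus one host. Order matters; see evaluate().
SAMPLE_ACL = [
    "access-list 10 deny   192.168.1.0 0.0.0.255",
    "access-list 10 permit 192.168.0.0 0.0.255.255",
    "access-list 10 permit host 10.1.1.1",
]


def wildcard_from_prefix(prefix_len):
    """Cisco wildcard mask for a /prefix_len: the bitwise inverse of the
    subnet mask. A 1 bit in the wildcard means 'don't care'."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches(addr, acl_addr, wildcard):
    """True if addr matches the access-list entry (acl_addr, wildcard).
    Only the bits that are 0 in the wildcard must agree."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <target>' lines into
    (action, address, wildcard) tuples, in the order given."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an access-list line
        action, rest = parts[2], parts[3:]
        if rest == ["any"]:
            acl_addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            acl_addr, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            # IOS applies an implicit wildcard of 0.0.0.0 (single host)
            acl_addr, wildcard = rest[0], "0.0.0.0"
        else:
            acl_addr, wildcard = rest[0], rest[1]
        entries.append((action, acl_addr, wildcard))
    return entries


def evaluate(entries, addr):
    """Sequential processing: the first matching entry decides.
    Nothing matched means the implicit deny at the end applies."""
    for action, acl_addr, wildcard in entries:
        if matches(addr, acl_addr, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    entries = parse_standard_acl(SAMPLE_ACL)
    for ip in ("192.168.1.5", "192.168.2.5", "10.1.1.1", "10.1.1.2"):
        print(ip, "->", evaluate(entries, ip))
    # Classic mistake: a network mask where a wildcard belongs. With
    # 255.255.255.0 as the wildcard only the LAST octet has to match,
    # so 10.9.9.0 matches and 192.168.1.5 does not.
    print(matches("10.9.9.0", "192.168.1.0", "255.255.255.0"))
    print(matches("192.168.1.5", "192.168.1.0", "255.255.255.0"))
```

Reversing the order of the sample entries permits 192.168.1.5, because the /16 permit is then reached before the /24 deny; that is the sequential-processing point the chapter makes, and the reason the book recommends good numbering practices and shows how to display the list as the router actually holds it.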