[Figure: the Internet connected through two routers; "filters work here", i.e. at the routers]
packet filtering using cisco access lists INET97 / track 2 # 3
Rules
a packet filter rule looks like this:
permit <src-ip, src-port> <dst-ip, dst-port>
deny <src-ip, src-port> <dst-ip, dst-port>
filter1 = {
deny any any any udp-port 69;
permit any any any any;
}
[Figure: protocol stack of a host: Application (socket), Internet (IP address 169.222.31.42), Network interface (hardware address 00.00.0c.d6.d4.f7); adjacent layers vs. peer layers, with the IP datagram exchanged between peer Internet layers]
[Figure: my net A (A1.A2.A3.A4/24) and my net C (C1.C2.C3.C4/24) attached to the filtering router]
filter2 = {
deny A1.A2.A3.A4/24 any any any;
deny B1.B2.B3.B4/29 any any any;
deny C1.C2.C3.C4/24 any any any;
permit any any any any;
}
e.g.:
access-list 1 permit 169.222.30.8
access-list 1 permit 169.222.30.9
access-list 1 permit 169.222.30.10
access-list 1 permit 169.222.30.11
access-list 1 permit 169.222.30.12
access-list 1 permit 169.222.30.13
access-list 1 permit 169.222.30.14
access-list 1 permit 169.222.30.14
access-list 1 deny any any
last octet of .8:        0000 1000
wildcard 0.0.0.7:        0000 0111
match pattern:           0000 1xxx   therefore,
169.222.30.8 0.0.0.7
which includes:          matches:
0000 1000 = .8           169.222.30.8
0000 1001 = .9           169.222.30.9
0000 1010 = .10          169.222.30.10
0000 1011 = .11          169.222.30.11
0000 1100 = .12          169.222.30.12
0000 1101 = .13          169.222.30.13
0000 1110 = .14          169.222.30.14
0000 1111 = .15          169.222.30.15
more wildcard matching list examples
e.g.:
access-list 101 permit udp 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0 eq 53
access-list 101 permit tcp 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0 eq 53
access-list 101 deny ip 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0
access-list 101 permit ip any any
1. Select a host in your row for the exercise. Make sure you
know the host’s IP address.
2. Verify that the host can telnet to another host off the net,
i.e. a bsdi PC in a different row.
1. Verify that your host can telnet to another host off the net,
i.e. a bsdi PC in a different row.
E.g. the "established" keyword tests whether the ACK or RST bit is set in the TCP header. The first packet in a TCP open will not match.
[Figure: TCP exchange between src and dst: open, established, close]
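The wildcard-mask matching and the "established" test described above, as an added Python example (not code from the slides or from Cisco): a small evaluator that parses entries in the form used on these slides and applies them first-match with the implicit trailing deny. Assumptions: list 102 and the sample packets are constructed, only the `eq` and `established` options are handled, and the last entry of list 101 is written as `permit ip any any`, the explicit-protocol form an IOS extended list requires.

```python
from ipaddress import IPv4Address
ACK, RST = 0x10, 0x04  # TCP flag bits that the 'established' keyword looks for

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def parse_endpoint(tok, i):
    """Address ('any' or 'base wildcard') followed by an optional 'eq PORT'."""
    if tok[i] == "any":
        addr, i = ("0.0.0.0", "255.255.255.255"), i + 1
    else:
        addr, i = (tok[i], tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return addr, port, i

def parse_rule(line):
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]"""
    tok = line.split()
    src, sport, i = parse_endpoint(tok, 4)
    dst, dport, i = parse_endpoint(tok, i)
    if tok[i:] not in ([], ["established"]):
        raise ValueError("unsupported option: " + " ".join(tok[i:]))
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": bool(tok[i:])}

def matches(r, p):
    """p is a dict with proto, src, dst and optional sport, dport, flags."""
    return (r["proto"] in ("ip", p["proto"])
            and wildcard_match(p["src"], *r["src"])
            and wildcard_match(p["dst"], *r["dst"])
            and (r["sport"] is None or p.get("sport") == r["sport"])
            and (r["dport"] is None or p.get("dport") == r["dport"])
            and (not r["established"] or bool(p.get("flags", 0) & (ACK | RST))))

def evaluate(acl, p):
    """First matching entry wins; every Cisco access list ends in an implicit deny."""
    return next((r["action"] for r in acl if matches(r, p)), "deny")

# Constructed lists: 101 from the slides, and a hypothetical inbound list 102 that
# only admits packets belonging to TCP connections opened from the inside.
ACL_101 = [parse_rule(l) for l in (
    "access-list 101 permit udp 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0 eq 53",
    "access-list 101 permit tcp 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0 eq 53",
    "access-list 101 deny ip 169.222.30.8 0.0.0.7 169.222.31.42 0.0.0.0",
    "access-list 101 permit ip any any")]
ACL_102 = [parse_rule("access-list 102 permit tcp any 169.222.30.8 0.0.0.7 established")]
```

With list 102 an inbound SYN to 169.222.30.9 is dropped (no ACK/RST set) while the SYN/ACK answering an outbound open passes, which is exactly the gap the "first packet in a TCP open" sentence describes.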
Access List Exercise #3 (slide 1/2)
We will create a short access list to prevent mail from cyberpromo.com.
On your router, use copy tftp run to create the access list.
Examine the access list using show ip access-lists.
Install the access-list on the router:
router(config-if)#ip access-group xxx in
other uses for access lists
Access lists can be used for purposes other than packet filtering: