<PARA><DROPCAP>I</DROPCAP>n this chapter, we'll show you how to identify the important components when you're designing and implementing access policies. How users access the network directly affects how you build your network and what policies you implement. </PARA>
<PARA>Access policies start at the physical equipment and extend throughout the entire internetwork. In its IOS, Cisco provides different security options that you can run on a switch or router to help implement access policy security. </PARA>
<SECTION ID="11.1"><TITLE>Definition of an Access Policy</TITLE>
<PARA><DROPCAP>T</DROPCAP>o document a standard implementation for user access, a company or corporation creates policies. Those policies should include access policies, which describe how users access the network and even how to stop unwanted connections into the network.</PARA>
<PARA>Before any access control is implemented on a network, a standard access policy must be created. It would be difficult for all companies to use a standard access policy because networks and business requirements vary widely between companies. However, you should keep in mind some basic standards when designing your access policies.</PARA>
<PARA>The following list includes some of the most common access policy standards:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Physical security to the network equipment</PARA></LISTITEM>
<LISTITEM><PARA>VLAN management and port security</PARA></LISTITEM>
<PARA>When designing your access policy, remember the big picture: access policies are meant to secure the corporate network and prevent unwanted and unneeded traffic from entering it or slowing it down. Network administrators should implement access policies based on a set of defined traffic standards as well as provide a level of security to campus network devices. </PARA>
<SECTION ID="11.1.1" POS="1"><TITLE>Applying Policies to the Hierarchical Model</TITLE>
<PARA>Throughout this course, when discussing different aspects of network design, we have included a discussion of the Cisco three-layer hierarchical model. A discussion of network policies is no exception. Each layer in the Cisco hierarchical model can have a different access policy because each layer can be responsible for a different task. However, only the access layer and the distribution layer are typically used for implementing policies. </PARA>
<PARA>As you already know, the access layer is where users gain access to the network. You need to create security without hindering the company's business requirements. You can provide security at the access layer with port security on layer 2 switches and passwords on all devices in the internetwork.</PARA>
<PARA>The distribution layer is where routing occurs (that is, where layer 3 devices are present). At this layer, you create routing policies, which will ensure that only traffic that is necessary makes it to the core layer or is switched to another access layer. Because the distribution layer is also responsible for advertising routing information to the core layer, the routing policy can include route filtering with access lists and routing filters. </PARA>
</SECTION>
<SECTION ID="11.1.1.3"><TITLE>Core Layer</TITLE>
<PARA>The idea of the core layer is to pass data as quickly as possible, so typically, no access policies would apply here. Any policy implemented at the core will only slow down data traversing the core. The distribution layer is responsible for preventing unwanted traffic from entering the core layer. </PARA>
<PARA><DROPCAP>I</DROPCAP>t is important to be able to manage all your network devices. The first thing most administrators perform on their networking equipment is to set the passwords. This is probably a good thing to do right away. However, it is not the only thing you need to do. If all you set is the passwords, you are overlooking some of the other needed security items. This section will discuss the typical security that can be provided on a Cisco internetwork. </PARA>
<PARA>You should create a plan for the following:</PARA>
<PARA>One of the first things you need to document when you're creating an access policy to describe network security is how to create physical security.</PARA>
<PARA>Physically accessing equipment is the easiest way to gain access into a campus internetwork. It takes less than a minute to break into any Cisco router or switch if physical access to the device is granted. If you cannot get physical access to a Cisco router or switch, it is impossible to break into it unless you can guess the passwords. </PARA>
<PARA>If someone has physical access to your network equipment, they can have almost complete control over it. Most devices have a backdoor for getting in without a password. Creating a security policy doesn't help if you don't create physical security as well. The following are some possible solutions for physical security access policies:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Create a configuration and control policy for each type of device. For each site and remote branch, have a security plan that details how the links will be secured. </PARA></LISTITEM>
<LISTITEM><PARA>Design and implement server rooms and network closets that have locks-or even badge entry. Make sure the proper ventilation and power is installed, as well as UPS systems. </PARA></LISTITEM>
<LISTITEM><PARA>Control direct access to network equipment. Creating and locking server and network rooms is only the beginning of your access policy. You need to buy and install locking racks that stop unauthorized users or administrators from gaining direct access to hardware.</PARA></LISTITEM>
<LISTITEM><PARA>Secure network links by providing the same type of security for the wiring and network closets that you provide for the physical devices. </PARA></LISTITEM>
</LIST>
</SECTION>
<SECTION ID="11.2.2"><TITLE>Passwords</TITLE>
<PARA>Passwords are probably the most important aspect of security on your network. Change your passwords frequently and make sure they are not easy-to-decipher passwords such as your wife's or husband's name or even the name of one of your kids. Family names are typically used as passwords because they are easy to remember. However, people trying to break into your network or a piece of equipment know this as well.</PARA>
<PARA>Because there are many different ways to access and configure Cisco routers, passwords need to be set on all possible access points. To do this, you must know what they are. Remember, there are really only two ways to enter a Cisco router or switch:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA><KEYTERM>Out-of-band management</KEYTERM> includes the console and auxiliary ports. Set passwords on both of these physical ports. By default, no passwords are set and anyone can connect and manage the devices. "Out-of-band" comes from "managing the device out of the network." </PARA></LISTITEM>
<LISTITEM><PARA><KEYTERM>In-band management</KEYTERM> includes Telnet, TFTP servers, and Network Management Stations (NMSs). These access points do not allow access by default, but passwords should still be applied. "In-band" comes from "managing the device from within the network." </PARA></LISTITEM>
<PARA>There are five types of passwords used to secure your Cisco routers. The first two set your enable password, which is used to secure privileged mode. This will prompt a user for a password when the command <INLINECODE>enable</INLINECODE> is used. The other three are used to configure a password when user mode is accessed through the console port, the auxiliary port, or via Telnet. </PARA>
<NOTE>You should already be aware of how to set passwords on Cisco routers and switches and use the information presented in this section as a review.</NOTE>
<PARA>Enable passwords are very important because they stop users from gaining access to privileged mode, where they can view and change the configuration of the device. You set the enable passwords from global configuration mode: </PARA>
<RUNINPARA>Used if you set up authentication through a tacacs server and the server is not available. This will allow the administrator to still enter the router. However, it is not used if the tacacs server is working. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Tells the router to authenticate through a tacacs server. This is convenient if you have dozens or even hundreds of routers. How would you like to change the password on 200 routers? With the tacacs server, you need to change the password only once. </RUNINPARA></RUNINBLOCK>
<PARA>Here is an example of how to set the enable secret password:</PARA>
<CODELINE>The enable password you have chosen is the same as your enable secret. This is not recommended. Re-enter the enable password.</CODELINE></CODESNIPPET>
<PARACONTINUED>If you try to set the enable secret and enable passwords to be the same, the router will give you a nice, polite warning the first time, but if you type the same password again, it will be accepted. However, now neither password will work. If you don't have older legacy routers, don't bother to use the enable password. </PARACONTINUED>
<PARA>Usermode passwords are assigned by using the <INLINECODE>line</INLINECODE> command: </PARA>
<RUNINPARA>Sets the usermode password for the auxiliary port. This is typically used for configuring a modem on the router, but it can be used as a console as well. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Sets a Telnet password on the router. If the password is not set, then by default, Telnet cannot be used. </RUNINPARA></RUNINBLOCK>
<PARA>To configure the usermode passwords, you configure the line you want and use either the <INLINECODE>login</INLINECODE> or <INLINECODE>no login</INLINECODE> command to tell the router to prompt for authentication. </PARA>
<PARA>To configure the auxiliary password, go to global configuration mode and type <INLINECODEUSERINPUT>line aux ?</INLINECODEUSERINPUT>. Notice that you only get a choice of 0-0 because there is only one port: </PARA>
<PARACONTINUED>It is important to remember the <INLINECODE>login</INLINECODE> command or the auxiliary port won't prompt for authentication. </PARACONTINUED>
<PARA>To set the console password, use the command <INLINECODE>line console 0</INLINECODE>. However, notice that when we tried to type <INLINECODE>line console 0 ?</INLINECODE> from the aux line configuration, we got an error. You can still type <INLINECODE>line console 0</INLINECODE> and it will be accepted, but the help screens don't work from that prompt. We typed <INLINECODE>exit</INLINECODE> to get back one level: </PARA>
<PARA>To set the usermode password for Telnet access into the router, use the <INLINECODE>line vty</INLINECODE> command. Routers that are not running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. However, if you have the Enterprise edition, you will have significantly more. The routers we're using for this course have 198 (0-197). The best way to find out how many lines you have is to use the question mark: </PARA>
<PARA>If you try to telnet into a router that does not have a VTY password set, you will receive an error stating that the connection is refused because the password is not set. You can tell the router to allow Telnet connections without a password by using the <INLINECODE>no login</INLINECODE> command:</PARA>
<PARA>After your routers are configured with an IP address, you can use the Telnet program to configure and check them instead of having to use a console cable. You can use the Telnet program by typing <USERINPUT>telnet</USERINPUT> from any command prompt (DOS or Cisco). </PARA>
<PARA>In the preceding examples, we used the <INLINECODE>login</INLINECODE> command to indicate to the router where to find the login information that tells it to prompt for authentication. For example, the <INLINECODE>login</INLINECODE> command was used in the console, auxiliary, and VTY lines. The system then automatically uses the line as a login and will prompt for the password set under that particular line. </PARA>
<PARA>However, there are other options you can use that are more specific:</PARA>
<RUNINPARA>Indicates that the information will be found locally in the username statement (the username statement will be described shortly).</RUNINPARA></RUNINBLOCK>
<RUNINPARA>Used in conjunction with the <INLINECODE>login tacacs</INLINECODE> command to indicate that the login information is contained on a centralized authentication server. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Used in conjunction with the <INLINECODE>login authentication</INLINECODE> command to indicate that the login information is contained on a centralized authentication server. Using a centralized server makes it easier to maintain a large number of users and devices. </RUNINPARA></RUNINBLOCK>
<PARA>Cisco recommends that you require your users to log in to the system with a username and password instead of just handing out the enable secret password to all administrators. Using this method allows you to keep track of administrators and what changes they have made on a device. </PARA>
<PARA>To set up usernames, use the <INLINECODE>username</INLINECODE> command. Here is an example:</PARA>
<PARA>Setting the usernames won't do any good until you set the <INLINECODE>login local</INLINECODE> command on a line. If you want users to be prompted for a username on certain lines, make sure you set the <INLINECODE>login local</INLINECODE> command on those lines. Do not set the <INLINECODE>login local</INLINECODE> and then forget to set the usernames and passwords or you will be locked out of your router! The only way to recover is to reload or reboot the router, and this will work only if you didn't save the new configuration. You will have to perform a password recovery technique if you did save the configuration. </PARA>
<PARA>Here is an example of setting the <INLINECODE>login local</INLINECODE> on the console and Telnet lines:</PARA>
<PARA>It is important to not leave open Telnet or console sessions running when you are not at your workstation. It is very easy to forget to log out, so setting the time-outs will provide an additional level of security for an unattended console.</PARA>
<PARA>For an IOS-based router, use the <INLINECODE>exec-timeout</INLINECODE> command under the <INLINECODE>line</INLINECODE> command. The <INLINECODE>exec-timeout 0 0</INLINECODE> sets the time-out for the console EXEC session to zero, or to never time out. To set the line to time out after 10 minutes, use <INLINECODE>exec-timeout 10</INLINECODE>.</PARA>
<PARA>Here is an example of how to configure the <INLINECODE>exec-timeout</INLINECODE> command on the console and telnet lines:</PARA>
<CODESNIPPET><CODELINE>Router(config)#<EMPHASIS FORMAT="bold">line con 0</EMPHASIS></CODELINE>
<SECTION ID="11.2.2.4"><TITLE>Encrypting Your Passwords</TITLE>
<PARA>Only the enable secret password is encrypted by default. You need to manually configure the usermode and enable passwords.</PARA>
<PARA>Notice that you can see all the passwords except the enable secret when performing a <INLINECODE>show running-config</INLINECODE> on a router: </PARA>
<PARA>To manually encrypt your passwords, use the <INLINECODE>service password-encryption</INLINECODE> command. Here is an example of how to perform manual password encryption:</PARA>
<PARA>By typing the <INLINECODE>show running-config</INLINECODE> command, you can see that the enable password and the line passwords are all encrypted: </PARA>
<SECTION ID="11.2.2.5"><TITLE>Setting Passwords on a CLI-Based switch</TITLE>
<PARA>To configure the usermode and enable mode passwords on a CLI-based switch, enter enable mode by using the <INLINECODE>enable</INLINECODE> command and then enter global configuration mode by using the <INLINECODE>config t</INLINECODE> command. </PARA>
<PARA>Once you are in global configuration mode, you can set the usermode and enable mode passwords by using the <INLINECODE>enable password</INLINECODE> command. The switch's output below shows the configuration of both the usermode and enable mode passwords: </PARA>
<PARACONTINUED>To enter the usermode password, use level number 1. To enter the enable mode password, use level mode 15. Remember, the password must be at least four characters but not longer than eight characters. </PARACONTINUED>
<CODELINE>CLI session with the switch is now closed.</CODELINE>
<CODELINE>Press any key to continue.</CODELINE></CODESNIPPET>
<PARA>At this point, you can press Enter and test your passwords. You will be prompted for a usermode password after you press K and then an enable mode password after you type <INLINECODEUSERINPUT>enable</INLINECODEUSERINPUT>. Remember that the enable secret password always supercedes an enable password. On a CLI-based switch, use the <INLINECODE>enable secret</INLINECODE> command, just as you would with any router:</PARA>
<PARA>Notice that the enable mode passwords are not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router. The passwords are not case sensitive. </PARA>
<PARA>You can set the session time-out on a CLI-based switch with the <INLINECODE>time-out</INLINECODE> command under the line console: </PARA>
<PARACONTINUED>The <INLINECODE>time-out</INLINECODE> command is set in seconds (300 seconds is 5 minutes). </PARACONTINUED>
</SECTION>
</SECTION>
<SECTION ID="11.2.2.6"><TITLE>Setting Passwords on a Set-Based Switch</TITLE>
<PARA>To configure the usermode and privilege mode passwords on a set-based switch, use the command <INLINECODE>set password</INLINECODE> for the usermode password and the command <INLINECODE>set enablepass</INLINECODE> for the enable password.</PARA>
<PARA>When you see the "Enter old password" prompt, you can leave it blank and press Enter if you don't have a password set. The output for the "Enter new password" prompt doesn't show on the console screen. If you want to clear the usermode (login) password, type in the old password and then just press Enter when you're asked for a new password. </PARA>
<PARA>You can type <USERINPUT>exit</USERINPUT> at this point to log out of the switch completely, which will allow you to test your new passwords. You can set the session time-out on the set-based switch by using the <INLINECODE>set logout</INLINECODE> command: </PARA>
<PARA>By default, all Cisco devices have two privilege levels: user mode and privilege mode. If you have a large network with many administrators, you should set usernames and passwords for each administrator. This will allow you to monitor each administrator and the changes they make to any device. </PARA>
<PARA>This becomes a problem when each administrator has different duties; they should not all have the same amount of access to Cisco devices. By setting additional privilege levels, you can effectively provide each user with the ability to perform certain commands without giving them the opportunity to modify the configuration or even perform a debug on a device. The privilege mode, by default, allows a user to perform all commands, view and change the configuration, and run debugging commands. You probably would not want all administrators to have full privilege mode capabilities. </PARA>
<PARA>There are 16 different levels of privilege that can be set, 0-15. By default, user mode is level 1 and the highest privilege mode is 15. Level 0 is used to set up a very limited subset of commands for a specific user or line. </PARA>
<PARA>To set up privilege modes, use the <INLINECODE>privilege</INLINECODE> global configuration command:</PARA>
<CODELINE> vpdn-group VPDN group configuration mode</CODELINE></CODESNIPPET>
<PARA>There are a lot of commands that can be used with the <INLINECODE>privilege</INLINECODE> command, which allows for very granular control. Here is a list of some of the most commonly used privilege mode commands:</PARA>
<RUNINPARA>Allows changes to routing protocols </RUNINPARA></RUNINBLOCK>
<PARA>To configure privileges, you configure an enable password for each level and then assign commands that each level can perform. For Cisco IOS devices, use the following command to set the level passwords:</PARA>
<PARA>Then set the <INLINECODE>privilege</INLINECODE> command as follows using the list of most commonly used privilege mode commands as valid modes: </PARA>
<PARA>Here is an example of how to set a password for a level 5 user, then enable that user to execute the <INLINECODE>ping</INLINECODE> command, which is a level 15 command: </PARA>
<CODELINE>Current privilege level is 15</CODELINE>
<CODELINE>Router#</CODELINE></CODESNIPPET>
<PARA>You can then have the user log in with the <INLINECODE>enable 5</INLINECODE> command, which will prompt the user for the level 5 enable password: </PARA>
<PARA>You can set a banner on a Cisco router so that when either a user logs in to the router or an administrator telnets into it, for example, the banner will give them information that you want them to have. Another reason for having a banner is to add a security notice to users dialing in to your internetwork. There are four different banners available: </PARA>
<CODELINE> LINE c banner-text c, where 'c' is a delimiting character</CODELINE>
<CODELINE> exec Set EXEC process creation banner</CODELINE>
<CODELINE> incoming Set incoming terminal line banner</CODELINE>
<CODELINE> login Set login banner</CODELINE>
<CODELINE> motd Set Message of the Day banner</CODELINE></CODESNIPPET>
<PARA>The Message of the Day is the most used and gives a message to every person dialing in or connecting to the router via Telnet, auxiliary port, or console port: </PARA>
<CODELINE>Enter TEXT message. End with the character '#'.</CODELINE>
<CODELINE><EMPHASIS FORMAT="bold">$ized to be in Acme.com network, then you must disconnect immediately.</EMPHASIS></CODELINE></CODESNIPPET>
<NOTE>The router wrapped the text above and inserted a dollar sign ($) to let the administrator know this. The complete message will be used, however, as shown in the output that follows. </NOTE>
<CODELINE>If you are not authorized to be in Acme.com network, then you must disconnect immediately.</CODELINE>
<CODELINE></CODELINE>
<CODELINE>Router></CODELINE></CODESNIPPET>
<PARA>The above MOTD banner tells anyone connecting to the router that they either must be authorized or must disconnect. It's important that you understand the delimiting character. You can use any character you want, and it is used to tell the router where the end of the message is. So you can't use the delimiting character in the message itself. Also note that at the end of the message, you should press Return, then the delimiting character, then Return again. If you don't do that, the message will still work, but if you have multiple banners, for example, they will be combined as one message and put on one line. </PARA>
<PARA>These are the other banners: </PARA>
<RUNINBLOCK><RUNINHEAD>Exec banner</RUNINHEAD>
<RUNINPARA>You can configure a line-activation (exec) banner to be displayed when an EXEC process (such as a line-activation or incoming connection to a VTY line) is created.</RUNINPARA></RUNINBLOCK>
<RUNINPARA>You can configure a banner to be displayed on terminals connected to reverse Telnet lines. This banner is useful for providing instructions to users who use reverse Telnet.</RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Login banner</RUNINHEAD>
<RUNINPARA>You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner but before the login prompts. The login banner cannot be disabled on a per-line basis. To globally disable the login banner, you must delete the login banner with the <INLINECODE>no banner login</INLINECODE> command.</RUNINPARA></RUNINBLOCK>
<PARA>You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves. </PARA>
<NOTE>Access lists are in discussed in detail later in this chapter.</NOTE>
<PARA>To place an access list on a VTY line, follow these steps:</PARA>
<LIST MARK="number">
<LISTITEM><PARA>Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers to do so. </PARA></LISTITEM>
<LISTITEM><PARA>Apply the access list to the VTY line with the <INLINECODE>access-class</INLINECODE> command. </PARA></LISTITEM>
</LIST>
<PARA>Here is an example of allowing only host 172.16.10.3 to telnet into a router: </PARA>
<PARACONTINUED>Because of the implied <INLINECODE>deny any</INLINECODE> at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3. </PARACONTINUED>
<PARA>HTTP can be used to gain access to a router or switch and both view and change the configuration of the device. Because any active interface can be used to allow access via HTTP, you can limit access by placing an access list under the HTTP server command. </PARA>
<PARA>To turn on HTTP access, use the <INLINECODE>ip http server</INLINECODE> command. By default, the enable secret password is used to gain access. When you set up usernames and passwords, each user can be prompted for passwords when trying to access the device via a network browser. You can use the <INLINECODE>ip access-class</INLINECODE> command to add an access list to the HTTP server running on the device. Here is an example of setting up a user with HTTP access from their host 172.16.10.1: </PARA>
<PARACONTINUED>User tlammle can now use a network browser to log in and manage a Cisco device. </PARACONTINUED>
<PARA>Password security for HTTP access is similar to password security for console and Telnet access. The following commands can be used for login authentication:</PARA>
<PARA><DROPCAP>T</DROPCAP>he access layer is where users gain access to the internetwork. If you want total security, you can unplug their workstations from the switch, but that's not usually possible. You need to both allow users to gain access to corporate services and secure your internetwork. Not an easy task. The biggest threat is users going into a network closet and just plugging into an access layer switch. Always lock the closet in which the network equipment is located. </PARA>
<PARA>However, by managing the MAC address table, you can manage port security on access layer switches, which allows you to protect your internetwork from a user plugging a device into the switch. </PARA>
<SECTION ID="11.3.1" POS="1"><TITLE>Managing the MAC Address Table</TITLE>
<PARA>Do you remember how bridges and switches filter a network? They use MAC (hardware) addresses burned into a host's network interface card (NIC) to make forwarding decisions. The switches create a MAC table that includes dynamic, permanent, and static addresses. This filter table is created when hosts send a frame and the switch learns the source MAC address and from which segment and port it was received. </PARA>
<PARA>The switch keeps adding into the MAC filter table new MAC addresses that are sent on the network. As hosts are added or removed, the switch dynamically updates the MAC filter table. If a device is removed, or if it is not connected to the switch for a period of time, the switch will age out the entry. </PARA>
<PARA>You can see the switch's filter table by using the command <INLINECODE>show mac-address-table</INLINECODE>. The following output shows the information received when using the <INLINECODE>show mac-address-table</INLINECODE> command: </PARA>
<PARA>The addresses in the table above are from the four hosts connected to a 1900 switch. They are all <EMPHASIS FORMAT="italic">dynamic entries</EMPHASIS>, which means the switch looked at the source address of a frame as it entered the switch interface and placed that address in the filter table. Notice that we have hosts in interfaces 1, 2, 4, and 5. </PARA>
<PARA>Administrators can specifically assign permanent addresses to a switch port. These addresses are never aged out. You can do this to provide security to a port, which means that unless you specifically configure a hardware address to a switch port, the hardware address won't work. Administrators can also create static entries in the switch; these entries actually create a path for a source hardware address. This can be really restrictive, and you need to be careful when setting static entries because you can basically shut your switch down if you do not plan the configuration carefully. </PARA>
<SECTION ID="11.3.1.1"><TITLE>Configuring Port Security</TITLE>
<PARA>Another form of security on an access layer switch is <EMPHASIS FORMAT="italic">port security</EMPHASIS>. Port security is a way of stopping users from plugging a hub into their jack in their office or cubicle and adding a bunch of hosts without your knowledge. By default, 132 hardware addresses can be allowed on a single switch interface. To change this, use the interface command <INLINECODE>port secure max-mac-count</INLINECODE>. </PARA>
<PARA>On a set-based switch, the command is <INLINECODE>set port security </INLINECODE><INLINECODEVARIABLE>mod/port</INLINECODEVARIABLE><INLINECODE> enable </INLINECODE><INLINECODEVARIABLE>mac_address</INLINECODEVARIABLE>.</PARA>
<PARA>The following switch output shows the command <INLINECODE>port secure max-mac-count</INLINECODE> being set on a CLI-based switch, interface 0/2, to allow only one entry: </PARA>
<PARA>The secured port or ports you create can use either static or sticky-learned hardware addresses. If the hardware addresses on a secured port are not statically assigned, the port sticky learns the source address of incoming frames and automatically assigns them as permanent addresses. <EMPHASIS FORMAT="italic">Sticky-learn</EMPHASIS> is a term Cisco uses to refer to a port dynamically finding a source hardware address and creating a permanent entry in the MAC filter table. </PARA>
<PARA><DROPCAP>T</DROPCAP>he distribution layer is the place to implement most of your policies for the network. Here, you can exercise considerable flexibility in defining network operation. There are several items that generally should be taken care of at the distribution layer:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Implementation of tools such as access lists, packet filtering, and queuing</PARA></LISTITEM>
<LISTITEM><PARA>Implementation of security and network policies, including address translation and firewalls</PARA></LISTITEM>
<LISTITEM><PARA>Redistribution between routing protocols, including static routing</PARA></LISTITEM>
<LISTITEM><PARA>Routing between VLANs and other workgroup support functions</PARA></LISTITEM>
<LISTITEM><PARA>Broadcast and multicast domain definition</PARA></LISTITEM>
</LIST>
<PARA>Things to avoid at the distribution layer are limited to those functions that exclusively belong to one of the other layers. The best access polices assure that the distribution layer does not send excessive data to the core layers or other switch blocks. Access control at the distribution layer falls into several different categories:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Filtering traffic between VLANs and to the core layer. Typically, this is provided by an access list.</PARA></LISTITEM>
<LISTITEM><PARA>Filtering routing protocol updates to the core block. This is provided by <KEYTERM>distribution lists</KEYTERM>, which are another form of access lists but are specific for routing protocols. </PARA></LISTITEM>
<PARA>Most of the access policies are implemented at the distribution layer with some type of access list. Access lists are essentially lists of conditions that control access. They're powerful tools that control access both to and from network segments. They can filter unwanted packets and be used to implement security policies. With the right combination of access lists, network managers will be armed with the power to enforce nearly any access policy they can invent. </PARA>
<NOTE>This is only an overview of access lists. For a detailed explanation, please see <EMPHASIS FORMAT="italic">CCNA: Cisco Certified Network Associate Study Guide</EMPHASIS>, by Todd Lammle (Sybex, 2000), and <EMPHASIS FORMAT="italic">CCNP: Routing Study Guide</EMPHASIS>, by Todd Lammle and Sean Odom (Sybex, 2000). </NOTE>
<PARA>The IP and IPX access lists work similarly-they're both packet filters that packets are compared with, categorized by, and acted upon. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list will then cause the router to analyze every packet crossing that interface in the specified direction and take action accordingly.</PARA>
<PARA>There are a few important rules a packet follows when it's being compared with an access list:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>It's always compared with each line of the access list in sequential order; that is, it'll always start with line 1, then go to line 2, then line 3, and so on. </PARA></LISTITEM>
<LISTITEM><PARA>It's compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it's acted upon, and no further comparisons take place.</PARA></LISTITEM>
<LISTITEM><PARA>There is an implicit "deny" at the end of each access list-this means that if a packet doesn't match up to any lines in the access list, it'll be discarded.</PARA></LISTITEM>
</LIST>
<PARA>Each of these rules has some powerful implications when IP and IPX packets are filtered with access lists.</PARA>
<PARA>There are two types of access lists used with IP and IPX that we will discuss here:</PARA>
<RUNINPARA>These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standards can filter on both source and destination IPX addresses. IP standard access lists use numbers 1-99 and IPX standard access lists use numbers 800-899.</RUNINPARA></RUNINBLOCK>
<RUNINPARA>These check for both source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header. IPX extended access lists use the source and destination IPX addresses, the Network layer protocol field, and socket numbers in the Transport layer header. IP extended access lists use numbers 100-199 and IPX extended access lists use numbers 900-999. </RUNINPARA></RUNINBLOCK>
<PARA>Once you create an access list, you apply it to an interface with either an inbound or outbound list:</PARA>
<RUNINPARA>Packets are routed to the outbound interface and then processed through the access list. </RUNINPARA></RUNINBLOCK>
<PARA>There are also some guidelines that should be followed when you're creating and implementing access lists on a router:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>You can assign only one access list per interface, per protocol, or per direction. This means that if you are creating IP access lists, you can have only one inbound access list and one outbound access list per interface. </PARA></LISTITEM>
<LISTITEM><PARA>Organize your access lists so that the more specific tests are at the top. </PARA></LISTITEM>
<LISTITEM><PARA>When a new test statement is added to the access list, it will be placed at the bottom of the list.</PARA></LISTITEM>
<LISTITEM><PARA>You cannot remove one line from an access list. If you try to, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when you're using named access lists. </PARA></LISTITEM>
<LISTITEM><PARA>Unless your access list ends with a <INLINECODE>permit any</INLINECODE> command, all packets will be discarded if they do not meet any of the list's tests. Every list should have at least one permit statement, or you might as well shut the interface down.</PARA></LISTITEM>
<LISTITEM><PARA>Create access lists and then apply them to an interface. Any access list applied to an interface without an access-list present will not filter traffic. </PARA></LISTITEM>
<LISTITEM><PARA>Access lists are designed to filter traffic going through the router. They will not filter traffic originating from the router. </PARA></LISTITEM>
<LISTITEM><PARA>Place IP standard access lists as close to the destination as possible.</PARA></LISTITEM>
<LISTITEM><PARA>Place IP extended access lists as close to the source as possible.</PARA></LISTITEM>
</LIST>
<SECTION ID="11.4.1.1"><TITLE>Wildcards</TITLE>
<PARA>Wildcards are used with access list configuration and summarization and with Open Shortest Path First (OSPF) configuration. Although applying wildcards looks more difficult than it really is, it is important to understand how. </PARA>
<PARA>Wildcards are used with access lists to specify a specific host, network, or part of a network. To understand wildcards, you need to understand block sizes. Block sizes are used to specify a range of addresses. There are different block sizes available, including 64, 32, 16, 8, and 4.</PARA>
<PARA>When you need to specify a range of addresses, you choose the block size closest to your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you specify only 2 networks, then a block size of 4 would work. </PARA>
<PARA>Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a specific host, the address would look like this:</PARA>
<PARA>The four zeros represent each octet of the address. Whenever a zero is presented, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example, here is how a full subnet is specified with a wildcard:</PARA>
<PARA>This tells the router to match up the first three octets exactly, but the fourth octet can be any value. </PARA>
<PARA>Now, that was the easy part. What if you want to specify only a small range of subnets? This is where the block sizes come in. You have to specify the range of values in a block size. In other words, you can't choose to specify 20 networks. You can specify only the exact amount as the block size value. For example, the range would have to be either 16 or 32, but not 20. </PARA>
<PARA>Let's say that you want to block access to a part of a network, the part that's in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0. </PARA>
<PARA>It is actually easier than it looks. We could certainly go through the binary math for you, but actually, all you have to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7 because our block size is 8. If you used a block size of 16, the wildcard would be 15. Easy, huh?</PARA>
<PARA>Here are some examples to help you really understand it.</PARA>
<PARA>The following example tells the router to match the first three octets exactly but that the fourth octet can be anything:</PARA>
<PARACONTINUED>The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.</PARACONTINUED>
<PARA>The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0:</PARA>
<PARA>Here are two more things to keep in mind when you're working with block sizes and wildcards:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Each block size must start at 0. For example, you can't say that you want a block size of 8 and start at 12. You must use 0-7, 8-15, 16-23, and so on. For a block size of 32, the ranges are 0-31, 32-63, 64-95, and so on. </PARA></LISTITEM>
<LISTITEM><PARA>Using the command <INLINECODE>any</INLINECODE> is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.</PARA></LISTITEM>
<PARA>The distribute route command can be used to limit the number of networks advertised by permitting advertisements only to those specified. Distribution lists are applied from within a routing protocol to manipulate which route updates are sent and accepted on the specified interface. All that's necessary for networks in which the edge routers rely only on the default route is to advertise a few choice networks to them. Reducing the advertised routes conserves bandwidth and reduces the load on the edge router.</PARA>
<PARA>Controlling the routing table of the core block reduces the routing table size on the core and can also stop users from accessing networks that you don't advertise unless you specifically provide them with a static route. </PARA>
<PARA>You can also use access lists to manipulate route advertisements. As an example of this, look at the route table in the router output below before any changes are made in the EIGRP session:</PARA>
<CODESNIPPET><CODELINE>Router_C#<EMPHASIS FORMAT="bold">show ip route</EMPHASIS></CODELINE>
<CODELINE>Codes: C - connected, S - static, I - IGRP, R - RIP, M - [output cut]</CODELINE>
<CODELINE>Gateway of last resort is not set</CODELINE>
<CODELINE></CODELINE>
<CODELINE> 172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks</CODELINE>
<CODELINE>C 172.16.40.4/30 is directly connected, Serial0</CODELINE>
<CODELINE>D 172.16.30.0/24 [90/2195456] via 172.16.40.5 , 00:42:51, Serial0</CODELINE>
<CODELINE>D 172.16.20.4/30 [90/2681856] via 172.16.40.5 , 02:33:25, Serial0</CODELINE>
<CODELINE>D 172.16.0.0/16 is a summary, 03:03:56, Null0</CODELINE>
<CODELINE>Router_C#</CODELINE></CODESNIPPET>
<PARA>This information shows that there are three routes learned via EIGRP and one route that's directly connected. Next, we'll filter out the route for the 172.16.30.0 network:</PARA>
<PARA>After applying access list 30 via the <INLINECODE>distribute-list</INLINECODE> command, we executed another <INLINECODE>show ip route</INLINECODE> on the router. Here is the result:</PARA>
<CODESNIPPET><CODELINE>Router_C#<EMPHASIS FORMAT="bold">show ip route</EMPHASIS></CODELINE>
<CODELINE>Codes: C - connected, S - static, I - IGRP, R - RIP, M - [output cut]</CODELINE>
<CODELINE>Gateway of last resort is not set</CODELINE>
<CODELINE></CODELINE>
<CODELINE> 172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks</CODELINE>
<CODELINE>C 172.16.40.4/30 is directly connected, Serial0</CODELINE>
<CODELINE>D 172.16.20.4/30 [90/2681856] via 172.16.40.5, 00:00:02, Serial0</CODELINE>
<CODELINE>D 172.16.0.0/16 is a summary, 00:00:02, Null0</CODELINE>
<CODELINE>Router_C#</CODELINE></CODESNIPPET>
<PARA>You can see that the 172.16.30.0 network is no longer in the routing table. This is how the <INLINECODE>distribute-list</INLINECODE> command works. </PARA>
</SECTION>
</SECTION>
<SECTION ID="11.5"><TITLE>Summary</TITLE>
<PARA><DROPCAP>T</DROPCAP>his chapter covered the different aspects of designing and implementing access polices on your internetwork. It is important to create for your network access policies that start at physical security and extend through the entire internetwork. </PARA>
<PARA>In this chapter, we covered the following:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Defining and applying access policies at the access layer and distribution layer</PARA></LISTITEM>
<LISTITEM><PARA>Managing network devices by setting passwords, using privilege levels and banners, and limiting VTY and HTTP access </PARA></LISTITEM>
<LISTITEM><PARA>Managing the MAC address table by configuring port security</PARA></LISTITEM>
<LISTITEM><PARA>Providing an overview of access lists and route filtering</PARA></LISTITEM>
<TABULARENTRY>Configures an access list for use on a routing table</TABULARENTRY>
</TABULARROW>
</TABULARBODY>
</TABULARDATA>
</SECTION>
</SECTION>
<TESTSECTION ID="11.6"><TITLE>Written Lab</TITLE>
<!-- <TESTDATA>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>Port security is typically an access policy at which layer?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>Access lists are typically used for an access policy at which layer?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command applies an access list to a routing table?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command applies an access list to a VTY line?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command applies an access list to an HTTP server running on a router?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What is the standard IP access list number range?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>Where would you place extended access lists in the network?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>How do you set port security on a set-based switch?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>If you wanted to set usernames and passwords for the console port, which command must you set under the <INLINECODE>line console 0</INLINECODE> command?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What are the four types of banners you can set on a Cisco router?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
</TESTDATA> -->
<SLUG NONUM="w1"/>
</TESTSECTION>
<TESTSECTION ID="11.7"><TITLE>Answers to Written Lab</TITLE>
