Chapter 20: Access Control Lists

Restricting Virtual Terminal Access

Standard and extended ACLs apply to packets traveling through a router. They are not designed to block packets that originate within the router itself. For example, an outbound extended ACL that denies Telnet does not prevent Telnet sessions that the router initiates.

In addition to physical ports or interfaces on the router, such as Fa0/0 and S0/0, there are virtual ports. These virtual ports are called vty lines; Telnet (and, where the IOS image supports it, SSH) sessions to the router terminate on them. The routers discussed here have five vty lines, numbered 0 through 4, as shown in Figure 20-16. Later IOS images provide more lines (vty 0 15 is common), so check the actual count with show line before applying restrictions.

For security purposes, users can be permitted virtual terminal access to the router while being denied access to destinations beyond it, or the reverse. For example, an administrator can configure an ACL to allow terminal access to the router for management or troubleshooting purposes, while at the same time restricting the traffic that passes through the router.

Figure 20-16 Restricting vty Access with ACLs

Restricting vty access is not a traffic control mechanism; it increases the security of the router itself by limiting which source addresses may open a management session. Because the destination of a vty session is always the router, the only useful test is the source address, so a standard ACL is used and there is only one type of vty ACL. Identical restrictions should be placed on all vty lines, because it is impossible to control which line an incoming session will land on; a single unrestricted line is enough to bypass the control.

Keep in mind that Telnet carries passwords and session contents in cleartext. On IOS images that support SSH, restrict the lines to SSH (transport input ssh) so that the vty ACL is not the only protection on the management plane.

Whereas a vty ACL is created the same way as an ACL for an interface, applying it to a terminal line requires the access-class command instead of the access-group command. Example 20-7 demonstrates creating and applying a virtual terminal access list.

Example 20-7 Restricting vty Access with ACLs
! Creating the standard list:
Rt1(config)# access-list 2 permit 172.16.1.0 0.0.0.255
Rt1(config)# access-list 2 permit 172.16.2.0 0.0.0.255
Rt1(config)# access-list 2 deny any
! Applying the access list:
Rt1(config)# line vty 0 4
Rt1(config-line)# login
Rt1(config-line)# password secret
Rt1(config-line)# access-class 2 in

After line vty 0 4 the prompt changes to Rt1(config-line)#, and the login, password, and access-class commands apply to all five lines at once. The explicit deny any is redundant with the implicit deny at the end of every ACL, but it documents the intent. The line password shown (secret) is only a placeholder; use a strong password in practice.

Keep the following considerations in mind when configuring access lists on vty lines:
■ A name or number can be used when applying an ACL to an interface.
■ In the IOS releases covered here, only numbered access lists can be applied to virtual lines (later releases also accept named lists with access-class).
■ Identical restrictions should be set on all the virtual terminal lines because a user can attempt to connect to any of them.

Verifying ACLs

The show ip interface command displays IP interface information and indicates whether any ACLs are set on the interface. Example 20-8 shows the output of the show ip interface command. As you can see in rows 9 and 10 of Example 20-8, ACL 10 is set on the outgoing traffic of interface Ethernet 0. No ACL is set on inbound traffic.

Example 20-8 show ip interface Command
Router> show ip interface
Ethernet0 is up, line protocol is up
Internet address is 192.54.22.2, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by nonvolatile memory
MTU is 1500 bytes
Helper address is 192.52.71.4
Secondary address 131.192.115.2, subnet mask 255.255.255.0
Outgoing ACL 10 is set
Inbound ACL is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are never sent
ICMP mask replies are never sent

The show access-lists command displays the contents of all ACLs. By entering the ACL name or number as an option for this command, you can see a specific list.
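As an added illustration (this is not code from the book or from Cisco IOS), the following Python script reproduces what the router does with access list 2 from Example 20-7 once it is applied with access-class 2 in: it checks a candidate source address against the entries top to bottom, applies the wildcard masks bit by bit, and falls through to the implicit deny when nothing matches. It also parses the two ACL lines that show ip interface prints, using the Ethernet0 excerpt from Example 20-8. The access-list text and the show output are copied from the examples above; the helper names parse_standard_acl, evaluate and acl_status are this example's own, and the second show output format (access list is 101) is an assumed newer-IOS wording used only to show the parser handles both.

```python
"""Simulate a standard IOS ACL applied to the vty lines and parse the
ACL status lines of `show ip interface`. Added example; not Cisco code."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Copied from Example 20-7 (prompts removed).
EXAMPLE_20_7 = """
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 deny any
"""

# Excerpt of the Ethernet0 block from Example 20-8.
SHOW_IP_INTERFACE = """Ethernet0 is up, line protocol is up
  Internet address is 192.54.22.2, subnet mask is 255.255.255.0
  Outgoing ACL 10 is set
  Inbound ACL is not set
"""


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: int   # address bits as a 32-bit integer
    wildcard: int  # wildcard bits: 1 = don't care, 0 = must match

    def matches(self, addr: int) -> bool:
        # Only the bits the wildcard marks as 0 are compared.
        mask = ~self.wildcard & 0xFFFFFFFF
        return addr & mask == self.network & mask


def parse_standard_acl(text: str, number: int) -> list[Entry]:
    """Parse `access-list N {permit|deny} source [wildcard]` lines for list N."""
    entries: list[Entry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] != ["access-list", str(number)]:
            continue
        action, source = parts[2], parts[3]
        if source == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif source == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            network = int(ipaddress.IPv4Address(source))
            # A missing wildcard means 0.0.0.0, i.e. match the single host.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(Entry(action, network, wildcard))
    return entries


def evaluate(entries: list[Entry], source: str) -> str:
    """First matching entry wins; no match hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"


def acl_status(show_output: str) -> dict[str, dict[str, str | None]]:
    """Return {interface: {"in": acl, "out": acl}} (None = not set) from
    `show ip interface` text, accepting the old "ACL 10 is set" wording
    and the newer "access list is 10" wording."""
    status: dict[str, dict[str, str | None]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) is (?:up|down|administratively down), line protocol", line)
        if m:
            current = m.group(1)
            status[current] = {"in": None, "out": None}
            continue
        m = re.match(r"^(Outgoing|Inbound) (?:ACL|access list) (.+)$", line)
        if m and current:
            rest = m.group(2)
            if rest == "is not set":
                acl = None
            elif rest.endswith(" is set"):
                acl = rest[: -len(" is set")]
            else:
                acl = rest[3:] if rest.startswith("is ") else rest
            status[current]["out" if m.group(1) == "Outgoing" else "in"] = acl
    return status


ACL2 = parse_standard_acl(EXAMPLE_20_7, 2)
# The single-host list from review question 16.
HOST_ACL = parse_standard_acl("access-list 1 permit 204.211.19.162 0.0.0.0", 1)

if __name__ == "__main__":
    for src in ("172.16.1.5", "172.16.2.254", "172.16.3.1", "10.0.0.1"):
        print(f"vty session from {src}: {evaluate(ACL2, src)}")
    print(acl_status(SHOW_IP_INTERFACE))
```

Running the script shows that only sources inside 172.16.1.0/24 and 172.16.2.0/24 may open a vty session; 172.16.3.1 is rejected by the explicit deny any, and a list without that last entry rejects the same source through the implicit deny, which is why the explicit entry changes nothing about the outcome.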
Example 20-8 show ip interface Command (Continued)
IP fast switching is enabled
Gateway Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Router>

Summary

This chapter presented an overview of the following key points:
■ The two main types of ACLs are standard and extended.
■ Named ACLs allow access lists to be identified by name instead of number.
■ ACLs can be configured for all routed network protocols.
■ ACLs typically are used in firewall routers, which often are positioned between the internal network and an external network such as the Internet.
■ ACLs also can restrict virtual terminal access to the router.
■ ACLs perform several functions within a Cisco router, including implementing security/access procedures.
■ ACLs are used to control and manage traffic.
■ For some protocols, you can apply up to two ACLs to an interface: one inbound ACL and one outbound ACL.
■ With ACLs, after a packet is checked for a match with the ACL statement, it can be denied or permitted the use of an associated interface.
■ Wildcard mask bits use the numbers 1 and 0 to determine how to treat the corresponding IP address bits.

To supplement all that you've learned in this chapter, refer to the chapter-specific Videos, PhotoZooms, and e-Lab activities on the CD-ROM accompanying this book.

Key Terms

ACL (access control list)—A means of controlling or limiting network traffic that compares different criteria to a defined rule set.
bit bucket—The destination of discarded bits (dropped packets), as determined by the router.
border router—A router situated at the edges or end of the network boundary, which provides basic security from the outside network or from a less controlled area of the network into a more private area of the network.
extended ACL—Compares source IP address, destination IP address, TCP/UDP port number, and other criteria to the rules defining an extended ACL.
exterior router—In firewall architecture, the router that is connected to the Internet is referred to as the exterior router. It forces all incoming traffic to pass through the application gateway.
firewall—One or more network devices, such as routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access control lists and other methods to ensure the security of the private network.
interior router—The router that is connected to the internal network. The interior router accepts packets only from the application gateway. The gateway controls the delivery of network-based services both to and from the internal network.
named ACL—ACL that allows standard and extended ACLs to be given names.
queuing—A process by which ACLs can designate certain packets to be processed by a router before other traffic, on the basis of some configurable parameter such as specifying a protocol.
standard ACL—ACL that compares source IP addresses to the rules defining a standard ACL.

Check Your Understanding

Complete all the review questions to test your understanding of the topics and concepts in this chapter. Answers are listed in Appendix C, "Check Your Understanding Answer Key."

1. Common ACL functions include filtering packets internally, protecting the internal network from illegal Internet access, and restricting access to virtual terminal ports. True or false?
A. True
B. False

2. ACL is an acronym for:
A. Accessibility control list
B. Accountability control list
C. Assessment control list
D. Access control list

3. A(n) ______ ACL works by comparing the source IP address against the ACL rules.
A. Extended
B. Named
C. Standard
D. Router

4. A(n) ______ ACL works by comparing the source IP address, destination IP address, or other parameters against the ACL rules.
A. Extended
B. Named
C. Standard
D. Router

5. A(n) ______ ACL uses names instead of numbers to distinguish ACLs.
A. Extended
B. Named
C. Standard
D. Router

6. As a general rule, ACLs should be placed where in the network?
A. In the Internet
B. In the core
C. Closest to the traffic to be controlled
D. None of the above

7. In a firewall architecture, which router most likely will be configured with an ACL?
A. The most powerful router
B. The interior router
C. The exterior router
D. All of the above

8. Named ACLs were introduced in Cisco IOS 11.2. True or false?
A. True
B. False

9. What command is used to apply an ACL to a VTY port?
A. ip access-list
B. ip access-class
C. ip access-group

10. Which of the following commands would you use to find out whether any ACLs are set on an interface?
A. show running-config
B. show ip protocols
C. show ip interface
D. show ip network

11. What do you call the additional 32 bits of information in the access-list statement?
A. Wildcard bits
B. Access bits
C. 0 bits
D. 1 bits

12. If you want to permit traffic based on its addressing or protocol type, you would use which of the following commands?
A. Router# access-list access-list-number {permit | deny} {test conditions}
B. Router(config)# access-list access-list-number {permit | deny} {test conditions}
C. Router(config-if)# access-list access-list-number {permit | deny} {test conditions}
D. None of the above

13. Standard IP access lists permit or deny routing of a packet based on the IP address that it originates from and the protocol suite that it is destined for. True or false?
A. True
B. False

14. Access lists impact network security based on which of the following factors?
A. The data content of the packets
B. The destination subnet/host/network for the packets
C. The source subnet/host/network of the packets
D. The type of the network they are routed through

15. What type of networking device would be needed to implement access lists to increase network security?
A. Hub
B. Router
C. Bridge
D. Switch

16. What does the following access list allow?
access-list 1 permit 204.211.19.162 0.0.0.0
A. "Deny my network only."
B. "Permit a specific host."
C. "Permit only my network."
D. None of the above.

Part III Appendixes

Appendix A Structured Cabling
Appendix B Glossary of Key Terms
Appendix C Check Your Understanding Answer Key

Appendix A Structured Cabling

Objectives

Upon completion of this appendix, you will be able to
■ Understand the roots of structured cabling
■ Adhere to the rules of structured cabling when designing and performing installations to provide scalability
■ Recognize subsystems of structured cabling, including demarcation points and telecommunications and equipment rooms, including roles such as MC, IC, and HC
■ Recognize the special requirements of cabling in the work area
■ Express familiarity with standards organizations such as the Telecommunications Industry Association (TIA) and the Electronic Industries Association (EIA) (TIA/EIA) and the European Committee for Electrotechnical Standardization (CENELEC), as well as world-level organizations such as the International Organization for Standardization (ISO)
■ Perform low-voltage telecommunications work with attention to safety, and be safe around electricity
■ Understand basic points of ladder safety and the importance of proper attire for cabling work
■ Have a familiarity with the basic specialized hand tools of the installer's craft, as well as with basic telecom test and measurement equipment
■ Understand which cabling tasks accompany which phase of a typical project
■ Understand the basic business processes that lead to successful cabling organization