Chapter 13
In this case, the destination router returns an ICMP Destination Unreachable message to the sending IP host with the code field indicating that fragmentation is needed to complete the delivery, but that the DF bit is set. The sending IP host must support the IP Path MTU Discovery mechanism in order to complete the delivery of the packet. If the sending IP host does not support the mechanism, the connection fails. The sending IP host will require that its largest packet size be reduced to a size manageable by the majority of the connected networks. Most network designers end up avoiding this problem by making the MTU of an interface, and consequently the IP MTU size, 1500 bytes, which is typically the largest packet size allowed on an Ethernet LAN.

The MTU packet size is the largest size available for any protocol on the interface. This varies depending on the interface type. The following command can be used to modify just the IP protocol MTU size when specified under the interface configuration mode,

ip mtu bytes

where bytes is the size of the largest IP MTU allowed on the network supported by the interface being defined. The minimum is 128 and the maximum is dependent on the media connected to the interface. If the DF bit is not set, the Cisco router will automatically fragment the packet to the supported MTU size of the next hop interface.
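The forwarding decision described above, written out as an added example (not code from the book): a datagram larger than the next-hop IP MTU is fragmented when DF is clear, and answered with an ICMP Destination Unreachable carrying the "fragmentation needed and DF set" code when DF is set. The 20-byte header length, the Datagram fields and the function names are assumptions of this example.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20           # assumption: IP header without options
ICMP_DEST_UNREACHABLE = 3    # ICMP type
ICMP_FRAG_NEEDED = 4         # code: fragmentation needed and DF set


@dataclass
class Datagram:
    total_length: int          # header plus payload, in bytes
    dont_fragment: bool        # the DF bit
    offset: int = 0            # fragment offset, in 8-byte units
    more_fragments: bool = False


def fragment(dgram, mtu):
    """Split the payload into pieces that fit the MTU. Every piece except the
    last carries a payload that is a multiple of 8 bytes, so that fragment
    offsets (counted in 8-byte units) stay exact."""
    payload = dgram.total_length - IP_HEADER_LEN
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    pieces, done = [], 0
    while done < payload:
        size = min(chunk, payload - done)
        last = done + size >= payload
        pieces.append(Datagram(IP_HEADER_LEN + size, False,
                               dgram.offset + done // 8,
                               more_fragments=(not last) or dgram.more_fragments))
        done += size
    return pieces


def forward(dgram, next_hop_mtu):
    """Router decision for one datagram against the next hop's IP MTU.
    Returns ('forward', [dgram]), ('fragment', [pieces]) or
    ('icmp', (type, code)) when the packet must be bounced to the sender."""
    if dgram.total_length <= next_hop_mtu:
        return "forward", [dgram]
    if dgram.dont_fragment:
        # Path MTU Discovery on the sending host depends on receiving this
        # message; if it is filtered somewhere, the connection simply fails.
        return "icmp", (ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED)
    return "fragment", fragment(dgram, next_hop_mtu)
```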

Filter IP Packets Using Access Lists

The most widely used method for controlling access to a router, and subsequently networks attached to a router, is the access list feature of Cisco IOS. The access list is a filter that either permits the packet to pass through the router or denies the packet and returns an ICMP Destination Unreachable message to the source IP host of the denied packet. There are four types of access lists: standard, extended, dynamic, and reflexive.

An access list is a sequential comparison of the packet to the filters defined by the access-list global configuration command. The filters created can be applied to the following:

Control packet transmissions on an interface
Control access via virtual terminal lines
Restrict the contents of routing updates

IP Configuration
The packet IP address is tested against the conditions defined for each access list. The Cisco IOS software performs the test sequentially down the list. The first match found is the action taken on the packet, and further conditional testing on the packet stops.

A list number or a name identifies access lists. IP access list numbers 1 to 99 are for use by standard access lists, while list numbers 100 to 199 are reserved for extended access lists. Standard IP access lists apply the condition to the source IP address field only. Extended access lists apply the condition test to protocols and possibly port numbers along with the source and destination IP addresses.

The dynamic filter is a feature of the extended IP access list that is used to grant access on a per-user basis by applying a conditional test to the source or destination IP host using a user authentication process, thereby allowing dynamic access without compromising security. The reflexive access list is nested within an extended named IP access list, basing the filter on session information. Using a name to identify an IP access list enables the router administrator to use more than 199 filters against IP packets.

NOTE: Cisco IOS Release 11.1 and higher have modified IP access lists. The IP access lists created by releases prior to IOS 11.1 are automatically converted to the new IP access list format.

Do not use an access list created with Cisco IOS 11.1 or higher on pre-11.1 IOS releases. Pre-11.1 releases are not compatible with the new access list format. This may result in security violations.

The IP access lists are applied to an interface on which a filter is required. The application of the filter is specific to packets inbound to the interface or outbound from the interface. An IP access list is applied to an interface under interface configuration mode using

ip access-group {access-list-number | access-list-name} [in | out]

The access list by default is applied to the outbound packets when neither the in nor the out keyword is specified on the ip access-group command. The access list itself is identified by specifying either the access-list-number or the access-list-name of a previously defined access list. If a value is used that is not defined by an access list statement, all packets are permitted. Either a number or a name can be used when the access list is applied to a router interface. Only a number is allowed when applying an access list to a virtual terminal line.
NOTE: Enabling outbound access lists automatically disables autonomous switching for the interface. Inbound access lists on a cbus or cxbus interface board disable autonomous switching for all the interfaces on the board, with the exception of interfaces that use SSE switching and simple access lists for outbound packets, which still perform SSE switching. All other packets are sent using process switching.

Create Standard Access Lists Using Numbers and Names

The format for creating a standard IP access list is

access-list access-list-number {deny | permit} {any | source [source-wildcard]} [log]

The access-list-number value is any available number in the range of 1 through 99, indicating a standard IP access list. More than one access-list command can be defined with the same access-list number. Be aware that all the conditions defined in the list group are applied to the packet being tested.

The deny | permit keywords indicate that if the condition being tested is true, the packet is dropped (deny) or forwarded (permit). The any keyword defines the use of the standard IP access list when the source is 0.0.0.0 and the source-wildcard is 255.255.255.255, essentially meaning all packets. The source variable is a four-part dotted decimal IP address, and the source-wildcard is a dotted decimal value indicating which bits of the source value are to be tested. The bits set to one in the source-wildcard value are ignored.

The log keyword first appeared in IOS Release 11.3(3)T. Specifying this keyword causes the filtering process to write messages to the router message log. These messages include the access-list-number, whether the packet was permitted or denied, what the source address of the packet was, and the number of packets filtered. After the first successful match, a message is generated every five minutes with the number of packets permitted or denied within that interval.

NOTE: An implicit deny filter for all packets can be found at the end of each access list.

Suppose a resource with IP address 192.168.22.8, for example, requires access to the network, but all other hosts of the 192.168.0.0 network are restricted. The standard IP access list would be defined as

interface serial 0
ip address 10.10.100.100 255.255.255.0
ip access-group 1 in
access-list 1 permit 192.168.22.8 0.0.0.0

or

access-list 1 permit 192.168.22.8

The difference between the two statements is the exclusion of the source-wildcard value in the second access-list statement. Not coding the source-wildcard value assumes that the whole IP address entered as the source is tested. If a packet arrives with 192.168.22.10, it will fail the conditional testing, due to the implicit deny statement for the access list. All packets other than those with 192.168.22.8 will be discarded when applied against the defined access list.

In another example, suppose packets with 10.8.1.0 have restricted access with this router, but all other IP hosts in the 10.0.0.0 network are allowed. One other twist: address 10.8.1.23 needs access to the resources attached to this router. The standard access list is coded as

interface serial 0
ip address 10.10.100.100 255.255.255.0
ip access-group 1 in
access-list 1 permit 10.8.1.23
access-list 1 deny 10.8.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255

The statements' order of appearance in this access list is crucial for delivering the desired outcome. This example illustrates the best practice for defining access lists. Coding the most granular permits first, followed by the most granular denies, enables more global permits or denies to take place. Suppose a packet with IP address 10.8.2.200 is presented to the access list conditions. In this case, the packet is permitted because the IP address 10.8.2.200 falls into a different subnet than the deny statement.

NOTE: Coding an explicit deny all statement causes the Cisco IOS to add new access list statements after the explicit deny all statement, causing the new access-list statements to be ignored. Because of this, the implicit deny all statement is recommended.

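An added example, not code from the book, that evaluates a standard list the way the text describes: wildcard bits set to one are ignored, entries are tested in order, the first match decides, and an implicit deny ends the list. It replays list 1 from the example above, the same entries in the wrong order, and the shadowing the NOTE warns about; the function names are this example's own.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, source, wildcard):
    """Bits set to 1 in the wildcard are ignored; every other bit must match."""
    return ((_ip(addr) ^ _ip(source)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0


def parse_standard(lines):
    """Parse 'access-list N {permit|deny} {any | source [source-wildcard]} [log]'
    statements; interface lines and other commands are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        number, action, target = parts[1], parts[2], parts[3]
        if target == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            source = target
            # an omitted source-wildcard means the whole address is tested
            wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
        entries.append((number, action, source, wildcard))
    return entries


def evaluate(entries, list_number, src_addr):
    """Sequential first match. Returns (action, index of the matching entry);
    index -1 marks the implicit deny at the end of the list."""
    for index, (number, action, source, wildcard) in enumerate(entries):
        if number == list_number and wildcard_match(src_addr, source, wildcard):
            return action, index
    return "deny", -1


# The page's second standard list, in the order the text says matters.
ACL_1 = [
    "access-list 1 permit 10.8.1.23",
    "access-list 1 deny 10.8.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]

# The same entries with the deny moved first: the host permit is now shadowed.
ACL_1_MISORDERED = [ACL_1[1], ACL_1[0], ACL_1[2]]

# The situation the NOTE warns about: a statement appended after an explicit
# deny all is never reached.
ACL_2 = [
    "access-list 2 deny any",
    "access-list 2 permit 10.8.1.23",
]
```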
`
`404
`
`

`
`Chapter 13
`
Using a name as the access list identifier alleviates the IP access list restriction to 199 conditions. Only packet and route filters are currently supported using named access lists. The use of a name was first introduced in Cisco IOS Release 11.2 software. Thus, Cisco IOS releases previous to Release 11.2 will not be compatible with the use of names for access lists. The global configuration commands required to assign a name to an IP standard access list are as follows:

ip access-list standard name
deny {source [source-wildcard] | any} [log]
permit {source [source-wildcard] | any} [log]

The variables and keywords of the deny and permit statements shown have the same meaning as that discussed for creating access lists with number identifiers. The difference in using names is that the deny and permit statements are subcommands of the ip access-list standard command. The name variable of the ip access-list standard command is a unique name assigned to this named list of deny and permit subcommands.

NOTE: As with numbered lists, additional deny or permit statements are added to the bottom of the list. The no deny or no permit command, however, can be entered against a named access list to remove the condition, taking immediate effect.

Applying names to the previous numbered access lists in our examples results in the following configuration:

interface serial 0
ip address 10.10.100.100 255.255.255.0
ip access-group customer in
ip access-group sales out
!
ip access-list standard customer
permit 192.168.22.8 log
!
ip access-list standard sales
permit 10.8.1.23
deny 10.8.1.0 0.0.0.255
permit 10.0.0.0 0.255.255.255

The log keyword is added to the customer access list definition to log messages on the activity of the permitted resource. The use of names is an added value, since they now give an identity to the reason or group of users against which the filter is applied.

Extended Access Lists

The extended format of the IP access-list command is

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

The access-list-number is the extended access list identifier. The valid range for extended IP access lists is from decimal 100 to 199. The extended access list differs from a standard access list in its use of destination IP networks or IP host addresses, a precedence field, a Type of Service (TOS) field, and the keyword established. The variables are protocol, source, source-wildcard, destination, and destination-wildcard. The protocol variable can be any of the following IP protocol names or a valid integer assigned to the protocol, such as

eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp.

A value of ip denotes that all IP protocols listed will provide a match. The source and destination variable values identify the IP network or IP host address to which the filter is applied. The source-wildcard and destination-wildcard variable values define the interesting bits of the IP network or IP host address to which the filter applies. These can be specified in the following ways:

Using dotted-decimal format, such as 10.10.200.20 or 192.168.63.0.
Using the any keyword when the filter applies to an IP network or IP host address of 0.0.0.0 and the accompanying wildcard variable is 255.255.255.255.
Using the host keyword when the wildcard value being applied is 0.0.0.0, indicating all bits are interesting.

The precedence variable is optional and is used to further define the type of packet being filtered by referencing the importance of the packet type. The possible values for precedence are listed below:

critical matches packets with critical precedence (5).
flash matches packets with flash precedence (3).
flash-override matches packets with flash override precedence (4).
immediate matches packets with immediate precedence (2).
internet matches packets with internetwork control precedence (6).
network matches packets with network control precedence (7).
priority matches packets with priority precedence (1).
routine matches packets with routine precedence (0).

The optional tos variable allows the extended filter to be placed against a specific type of service that meets the source and destination packet criteria. The tos variable values that can be used are listed below:

<0-15> is the type of service value.
max-reliability matches packets with max reliable TOS (2).
max-throughput matches packets with max throughput TOS (4).
min-delay matches packets with min delay TOS (8).
min-monetary-cost matches packets with min monetary cost TOS (1).
normal matches packets with normal TOS (0).

The specification of the optional log keyword indicates that any packets meeting the filter criteria will be written to the router's log file.

Further detailed filtering of the ICMP, IGMP, TCP, and UDP protocols is possible using the extended access list. Specifying any of these protocols for the protocol variable modifies the format of the command to accept parameters with specific criteria within the protocol.

The complete format for specifying ICMP as the protocol variable value is

access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

In the icmp format of the extended access list are three optional variables for further granular filtering. The icmp-type, along with the optional icmp-code parameter, allows criteria for an ICMP packet against the numerical values associated with the ICMP protocol. The numeric value is 0-255 for both the icmp-type and icmp-code variables. The icmp-message variable can be used instead of the paired icmp-type and icmp-code variables. Using the icmp-message variable, ICMP packets are filtered based on a valid name provided by Cisco IOS software that describes the ICMP message type, or the ICMP message type and code within the message type. The following is the list of possible icmp-message values available:

administratively-prohibited: Administratively prohibited
alternate-address: Alternate address
conversion-error: Datagram conversion
dod-host-prohibited: Host prohibited
dod-net-prohibited: Net prohibited
echo: Echo (ping)
echo-reply: Echo reply
general-parameter-problem: Parameter problem
host-isolated: Host isolated
host-precedence-unreachable: Host unreachable for precedence
host-redirect: Host redirect
host-tos-redirect: Host redirect for TOS
host-tos-unreachable: Host unreachable for TOS
host-unknown: Host unknown
host-unreachable: Host unreachable
information-reply: Information replies
information-request: Information requests
mask-reply: Mask replies
mask-request: Mask requests
mobile-redirect: Mobile host redirect
net-redirect: Network redirect
net-tos-redirect: Net redirect for TOS
net-tos-unreachable: Network unreachable for TOS
net-unreachable: Net unreachable
network-unknown: Network unknown
no-room-for-option: Parameter required but no room
option-missing: Parameter required but not present
packet-too-big: Fragmentation needed and DF set
parameter-problem: All parameter problems
port-unreachable: Port unreachable
precedence-unreachable: Precedence cutoff
protocol-unreachable: Protocol unreachable
reassembly-timeout: Reassembly timeout
redirect: All redirects
router-advertisement: Router discovery advertisements
router-solicitation: Router discovery solicitations
source-quench: Source quenches
source-route-failed: Source route failed
time-exceeded: All time exceeded
timestamp-reply: Timestamp replies
timestamp-request: Timestamp requests
traceroute: Traceroute
ttl-exceeded: TTL exceeded
unreachable: All unreachables

In the following example, the serial 0 interface connects the router to the Internet. Access list 100 is applied to the outbound packets of the serial 0 interface, allowing the internal network to ping devices on the Internet. Access list 101 is applied to the inbound packets of the serial 0 interface, thereby prohibiting Internet IP hosts from being able to ping internal IP hosts. The filters also allow echo-reply messages to flow.

interface serial 0
ip address 209.196.9.34 255.255.255.0
ip access-group 100 out
ip access-group 101 in
access-list 100 permit icmp 10.0.0.0 0.255.255.255 any echo log
access-list 101 deny icmp any 10.0.0.0 0.255.255.255 echo log

When specifying the Internet Group Management Protocol (IGMP) on an extended access list, the format allows for the inclusion of specific IGMP message types. The format of the IGMP extended access list is

access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

The igmp-type variable can be a valid IGMP message type number ranging from 0 to 15, or it can be one of the IGMP message names found in the following list:

dvmrp: Distance Vector Multicast Routing Protocol
host-query: Host query
host-report: Host report
pim: Protocol Independent Multicast
trace: Multicast trace

In the following example, the serial 0 interface connects the router to the Internet. The host-report IGMP message is prohibited from being transmitted between any internal hosts and any external hosts on the Internet.

interface serial 0
ip address 209.196.9.34 255.255.255.0
ip access-group 102 out
access-list 102 deny igmp any any host-report log

Specifying the TCP protocol on an extended access list enables the Cisco IOS software to apply filter criteria to packets that indicate a TCP connection is already traversing the router, along with applying a comparison to specific TCP applications using the application's port number. The format of the extended access list when applying the filter to TCP is

access-list access-list-number {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

The optional established keyword is used to match the filter and the packet only if the ACK or RST bits of the TCP header are set. This means that the filter is not applied to the packets during the initial TCP handshake used to form the connection.

The optional operator variable can be applied to the source and/or destination IP network or IP host address. The variable can be any of the following values:

eq matches only packets on a given port number.
gt matches only packets with a greater port number.
lt matches only packets with a lower port number.
neq matches only packets not on a given port number.
range matches only packets in the range of port numbers.

The operator value specified indicates the scope of the filter. Using the range value for the operator variable requires a second port number, thereby restricting the match within a sequential range of TCP port numbers.

The port variable is a TCP port number used by the packets of interest. The Cisco IOS software has the following list of port numbers that can also be assigned using the associated TCP port number name. These are

bgp: Border Gateway Protocol (179)
chargen: Character generator (19)
cmd: Remote commands (rcmd, 514)
daytime: Daytime (13)
discard: Discard (9)
domain: Domain Name Service (53)
echo: Echo (7)
exec: Exec (rsh, 512)
finger: Finger (79)
ftp: File Transfer Protocol (21)
ftp-data: FTP data connections (used infrequently, 20)
gopher: Gopher (70)
hostname: NIC hostname server (101)
ident: Ident Protocol (113)
irc: Internet Relay Chat (194)
klogin: Kerberos login (543)
kshell: Kerberos shell (544)
login: Login (rlogin, 513)
lpd: Printer service (515)
nntp: Network News Transport Protocol (119)
pop2: Post Office Protocol v2 (109)
pop3: Post Office Protocol v3 (110)
smtp: Simple Mail Transport Protocol (25)
sunrpc: Sun Remote Procedure Call (111)
syslog: Syslog (514)
tacacs: TAC Access Control System (49)
talk: Talk (517)
telnet: Telnet (23)
time: Time (37)
uucp: Unix-to-Unix Copy Program (540)
whois: Nicname (43)
www: World Wide Web (HTTP, 80)

The TCP port numbers listed represent well-known port numbers reserved for standardized TCP protocols.

NOTE: If applying a filter to a user-defined TCP application, the port number must be specified, since the user-defined TCP application name is unknown to the Cisco IOS.

In the following example, the TCP protocol is being filtered on the inbound side of the serial 0 interface, which connects the router to the Internet. In this filter, a remote IP host with the address 192.168.39.8 is allowed to access an internal IP host at IP address 10.1.1.200 with only the Telnet protocol. Placing the filter on the inbound side of the serial interface ensures that the remote IP host cannot try to access any other host on the internal network.

interface serial 0
ip address 10.200.20.1 255.255.255.0
ip access-group 103 in
access-list 103 permit tcp host 192.168.39.8 eq telnet host 10.1.1.200 eq telnet log

Applying an extended access list to UDP, like TCP, allows for comparison to UDP port numbers on the source and/or destination IP network or IP host address. The format of the extended access list for use with filtering UDP messages is

access-list access-list-number {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

The function of the operator and port variables is identical to the function and values of their use with TCP. However, UDP port numbers are unique to UDP applications. The UDP application names available for the port variable value, along with their associated port number, are as follows:

biff: Biff (mail notification, comsat, 512)
bootpc: Bootstrap Protocol (BOOTP) client (68)
bootps: Bootstrap Protocol (BOOTP) server (67)
discard: Discard (9)
dnsix: DNSIX security protocol auditing (195)
domain: Domain Name Service (DNS, 53)
echo: Echo (7)
mobile-ip: Mobile IP registration (434)
nameserver: IEN116 name service (obsolete, 42)
netbios-dgm: NetBios datagram service (138)
netbios-ns: NetBios name service (137)
ntp: Network Time Protocol (123)
rip: Routing Information Protocol (router, in.routed, 520)
snmp: Simple Network Management Protocol (161)
snmptrap: SNMP Traps (162)
sunrpc: Sun Remote Procedure Call (111)
syslog: System Logger (514)
tacacs: TAC Access Control System (49)
talk: Talk (517)
tftp: Trivial File Transfer Protocol (69)
time: Time (37)
who: Who service (rwho, 513)
xdmcp: X Display Manager Control Protocol (177)

For both TCP and UDP, the valid range for the port value when using a number to identify the port is 0 through 65535.

In the following UDP example for extended access lists, the Ethernet interface 0 connects the router to the DMZ of the firewall for access to the Internet. To ensure that Internet RIP packets do not enter the router, an inbound filter denying RIP UDP packets is applied using access-list number 104.

interface ethernet 0
ip address 10.200.10.1 255.255.255.0
ip access-group 104 in
access-list 104 permit udp any any neq rip log
access-list 104 deny udp any any eq rip log

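An added example, not code from the book, that applies the same sequential first-match evaluation to the extended lists on this page: protocol, source and destination given as any, host, or address plus wildcard, the eq/neq/gt/lt/range port operators, the icmp-message name, and the TCP established keyword (ACK or RST set). The port-name table is a constructed subset of the TCP and UDP lists above; the Packet fields and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the TCP and UDP port-name tables on this page.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "rip": 520, "snmp": 161}
OPERATORS = ("eq", "neq", "gt", "lt", "range")
OPTIONS = ("precedence", "tos", "log", "established")


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # TCP/UDP source port
    dport: int = 0          # TCP/UDP destination port
    ack: bool = False       # TCP flags tested by the established keyword
    rst: bool = False
    icmp_msg: str = ""      # IOS icmp-message name such as "echo" or "echo-reply"


def wildcard_match(addr, network, wildcard):
    """Wildcard bits set to 1 are ignored; the remaining bits must equal network."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A W'; return (network, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _portnum(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _port(tokens):
    """Consume an optional 'operator port [port]'; None means any port."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, tokens
    op, low = tokens[0], _portnum(tokens[1])
    if op == "range":
        return (op, low, _portnum(tokens[2])), tokens[3:]
    return (op, low, low), tokens[2:]


def parse_entry(line):
    """Parse one 'access-list N {deny | permit} protocol ...' statement."""
    t = line.split()
    number, action, proto = t[1], t[2], t[3]
    src, swc, t = _addr(t[4:])
    sport, t = _port(t)
    dst, dwc, t = _addr(t)
    dport, t = _port(t)
    icmp_msg = t[0] if proto == "icmp" and t and t[0] not in OPTIONS else ""
    return dict(number=number, action=action, proto=proto, src=src, swc=swc,
                sport=sport, dst=dst, dwc=dwc, dport=dport, icmp_msg=icmp_msg,
                established="established" in t)


def port_match(spec, port):
    if spec is None:
        return True
    op, low, high = spec
    return {"eq": port == low, "neq": port != low, "gt": port > low,
            "lt": port < low, "range": low <= port <= high}[op]


def matches(e, p):
    """Every criterion of the entry must hold for the packet."""
    return (e["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, e["src"], e["swc"])
            and wildcard_match(p.dst, e["dst"], e["dwc"])
            and port_match(e["sport"], p.sport)
            and port_match(e["dport"], p.dport)
            and (not e["icmp_msg"] or e["icmp_msg"] == p.icmp_msg)
            and (not e["established"] or p.ack or p.rst))


def evaluate(lines, list_number, packet):
    """Sequential first match; the implicit deny ends every list."""
    for line in lines:
        if not line.startswith("access-list"):
            continue
        entry = parse_entry(line)
        if entry["number"] == list_number and matches(entry, packet):
            return entry["action"]
    return "deny"


# The page's extended lists, exactly as written above.
ACL_101 = ["access-list 101 deny icmp any 10.0.0.0 0.255.255.255 echo log"]
ACL_103 = ["access-list 103 permit tcp host 192.168.39.8 eq telnet"
           " host 10.1.1.200 eq telnet log"]
ACL_104 = ["access-list 104 permit udp any any neq rip log",
           "access-list 104 deny udp any any eq rip log"]
```

Replaying list 103 shows that, as written, it also requires a source port of 23, so a Telnet client connecting from an ephemeral source port is dropped by the implicit deny. Replaying list 101 shows that the implicit deny at its end drops inbound echo-reply as well, not only echo.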
The extended access lists can also be defined using names. The format of the commands is as follows:

ip access-list extended name
{deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

or

{deny | permit} protocol any any

or

{deny | permit} protocol host source host destination

For ICMP filtering using names on extended access lists, you would use the following format:

{deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For IGMP filtering using names on extended access lists:

{deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP filtering using names on extended access lists:

{deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP filtering using names on extended access lists:

{deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

The values and placements for extended access lists using names are the same for specifying the denial or permission of a packet. The ip access-list extended command followed by a unique name indicates to the Cisco IOS software that the following statements are grouped under the specified name.

We can apply the numbered extended access list examples using a name by specifying them using the descriptions listed below.

Using named extended access lists on ICMP echo messages to and from the Internet connection on the serial 0 interface:

interface serial 0
ip address 209.196.9.34 255.255.255.0
ip access-group pingnet out
ip access-group pingnet in
ip access-list extended pingnet
permit icmp 10.0.0.0 0.255.255.255 any echo log
deny icmp any 10.0.0.0 0.255.255.255 echo log

Prohibiting the host-report IGMP message from leaving the router on interface serial 0 to the Internet:

interface serial 0
ip address 209.196.9.34 255.255.255.0
ip access-group igmpout out
ip access-list extended igmpout
deny igmp any any host-report log

Permitting Telnet access only between an Internet IP host at 192.168.39.8 and an internal IP host at 10.1.1.200 through the serial 0 interface using named extended access lists:

interface serial 0
ip address 209.196.9.34 255.255.255.0
ip access-group port25 in
ip access-list extended port25
permit tcp host 192.168.39.8 eq telnet host 10.1.1.200 eq telnet log

In the last example, the RIP protocol is filtered out on the inbound side of an Ethernet connection:

interface ethernet 0
ip address 10.200.10.21 255.255.255.0
ip access-group norip in
ip access-list extended norip
deny udp any any eq rip log

Fault-Tolerant Routing of IP Packets

The Cisco IOS software can provide backup and recovery of the IP default gateway address using the Hot Standby Router Protocol (HSRP). Let's use Figure 13-10 as the first example on understanding how HSRP works with Cisco routers.

The virtual IP address of 10.1.1.1 is the default IP gateway address for ELAN1 on the Cisco Catalyst 5000 switch in Figure 13-10. The actual IP addresses HSRP assigns a virtual MAC address for the LAN interface associating the virtual IP address. The ATM-specific definitions are discussed in detail in Chapter 20, "Defining ATM (LANE, Classical IP, and MPOA)."

The following is the configuration for PRI-Router:

hostname PRI-Router
!
interface ethernet 0
ip address 10.10.10.3 255.255.255.0
standby 1 ip 10.10.10.1
standby 1 preempt
standby 1 priority 110
standby 1 authentication group1
standby 1 timers 5 15

The following is the configuration for SEC-Router:

hostname SEC-Router
!
interface ethernet 0
ip address 10.10.10.2 255.255.255.0
standby 1 ip 10.10.10.1
standby 1 preempt
standby 1 authentication group1
standby 1 timers 5 15

[Figure 13-10: HSRP in support of IP gateway backup and recovery. Upper panel: Active HSRP Router (priority 110) and Standby HSRP Router (priority 100) on ELAN1, both serving the IP gateway address. Lower panel: the priority-100 router has become the Active HSRP Router.]

`The HSRP feature is enabled by specifying the interface configuration
`command, standby ip. The format of this command is
`
`standby [group-number] ip [ip-address [secondaryfl
`
`The group-number is an optional numeric identifier used to designate
`the routers that belong to the HSRP group. The default is O with a valid
`range of O to 255. The ip-address variable is the virtual IP address being
`assigned to the HSRP group. The secondary keyword is used when HSRP is
`being applied as a secondary IP address. In our example, the HSRP group
`is group 1 and the 10.10.10.1 is the virtual IP address.
`
`[support up to 255 Hot Standby
`N iiEWthernet,lATM
`groups. Token Ring LANS can support only three Hot Standby groups
`numbered 0, 1, and 2.
`
`The standby priority HSRP interface command is used on a router
`interface with HSRP to ensure the election of this router interface as the
`primary router. The format of this command is
`
`standby group-number] priority priority [preempt [delay delay]]
`The group-number associates this command with an HSRP group. The
`priority value is a defined numeric value in the range of 1 to 255, default-
`‘ ing to 100 and denoting the preference of this interface to act as the pri-
`mary for the virtual IP address. The preempt keyword, if specified, directs
`the Cisco IOS to assume control as the active virtual IP address if the
`router has a higher priority than the current primary virtual interface. The
`delay variable determines the amount of time in seconds that the router
`will postpone its attempt to become the active primary interface for the vir-
`tual IP address. The delay variable defaults to 0 and can range from 0 to
`3600 seconds.
`
In the example, PRI-Router has the priority set to 110, while SEC-Router
defaults to a priority of 100. During the UDP hello exchanges that occur
with HSRP, PRI-Router is elected as the active interface for servicing the
virtual IP address. Should PRI-Router's HSRP interface go down, the
Ethernet interface on SEC-Router becomes the active interface. Once
PRI-Router's Ethernet interface comes back up, it immediately attempts to
become the active interface again, because the preempt keyword is coded
and the delay value defaults to 0. If the preempt keyword is not coded,
SEC-Router stays active and PRI-Router becomes the active router again only
when SEC-Router's Ethernet interface goes down.
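The election described above, written out as a small simulation so the effect of priority, preempt, and the equal-priority tie-break can be checked. This is an added example, not code from the page or from Cisco IOS; the real interface addresses 10.10.10.2 and 10.10.10.3 are assumed, since the text gives only the virtual address, and the preempt delay is not modeled (it defaults to 0 in the text).

```python
"""HSRP active-router election as described in the text.

Added example, not code from the page or from Cisco IOS.  Rules modeled:
highest priority wins; equal priority is broken by the higher real
interface IP address; a returning router only takes the active role back
if it has preempt configured.  The preempt delay (default 0) is not modeled.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str               # real interface IP address sent in hellos (assumed values)
    priority: int = 100   # 1..255, default 100
    preempt: bool = False
    up: bool = True       # whether the HSRP interface is up and sending hellos


def _rank(r: HsrpRouter):
    # Higher priority wins; a tie is broken by the higher interface IP address.
    return (r.priority, int(ipaddress.ip_address(r.ip)))


def elect(routers, current_active=None):
    """Return the name of the router that is active after this hello round.

    current_active is the name of the router that was active before the
    round, or None for the initial election.
    """
    live = [r for r in routers if r.up]
    if not live:
        return None
    best = max(live, key=_rank)
    incumbent = next((r for r in live if r.name == current_active), None)
    if incumbent is None:
        # No active router (initial election, or the active one went away).
        return best.name
    # The active router keeps its role unless a higher-ranked router that
    # has preempt configured is present.
    if best is not incumbent and best.preempt and _rank(best) > _rank(incumbent):
        return best.name
    return incumbent.name


def walk_through(preempt_on_primary: bool):
    """Replay the PRI-Router / SEC-Router scenario from the text and return
    the sequence of active routers: initial election, PRI-Router down,
    PRI-Router back up."""
    pri = HsrpRouter("PRI-Router", "10.10.10.2", priority=110, preempt=preempt_on_primary)
    sec = HsrpRouter("SEC-Router", "10.10.10.3")   # default priority 100, no preempt
    routers = [pri, sec]
    history = []
    active = elect(routers)            # initial election: PRI-Router (110 > 100)
    history.append(active)
    pri.up = False                     # PRI-Router's Ethernet interface goes down
    active = elect(routers, active)    # SEC-Router takes over
    history.append(active)
    pri.up = True                      # PRI-Router comes back up
    active = elect(routers, active)    # takes over only with preempt
    history.append(active)
    return history


if __name__ == "__main__":
    print("preempt coded:    ", walk_through(True))
    print("preempt not coded:", walk_through(False))
```

With preempt coded the sequence is PRI-Router, SEC-Router, PRI-Router; without it the last step stays on SEC-Router, which is the behaviour the text describes.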
`
`
An authentication string can be configured so that a router accepts the
virtual IP address and timer values only from hellos that carry the same
string for the HSRP group. The format of the command is

standby [group-number] authentication string

The group-number identifies the HSRP group to which the authentication
string applies. All routers participating in the same HSRP group must use
the same authentication string. The string value defaults to the string
"cisco" and is one to eight characters in length. In our example, the
authentication string group1 is used to verify that the parameters are for
use with HSRP standby group number 1. The string is carried in clear text
in every HSRP hello, so it guards against misconfiguration rather than
against a host on the same LAN that can read the hellos.
HSRP uses UDP hello messages to discover other HSRP routers and announce
its own participation. The standby timers interface command allows the
router administrator to fine-tune the interval between hello messages and
the delay before an active or standby router is declared no longer
available. The format of the command is

standby [group-number] timers hellotime holdtime

The group-number value identifies the standby group to which the timer
values apply. The hellotime variable is the number of seconds, from 1 to
255, that the router waits between sending hello messages; its default is
three seconds. The holdtime value ranges from 1 to 255 and defaults to 10
seconds. It is the amount of time that must pass without receiving a hello
message from a previously known HSRP router interface before that interface
is declared unavailable. The timers advertised by the active router
override the timer settings of the other routers in the group. If coding
the standby timers interface command, be sure to code it the same on all
interfaces part
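To show what the authentication and timers commands above actually put on the wire, here is an encoder and decoder for an HSRP version 1 hello using the packet layout from RFC 2281 (version, op code, state, hellotime, holdtime, priority, group, reserved, 8 bytes of authentication data, virtual IP address), together with the group and authentication-string check a receiver applies and the holdtime expiry test. This is an added example, not code from the page or from Cisco IOS; the hello it builds for PRI-Router (group 1, priority 110, authentication group1, virtual address 10.10.10.1) is constructed here, and the state and op-code values are those listed in RFC 2281.

```python
"""Encode and decode an HSRPv1 hello (RFC 2281 layout) to show what the
standby authentication and standby timers commands put on the wire.

Added example, not code from the page or from Cisco IOS.  The hello built in
the usage section is constructed for illustration.
"""
import socket
import struct

HSRP_VERSION = 0                     # HSRP version 1 uses version field 0
HSRP_UDP_PORT = 1985                 # hellos go to 224.0.0.2, UDP port 1985
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATE_ACTIVE, STATE_STANDBY = 16, 8
# 20 bytes: version, opcode, state, hellotime, holdtime, priority, group,
# reserved, 8-byte authentication data, 4-byte virtual IP address
_FMT = "!BBBBBBBB8s4s"


def build_hello(state, hellotime, holdtime, priority, group, auth, virtual_ip):
    """Return the 20-byte HSRPv1 hello payload for the given parameters,
    enforcing the value ranges the standby commands accept."""
    if not (1 <= hellotime <= 255 and 1 <= holdtime <= 255):
        raise ValueError("hellotime and holdtime must be 1..255")
    if not (1 <= priority <= 255 and 0 <= group <= 255):
        raise ValueError("priority must be 1..255, group 0..255")
    auth_bytes = auth.encode("ascii")
    if not 1 <= len(auth_bytes) <= 8:
        raise ValueError("authentication string is one to eight characters")
    return struct.pack(_FMT, HSRP_VERSION, OP_HELLO, state, hellotime, holdtime,
                       priority, group, 0, auth_bytes.ljust(8, b"\x00"),
                       socket.inet_aton(virtual_ip))


def parse_hello(payload):
    """Decode a hello into a dict.  The authentication data comes back as the
    plain string: HSRPv1 carries it unencrypted in every hello."""
    if len(payload) != struct.calcsize(_FMT):
        raise ValueError("unexpected HSRP payload length")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(_FMT, payload)
    if ver != HSRP_VERSION:
        raise ValueError("not an HSRPv1 packet")
    return {"opcode": op, "state": state, "hellotime": hello, "holdtime": hold,
            "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii"),
            "virtual_ip": socket.inet_ntoa(vip)}


def learn_from_hello(payload, my_group, my_auth):
    """Apply the receiver-side checks from the text: the hello must be for our
    group and carry our authentication string.  If it comes from the active
    router, return the (hellotime, holdtime) pair we adopt; otherwise None."""
    h = parse_hello(payload)
    if h["group"] != my_group or h["auth"] != my_auth:
        return None
    if h["state"] == STATE_ACTIVE:
        return (h["hellotime"], h["holdtime"])
    return None


def peer_expired(last_hello_seen, now, holdtime):
    """True once holdtime seconds have passed with no hello from a known peer."""
    return now - last_hello_seen >= holdtime


if __name__ == "__main__":
    # Constructed hello from PRI-Router as described in the text.
    pkt = build_hello(STATE_ACTIVE, 3, 10, 110, 1, "group1", "10.10.10.1")
    print(pkt.hex())                                   # auth string visible in clear
    print(parse_hello(pkt))
    print(learn_from_hello(pkt, 1, "group1"))          # (3, 10)
    print(learn_from_hello(pkt, 1, "cisco"))           # None: wrong string
    print(peer_expired(100.0, 111.0, 10))              # True
```

The hex dump shows the string group1 sitting in bytes 8 through 15 of every hello, which is why the text's "authentication" is a consistency check between routers that share a configuration rather than protection against anyone who can see the segment's multicast traffic.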
