In the video tutorial below I use Packet Tracer to demonstrate how a layer 3 access-list-based firewall functions in a network scenario featuring a private LAN and a public DMZ. The goal is to improve security by using a layer 4 firewall that is TCP aware; you can add layer 4 firewall capability with a TCP established ACL (access list).
In the second tutorial, I demonstrate how a hacker could bypass a layer 2 access-list firewall by masquerading the port number. I also demonstrate how to solve this problem by using a tcp-established access list.
Two further advancements in Cisco stateful firewalls are the CBAC firewall and Zone Based Firewall. Both of these modular firewalls were great improvements over the early TCP established firewall.
Today, there are even more advanced firewalls that can inspect application data at layer 7 and connect to cloud-based security centers to share and respond to potential zero-day threats with global analysis and response.
A named access list can be either a standard or extended access list, with the only difference being that it is identified by name rather than by number. The IOS command for starting a named access list is slightly different from that of a numbered access list, in that the command starts with ip access-list rather than just access-list; see below:
router>enable
router#configure terminal
router(config)#ip access-list <standard | extended> <name>
router(config-std-nacl)#<permit | deny> <source host or network> <wildcard>
router(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard> <destination host or network> <wildcard> <operator> <port>
Video Tutorial
In this tutorial, I write a named access list (extended) and apply it to the router to permit traffic to a web server on port 80.
Extended access lists offer greater flexibility than standard access lists because you can filter not only on source IP addresses but also on destination IP addresses, as well as on protocols, ports and services, like TCP port 23 (telnet) for instance. Since you are able to declare both the source and the destination addresses, you can apply the extended ACL on the router that is closest to the source network; this lets you filter packets immediately, without allowing them to traverse the entire network before being filtered and dropped. Applied in this way, extended ACLs conserve bandwidth and router resources.
Standard ACL (1-99)                    Extended ACL (100-199)
applied closest to the destination     applied closest to the source
Denies or Permits:                     Denies or Permits:
  source IP address                      source IP address,
                                         destination IP address,
                                         port or service (optional)
Two Steps:
1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)
1. Create:
Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)
2. Apply:
Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.
IOS Commands
Extended access list command formats:
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>
Extended access list examples:
Deny and permit a source class c network to a destination class c network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
Deny or permit a source host to a destination /24 network (the host keyword is equivalent to a 0.0.0.0 wildcard):
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255
Deny or permit any host to any destination on port 80 (http):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80
Deny or permit all hosts (an extended ACL statement always needs a protocol, so ip is required here):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any
Apply the access list to a router interface outbound and inbound:
router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out
router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in
Video Tutorial
If you would like to follow along in Packet Tracer, click here to download the PT starter file: acl-extended1-begin
In part 1, I demonstrate how to write and apply a basic extended access list.
In part 2, I demonstrate how to permit only a port (service) using an extended access list.
I created a Packet Tracer activity for a CCNA Switching class final. I hope this Packet Tracer final exercise will help prepare you for your VLAN and Switching final, as well as any cumulative lab simulation involving switching and VLANs. The activity involves VLANs, VTP, STP, inter-VLAN routing, port security and wireless. The instructions for the lab final are included in the Packet Tracer file. You can download it here: CCNA3-dansFinal.zip
Note: This lab was created for the older CCNA 4.0 Switching curriculum, which at the time was part of the CCNA3 course. The switching content is now part of the CCNA2 course.
Cisco IOS Commands
You need to know the following commands for my Packet Tracer Switching Practice Final (see below). The commands below use sample data only; you will need to fill in your own specific names and numbers based on the requirements of the lab.
switch# show running-config
switch# show vlan
switch# show vtp status
switch# show spanning-tree
switch# configure terminal
switch(config)# line console 0
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# line vty 0 15
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# enable secret class
switch(config)# vlan 5
switch(config-vlan)# name danscourses-vlan
switch(config)# vtp mode server
switch(config)# vtp mode client
switch(config)# vtp domain dansvtpdomain
switch(config)# vtp password danspass
switch(config)# spanning-tree vlan 1-1005 priority 4096
switch(config)# int vlan 99
switch(config-if)# ip address 192.168.99.2 255.255.255.0
switch(config)# ip default-gateway 192.168.99.1
switch(config)# int range fa0/1-3
switch(config-if-range)# switchport mode trunk
switch(config-if-range)# switchport trunk allowed vlan 1-50
switch(config-if-range)# switchport trunk native vlan 22
switch(config)# int fa0/10
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security violation shutdown
switch(config-if)# switchport port-security mac-address sticky
switch# copy run start
router# show running-config
router# show ip route
router# configure terminal
router(config)# line console 0
router(config-line)# password cisco
router(config-line)# login
router(config)# line vty 0 4
router(config-line)# password cisco
router(config-line)# login
router(config)# enable secret class
router(config)# int fa0/0
router(config-if)# no shutdown
router(config)# int fa0/0.5
router(config-subif)# encapsulation dot1q 5
router(config-subif)# ip address 192.168.5.1 255.255.255.0
router(config)# int fa0/0.44
router(config-subif)# encapsulation dot1q 44 native
router(config-subif)# ip address 192.168.44.1 255.255.255.0
router# copy run start
Access lists are used as a form of firewall security on a router. Access lists are statements that a router checks traffic against; if there is a match, the router filters that traffic by either permitting or denying the packets based on the matching statement. Cisco routers can be configured to use a variety of access lists, the most basic being the standard ACL (access list). The standard access list number range is 1 to 99 and 2000 to 2699. The basic access lists in the Cisco CCNA curriculum are the standard access list, the extended access list and the named access list. The named access list is given a name instead of a number and is configured to be either a standard or extended access list.
Access lists are written and read line by line; each line in the access list is a statement or rule, and the first statement that matches a packet decides its fate. At the end of the access list is an implicit "deny all" or "deny any," meaning that even though you cannot see it, there is a "deny all" at the end of the access list. This causes problems because many people assume that an access list is permissive by default, that you only have to write statements denying the traffic you want to filter, and that everything else will be permitted; this is in fact false, so an access list that contains only deny statements blocks all traffic on the interface it is applied to.
Two Steps
1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)
1. Create the ACL
Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)
2. Apply the ACL
Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.
Cisco IOS CLI Commands
Standard access list command format: access-list <1-99> <deny | permit> <source ip address> <wildcard bits>
Standard access list command format: access-list <1-99> <deny | permit> host <source ip address>
Examples:
Deny or permit a class C network:
router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
router(config)#access-list 1 permit 192.168.2.0 0.0.0.255
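The evaluation rules described in this post and in the extended and TCP-established posts above (top-down first match, wildcard bits, the implicit deny, and the established keyword matching only ACK/RST segments) can be checked by hand with the following simulator. This is an added example, not code from the original post or from Cisco IOS; the Packet and Entry classes, the function names and the sample addresses are my own constructions, and only the access-list syntax that appears on this page is parsed.

```python
# Added example (not code from the original post or from Cisco IOS): a small
# simulator of the ACL semantics described in the text. Entries are checked
# top-down, the first match decides, and an unmatched packet hits the implicit
# "deny any" at the end. Wildcard bits: 0 = bit must match, 1 = don't care.
# The 'established' keyword matches only TCP segments with ACK or RST set, i.e.
# replies belonging to a connection that was opened from the inside; a segment
# that merely carries a trusted port number but opens a new connection (SYN
# only) does not match it. Packet and Entry are my own modelling, not IOS types.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None      # "eq <port>" on the destination
    established: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def _addr(tok: list, i: int):
    """Address forms used in the text: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_entry(line: str) -> Entry:
    """Parse the 'access-list <n> ...' subset used on this page."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(tok[1]), tok[2]
    standard = 1 <= number <= 99 or 2000 <= number <= 2699
    i = 3
    proto = "ip"
    if not standard:                 # extended lists name a protocol
        proto, i = tok[i], i + 1
    src, src_wild, i = _addr(tok, i)
    if standard:                     # standard lists filter on source only
        return Entry(action, proto, src, src_wild)
    dst, dst_wild, i = _addr(tok, i)
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {tok[i]!r}")
    return Entry(action, proto, src, src_wild, dst, dst_wild, dport, established)


def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit', 'deny', or 'deny (implicit)' for the packet."""
    for line in acl:
        e = parse_entry(line)
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return e.action              # first match wins
    return "deny (implicit)"         # fell off the end of the list


if __name__ == "__main__":
    # Constructed sample: the standard list from the text and an established list.
    standard_acl = ["access-list 1 deny 192.168.1.0 0.0.0.255",
                    "access-list 1 permit 192.168.2.0 0.0.0.255"]
    for host in ("192.168.1.7", "192.168.2.7", "192.168.3.7"):
        print(host, "->", evaluate(standard_acl, Packet("icmp", host, "10.0.0.1")))
    inbound = ["access-list 101 permit tcp any any established"]
    reply = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40000, frozenset({"ACK"}))
    new_conn = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40000, frozenset({"SYN"}))
    print("reply:", evaluate(inbound, reply), "| new connection:", evaluate(inbound, new_conn))
```

The third host in the sample (192.168.3.7) matches neither statement and is dropped by the implicit deny, which is the behaviour the text warns about; the last two lines show that an inbound established list lets return traffic through while a new inbound connection attempt, whatever port number it carries, falls through to the implicit deny.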
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that, when enabled and configured correctly, uses advertisements to contact the switch on the other end of the link and auto-negotiate a switchport to either an access or a trunk link. When a switchport on either end of the link is misconfigured, you end up with a broken link (see the chart below). DTP is enabled by default on the Cisco switches commonly used in the CCNA curriculum. There are four switchport modes that DTP negotiates with in order to determine whether the link will be a trunk or an access link: Access, Trunk, Dynamic Auto, and Dynamic Desirable. The default switchport mode when DTP is enabled is Dynamic Auto. If the switches on both ends of a link have DTP enabled, and both switchports are left in the default Dynamic Auto mode, the resulting link mode will be Access on both ends of the link. By contrast, if the switchport on one end of the link is in Dynamic Auto mode and the switchport on the other end is configured for Trunk mode, the DTP negotiation results in the Dynamic Auto switchport changing its mode to Trunk, and the link becomes a trunk. See the chart below for the result when two DTP-enabled Cisco switches negotiate switchport modes. Since only Cisco switches support DTP, when connecting to a non-Cisco switch DTP should be disabled.
The following chart shows how the link will auto negotiate when DTP is enabled on both switches and different DTP modes are configured on either end of the link. When DTP is enabled by default on a switch, the default switchport mode is Dynamic Auto.
DTP auto-negotiation resulting link states (row: port mode on this end, column: port mode on the other end)

Port Mode           Access           Trunk            Dynamic Auto     Dynamic Desirable
Access              access           not recommended  access           access
Trunk               not recommended  trunk            trunk            trunk
Dynamic Auto        access           trunk            access           trunk
Dynamic Desirable   access           trunk            trunk            trunk
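The negotiation outcomes in the chart above, as an added example that is not part of the original post and not Cisco code: a Python function that returns the resulting link state for any pair of configured modes, and an audit helper of my own design that lists ports whose trunking status is still decided by the peer. The port names in the sample are constructed. The helper's docstring mentions switchport nonegotiate, which is the standard IOS interface command for turning DTP off on a port and is how you act on the text's advice to disable DTP towards non-Cisco devices.

```python
# Added example, not code from the original post or from Cisco: the DTP
# negotiation chart as a function, plus a port-audit helper of my own design.
MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")
DEFAULT_MODE = "dynamic auto"        # default when DTP is enabled, per the text


def negotiate(local: str, remote: str) -> str:
    """Operational link state when two DTP-enabled Cisco switches are
    connected with the given switchport modes on each end (the chart above)."""
    local, remote = local.lower(), remote.lower()
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown switchport mode {m!r}")
    if {local, remote} == {"access", "trunk"}:
        return "not recommended"     # the two ends disagree; the link is broken
    if "access" in (local, remote):
        return "access"              # a hard-coded access port never trunks
    if "trunk" in (local, remote):
        return "trunk"               # a hard-coded trunk pulls a dynamic peer up
    if "dynamic desirable" in (local, remote):
        return "trunk"               # desirable actively asks to trunk
    return "access"                  # dynamic auto on both ends: nobody asks


def can_negotiate_trunk(mode: str) -> bool:
    """True if a port in this mode becomes a trunk as soon as the peer is
    trunk or dynamic desirable, i.e. the peer decides whether it trunks."""
    return negotiate(mode, "dynamic desirable") == "trunk"


def audit_edge_ports(port_modes: dict) -> list:
    """Ports facing end hosts or non-Cisco devices should be 'switchport mode
    access' with DTP turned off ('switchport nonegotiate'). Given
    {"Fa0/2": "dynamic auto", ...}, return the ports still able to negotiate
    a trunk so they can be hard-coded."""
    return sorted(p for p, m in port_modes.items() if can_negotiate_trunk(m))


def chart() -> dict:
    """Rebuild the whole chart as {(local mode, remote mode): link state}."""
    return {(a, b): negotiate(a, b) for a in MODES for b in MODES}


if __name__ == "__main__":
    # Constructed sample: three edge ports on an access switch, two of them
    # still at DTP defaults or set to desirable, one hard-coded to access.
    edge_ports = {"Fa0/2": DEFAULT_MODE, "Fa0/3": "dynamic desirable", "Fa0/4": "access"}
    print("Dynamic Auto <-> Dynamic Auto ->", negotiate(DEFAULT_MODE, DEFAULT_MODE))
    print("edge ports still able to negotiate a trunk:", audit_edge_ports(edge_ports))
```

Feed audit_edge_ports only the ports you intend to be access ports (uplinks are supposed to trunk and would be flagged too); every port it returns is one whose operational mode depends on what the device on the other end sends, which is exactly why the text says DTP should be off where the peer is not a Cisco switch you control.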
Video Tutorial – Packet Tracer
In the following video tutorial, I demonstrate in Packet Tracer how two Cisco switches running DTP are able to auto-negotiate the link to either a trunking or an access state. If you have Packet Tracer and would like to follow along with the demonstration, you can download my PT files here: DTP-1-begin.zip, DTP-1-Finished.zip
In the following videos, I build on previous Packet Tracer video tutorials (see VLANs & Trunking PT Lab) and add a trunk to a router, DHCP services, and a voice VLAN for VoIP phones. The tutorials should be easy to follow along with if you have a current version of Packet Tracer (5.3.2 or higher).
In this part, I configure a trunk to a router, subinterfaces, 802.1Q encapsulation, and a voice VLAN.
In this part, I configure DHCP services on the router, telephony services, and VoIP phones.