Cisco Systems CCNA 2 Module 11: Access Control List (ACLs)

119 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.

Module 11: Access Control List (ACLs)

Overview

When teaching Module 11, emphasize the importance of access control lists (ACLs). Network

administrators must establish a way to deny unwanted access to a network and allow internal

users to access necessary services. Security tools such as passwords, callback equipment,

and physical security devices are helpful. However, they often lack the flexibility of basic traffic

filtering and the controls most administrators prefer. ACLs will be used for many aspects of

networking. These include security, dial on demand routing, and all types of route filtering

techniques. Quality of Service routers provide basic traffic filtering capabilities such as the use

of ACLs to block Internet traffic. An ACL is a sequential list of permit or deny statements that

apply to addresses or upper-layer protocols.

Module Caution: It may be difficult for students to understand the concept of ACLs. This topic

will require additional time for students to understand. Work through numerous examples.

Have students finish the hands-on labs and e-Labs. Consider spending less time on Modules

1, 5, 8, and 10 to make sure ACLs are properly learned.

Students who complete this module should be able to perform the following tasks:

• Describe the differences between standard and extended ACLs

• Explain the rules for placement of ACLs

• Create and apply named ACLs

• Describe the function of firewalls

• Use ACLs to restrict virtual terminal access

11.1 Access Control List Fundamentals

Essential Labs: None

Optional Labs: None

Core TIs: All

Optional TIs: none

Course-Level Claim: Students can identify the application of packet control with various

access control lists.

Certification-Level Claim: Students can implement access lists, develop an access list to

meet user specifications, and evaluate rules for packet control.

Hands-on skills: none

Contents

Main I. Page Page II. Course Overview Target Audience Prerequisites Course Description Course Objectives Lab Requirements Certification Alignment Course Overview Page III. Teaching Guide for Each TI Nomenclature Page Module 1: WANs and Routers 1.1 WANs 1.1.1 Introduction to WANs 1.1.2 Introduction to routers in a WAN 1.1.3 Router LANs and WANs 1.1.4 Role of Routers in a WAN 1.1.5 Academy approach to hands-on labs 1.2 Routers 1.2.1 Introduction to WANs 1.2.2 Router physical characteristics 1.2.3 Router external connections 1.2.4 Management port connections 1.2.5 Console Port Connections 1.2.6 Connecting Router LAN interfaces 1.2.7 Connecting WAN interfaces Module 1 Summary Module 2: Introduction to Routers 2.1 Operating Cisco IOS Software 2.1.1 The purpose of Cisco IOS software 2.1.2 Router user interface 2.1.3 Router user interface modes 2.1.4 Cisco IOS software features 2.1.5 Operation of Cisco IOS software 2.2 Starting a Router 2.2.1 Initial startup of Cisco routers 2.2.2 Router LED indicators 2.2.3 The initial router bootup 2.2.4 Establish a console session 2.2.5 Router login 2.2.6 Keyboard help in the router CLI 2.2.7 Enhanced editing commands 2.2.8 Router command history 2.2.9 Troubleshooting command line errors 2.2.10 The show version command Module 2 Summary Module 3: Configuring a Router Page 3.1 Configure a Router 3.1.1 CLI command modes 3.1.2 Configuring a router name 3.1.3 Configuring router passwords 3.1.4 Examining the show commands 3.1.5 Configuring a serial interface 3.1.6 Making configuration changes 3.1.7 Configuring an Ethernet interface 3.2 Finishing the Configuration 3.2.1 Importance of configuration standards 3.2.2 Interface descriptions 3.2.3 Configuring an interface description 3.2.4 Login banners 3.2.5 Configuring message-of-the-day (MOTD) 3.2.6 Host name resolutions 3.2.7 Configuring host tables 3.2.8 Configuration backup and documentation 3.2.9 Backing up configuration files Page Module 3 Summary Module 4: Learning about Other Devices 4.1 Discovering and Connecting to Neighbors 4.1.1 Introduction to CDP 4.1.2 Information obtained with CDP 4.1.3 Implementation, monitoring, and maintenance of CDP 4.1.4 Creating a network map of the environment 4.1.5 Disabling CDP 4.1.6 Troubleshooting CDP Command Purpose 4.2 Getting Information about Remote Devices 4.2.1 Telnet 4.2.2 Establishing and verifying a Telnet connection 4.2.3 Disconnecting and suspending Telnet sessions 4.2.4 Advanced Telnet operation 4.2.5 Alternative connectivity tests Page 4.2.6 Troubleshooting IP addressing issues Module 4 Summary Module 5: Managing Cisco IOS Software 5.1 Router Boot Sequence and Verification 5.1.1 Stages of the router power-on boot sequence 5.1.2 How a Cisco device locates and loads the Cisco IOS 5.1.3 Using the boot system command 5.1.4 Configuration register 5.1.5 Troubleshooting IOS boot failure 5.2 Managing the Cisco File System 5.2.1 IOS file system overview 5.2.2 IOS naming convention 5.2.3 Managing configuration files using TFTP 5.2.4 Managing configuration files using copy and paste Page 5.2.5 Managing IOS images using TFTP 5.2.6 Managing IOS images using XModem 5.2.7 Environment variables 5.2.8 File system verification Page Module 5 Summary Module 6: Routing and Routing Protocols 6.1 Introduction to Static Routing 6.1.1 Introduction to routing 6.1.2 Static route operation Page 6.1.3 Configuring static routes 6.1.4 Configuring default route forwarding 6.1.5 Verifying static route configuration 6.1.6 Troubleshooting static route configuration Page 6.2 Dynamic Routing Overview 6.2.1 Introduction to routing protocols 6.2.2 Autonomous systems 6.2.3 Purpose of a routing protocol and autonomous systems 6.2.4 Identifying the classes of routing protocols 6.2.5 Distance vector routing protocol features 6.2.6 Link-state routing protocol features 6.3 Routing Protocols Overview 6.3.1 Path determination 6.3.2 Routing configuration 6.3.3 Routing protocols Page Module 6 Summary Module 7: Distance Vector Routing Protocols 7.1. Distance Vector Routing 7.1.1 Distance vector routing updates 7.1.2 Distance vector routing loop issues Page 7.1.3 Defining a maximum count 7.1.4 Eliminating routing loops through split horizon Page 7.1.5 Route poisoning X 7.1.6 Avoiding routing loops with triggered updates 7.1.7 Preventing routing loops with holddown timers 7.2 RIP 7.2.1 RIP routing process 7.2.2 Configuring RIP 7.2.3 Using the ip classless command 7.2.4 Common RIP configuration issues 7.2.5 Verifying RIP configuration 7.2.6 Troubleshooting RIP update issues 7.2.7 Preventing routing updates through an interface 7.2.8 Load Balancing with RIP 7.2.9 Load balancing across multiple paths 7.2.10 Integrating static routes with RIP 7.3 IGRP 7.3.1 IGRP features 7.3.2 IGRP metrics 7.3.3 IGRP routes 7.3.4 IGRP stability features 7.3.5 Configuring IGRP 7.3.6 Migrating from RIP to IGRP 7.3.7 Verifying IGRP Configuration 7.3.8 Troubleshooting IGRP Module 7 Summary Page Module 8: TCP/IP Suite Error and Control Messages 8.1 Overview of TCP/IP Error Message 8.1.1 ICMP 8.1.2 Error reporting and error correction 8.1.3 ICMP message delivery 8.1.4 Unreachable networks 8.1.5 Using ping to test destination reachability 8.1.6 Detecting excessively long routes 8.1.7 Echo messages 8.1.8 Destination unreachable message 8.1.9 Miscellaneous error reporting 8.2 TCP/IP Suite Control Messages 8.2.1 Introduction to control messages 8.2.2 ICMP redirect/change requests 8.2.3 Clock synchronization and transit time estimation 8.2.4 Information requests and reply message formats 8.2.5 Address mask requests 8.2.6 Router discovery message 8.2.7 Router solicitation message 8.2.8 Congestion and flow control messages Module 8 Summary Module 9: Basic Router Troubleshooting 9.1 Examining the Routing Table 9.1.1 The show ip route command 9.1.2 Determining the gateway of last resort 9.1.3 Determining route source and destination 9.1.4 Determining L2 and L3 addresses 9.1.5 Determining route administrative distance 9.1.6 Determining the route metric 9.1.7 Determining the route next hop 9.1.8 Determining the last routing update 9.1.9 Observing multiple paths to destination 9.2 Network Testing 9.2.1 Introduction to network testing 9.2.2 Using a structured approach to troubleshooting 9.2.3 Testing by OSI layers 9.2.4 Layer 1 troubleshooting using indicators 9.2.5 Layer 3 troubleshooting using ping 9.2.6 Layer 7 troubleshooting using Telnet 9.3 Troubleshooting Router Issues Overview 9.3.1 Troubleshooting Layer 1 using show interfaces 9.3.2 Troubleshooting Layer 2 using the show interfaces 9.3.3 Troubleshooting using show cdp 9.3.4 Troubleshooting using traceroute 9.3.5 Troubleshooting routing issues 9.3.6 Troubleshooting using show controllers 9.3.7 Introduction to debug Module 9 Summary Module 10: Intermediate TCP/IP 10.1 TCP Operation 10.1.1 TCP operation 10.1.2 Synchronization or three-way handshake 10.1.3 Denial of service attacks 10.1.4 Windowing and window size 10.1.5 Sequencing numbers 10.1.6 Positive acknowledgements 10.1.7 UDP operation 10.2 Overview of Transport Layer Ports 10.2.1 Multiple conversations between hosts 10.2.2 Ports for services 10.2.3 Ports for clients 10.2.4 Port numbering and well known port numbers 10.2.5 Example of multiple sessions between hosts 10.2.6 Comparison of MAC addresses, IP addresses, and port numbers Module 10 Summary Module 11: Access Control List (ACLs) Overview 11.1 Access Control List Fundamentals 11.1.1 Introduction to ACLs 11.1.2 How ACLs work 11.1.3 Creating ACLs Page 11.1.4 The function of a wildcard mask 11.1.5 Verifying ACLs 11.2 Access Control Lists (ACLs) 11.2.1 Standard ACLs 11.2.2 Extended ACLs 11.2.3 Named ACLs 11.2.4 Placing ACLs 11.2.5 Firewalls 11.2.6 Restricting virtual terminal access Module 11 Summary IV. Case Study Overview and Objectives Scenario and Phase 1: Project Description Page Phase 3: Basic Router and Workstation Configuration Page Phase 4: Access Control Lists Phase 5: Documenting the Network Case Study Deliverables General Documentation: Technical Documentation: Page Case Study Instructor Notes Phase 1: Project Description Phase 2: IP Addressing Phase 3: Basic Router and Workstation Configuration Phase 4: Access Control Lists Phase 5: Documenting the Network Optional Case Study Instructor Sample Outputs Phase 5: Documenting the Network Sample outputs Boaz (2500) Configuration Management documentation Boaz (2500) Page Page Security Management documentation Boaz (2500) Page Phase 5: Documenting the Network Sample outputs Centre (2500) Configuration Management documentation Page Page Security Management documentation Centre (2500) Page Phase 5: Documenting the Network Sample outputs Eva (2500) Configuration Management documentation Eva (2500) Page Page Security Management documentation Eva (2500) Page Page Appendix A: Cisco Online Tools and Utilities 1 Output Interpreter Page Page Page Page Page Page Page 9 TAC Advanced Search Appendix B: Instructional Best Practices B.1 Definition of Best Practices B.1.1 What is meant by best practices? Page Page Page B.1.4 TIMSS report B.1.5 Student-centered learning B.1.6 Multiple intelligences Page Page Page Page Page B.2 Lab-Centric Instruction B.2.1 CCNA labs Page B.2.2 CCNP labs Page B.2.3 NETLAB Page B.2.4 Simulations B.2.5 Sponsored curriculum labs Page Page Page Page Page Page B.2.7 Troubleshooting Page B.3 Project-based Instruction B.3.1 Challenges and projects Page B.3.2 Design activities Page B.3.3 Brainstorming Page B.3.4 Case studies Page B.3.5 Web research B.4 Instructional Strategies B.4.1 Instructor-led classrooms Page B.4.2 Self-paced instruction B.4.3 Cooperative/collaborative work Page Page B.4.4 Jigsaws B.4.5 Ask the right questions Page B.4.6 PMI Page Page Page Page Page Page Page Page B.4.8 Setting goals Page Page B.5 Assessment Strategies B.5.1 Review strategies B.5.2 Journals and reflection Page Page B.5.3 Rubrics Page B.5.4 Portfolio Page Page B.5.6 Lab exams Page B.5.7 Six lenses