With the rapid development of networks, network security and network quality of service have become increasingly prominent issues. The Access Control List (ACL) is a technology closely related to both.

ACL can control network access behavior, prevent network attacks and improve network bandwidth utilization by accurately identifying the message flow in the network and working in conjunction with other technologies, thus effectively guaranteeing a secure network environment and reliable network service quality.

For any network, user management is one of the basic security management requirements, and AAA (Authentication, Authorization, Accounting) is a management framework that provides a security mechanism to authorize some users to access specified resources and record their operation behaviors. It is widely used for its good scalability as well as convenient centralized management of user information. AAA can be implemented by various protocols, and in practice, the most commonly used one is Remote Authentication Dial-in User Service (RADIUS).

In this chapter, we will introduce the basic principles and basic roles of ACL, its different types and characteristics, its basic composition and matching order, the usage of wildcard masks and ACL-related configuration, the basic concepts of AAA, the implementation methods of AAA, the basic configuration of AAA and common AAA application scenarios.

9.1 Working Principles of ACL

9.1.1 Overview of ACL

ACL is an extensively used network technology, and its basic principle is extremely simple. A network device configured with an ACL matches messages passing through the device against pre-defined matching rules, and then processes the matched messages in a predetermined way. These matching rules and the corresponding processing actions are set according to the specific network requirements. The different processing actions and the diverse matching rules allow ACLs to be effective in a variety of ways.

ACL technology is always associated with technologies such as firewalls, routing policy, QoS, and traffic filtering. In this book, we only briefly introduce the basic knowledge about ACL from the perspective of traffic control. In addition, it should be noted that different network equipment vendors differ in the details of how ACL is implemented. This book describes ACL technology as implemented in Huawei network equipment.

9.1.2 Composition of ACL

As shown in Fig. 9.1, an ACL is composed of several “deny | permit” statements, each of which is a rule of ACL. The deny or permit in each statement is the processing action corresponding to the rule. In particular, it should be noted that ACL technology is always used in combination with other technologies, so for different technologies combined, “permit” and “deny” have different meanings and functions. For example, when ACL technology is used in conjunction with traffic filter technology, permit means “permit passage” and deny means “deny passage”.

Fig. 9.1 Composition of ACL

After receiving a message, a device configured with the ACL will match the message against the rules in the ACL one by one. If the message does not match the current rule, it will continue to be matched against the next rule. Once the message matches a rule, the device will perform the processing action (“permit” or “deny”) defined in the rule on the message, and stop matching the message against subsequent rules. If the message matches none of the rules of the ACL, the device “permits” the message: the last, implicit default rule of an ACL in a Huawei router allows any address to pass. You can add a rule at the end of the ACL to deny packets from any address; in that case, the implicit default rule will never take effect.

Each rule in an ACL has a corresponding number, called the “rule-id”. By default, messages are always matched against the rules from the smallest to largest rule-id. And by default, the device will automatically assign a number to each rule during the creation of the ACL. If the step length of the rule-id is set to be 10 (Note: the default value of the step length of rule-id is 5), the rule-ids will be automatically assigned as 10, 20, 30, 40… If the step length of the rule-id is set to 2, the rule-ids will be automatically assigned as 2, 4, 6, 8… The step length indicates the interval between adjacent rule-ids. In fact, the interval exists to facilitate the insertion of a new rule between two adjacent rules.

9.1.3 Classification of ACLs

ACLs are classified into different types according to their characteristics, namely basic ACLs, advanced ACLs, Layer 2 ACLs, and user-defined ACLs, among which basic ACLs and advanced ACLs are the more widely used. When configuring an ACL on a network device, each ACL needs to be assigned a number, called the ACL number. The number range of basic ACLs is 2000–2999, that of advanced ACLs is 3000–3999, that of Layer 2 ACLs is 4000–4999, and that of user-defined ACLs is 5000–5999. When configuring an ACL, the type of ACL should be consistent with the corresponding number range.

Basic ACLs can only define rules based on the source IP address, message fragmentation tag and time period information of IP messages. The structure of the command to configure a basic ACL rule is as follows.

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | logging | time-range time-name ]

The following is the explanation of each component of the command.

rule: indicates that this is a rule.

rule-id: is the number of this rule.

deny | permit: an either-or option, which indicates the processing action associated with this rule.

source: indicates the source IP address information.

source-address: indicates the specific source IP address.

source-wildcard: indicates a wildcard mask corresponding to the source-address. The combination of source-wildcard and source-address determines a set of IP addresses.

any: indicates that the source IP address can be any address.

logging: indicates that IP messages matching this rule are required to be logged.

time-range time-name: indicates that the time period for the rule to take effect is time-name, and the specific usage is not described here.

Advanced ACL can define rules based on information such as source IP address, destination IP address, protocol field, priority, length, source port number of TCP messages, destination port number of TCP messages, source port number of UDP messages and destination port number of UDP messages. The functions of basic ACL are only a subset of the functions of advanced ACL, and advanced ACL can define rules that are more precise, complex, and flexible than basic ACL.

The configuration of rules in advanced ACLs is much more complicated than that of rules in basic ACLs, and the format of the configuration command varies depending on the payload type of the IP message. For example, for ICMP messages, TCP messages, and UDP messages, the format of the corresponding configuration command differs. The following is a simplified format of the configuration command that applies to all IP messages.

rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } ] [ source { source-address source-wildcard | any } ]

9.1.4 Wildcard-Mask

When a wildcard-mask is combined with an IP address, it represents a set of IP addresses. A wildcard-mask is a 32-bit value that indicates which bits of an IP address need to be strictly matched and which do not. Wildcard-masks are usually represented in a dotted decimal form similar to subnet masks, but have a completely different meaning from subnet masks.

When a wildcard-mask is written in binary, a “0” bit means “match” and a “1” bit means “ignore”. As shown in Fig. 9.2, combining the address 192.168.1.0 with the wildcard-mask 0.0.0.255 indicates the network segment 192.168.1.0/24.

Fig. 9.2 Wildcard-mask

Use the following commands to create ACL 2000 and add four rules. The last part of each rule, following the source address, is a wildcard-mask.

[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 deny source 10.1.1.1 0.0.0.0
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]rule 15 permit source 172.16.0.0 0.0.255.255
[AR1-acl-basic-2000]rule 20 deny source 0.0.0.0 255.255.255.255
[AR1-acl-basic-2000]quit

rule 5: denies the passage of messages whose source IP address is 10.1.1.1. Because the wildcard-mask is all 0s, every bit must be strictly matched. Therefore, the matching host IP address is 10.1.1.1.

rule 10: allows the passage of messages whose source address is in the network segment 192.168.1.0/24. The wildcard-mask is written in binary as 0.0.0.11111111, and the last 8 bits are all 1s, which means they are ignored. Therefore, the last 8 bits of 192.168.1.xxxxxxxx can be any value, thus matching the network segment 192.168.1.0/24.

rule 15: allows the passage of messages whose source address is in the network segment 172.16.0.0/16. The wildcard-mask is written in binary as 0.0.11111111.11111111, and the last 16 bits are all 1s, which means they are ignored. Therefore, the last 16 bits of 172.16.xxxxxxxx.xxxxxxxx can be any value, thus matching the network segment 172.16.0.0/16.

rule 20: denies the passage of messages whose source address is in the network segment 0.0.0.0/0, which is equivalent to denying all network segments. The wildcard-mask is written in binary as 11111111.11111111.11111111.11111111, and all 32 bits are 1s, which means they are all ignored. Therefore, all 32 bits of xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx can be any value, thus matching the network segment 0.0.0.0/0.

The “1” or “0” in the wildcard-mask can be non-consecutive.

How should a wildcard-mask be written to match only the odd IP addresses in the network segment 192.168.1.0/24, such as 192.168.1.1, 192.168.1.3 and 192.168.1.5?

As shown in Fig. 9.3, by writing the last octet of the odd IP addresses in binary, you can see that the last bit of every odd IP address is 1, so it must be strictly matched, and the answer is “192.168.1.1 0.0.0.254” (0.0.0.11111110 in binary).

Fig. 9.3 The 0s and 1s in a wildcard-mask can be discontinuous

Think about it. How should a wildcard-mask be written to match only the even IP addresses in the network segment 192.168.1.0/24, such as 192.168.1.0, 192.168.1.2, 192.168.1.4 and 192.168.1.6?

The answer is “192.168.1.0 0.0.0.254”. If this is not clear, write the even addresses in binary and then derive the wildcard-mask.

There are also two special wildcard-masks. A wildcard-mask of all 0s combined with an IP address matches exactly that one address. A wildcard-mask of all 1s combined with the address 0.0.0.0 matches all addresses.
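The wildcard-mask arithmetic of this section, written out in Python. This is an added example and not code from the book; it goes slightly beyond the text by converting between prefix lengths and wildcard-masks and by enumerating the address set a base/wildcard pair matches, which makes the odd/even answers above checkable.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 0 bit must equal the base bit, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF            # bits the rule strictly matches
    return (to_int(addr) & care) == (to_int(base) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard for a /prefix_len segment: the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(~netmask & 0xFFFFFFFF)


def wildcard_to_prefix(wildcard: str):
    """Prefix length if the wildcard is a contiguous run of trailing 1s; None for masks like 0.0.0.254."""
    w = to_int(wildcard)
    ones = 0
    while w & 1:
        ones += 1
        w >>= 1
    return 32 - ones if w == 0 else None


def matched_addresses(base: str, wildcard: str, max_free_bits: int = 12) -> list:
    """Enumerate every address matched by base/wildcard (refuses sets larger than 2**max_free_bits)."""
    w = to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]    # bit positions the rule ignores
    if len(free_bits) > max_free_bits:
        raise ValueError("address set too large to enumerate")
    fixed = to_int(base) & ~w & 0xFFFFFFFF                  # the strictly matched part of base
    result = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                value |= 1 << bit
        result.append(to_dotted(value))
    return result


if __name__ == "__main__":
    # rule 5 and rule 10 of ACL 2000 above, and the "odd hosts" wildcard from Fig. 9.3
    print(wildcard_match("10.1.1.1", "10.1.1.1", "0.0.0.0"))            # True: all 32 bits strict
    print(wildcard_match("192.168.1.200", "192.168.1.0", "0.0.0.255"))  # True: last 8 bits ignored
    print(wildcard_to_prefix("0.0.0.254"))                              # None: not a contiguous mask
    odd = matched_addresses("192.168.1.1", "0.0.0.254")
    print(len(odd), odd[:3])           # 128 ['192.168.1.1', '192.168.1.3', '192.168.1.5']
```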

9.1.5 ACL Design Roadmap

When using ACLs to control network traffic, the first thing to consider is whether to use basic ACL or advanced ACL. If the control is based only on the source IP address of the packet, then basic ACL is used. And if the control is based on the source IP address, destination IP address, protocol and destination port of the packet, then advanced ACL is used. Then you should consider which direction of which port of which router to control. Once all of these are determined, you can determine which IP addresses are the source and which are the destination in the ACL rules.

Before creating ACL rules, the order of the rules in the ACL also needs to be determined. If the address ranges in each rule do not overlap, the order of rule-ids is irrelevant; if the addresses used in multiple rules overlap, the rules with smaller address blocks should be put in the front and those with larger address blocks should be put in the back.

Only one ACL can be bound in each direction (inbound or outbound) of each port of the router, while one ACL can be bound to multiple ports.

Figure 9.4 shows an example to control solely the access from the intranet to the Internet, which is a control based on source IP address, so the basic ACL is sufficient. Intranet computers have to pass through two routers, R1 and R2, to access Internet, which requires consideration of which router to control and which port to bind to. If you create an ACL on router R1, you should bind it to the outbound direction of GE0/0/1 of router R1 and check the application of the ACL at the exit. In this example, ACL is created on router R2 and is bound to the inbound direction of GE0/0/0 of router R2.

Fig. 9.4 ACL example

You can see that there are four matching rules in the ACL in Fig. 9.4. The last, implicit default rule of an ACL in a Huawei router is to allow any address to pass, while rule 4 created in this example denies any address, so the implicit default rule will never be used. This is because the rules in an ACL are matched from the smallest to the largest rule-id, and once a rule is matched, the message is not matched against subsequent rules.

In this example, the source address in rule 2 contains the Host A in rule 1, that is, the addresses in the rules overlap, as shown in Fig. 9.4. This requires the rule for Host A to precede the rule for Subnet B. If the order is reversed, the rule for Host A will not have a chance to be matched.

The created ACL should be bound to a port, and the direction should be specified. The direction is viewed from the router’s point of view: entering the router through the port is the inbound direction, and leaving the router through the port is the outbound direction. In this example, the defined ACL is bound to port GE0/0/0 of router R2 in the inbound direction, or to port GE0/0/1 of router R2 in the outbound direction.

A packet from Subnet C in Fig. 9.4 comes in through GE0/0/0 of router R2. It is compared against rule 1 and rule 2 in order, finally matches rule 3, and the processing action is permit. Subnet E is not explicitly specified in any rule, but it matches rule 4, whose processing action is deny, so the implicit default rule is never used.

Let’s think about it. Is it OK to bind this ACL to the outbound direction of GE 0/0/1 of router R2? Is it OK to bind it to the inbound direction of GE0/0/1 of router R2?

Answer: it can be bound to the outbound direction of GE0/0/1 of R2, but it cannot be bound to the inbound direction of GE0/0/1 of R2. The rules were written with intranet addresses as the source in order to control access from the intranet to the Internet, whereas traffic entering R2 through GE0/0/1 comes from the Internet side.
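The ordering rule above (smaller address blocks before larger ones) and the rule-id step described in Sect. 9.1.2 can be checked mechanically. The following Python is an added example, not code from the book: it treats a rule as shadowed when an earlier rule (lower rule-id) covers every address of the later one, and uses the ACL 2000 rules from Sect. 9.1.6 as input.

```python
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def covers(outer: tuple, inner: tuple) -> bool:
    """True if every address matched by inner=(base, wildcard) is also matched by outer."""
    o_base, o_wc = (to_int(x) for x in outer)
    i_base, i_wc = (to_int(x) for x in inner)
    if i_wc & ~o_wc & 0xFFFFFFFF:        # inner ignores a bit that outer requires: not fully covered
        return False
    care = ~o_wc & 0xFFFFFFFF            # on outer's strict bits the two bases must agree
    return (o_base & care) == (i_base & care)


def shadowed_rules(rules: list) -> list:
    """rules: (rule_id, action, base, wildcard). Returns (shadowed_id, by_id) for every rule that
    can never be matched because a rule with a lower rule-id already covers all of its addresses."""
    ordered = sorted(rules, key=lambda r: r[0])
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier[2:4], later[2:4]):
                findings.append((later[0], earlier[0]))
                break
    return findings


def implicit_permit_reachable(rules: list) -> bool:
    """Huawei's implicit last rule permits anything unmatched; a 'source any' rule makes it unreachable."""
    return not any(to_int(r[3]) == 0xFFFFFFFF for r in rules)


def next_rule_id(existing_ids: list, step: int = 5) -> int:
    """Auto-assigned rule-id: the smallest multiple of step greater than the largest existing id."""
    return (max(existing_ids, default=0) // step + 1) * step


if __name__ == "__main__":
    # ACL 2000 after the edit in Sect. 9.1.6: rule 2 was inserted *before* the 10.0.0.0/8 deny.
    good = [(2, "permit", "10.30.30.0", "0.0.0.255"),
            (5, "deny", "10.0.0.0", "0.255.255.255"),
            (15, "permit", "192.168.0.0", "0.0.255.255")]
    # The same permit appended as rule 20 instead: 10.0.0.0/8 already covers 10.30.30.0/24.
    bad = [(5, "deny", "10.0.0.0", "0.255.255.255"),
           (15, "permit", "192.168.0.0", "0.0.255.255"),
           (20, "permit", "10.30.30.0", "0.0.0.255")]
    print(shadowed_rules(good), shadowed_rules(bad))       # [] [(20, 5)]
    print(implicit_permit_reachable(good))                 # True: no "source any" rule
    print(next_rule_id([r[0] for r in good]))              # 20
```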

9.1.6 Implementation of Basic ACL Configuration

The following is an example of an enterprise network, which is used to introduce the implementation of basic ACLs.

Packet filtering is performed at a point the packets must pass through (a port of a router) on the path from the source network to the destination network. Before creating an ACL, you need to determine on which direction of which port of which router along the path the packet filtering is performed, in order to determine the source addresses in the ACL rules.

As shown in Fig. 9.5, an enterprise intranet has three network segments. VLAN 10 is the finance department server, VLAN 20 is the engineering department network segment, VLAN 30 is the finance department network segment, and the enterprise router AR1 is connected to the Internet. Now you need to create an ACL on AR1 to achieve the following functions.

  • Traffic whose source IP address is a private address cannot enter the enterprise network from the Internet.

  • The finance department server can only be accessed by the computers in the finance department.

First you need to determine the two ACLs to be created, one bound to the inbound direction of port GE0/0/0 of router AR1 and the other bound to the outbound direction of port Vlanif 10 of AR1.

Fig. 9.5 Enterprise network

Create two basic ACLs on AR1: ACL 2000 and ACL 2010.

[AR1]acl ?
  INTEGER<2000-2999>  Basic access-list(add to current using rules)     --Basic ACL number range
  INTEGER<3000-3999>  Advanced access-list(add to current using rules)  --Advanced ACL number range
  INTEGER<4000-4999>  Specify a L2 acl group
  ipv6                ACL IPv6
  name                Specify a named ACL
  number              Specify a numbered ACL
[AR1]acl 2000                                                  --Create ACL
[AR1-acl-basic-2000]rule deny source 10.0.0.0 0.255.255.255
[AR1-acl-basic-2000]rule deny source 172.16.0.0 0.15.255.255
[AR1-acl-basic-2000]rule deny source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]quit
[AR1]acl 2010
[AR1-acl-basic-2010]rule permit source 10.10.30.0 0.0.0.255
[AR1-acl-basic-2010]rule 20 deny source any                    --Specify rule-id
[AR1-acl-basic-2010]quit

Enter “display acl all” to view all ACLs, and enter “display acl 2000” to view ACL 2000.

[AR1]display acl all
 Total quantity of nonempty ACL number is 2

Basic ACL 2000, 3 rules
Acl's step is 5
 rule 5 deny source 10.0.0.0 0.255.255.255
 rule 10 deny source 172.16.0.0 0.15.255.255
 rule 15 deny source 192.168.0.0 0.0.255.255

Basic ACL 2010, 2 rules
Acl's step is 5
 rule 5 permit source 10.10.30.0 0.0.0.255
 rule 20 deny

Bind the created ACL to the interface.

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000     --Inbound
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface Vlanif 1
[AR1-Vlanif1]quit
[AR1]interface Vlanif 10
[AR1-Vlanif10]traffic-filter outbound acl 2010                --Outbound
[AR1-Vlanif10]quit

After an ACL is defined, you can also edit it to delete some of its rules or to insert rules at a specified position.

Now modify ACL 2000 to delete rule 10 and add a rule to allow network segment 10.30.30.0/24 to pass through. Think about it. Where should this rule be placed?

[AR1]acl 2000
[AR1-acl-basic-2000]undo rule 10                                    --Delete rule 10
[AR1-acl-basic-2000]rule 2 permit source 10.30.30.0 0.0.0.255       --Insert rule 2 with a number less than 5
[AR1-acl-basic-2000]rule 15 permit source 192.168.0.0 0.0.255.255   --Modify rule 15 to permit
[AR1-acl-basic-2000]display this
[V200R003C00]
#
acl number 2000
 rule 2 permit source 10.30.30.0 0.0.0.255
 rule 5 deny source 10.0.0.0 0.255.255.255
 rule 15 permit source 192.168.0.0 0.0.255.255
#
return

Deleting an ACL does not automatically remove its binding to the interface, so the binding on the interface also needs to be removed.

[AR1]undo acl 2000                                      --Delete ACL
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]display this
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 20.1.1.1 255.255.255.0
 traffic-filter inbound acl 2000                        --ACL 2000 is still bound to the inbound interface
#
return
[AR1-GigabitEthernet0/0/0]undo traffic-filter inbound   --Delete inbound binding

9.1.7 Implementation of Advanced ACL Configuration

As shown in Fig. 9.6, an advanced ACL is required to be created on router AR1 to enable the following functions.

  • Permit the engineering department to access the Internet.

  • Permit the finance department to access the Internet, but it is only allowed to access websites as well as send and receive emails.

  • Permit the finance department to use the ping command to test whether the network to the Internet is unobstructed.

  • Deny the finance department server access to the Internet.

The traffic control in this case is based on the source IP address, destination IP address, protocol and port number of the packet, so an advanced ACL is needed. Create an advanced ACL on AR1 and bind this ACL to the outbound direction of interface GE 0/0/0 of AR1.

Fig. 9.6 Application of advanced ACL

To permit the finance department to access Internet websites, note what accessing a website requires: domain name resolution, which uses the DNS protocol over UDP port 53, and the HTTP or HTTPS protocol, which use TCP port 80 and TCP port 443 respectively.

To avoid the impact of the basic ACLs previously created on this operation, delete all ACLs first, and then unbind the ACLs bound to Vlanif 10 and GE0/0/0.

[AR1]undo acl all                            --Delete all ACLs previously created
[AR1]interface Vlanif 10
[AR1-Vlanif10]undo traffic-filter outbound   --Delete the binding to the interface

To create advanced ACLs on AR1, the destination port shall be specified when creating rules based on TCP and UDP.

[AR1]acl 3000                              --Create advanced ACL
[AR1-acl-adv-3000]rule 5 permit ?          --View available protocols
  <1-255>  Protocol number
  gre      GRE tunneling(47)
  icmp     Internet Control Message Protocol(1)
  igmp     Internet Group Management Protocol(2)
  ip       Any IP protocol                 --IP protocols include TCP, UDP and ICMP
  ipinip   IP in IP tunneling(4)
  ospf     OSPF routing protocol(89)
  tcp      Transmission Control Protocol (6)
  udp      User Datagram Protocol (17)
[AR1-acl-adv-3000]rule 5 permit ip source 10.10.20.0 0.0.0.255 destination any
[AR1-acl-adv-3000]rule 10 permit udp source 10.10.30.0 0.0.0.255 destination any ?   --View available parameters
  destination-port     Specify destination port
  dscp                 Specify dscp
  fragment             Check fragment packet
  none-first-fragment  Check the subsequence fragment packet
  ……
[AR1-acl-adv-3000]rule 10 permit udp source 10.10.30.0 0.0.0.255 destination any destination-port ?   --Specify the destination port to be greater than, less than or equal to a given port number, or in a port range
  eq     Equal to given port number
  gt     Greater than given port number
  lt     Less than given port number
  range  Between two port numbers
[AR1-acl-adv-3000]rule 10 permit udp source 10.10.30.0 0.0.0.255 destination any destination-port eq ?   --You can specify a port number or an application layer protocol name
  <0-65535>  Port number
  biff       Mail notify (512)
  bootpc     Bootstrap Protocol Client (68)
  bootps     Bootstrap Protocol Server (67)
  discard    Discard (9)
  dns        Domain Name Service (53)
  dnsix      DNSIX Security Attribute Token Map (90)
  echo       Echo (7)
  ……
[AR1-acl-adv-3000]rule 10 permit udp source 10.10.30.0 0.0.0.255 destination any destination-port eq dns
[AR1-acl-adv-3000]rule 15 permit tcp source 10.10.30.0 0.0.0.255 destination-port eq www
[AR1-acl-adv-3000]rule 20 permit tcp source 10.10.30.0 0.0.0.255 destination-port eq 443
[AR1-acl-adv-3000]rule 25 permit icmp source 10.10.30.0 0.0.0.255
[AR1-acl-adv-3000]rule 30 deny ip
[AR1-acl-adv-3000]quit

Bind the ACL to the interface.

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
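A simulation of how router AR1 evaluates the advanced ACL 3000 configured above against individual packets. This is an added example, not code from the book or from Huawei: the rules mirror rules 5 to 30 of ACL 3000, the Internet address 203.0.113.10 and the finance server address 10.10.10.5 are constructed (the book gives no address for the VLAN 10 server), and the implicit final rule is modelled as the Huawei default permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # what "any" / an omitted address expands to
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}  # protocol numbers from the "rule 5 permit ?" help output
PORT_NAMES = {"dns": 53, "www": 80}       # port names used in the configuration above


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base exactly; a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol; otherwise tcp/udp/icmp
    src: Tuple[str, str] = ANY       # (source-address, source-wildcard)
    dst: Tuple[str, str] = ANY       # (destination-address, destination-wildcard)
    dport: Optional[int] = None      # destination-port eq N; only meaningful for tcp/udp


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                    # IP protocol number
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and PROTO[rule.protocol] != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *rule.src) or not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dport is None or pkt.dport == rule.dport


def evaluate(rules, pkt: Packet, implicit: str = "permit"):
    """First match in ascending rule-id order wins; the implicit last rule (Huawei: permit) catches the rest.
    Returns (action, rule_id), with rule_id None when the implicit rule decided."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return implicit, None


ENGINEERING = ("10.10.20.0", "0.0.0.255")   # VLAN 20
FINANCE = ("10.10.30.0", "0.0.0.255")       # VLAN 30
ACL_3000 = [
    Rule(5, "permit", "ip", src=ENGINEERING),
    Rule(10, "permit", "udp", src=FINANCE, dport=PORT_NAMES["dns"]),
    Rule(15, "permit", "tcp", src=FINANCE, dport=PORT_NAMES["www"]),
    Rule(20, "permit", "tcp", src=FINANCE, dport=443),
    Rule(25, "permit", "icmp", src=FINANCE),
    Rule(30, "deny", "ip"),
]

if __name__ == "__main__":
    web = "203.0.113.10"                                            # constructed Internet address
    print(evaluate(ACL_3000, Packet("10.10.20.7", web, 6, 22)))     # ('permit', 5)  engineering, any protocol
    print(evaluate(ACL_3000, Packet("10.10.30.9", web, 17, 53)))    # ('permit', 10) finance DNS query
    print(evaluate(ACL_3000, Packet("10.10.30.9", web, 6, 22)))     # ('deny', 30)   finance SSH
    print(evaluate(ACL_3000[:-1], Packet("10.10.30.9", web, 6, 22)))  # ('permit', None) without rule 30
    print(evaluate(ACL_3000, Packet("10.10.10.5", web, 6, 80)))     # ('deny', 30)   finance server (assumed address)
```

Dropping rule 30 shows why the explicit final deny matters: the implicit default would then permit the finance department's SSH traffic.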

9.2 AAA

Network devices and operating systems are usually accessed by multiple users. Different access authorities can be set for different users, and users’ accesses should also be tracked for security.

To log in to an operating system or network device, users need to enter their account name and password to verify their identity. This process is called authentication. The process of granting different authorities to different users is called authorization. For security purposes, access to or changes of system resources after a user logs in can be recorded, which is a process called accounting. These three independent security functions are collectively called AAA. Accounting is not discussed in this book.

9.2.1 Working Modes of AAA

A network device can use either of two modes to perform authentication, authorization, and accounting for users who initiate administrative access. One mode is local, as shown in Fig. 9.7: the network device authenticates and authorizes the user using the username and password information in its own local database.

Fig. 9.7 Illustration of how local AAA works

The other mode is done through an external AAA server. When a user initiates administrative access to the network device, the network device sends query information to the AAA server located at the specified address, so that the AAA server can determine whether to allow this user to access and what authority this user has, etc., as shown in Fig. 9.8.

Fig. 9.8 Illustration of how AAA works using an AAA server

Compared with performing AAA operations locally on the device, AAA services can be provided centrally for network devices via AAA servers. The most obvious advantage of this approach is scalability. Therefore, in medium- to large-scale networks, relying on AAA servers to centrally provide AAA services, as shown in Fig. 9.8, is more common. In this environment, the standard for communication between managed devices and AAA servers needs to be defined. RADIUS protocol is the standard protocol for communication between managed devices and AAA servers, with the AAA server being the RADIUS server and the router being the RADIUS client.

This book will not explain in detail how the AAA server performs AAA or the RADIUS protocol.

9.2.2 Configuration of AAA

This section explains how to configure AAA local authentication on Huawei routers. When using Telnet to log in to a Huawei router remotely, you can use password authentication, but password authentication offers no way to set different authorities for different users. To improve security and grant different access authorities to different users, AAA local authentication should be used for Telnet login. The network environment used in this case is shown in Fig. 9.9.

Fig. 9.9 Login authentication using AAA local authentication

In this environment, AAA local authentication is enabled for Telnet on router AR1, so that users can only log in to AR1 via Telnet after entering the correct username and password.

On a Huawei network device, there is a default authentication-scheme named default, which cannot be deleted by the administrator but can be modified. In the default authentication-scheme, the default authentication mode is local authentication, which means that the router will use the local database to authenticate the user’s login behavior. In this case, we directly use the default authentication-scheme and leave the default authentication mode “local” unchanged.

Check the default AAA configuration information on AR1.

[AR1]aaa
[AR1-aaa]display this
[V200R003C00]
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
return
[AR1-aaa]

Enter the AAA view using the aaa command, and then use the display this command in the AAA view to view the configuration commands of the current view. In the output of the display this command, we focus on authentication-scheme default and domain default_admin.

  • authentication-scheme default: this is the default authentication scheme. If you enter “authentication-scheme default” in AAA view, you can enter the default authentication scheme view and modify the parameters in “default”. In the default authentication scheme view, the administrator can use the authentication-mode local command to set the local authentication mode. Since this is the default authentication mode, even if the administrator enters this command, the setting is not visible in the configuration.

[AR1-aaa]authentication-scheme default
[AR1-aaa-authen-default]authentication-mode ?   --View the authentication modes supported
  hwtacacs  HWTACACS
  local     Local
  none      None
  radius    RADIUS
[AR1-aaa-authen-default]authentication-mode local

  • domain default_admin: this is the default administrator domain “default_admin”, which is the domain of the user logging in to the device via HTTP, SSH, Telnet, Terminal or FTP. If you enter “domain default_admin” in the AAA view, you can enter the “default_admin” domain view and modify the parameters in this domain.

[AR1-aaa]domain default_admin
[AR1-aaa-domain-default_admin]?
aaa-domain-default_admin view commands:
  accounting-scheme      Configure accounting scheme
  arp-ping               ARP-ping
  authentication-scheme  Configure authentication scheme
  authorization-scheme   Configure authorization scheme
  backup                 Backup information
  ……

Users logging in to the device via Telnet belong to the “default_admin” domain, which uses the default authentication-scheme, and the default authentication-scheme in turn uses the default local authentication mode. Given this nested configuration, an administrator who wants to protect Telnet through AAA local authentication does not need to change any of it. Thus, the next step is to create the local users that will log in via Telnet.

The following commands create two users, user1 and user2, on router AR1. When creating user1, the administrator specifies the username (user1) and password (huawei111), and sets the access service type of user1 to “telnet”. When creating user2, in addition to specifying the username (user2) and password (huawei222) and setting the access service type of user2 to “telnet”, the administrator also sets user2’s privilege level to 15, which is the highest level. The administrator does not specify a privilege level for user1, so user1 has the default level of 0, the lowest one.

[AR1]aaa
[AR1-aaa]local-user user1 password cipher huawei111
Info: Add a new user.
[AR1-aaa]local-user user1 service-type telnet
[AR1-aaa]local-user user2 privilege level 15 password cipher huawei222
Info: Add a new user.
[AR1-aaa]local-user user2 service-type telnet

Finally, the administrator also needs to configure the VTY user interface and set its authentication mode to AAA.

[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode aaa
[AR1-ui-vty0-4]quit

Use the account user1 to Telnet to router AR1 from a Windows system. After a successful login, enter a question mark to query the commands currently available; you will find that the commands listed are very limited, because user1’s level is 0. Figure 9.10 shows the commands available after user1 logs in.

Fig. 9.10 Login test using user1

As shown in Fig. 9.11, after logging in as user2 and entering the question mark to query the commands currently available, you will find that user2 can use many commands, because its privilege level is 15, the highest level, which means that user2 can use all commands.

Fig. 9.11 Login test with user2

By using the display local-user command, you can view the locally configured user information of the device.

[AR1]display local-user
---------------------------------------------------------------
User-name        State   AuthMask   AdminLevel
---------------------------------------------------------------
admin            A       H          -
user1            A       T          -
user2            A       T          15
---------------------------------------------------------------
Total 3 user(s)
[AR1]

In the above output, if the state is A, the user is active, and if the state is B, the user is blocked. AuthMask indicates the access type of the local user: the access type of admin is H (HTTP), the access type of user1 and user2 is T (Telnet), and there are other access types such as S (SSH) and F (FTP). AdminLevel represents the user level of the local user, and here you can also see that the level of user2 is 15.

The display local-user username user-name command shows the information of a particular user; next, let’s view the information of user2.

[AR1]display local-user username user2
 The contents of local user(s):
 Password           : ****************
 State              : active
 Service-type-mask  : T
 Privilege level    : 15
 Ftp-directory      : -
 Access-limit       : -
 Accessed-num       : 0
 Idle-timeout       : -
 User-group         : -

9.3 Exercises

1. Regarding the correspondence between access control list number and type, which of the following descriptions is correct ( ).

   A. The number range of basic access control list is from 1000 to 2999
   B. The number range of advanced access control list is from 3000 to 4000
   C. The number range of Layer 2 access control list is from 4000 to 4999
   D. The number range of port-based access control list is from 1000 to 2000

2. Complete the following ACL configuration on router RTA. Which of the following descriptions is correct ( ).

   [RTA]acl 2001
   [RTA-acl-basic-2001]rule 20 permit source 20.1.1.0 0.0.0.255
   [RTA-acl-basic-2001]rule 10 deny source 20.1.1.0 0.0.0.255

   A. The VRP system will automatically adjust the sequence number of the first rule to 5 based on the configuration order
   B. The VRP system will not adjust the sequence number, but will first match the first configured rule “20.1.1.0 0.0.0.255”
   C. The configuration is incorrect, as the sequence number of rules must be configured from the smallest to the largest
   D. The VRP system will match the second rule “deny source 20.1.1.0 0.0.0.255” first according to the sequence number

3. (Multi-selection) Each rule in the ACL has a corresponding rule-id to indicate the matching order. In the configuration shown below, which of the following descriptions of the two rule numbers is correct ( )?

   [RTA]acl 2002
   [RTA-acl-basic-2002]rule permit source 20.1.1.10
   [RTA-acl-basic-2002]rule permit source 30.1.1.10

   A. The sequence number of the first rule is 1
   B. The sequence number of the first rule is 5
   C. The sequence number of the second rule is 2
   D. The sequence number of the second rule is 10

4. As shown in Fig. 9.12, the network administrator wants to forbid Host A to access WebServer, but does not restrict its access to other servers. Which of the following ACLs on RTA can meet the demand ( ).

   A. rule deny tcp source 10.1.1.10 destination 202.100.1.12 0.0.0.0 destination-port eq 21
   B. rule deny tcp source 10.1.1.10 destination 202.100.1.12 0.0.0.0 destination-port eq 80
   C. rule deny udp source 10.1.1.10 destination 202.100.1.12 0.0.0.0 destination-port eq 21
   D. rule deny udp source 10.1.1.10 destination 202.100.1.12 0.0.0.0 destination-port eq 80

5. The following ACL configuration is used on an AR2220 router to filter packets. Which of the following descriptions is correct ( ).

   [RTA]acl 2001
   [RTA-acl-basic-2001]rule permit source 10.0.1.0 0.0.0.255
   [RTA-acl-basic-2001]rule deny source 10.0.1.0 0.0.0.255

   A. Packets on network segment 10.0.1.0/24 will be denied
   B. Packets on network segment 10.0.1.0/24 will be permitted
   C. The ACL is incorrectly configured
   D. All of the above choices are incorrect

6. (Multi-selection) As shown in Fig. 9.13, the network administrator uses ACL 2000 to filter packets on router RTA. Which of the following descriptions is correct ( ).

   A. RTA forwards packets from Host A
   B. RTA discards packets from Host A
   C. RTA forwards packets from Host B
   D. RTA discards packets from Host B

7. (Multi-selection) When the following ACL is used to match routing entries in router RTA, which of the following entries will be matched? ( )

   [RTA]acl 2002
   [RTA-acl-basic-2002]rule deny source 172.16.1.1 0.0.0.0
   [RTA-acl-basic-2002]rule deny source 172.16.0.0 0.0.255.255

   A. 172.16.1.1/32
   B. 172.16.1.0/24
   C. 192.17.0.0/24
   D. 172.18.0.0/16

8. Which of the following parameters cannot be used in an advanced access control list? ( )

   A. Physical port
   B. Destination port number
   C. Protocol number
   D. Time range

9. (Multi-selection) When logging in to the router by Telnet, which authentication methods can be selected? ( )

   A. AAA local authentication
   B. No authentication
   C. Password authentication
   D. MD5 cipher authentication

10. (Multi-selection) At present the company has one network administrator, and the AR2200 in the company’s network is managed remotely through Telnet by entering a password directly. After two new network administrators arrive, the company wants to assign every administrator their own username and password, as well as different privilege levels. How should this be done? ( )

   A. When configuring each administrator’s account, different privilege levels need to be configured
   B. The user authentication mode configured for Telnet must use the AAA mode
   C. Configure three usernames and their corresponding passwords in the AAA view
   D. Each administrator uses a different public IP address of the device when running Telnet commands

11. The AAA protocol is a RADIUS protocol. This statement is ( ).

   A. Correct
   B. Incorrect

12. As shown in Fig. 9.14, create an ACL on router RTA that denies 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 access to each other while allowing these three network segments to access the Internet. Determine whether a basic ACL or an advanced ACL should be used, and the location and direction of the ACL binding. Create the ACL and bind it to the appropriate interface.

Fig. 9.12 Question 4

Fig. 9.13 Question 6

Fig. 9.14 Topology
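Several of the exercises above (2, 3, 5 and 7) turn on three mechanisms: how rule-ids are allocated when none is given, the order in which rules are checked, and how a wildcard mask selects addresses. The following Python model is an added example, not code from the book or from Huawei, that lets you try those exercises against a simulated basic ACL. Its conventions are this example's assumptions about VRP behaviour: automatic rule-ids start at the step (5) and continue at the next multiple of the step above the largest existing id, rules are matched in ascending rule-id order with the first match winning, and a packet that matches no rule is forwarded by traffic-filter. The class and function names are made up for the illustration.

```python
import ipaddress


def _parse_source(source):
    """'any', 'A.B.C.D', 'A.B.C.D 0' or 'A.B.C.D W.X.Y.Z' -> (address, wildcard) as ints.
    A wildcard bit of 1 means 'don't care'; a bare address or a wildcard of 0 means
    exactly that host."""
    if source == "any":
        return 0, 0xFFFFFFFF
    parts = source.split()
    addr = int(ipaddress.IPv4Address(parts[0]))
    if len(parts) == 1 or parts[1] == "0":
        return addr, 0
    return addr, int(ipaddress.IPv4Address(parts[1]))


class BasicAcl:
    """Model of a numbered basic ACL in config-order matching mode (assumed VRP
    behaviour: rules are checked in ascending rule-id order, first match wins)."""

    def __init__(self, number, step=5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000-2999")
        self.number = number
        self.step = step
        self.rules = {}  # rule-id -> (action, address, wildcard)

    def rule(self, action, source="any", rule_id=None):
        """Add a rule. Without rule_id the id is allocated automatically (assumed
        VRP allocation): `step` for the first rule, then the next multiple of
        `step` above the largest existing id. An explicit id that already exists
        overwrites that rule."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            if not self.rules:
                rule_id = self.step
            else:
                rule_id = (max(self.rules) // self.step + 1) * self.step
        self.rules[rule_id] = (action, *_parse_source(source))
        return rule_id

    def match(self, ip):
        """Return (rule_id, action) of the first rule that matches ip, or None."""
        ip_int = int(ipaddress.IPv4Address(ip))
        for rule_id in sorted(self.rules):
            action, addr, wild = self.rules[rule_id]
            # bits where the wildcard is 0 must be equal; bits set in the wildcard are ignored
            if ((ip_int ^ addr) & ~wild & 0xFFFFFFFF) == 0:
                return rule_id, action
        return None

    def filter_packet(self, src_ip):
        """traffic-filter semantics (assumed): a packet matching no rule is forwarded."""
        hit = self.match(src_ip)
        return "permit" if hit is None else hit[1]


if __name__ == "__main__":
    # Rules entered out of order with explicit ids: matching still follows the ids.
    acl = BasicAcl(2001)
    acl.rule("permit", "20.1.1.0 0.0.0.255", rule_id=20)
    acl.rule("deny", "20.1.1.0 0.0.0.255", rule_id=10)
    print("20.1.1.77 ->", acl.match("20.1.1.77"))

    # Rules without ids get 5, 10, ... in configuration order.
    auto = BasicAcl(2002)
    print("ids:", auto.rule("permit", "20.1.1.10"), auto.rule("permit", "30.1.1.10"))
    print("30.1.1.11 ->", auto.match("30.1.1.11"), "/ traffic-filter:", auto.filter_packet("30.1.1.11"))

    # A host rule and a /16-style wildcard rule over the same range.
    wild = BasicAcl(2003)
    wild.rule("deny", "172.16.1.1 0.0.0.0")
    wild.rule("deny", "172.16.0.0 0.0.255.255")
    for ip in ("172.16.1.1", "172.16.1.0", "192.17.0.0", "172.18.0.0"):
        print(ip, "->", wild.match(ip))
```

When a basic ACL filters routes, only the prefix address is compared with the rule's source and wildcard, which is why `match` takes a plain address; whether an unmatched entry is then permitted or denied depends on the feature that applies the ACL, so `filter_packet` encodes only the traffic-filter case.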