Washington Elementary School District Data Network Project: Sunnyslope School
Miscellaneous Design Details

Access Control Lists (ACLs)

Access Control Lists (ACLs) are router configuration statements that control how packets are processed by a router.

At Sunnyslope school, there is a need to restrict traffic from the Curriculum (C) VLAN entering the Administration / Staff (A) VLAN, except for traffic destined for the server that provides the Network Operating System (NOS), Domain Name Service (DNS) and email. This is achieved by applying access list 101 to the ethernet 0 interface (the A LAN interface) in an outbound direction. The access list statements are shown below:

access-list 101 permit ip 130.10.8.0 0.0.1.255 host 130.10.6.159
access-list 101 deny ip 130.10.8.0 0.0.1.255 any
access-list 101 permit ip any any

Packets routed to the ethernet 0 interface are checked against the statements of the access list. They can be permitted and queued for delivery or denied and dropped.

The first line of the access list checks that the source address is a host on the C LAN, 130.10.8.0, and that the destination is the server at 130.10.6.159. The wildcard mask, 0.0.1.255, causes the router to ignore the host portion of the source address but match the subnet network address. The keyword host tells the router to match the full destination host address. If a match is made, the packet is permitted. If no match is made, the next line is checked.

The second line checks for a source address on the C LAN and any destination on the A LAN. If a match is made, the packet is denied. If no match is made, the next line is checked.

The third line checks for any source and any destination address and, if a match is made, the packet is permitted. If no match is made, the packet is dropped due to the implicit deny statement at the end of every access list.

At Sunnyslope school there is also a need to restrict access from the C LAN to particular services outwith the school, namely WWW, DNS and email. This is achieved by applying access list 102 to the serial 0 interface (the WAN interface) to check outbound traffic.

access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 80
access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 25
access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 53
access-list 102 permit udp 130.10.8.0 0.0.1.255 any eq 53
access-list 102 deny ip 130.10.8.0 0.0.1.255 any
access-list 102 permit ip any any

In line 1, a match is made if the source address is a host on the C LAN, the destination is any and the TCP port number is 80, i.e. WWW. If matched, the packet is permitted.

If not matched, line 2 is checked. A match is made if the source address is a host on the C LAN, the destination is any and the TCP port number is 25, i.e. SMTP (email). If matched, the packet is permitted.

If not matched, line 3 is checked. A match is made if the source address is a host on the C LAN, the destination is any and the TCP port number is 53, i.e. DNS. If matched, the packet is permitted.

If not matched, line 4 is checked. A match is made if the source address is a host on the C LAN, the destination is any and the UDP port number is 53, i.e. DNS. If matched, the packet is permitted.

If not matched, line 5 is checked. A match is made if the source address is a host on the C LAN and the destination is any address. If matched, the packet is denied.

If not matched, line 6 is checked. A match is made for any IP packet, whatever its source and destination address. If matched, the packet is permitted.

Again the implicit deny statement denies traffic that does not meet any of the conditions.

The Firewall router has a similar access list to access list 101 above restricting traffic to WWW, DNS and SMTP only.

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 53
access-list 101 permit udp any any eq 53

The access list allows any source and destination address and makes use of the implicit deny statement to restrict traffic. This access list is applied to both the ethernet 0 and serial 0 interfaces in an outbound direction allowing only WWW, DNS and SMTP traffic between the Internet and the Public Backbone.

The PhoenixCOA router has the access list shown below applied to the ethernet 2 interface in an inbound direction. While inbound ACLs are normally considered less efficient, in this instance only traffic from the Public Backbone is checked, not internal traffic through the router.

access-list 101 permit ip any any established

Established means that only traffic returning to hosts using an already established connection will match the statement and be permitted, i.e. the acknowledgement (ACK) or the reset (RST) bit is set.
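To show how the router walks these lists, here is an added example (not part of the original design) that parses the access-list statements quoted above and evaluates constructed sample packets against them, including the wildcard mask, the implicit deny and the established keyword. The sample addresses, ports and the evaluator itself are assumptions made for illustration, not a Cisco implementation.

```python
import ipaddress
# Constructed copies of the access lists given above: 101 (A LAN, outbound), 102 (WAN,
# outbound) and the PhoenixCOA 'established' rule, evaluated against sample packets.
ACL_101 = """
access-list 101 permit ip 130.10.8.0 0.0.1.255 host 130.10.6.159
access-list 101 deny ip 130.10.8.0 0.0.1.255 any
access-list 101 permit ip any any
"""
ACL_102 = """
access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 80
access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 25
access-list 102 permit tcp 130.10.8.0 0.0.1.255 any eq 53
access-list 102 permit udp 130.10.8.0 0.0.1.255 any eq 53
access-list 102 deny ip 130.10.8.0 0.0.1.255 any
access-list 102 permit ip any any
"""
ACL_ESTABLISHED = "access-list 101 permit ip any any established"

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tok):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (addr, care_mask, remaining tokens)."""
    if tok[0] == "any":
        return 0, 0, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0xFFFFFFFF, tok[2:]
    # care_mask is the inverted wildcard: 1-bits must match, 0-bits are ignored
    return _ip(tok[0]), 0xFFFFFFFF ^ _ip(tok[1]), tok[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq PORT] [established]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, src_care, rest = _parse_addr(rest)
        dst, dst_care, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, src_care, dst, dst_care, port, "established" in rest))
    return rules

def evaluate(rules, proto, src, dst, dport=None, ack_or_rst=False):
    """Check a packet top-down; the first matching line wins, else the implicit deny applies."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, rs, sc, rd, dc, rport, est in rules:
        if rproto not in ("ip", proto) or (rport is not None and rport != dport):
            continue  # wrong protocol ('ip' matches any) or wrong destination port
        if (s & sc) == (rs & sc) and (d & dc) == (rd & dc) and (ack_or_rst or not est):
            return action  # addresses match; 'established' also needs ACK or RST set
    return "deny (implicit)"
```

Note that 130.10.10.5 falls outside the 130.10.8.0 0.0.1.255 range (it covers 130.10.8.0 to 130.10.9.255), so such a source reaches the final permit in list 101.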

See also Network Security Description.

IPX Traffic

The decision to implement Novell IPX for the purposes of teaching Novell Netware in the Computer Lab will have an effect on the available bandwidth throughout the Washington Elementary School District. However, as IPX is implemented only on the curriculum LANs, the effect on the Administration LANs will be restricted to the WAN.

As routers are multi-protocol devices, they can process a number of configured routed protocols and the routing protocols required to support the routed protocols. This requires extra memory on the routers to maintain routing tables for each protocol. Furthermore, with Distance Vector routing protocols such as RIP and IGRP, routing tables are maintained by means of periodic updates sent between adjacent routers which requires bandwidth. With IPX RIP, updates are sent every 60 seconds.

Servers running IPX advertise the services they provide such as files and printing by means of SAP packets broadcast every 60 seconds. Routers do not forward these broadcasts but build tables of the services available and forward these tables to other routers every 60 seconds.

Traffic Flow

Traffic within each school, being of a switched ethernet design with VLANs, requires the services of a router for communication between the VLANs subject to the restrictions imposed by the ACLs.

Traffic between the schools is via the core WAN, which consists of three fully interconnected hub sites. Each school is connected to the nearest hub site. The connection between each pair of hub sites consists of 4 x T1 point-to-point links. Traffic to and from the Internet is via a Frame Relay PVC with a CIR of 1.544 Mbit/s, terminated at the Phoenix NWCO hub site.

Redundancy

School Sites

At each School, there will be no redundancy to keep costs down. Any network failure will be service interrupting. There will, however, be spare fibres in the vertical cabling which can be used for maintenance patch outs or future bandwidth requirements.

District Offices

Each District Office will have redundancy on the fibre links to the telecomms company by having 2 separate fibre feeds to separate telephone exchanges.

Further redundancy will be provided by the connection of each of the 4 links to the other District Offices on a separate router. All 4 routers will be connected together, but the lack of spare network addresses prohibited their connection in a ring.

See also District WAN Description and Pros and Cons of Design.

Routing Updates

All distance vector routing protocols require routers to forward a copy of their routing tables to their neighbours. The exception is details of networks that were originally learned from that neighbour. This process is known as split horizon and is a means of avoiding routing loops, which could be caused by distributing incorrect or out-of-date routing information across the network.

In the Washington Elementary School District, two routing protocols are implemented: IGRP for the IP network and Novell IPX RIP for the IPX network.

The default frequency for sending routing table updates depends on the protocol: for IGRP it is every 90 seconds and for Novell IPX RIP it is every 60 seconds. If multiple encapsulations are required to suit the different versions of Novell IPX that are implemented, the result is more routing tables, as the router maintains a separate table for every Novell IPX protocol implemented. These frequent updates can have an adverse effect on bandwidth availability, particularly on serial links.

Point-to-Point Protocol (PPP)

PPP is the most popular and widely implemented WAN protocol because of the features it offers, such as:

  • Control of data link set-up.
  • Configuration of the link.
  • Link quality testing and error detection.
  • Encapsulation of various network-layer protocols.
  • Dynamic assignment of IP addresses.
  • Negotiation of options such as data compression and network-layer addresses.

To establish, configure, maintain and terminate a point-to-point link, PPP has four stages:

  • The originating node sends Link Control Protocol (LCP) frames which establish and configure the link. The configuration options include the Maximum Transmission Unit (MTU), compression of certain PPP fields and the authentication protocol.
  • Next, an optional stage confirms that the link is of sufficient quality to proceed with enabling the network-layer protocols over the link.
  • The originating node now sends Network Control Protocol (NCP) frames to configure the required network-layer protocols. PPP enables multiple protocols, such as IP, IPX and AppleTalk, to be configured on the same link.
  • The link remains configured until LCP or NCP frames terminate the link or some event such as a user's intervention or a time-out occurs.

PPP supports two types of authentication, Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP is a two-way process whereby the originating node repeatedly sends, in clear text, the username and password until an acknowledgement is received or the link is terminated.

CHAP uses a three-way handshake. The originating node must receive a challenge from the remote node before sending a response. Only after this response is accepted does the link establishment continue.

PAP only requires authorisation once, at the link establishment stage, and is vulnerable to trial-and-error attempts at authorisation and to modem playback attacks. CHAP issues challenges at various intervals which require the correct response, otherwise the connection is terminated. This increases security.
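The contrast between the two methods, as an added illustration that is not part of the original design: PAP puts the password itself on the wire, whereas a CHAP response is a one-way hash of a per-round challenge (the RFC 1994 computation), so a response recorded from the line is useless against the next challenge. The shared secret, peer names and credentials below are constructed values, not the district's configuration.

```python
import hashlib
import hmac
import os

# Constructed illustration of the PAP and CHAP exchanges described above. The CHAP
# response is the RFC 1994 computation MD5(identifier || secret || challenge); the
# secret and peer credentials are made-up values, not the district's configuration.
SECRET = b"sunnyslope-wan-secret"  # shared secret configured on both peers

def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP: the originating node sends the credentials themselves, in clear text."""
    return username.encode() + b":" + password.encode()

def chap_challenge() -> tuple:
    """Remote node: a fresh identifier and random challenge value for this round."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Originating node: prove knowledge of the secret without sending it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Remote node recomputes the expected response and compares in constant time."""
    return hmac.compare_digest(chap_response(identifier, challenge, secret), response)

def demo() -> tuple:
    """Returns (genuine response accepted, earlier response replayed on a new challenge)."""
    ident, chal = chap_challenge()
    resp = chap_response(ident, chal, SECRET)
    accepted = chap_verify(ident, chal, resp, SECRET)
    # The next challenge differs, so a response recorded earlier is worthless to a
    # listener on the line, unlike a PAP username/password pair, which is reusable.
    ident2, chal2 = chap_challenge()
    replayed = chap_verify(ident2, chal2, resp, SECRET)
    return accepted, replayed
```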

Frame Relay

Frame Relay is an efficient WAN protocol designed for use over high-quality digital links, originally ISDN. It provides no error correction and relies on upper-layer protocols for it. It is a packet-switched technology, normally implemented via a series of interconnected Frame Relay switches within a telecomms supplier's network. It can also be provided using an entirely privately owned network; however, this negates the efficient and flexible use of bandwidth that comes from sharing the bandwidth of the core network with other users.

An access link is provided between the customer's router and the Frame Relay switch. This link can support multiple Permanent Virtual Circuits (PVCs), which are identified on the link by Data-Link Connection Identifiers (DLCIs). The service provider guarantees an agreed rate of data transfer on each PVC, known as the Committed Information Rate (CIR). Bursting above this rate is allowed, up to the bandwidth of the access link, but frames received by the switch above the CIR are tagged as Discard Eligible (DE) and will be dropped if congestion is encountered in the network. If a frame encounters congestion in the network, the routers at each end of the PVC are notified by means of a Forward Explicit Congestion Notification (FECN) sent to the receiving device and a Backward Explicit Congestion Notification (BECN) sent to the transmitting device. On receipt of a BECN, the transmission rate is reduced by 25%.

Frame Relay connections are typically not charged on the basis of radial distance between the terminals but only for the PVC CIRs and the bandwidth of the access links. Savings in customer administration time can be achieved because the telecomms company is responsible for network administration.