Part VIII – Access Lists
Packets are compared to the entries of an access list sequentially until a match is found. If no entry matches, the packet is discarded (the implicit deny at the end of every list). Access lists filter traffic passing through the router, not traffic originated by the router itself. Place standard IP access lists as close to the destination as possible, and extended IP access lists as close to the source as possible. You can only assign two access lists per interface, one in each direction.
| Access Lists | IP | IPX |
| --- | --- | --- |
| Standard | Use source IP address | Use source and destination IPX address |
| Extended | Use source, destination IP address, protocol and port number | Use source, destination IPX address, Network layer protocol and socket number |
To define a standard IP access list (00 < number < 99):
config t
access-list number deny/permit sourcehostname/(address matching-range)/any/(host address)
The number determines which protocol the list is for and whether it is standard or extended. The available number ranges depend on the IOS version you are using.
When you specify an address with a matching-range, the matching-range is a wildcard mask whose value is the number of addresses covered minus 1. The number of addresses is restricted to a power of two (1, 2, 4, 8, 16, 32, 64, 128, 256), so the matching-range is restricted to (0, 1, 3, 7, 15, 31, 63, 127, 255). The starting address must also be a multiple of the block size. For example, to allow 172.10.32.0 to 172.10.63.255, you would use the command:
access-list 10 permit 172.10.32.0 0.0.31.255
You would not be able to permit 172.10.35.0 to 172.10.66.255, because that block does not start on a multiple of its size.
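The wildcard-mask rule above, together with the sequential first-match and implicit-deny behaviour described at the start of this part, as an added example written for these notes (it is not from the original post and does not talk to a router): the function derives the wildcard mask for a range and rejects ranges that are not an aligned power-of-two block, and a small evaluator applies a constructed standard list to sample source addresses.

```python
# Added example (not from the original notes): derive a standard-ACL wildcard
# mask for a contiguous address block and evaluate packets against a standard
# IP access list with first-match semantics and the implicit deny at the end.
import ipaddress


def wildcard_for_range(first: str, last: str) -> str:
    """Return the wildcard mask covering first..last inclusive, or raise
    ValueError when the range is not a power-of-two block that starts on a
    multiple of its size (the constraint described in the notes)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size < 1 or size & (size - 1):           # size must be a power of two
        raise ValueError(f"{first}-{last}: size {size} is not a power of two")
    if lo % size:                                # must start on a block boundary
        raise ValueError(f"{first}-{last}: does not start on a multiple of {size}")
    return str(ipaddress.IPv4Address(size - 1))  # wildcard = block size - 1


def matches(addr: str, entry_addr: str, wildcard: str) -> bool:
    """A packet matches an entry when every bit where the wildcard is 0 agrees."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (e & ~w)


def evaluate(acl: list[tuple[str, str, str]], src: str) -> str:
    """Standard ACL: compare the source address to each entry in order and
    return the first matching action; no match means the packet is dropped."""
    for action, entry_addr, wildcard in acl:
        if matches(src, entry_addr, wildcard):
            return action
    return "deny"  # implicit deny at the end of every access list


# Constructed sample list, equivalent to two "access-list 10 ..." lines.
ACL_10 = [
    ("deny", "172.10.35.7", "0.0.0.0"),   # host 172.10.35.7, listed first
    ("permit", "172.10.32.0", wildcard_for_range("172.10.32.0", "172.10.63.255")),
]

if __name__ == "__main__":
    print(evaluate(ACL_10, "172.10.40.1"))   # permit
    print(evaluate(ACL_10, "172.10.35.7"))   # deny (host entry matches first)
    print(evaluate(ACL_10, "172.10.70.1"))   # deny (implicit)
```

Swapping the two entries in ACL_10 would let 172.10.35.7 through, which is why entry order matters as much as the entries themselves.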
To define an extended IP access list (100 < number < 199):
config t
access-list number deny/dynamic/permit protocol (sourceaddress matching-range)/any/(host sourceaddress) [(destaddress matching-range)/any/(host destaddress)] [(eq/neq/gt/lt port#)/(range port#start port#end)] [log/log-input]
where protocol must be a transport-layer protocol (tcp, udp or icmp) if you want to filter on ports. port# can also be a well-known port name.
To define a standard IPX access list (800 < number < 899):
config t
access-list number deny/permit sourceaddress destaddress
(where -1 means any.)
To define an extended IPX access list (900 < number < 999):
config t
access-list number deny/permit protocol sourceaddress sourcesocket destaddress destsocket
To define an IPX SAP filter list (1000 < number < 1099):
config t
access-list number deny/permit sourceaddress servicetype
To apply an access list to an interface, once it has been defined:
int e0
ip access-group number in/out
To apply an access list to the VTY lines to control Telnet access:
line vty 0 4
access-class number in/out
To apply an IPX SAP filter to an interface, use:
ipx input-sap-filter/output-sap-filter number
This stops SAP entries from being entered in the SAP table (input filter) or from being propagated out (output filter).
Other access list commands:
show access-list [number]: displays all access lists, or the specified one, but does not show which interface(s) it is applied to.
show ip access-list: shows only the IP access lists on the router, but does not indicate which interface (if any) they apply to.
show ipx access-list: shows only the IPX access lists and SAP filters, but does not indicate which interface (if any) they apply to.
show ip interface: shows which interfaces have access lists applied to them.
show ipx interface [interface/brief]: shows the IPX address of all interfaces or one interface, as well as its access list and inbound/outbound SAP filters.
show running-config: shows the access lists and the interfaces they are applied to.
clear access-list counters: resets the counters that record the number of packets matched by each line of an access list.