240 Configuring IP Access Lists

By Jimmy James,2014-04-21 08:33

     Configuring IP Access Lists

     王琳琳

     @2006 Steve6307 & Stanley WY. All rights reserved.

     CCNA+

     Access List Configuration Guidelines

     - Access list numbers indicate which protocol is filtered.
     - One access list per interface, per protocol, per direction is allowed.
     - The order of access list statements controls testing: statements are tested top-down and the first match wins, so place the most specific (and most restrictive) statements at the top of the list.
     - There is an implicit "deny any" statement as the last access list test.
     - Every list needs at least one permit statement; a list containing only deny statements blocks all traffic.
     - Create access lists before applying them to interfaces. On IOS, an access-group that refers to a list that does not exist yet filters nothing, so all traffic passes until the list is created.
     - Access lists filter traffic going through the router; they do not apply to traffic originating from the router.


     Access List Command Overview

     Step 1: Set parameters for this access list test statement (which can be one of several statements).

     Router(config)#access-list access-list-number {permit | deny} {test conditions}

     Step 2: Enable an interface to use the specified access list.

     Router(config-if)#{protocol} access-group access-list-number {in | out}

     Number ranges:
       Standard IP lists: 1-99, expanded range 1300-1999
       Extended IP lists: 100-199, expanded range 2000-2699


     Standard IP Access List Configuration

     Router(config)#access-list access-list-number {permit | deny | remark} source [mask]

     Sets parameters for this list entry.
     IP standard access lists use numbers 1 to 99.
     Default wildcard mask = 0.0.0.0, which matches only the single address given as source.
     "no access-list access-list-number" removes the entire access list.
     The remark option lets you add a description for the access list.

     Router(config-if)#ip access-group access-list-number {in | out}

     Activates the list on an interface and sets inbound or outbound testing (default = outbound).
     "no ip access-group access-list-number" removes the access list from the interface.


     Standard IP Access List Example 1

     Permit my network only.


     Standard IP Access List Example 2

     Deny a specific host.


     Standard IP Access List Example 3

     Deny a specific subnet.


     Extended IP Access List Configuration

     Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

     Sets parameters for this list entry

     Router(config-if)#ip access-group access-list-number {in | out}

     Activates the extended list on an interface


     Extended Access List Example 1

     Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0. Permit all other traffic.


     Extended Access List Example 2

     Deny only Telnet from subnet 172.16.4.0 out of E0. Permit all other traffic.
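     The configuration lines behind Standard IP Access List Examples 1 to 3 and the two Extended Access List Examples were on the slide diagrams and did not survive in this text copy. As an added example (not part of the slides, and not IOS itself), the following Python model parses the page's numbered access-list syntax and applies the rules the deck states: top-down testing with first match winning, an implicit "deny any" at the end of every list, a 0.0.0.0 default wildcard for standard lists, and the "established" keyword from the extended syntax. The function names, the port-name table and the 172.16.x.x addresses are assumptions for this example. The constructed SHADOWED list shows why statement order is crucial: a permit for a subnet placed before a deny for one of its hosts leaves that deny unreachable, which is the same mistake the "most specific statements first" guideline warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of IOS numbered access-list semantics (standard lists 1-99 and
# 1300-1999, extended lists 100-199 and 2000-2699). Function names, PORT_NAMES and
# the sample addresses are assumptions for this example, not IOS code or APIs.

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _port(text: str) -> int:
    return int(text) if text.isdigit() else PORT_NAMES[text]

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any IP packet; "tcp"/"udp" only that protocol
    src: int
    src_wild: int          # wildcard mask: 0 bits must match, 1 bits are "don't care"
    dst: int
    dst_wild: int
    sport: Optional[int]   # "eq N" after the source address, else None
    dport: Optional[int]   # "eq N" after the destination address, else None
    established: bool      # match only TCP segments with ACK (or RST) set

def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A [W]' at tok[i]; return (addr, wildcard, next i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _addr(tok[i + 1]), 0, i + 2
    addr = _addr(tok[i])
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return addr, _addr(tok[i + 1]), i + 2
    return addr, 0, i + 1      # wildcard omitted (standard list): IOS default is 0.0.0.0

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' line in the page's numbered syntax."""
    tok = line.split()
    assert tok[0] == "access-list", line
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard list: source only
        src, sw, _ = _parse_addr(tok, 3)
        return Entry(action, "ip", src, sw, 0, 0xFFFFFFFF, None, None, False)
    proto = tok[3]
    src, sw, i = _parse_addr(tok, 4)
    sport = None
    if i < len(tok) and tok[i] == "eq":                       # optional source port
        sport, i = _port(tok[i + 1]), i + 2
    dst, dw, i = _parse_addr(tok, i)
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = _port(tok[i + 1]), i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            i += 1                           # "log" and similar keywords do not change the verdict
    return Entry(action, proto, src, sw, dst, dw, sport, dport, established)

def _match(addr: int, entry_addr: int, wild: int) -> bool:
    return ((addr ^ entry_addr) & (~wild & 0xFFFFFFFF)) == 0

def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "ip",
             sport: Optional[int] = None, dport: Optional[int] = None,
             ack: bool = False) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (verdict, index of the matching entry);
    index None means the implicit 'deny any' at the end of the list fired."""
    s, d = _addr(src), _addr(dst)
    for idx, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not (_match(s, e.src, e.src_wild) and _match(d, e.dst, e.dst_wild)):
            continue
        if (e.sport is not None and e.sport != sport) or (e.dport is not None and e.dport != dport):
            continue
        if e.established and not ack:
            continue
        return e.action, idx
    return "deny", None

def build(*lines: str) -> List[Entry]:
    return [parse_entry(l) for l in lines]

# Constructed sample lists; the 172.16.x.x addresses are assumptions standing in for
# the slide diagrams that did not survive in this text copy.
PERMIT_MY_NETWORK = build("access-list 1 permit 172.16.0.0 0.0.255.255")
DENY_HOST = build("access-list 2 deny 172.16.4.13",                  # no wildcard: 0.0.0.0
                  "access-list 2 permit 0.0.0.0 255.255.255.255")
DENY_SUBNET = build("access-list 3 deny 172.16.4.0 0.0.0.255",
                    "access-list 3 permit any")
SHADOWED = build("access-list 4 permit 172.16.4.0 0.0.0.255",        # wrong order: the
                 "access-list 4 deny 172.16.4.13")                    # deny is never reached
DENY_FTP = build("access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
                 "access-list 101 permit ip any any")
DENY_TELNET = build("access-list 102 deny tcp 172.16.4.0 0.0.0.255 any eq 23",
                    "access-list 102 permit ip any any")
RETURN_ONLY = build("access-list 103 permit tcp any 172.16.3.0 0.0.0.255 established")
```

     Two caveats the model makes visible. The deny-FTP line matches only the control connection on TCP 21; that is enough to stop an FTP session from being set up, but it says nothing about port 20 or passive data ports, which the second line of that list permits. And the RETURN_ONLY list permits nothing until a segment carries the ACK bit, which is what "established" means: it is a check on a TCP flag, not stateful tracking of a session. The model deliberately leaves out ICMP, port ranges and named lists.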


     Using Named IP Access Lists

     Router(config)#ip access-list {standard | extended} name

     Alphanumeric name string must be unique.

     Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
     Router(config {std- | ext-}nacl)#no {permit | deny} {ip access list test conditions}

     Permit or deny statements have no prepended number. "no" in front of a statement removes that specific test from the named access list.

     Router(config-if)#ip access-group name {in | out}

     Activates the IP named access list on an interface.


     Filtering vty Access to a Router

     - Five virtual terminal lines (0 through 4) on the routers this module assumes; newer platforms have more (for example 0 through 15), and every one of them must carry the same restriction.
     - Filter the addresses that can access the router's vty ports.
     - Filter vty access out from the router.


     How to Control vty Access

     - Set up an IP address filter with a standard access list statement.
     - Use line configuration mode to filter access with the access-class command.
     - Set identical restrictions on every vty.


     vty Commands

     Router(config)#line vty {vty# | vty-range}

     Enters configuration mode for a vty or vty range

     Router(config-line)#access-class access-list-number {in | out}

     Restricts incoming or outgoing vty connections to the addresses matched by the access list


     vty Access Example

     Controlling Inbound Access

     access-list 12 permit 192.168.1.0 0.0.0.255
     ! (implicit deny all)
     line vty 0 4
      access-class 12 in

     Permits only hosts in network 192.168.1.0 0.0.0.255 (192.168.1.0/24) to connect to the router's vty lines; every other source address hits the implicit deny.


     Access List Configuration Principles

     - The order of access list statements is crucial.
       Recommended: use a text editor on a PC to create the access-list statements, then cut and paste them into the router.
       Top-down processing is important: place the more specific test statements first.

     - No reordering or removal of individual statements in numbered lists.
       Use the "no access-list number" command to remove the entire access list.
       Exception: named access lists permit removal of individual statements.

     - An implicit "deny all" is applied to any packet that does not match any access-list statement, unless the access list ends with an explicit "permit any" statement.


     Where to Place IP Access Lists

     Place extended access lists close to the source: they can match on destination and port, so unwanted traffic is dropped before it consumes bandwidth across the network. Place standard access lists close to the destination: they match on source address only, so placing one near the source would cut that source off from every destination, not just the one you mean to protect.


     Verifying Access Lists

     The lines to check are "Outgoing access list" and "Inbound access list": they show which list, if any, is applied in each direction on the interface.

     wg_ro_a#show ip interfaces e0
     Ethernet0 is up, line protocol is up
       Internet address is 10.1.1.11/24
       Broadcast address is 255.255.255.255
       Address determined by setup command
       MTU is 1500 bytes
       Helper address is not set
       Directed broadcast forwarding is disabled
       Outgoing access list is not set
       Inbound access list is 1
       Proxy ARP is enabled
       Security level is default
       Split horizon is enabled
       ICMP redirects are always sent
       ICMP unreachables are always sent
       ICMP mask replies are never sent
       IP fast switching is enabled
       IP fast switching on the same interface is disabled
       IP Feature Fast switching turbo vector
       IP multicast fast switching is enabled
       IP multicast distributed fast switching is disabled


     Monitoring Access List Statements

     wg_ro_a#show {protocol} access-list {access-list number}

     wg_ro_a#show access-lists {access-list number}

     wg_ro_a#show access-lists
     Standard IP access list 1
         permit 10.2.2.1
         permit 10.3.3.1
         permit 10.4.4.1
         permit 10.5.5.1
     Extended IP access list 101
         permit tcp host 10.22.22.1 any eq telnet
         permit tcp host 10.33.33.1 any eq ftp
         permit tcp host 10.44.44.1 any eq ftp-data


     END

