Command
Description
show access-lists
Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on.
show access-list [list #]
Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on.
show ip access-list
Shows only the IP access lists configured on the router.
show ipx access-list
Shows only the IPX access lists configured on the router.
show ip interface
Shows which interfaces have IP access lists on them.
show ipx interface
Shows which interfaces have IPX access lists on them.
show running-config
Shows the access lists and which interfaces have access lists set.
any
Keyword used to represent all hosts or networks, replaces 0.0.0.0 255.255.255.255 in access list.
host
Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e will match only 1 host)
clear access-list counter [list#]
Clears extended access lists counter of the number of matches per line of the access list.
-1
Applies to any IPX network or any protocol when used in extended IPX access lists.
0
Used for all sockets in extended IPX access lists.
ip access-group
Applies an IP access list to an interface.
ipx access-group
Applies an IPX access list to an interface.
ipx input-sap-filter
Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter
Applies an outbound IPX SAP filter to an interface.
Access List Ranges
Access List Type
Number
Standard IP Access Lists
1-99
Extended IP Access Lists
100-199
Standard IPX Access Lists
800-899
Extended IPX Access Lists
900-999
IPX SAP Filters
1000-1099
Standard Access List Syntax
IP access-list 1-99 {permitdeny} address mask
Variable
Definition
1-99
Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater.
{permitdeny}
Used to specify the nature of the access list, either a permit or deny statement.
address
The IP address of the source.
mask
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.
IPX access-list 800-899 {denypermit} source-network[.source-address[source-mask]] destination-network[.destination-address[destination-mask]]
Variable
Definition
800-899
Standard IPX access lists are represented by a number ranging from 800-899.
{denypermit}
Used to specify the nature of the access list either a permit or deny statement.
source-network[.source-address[source-mask]]
The IPX address of the source network or node.
destination-network[.destination-address[destination-mask]]
The IPX address of the destination network or node.
Extended Access List Syntax
IP access-list 100-199 {permitdeny} {iptcpudpicmp} source source-mask [ltgteqneq] [source-port] destination dest-mask [ltgteqneq] [dest-port] [log]
Variable
Definition
100-199
Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater.
{permitdeny}
Used to specify the nature of the access list either a permit or deny statement.
{iptcpudpicmp}
The IP protocol to be filtered can be IP (includes all protocols in the TCP/IP suite) TCP,UDP,ICMP,or others.
source
The IP address of the source
source-mask
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.
[ltgteqneq]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[source-port]
If necessary, the source port number of the protocol to be filtered.
destination
The IP address of the destination
dest-mask
A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant.
[ltgteqneq]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[dest-port]
If necessary, the destination port number of the protocol to be filtered.
[log]
Turns on logging of access list activity.
IPX access-list 900-999 {denypermit} protocol source-network.[source-address[source-mask]] socket destination-network.[destination-address[dest-mask]] destination-socket
Variable
Definition
900-999
Extended IPX access lists are represented by a number ranging from 900-999.
{denypermit}
Used to specify the nature of the access list either a permit or deny statement.
protocol
IPX protocol, a -1 specifies all IPX protocols.
source-network.[source-address[source-mask]]
The IPX address of the source network or node.
socket
Source socket similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
destination-network.[destination-address[dest-mask]]
The IPX address of the destination network or node.
socket
Destination socket, similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
SAP Filters
SAP access-list 1000-1099 {permitdeny} network.[address] [service-type]
Variable
Definition
1000-1099
IPX SAP filters are represented by a number in the range of 1000-1099.
{permitdeny}
Used to specify the nature of the access list either a permit or deny statement.
network.[address]
The IPX address of the source network or node.
[service-type]
IPX services such as print services, file services, or directory services, a 0 is for all services
Access Lists
Access lists regulate network traffic flow and security by using permit and deny statements that filter traffic based on source address, destination address, and protocol type of a packet. They are available for IP, IPX, AppleTalk, and other protocols.
Access lists must be entered in sequentially, you can't move individual statements once they are entered. You can disable the access list with the no access-list [list #] command. It is common to create the access list separately and apply it by copying and pasting it into the router configuration.
To copy an externally created access list, for example from a TFTP server, create the list on the TFTP host and save the file as plain text (ASCII). Then, from your router, use the copy tftp running-config file_id command to copy the access list to your router. Finally, perform the copy running-config startup-config command to save the access list to your router's NVRAM. The first command of an edited access list file should delete the previous access list (for example, type a no access-list command at the beginning of the file) else the new rules will be appended to the end of the access list.
If you telnet into a router and apply an access list, there is the possibility that you could be blocked from the router. To avoid the inconvenience of being locked out, use the command reload in [hh:mm]. This command will cause the router to restart and load a startup-config without the access list that blocked access.
Access List Rules
Access lists must be applied sequentially and they always end with an implicit deny statement. Since all traffic not explicitly permitted in the access list is blocked, using the command access-list [list #] permit any at the end of the access list allows remaining traffic that hasn't been blocked with a deny statement through the interface. This is why you can't append new rules to an access list, any statements added after the permit any or implicit deny command wouldn't be evaluated, a packet is only evaluated by an access list until it matches a statement. You should place first on the list the lines that are most likely to find a match, this will reduce unnecessary processing and save CPU time. To remove an access-list use the command no access-list [list #]. This command removes the entire access list. If you don't remove an access list first, all new lines will be appended to the end of the old one. After you create access lists, you must apply them to an interface so they can filter traffic. They can be either outgoing or incoming filters.
Access List Type
Number
Standard IP Access Lists
1-99
Extended IP Access Lists
100-199
Standard IPX Access Lists
800-899
Extended IPX Access Lists
900-999
IPX SAP Filters
1000-1099
Applying an Access List Router(config-if)#ip access-group ? <1-199> IP access list (standard or extended) <1300-2699> IP expanded access list (standard or extended) WORD Access-list name
The following command filters incoming traffic with standard IP access-list 1 Router(config-if)#ip access-group 1 in
The following command filters outgoing traffic with standard IP access-list 1 Router(config-if)#ip access-group 1 out
If the filter direction (in or out) isn't specified, it uses outbound by default. An interface can't have more than one inbound or more than one outbound access list applied to it. Multiple lists are allowed if the lists are for different protocols.
Access Lists Follow These Rules
Routers apply lists sequentially in the order in which you type them into the router.
Routers apply lists to packets sequentially, from the top down, one line at a time.
Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in access list statements.
Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
Access lists must be applied to an interface as either inbound or outbound traffic filters.
Only one list, per protocol, per direction can be applied to an interface.
Two Main Types of Access Lists
1. Standard
Standard IP Access Lists
Standard IP access lists filter network traffic based on the source IP address. Using a standard access list, you can filter traffic by a host IP address, subnet, or a network address. In order to configure standard IP access lists, you you must first create the access list and then apply it to an interface using the following syntax: access-list [list #] [permitdeny] [source address] [source wildcard mask]
Variable
Definition
[list #]
Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[source address]
The IP address of the source
[source wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant
Wildcard masks are the inverse of the subnet, the 0's are significant and the 1's are not significant. If you compare the source address to the wildcard mask, the source address bits that match up with the 0's specifies the network (only one) and the source address bits that match the 1's are all the hosts to which the list applies.
Wildcard Examples
Source
Wildcard
Host Range
Matches
192.168.1.55
0.0.0.0
192.168.1.55
One host
192.168.1.0
0.0.0.255
192.168.1.1 - 192.168.1.255
Last octet (one network)
192.168.0.0
0.0.255.255
192.168.0.1 - 192.168.255.255
Last two octets (entire 192.168.0.0 network)
142.110.16.0
0.0.7.255
142.110.16.1 - 142.110.23.255
Last octet and right 3 bits of second from right octet (part of the network)
172.16.32.0
0.0.31.255
172.16.32.1 - 172.16.63.255
Last octet and right 5 bits of second from right octet (part of the network)
Example for Standard IP Access Lists Router(config)#access-list 1 deny host 192.168.1.4 Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255 Router(config)#int e0 Router(config-if)#ip access-group 1 out
This access list allows traffic from 192.168.1.4 to enter the router, but the access list denies it from exiting on interface Ethernet 0. The deny statement uses the default wildcard mask of 0.0.0.0 (i.e. all bits are significant and it only applies to one host). The 0.0.0.0 255.255.255.255 can be replaced with the word any. The list is applied to the outbound of one interface as opposed to the inbound. This will prevent the host being blocked from other networks on the router that might not have been intended since traffic from 192.168.1.4 can enter the router and be switched to other networks on interfaces other than ethernet 0. You should apply the standard IP access list as close to the destination network as possible, or you could inadvertently block access to portions of your network. Use the command show access-lists to see the access lists on your router. For just IP access lists use the command show ip access-list.
To remove the access list use the command no access-list [list #]. Use the show ip interface and the show interface commands to verify that an access list has been successfully applied to an interface.
Standard IPX Access Lists
Standard IPX Access Lists are similar to standard IP access lists, except they can filter based on source and destination addresses or networks. access-list [list #] [permitdeny] [source network/ node address] [destination network/ destination address]
Variable
Definition
[list #]
Standard IPX access lists are represented by a number ranging from 800-899
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[source network/ node address]
The IPX address of the source network or node
[destination network/ destination address]
The IPX address of the destination network or node
The following access list denies IPX network 500 from accessing IPX network 200 on inbound ethernet 0 and then permits all others. This access list should be applied as close to network 500 as possible to reduce network traffic.
Example Router(config)#access-list 800 deny 500 200 Router(config)#access-list 800 permit -1 -1 Router(config)#int e0 Router(config-if)#ipx access-group 800 in
The -1 is like the IP's any command, it applies to all hosts. Standard IPX access lists can be seen with the command show access-lists or show ipx accest-list.
2. Extended
Extended IP Access Lists
Extended IP access lists can filter based on source IP address, destination IP address, protocol type, and application destination and source port numbers, whereas standard IP access lists only filter sources addresses. You also configure extended IP access lists by creating the list and applying it to an interface using the following syntax: access-list [list #] [permitdeny] [protocol] [source IP addr] [source wildcard mask] [operator] [port] [destination IP addr] [destination wildcard mask] [operator] [port] [log]
Variable
Definition
[list #]
Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[protocol]
The IP protocol to be filtered can be IP (includes all protocols in the TCP/IP suite) TCP,UDP,ICMP,or others
[source address]
The IP address of the source
[source wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant
[operator]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number
[port]
If necessary, the source port number or name of the protocol to be filtered.
[destination address]
The IP address of the destination
[destination wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant
[operator]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number
[port]
If necessary, the destination port number or name of the protocol to be filtered
[log]
Turns on logging of access list activity
Example: This access list will block 192.168.1.10 from accessing TCP port www (http[80]) on host 192.168.2.2. The host keyword is a shortcut for the 0.0.0.0 wildcard mask. Since extended IP access lists use destination addresses, the list should be applied as close to the source as possible to reduce unnecessary traffic on the network. Router(config)#access-list 100 deny tcp host 192.168.1.10 host 192.168.2.2 eq www Router(config)#access-list 100 permit ip any any Router(config)#int e0 Router(config-if)#ip access-group 100 in
To remove the access list use the command no ip access-group [list #]. Use the same commands to monitor an extended IP access list as a standard access list i.e. show access-lists or show ip access-list. Extended IP access lists show the number of matches per line of the access list; to clear these counters, use the command clear access-list counter [list #].
Extended IPX Access Lists
Extended IPX access lists allow you to filter based on source and destination network or node address, IPX protocol type, and IPX socket #.access-list [list #] [permitdeny] [protocol] [source network/ node address] [socket] [destination network/ node address] [socket]
Variable
Definition
[list #]
Extended IP access lists are represented by a number ranging from 900-999.
[permitdeny]
Used to specify the nature of the access list, either a permit or deny statement.
[protocol]
IPX protocol, a -1 specifies all IPX protocols.
[source network/ node address]
The IPX address of the source network or node.
[socket]
Similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
[destination network/ node address]
The IPX address of the destination network or node.
[socket]
Similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
Example: The -1s are for any ipx protocol or network. This access list denies all protocols (-1) and all sockets (0) from IPX network 500 from going to IP network 200 (all sockets also). The access list should be applied to the inbound interface that IPX network 500 is on. This will reduce network traffic and save router resources. Router(config)#access-list 900 deny -1 500 0 200 0 Router(config)#access-list 900 permit -1 -1 0 -1 0 Router(config)#int e0 Router(config-if)#ipx access-group 900 in
Again you can see the IPX extended access list with the command show access-lists or show ipx acces-list.
IPX SAP Filters
IPX SAP filters limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients. This allows you to limit the advertisement of particular servers and services to a particular IPX network segment. Since SAP advertisements are broadcasts, limiting them can reduce network traffic. Can be used to block server advertisements between separate departments.
access-list [list #] [permitdeny] [source network / node address] [service-type]
Variable
Definition
[list #]
IPX SAP filters are represented by a number in the range of 1000-1099.
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement.
[source network/ node address]
The IPX address of the source network or node.
[service-type]
IPX services such as print services, file services, or directory services, a 0 matches all services.
Example: Denies all SAP advertisements from network 200, but allows updates to all other network segments. Router(config)#access-list 1001 deny 200 0 Router(config)#access-list 1001 permit -1 0
To apply a SAP filter to an inbound interface, use the commands: Router(config)#int e0 Router(config-if)#ipx input-sap-filter 1001
OR to apply the access list to an outbound interface, use the commands: Router(config)#int e0 Router(config-if)#ipx output-sap-filter 1001
This would block all advertisements from network 200 from being passed to other routers on the internetwork. Again you can use the command show access-lists to see the access lists.
Controlling VTY Access
You can control access to VTY ports by applying a standard access list to the VTY lines. Router_2#conf t Enter configuration commands, one per line. End with CNTL/Z. Router_2(config)#access-list 15 permit host 192.168.1.71 Router_2(config)#line vty 0 4 Router_2(config-line)#access-class 15 in
Description
show access-lists
Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on.
show access-list [list #]
Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on.
show ip access-list
Shows only the IP access lists configured on the router.
show ipx access-list
Shows only the IPX access lists configured on the router.
show ip interface
Shows which interfaces have IP access lists on them.
show ipx interface
Shows which interfaces have IPX access lists on them.
show running-config
Shows the access lists and which interfaces have access lists set.
any
Keyword used to represent all hosts or networks, replaces 0.0.0.0 255.255.255.255 in access list.
host
Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e will match only 1 host)
clear access-list counter [list#]
Clears extended access lists counter of the number of matches per line of the access list.
-1
Applies to any IPX network or any protocol when used in extended IPX access lists.
0
Used for all sockets in extended IPX access lists.
ip access-group
Applies an IP access list to an interface.
ipx access-group
Applies an IPX access list to an interface.
ipx input-sap-filter
Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter
Applies an outbound IPX SAP filter to an interface.
Access List Ranges
Access List Type
Number
Standard IP Access Lists
1-99
Extended IP Access Lists
100-199
Standard IPX Access Lists
800-899
Extended IPX Access Lists
900-999
IPX SAP Filters
1000-1099
Standard Access List Syntax
IP access-list 1-99 {permitdeny} address mask
Variable
Definition
1-99
Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater.
{permitdeny}
Used to specify the nature of the access list, either a permit or deny statement.
address
The IP address of the source.
mask
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.
IPX access-list 800-899 {denypermit} source-network[.source-address[source-mask]] destination-network[.destination-address[destination-mask]]
Variable
Definition
800-899
Standard IPX access lists are represented by a number ranging from 800-899.
{denypermit}
Used to specify the nature of the access list either a permit or deny statement.
source-network[.source-address[source-mask]]
The IPX address of the source network or node.
destination-network[.destination-address[destination-mask]]
The IPX address of the destination network or node.
Extended Access List Syntax
IP access-list 100-199 {permitdeny} {iptcpudpicmp} source source-mask [ltgteqneq] [source-port] destination dest-mask [ltgteqneq] [dest-port] [log]
Variable
Definition
100-199
Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater.
{permitdeny}
Used to specify the nature of the access list either a permit or deny statement.
{iptcpudpicmp}
The IP protocol to be filtered can be IP (includes all protocols in the TCP/IP suite) TCP,UDP,ICMP,or others.
source
The IP address of the source
source-mask
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.
[ltgteqneq]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[source-port]
If necessary, the source port number of the protocol to be filtered.
destination
The IP address of the destination
dest-mask
A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant.
[ltgteqneq]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[dest-port]
If necessary, the destination port number of the protocol to be filtered.
[log]
Turns on logging of access list activity.
IPX access-list 900-999 {denypermit} protocol source-network.[source-address[source-mask]] socket destination-network.[destination-address[dest-mask]] destination-socket
Variable
Definition
900-999
Extended IPX access lists are represented by a number ranging from 900-999.
{denypermit}
Used to specify the nature of the access list either a permit or deny statement.
protocol
IPX protocol, a -1 specifies all IPX protocols.
source-network.[source-address[source-mask]]
The IPX address of the source network or node.
socket
Source socket similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
destination-network.[destination-address[dest-mask]]
The IPX address of the destination network or node.
socket
Destination socket, similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
SAP Filters
SAP access-list 1000-1099 {permitdeny} network.[address] [service-type]
Variable
Definition
1000-1099
IPX SAP filters are represented by a number in the range of 1000-1099.
{permitdeny}
Used to specify the nature of the access list either a permit or deny statement.
network.[address]
The IPX address of the source network or node.
[service-type]
IPX services such as print services, file services, or directory services, a 0 is for all services
Access Lists
Access lists regulate network traffic flow and security by using permit and deny statements that filter traffic based on source address, destination address, and protocol type of a packet. They are available for IP, IPX, AppleTalk, and other protocols.
Access lists must be entered in sequentially, you can't move individual statements once they are entered. You can disable the access list with the no access-list [list #] command. It is common to create the access list separately and apply it by copying and pasting it into the router configuration.
To copy an externally created access list, for example from a TFTP server, create the list on the TFTP host and save the file as plain text (ASCII). Then, from your router, use the copy tftp running-config file_id command to copy the access list to your router. Finally, perform the copy running-config startup-config command to save the access list to your router's NVRAM. The first command of an edited access list file should delete the previous access list (for example, type a no access-list command at the beginning of the file) else the new rules will be appended to the end of the access list.
If you telnet into a router and apply an access list, there is the possibility that you could be blocked from the router. To avoid the inconvenience of being locked out, use the command reload in [hh:mm]. This command will cause the router to restart and load a startup-config without the access list that blocked access.
Access List Rules
Access lists must be applied sequentially and they always end with an implicit deny statement. Since all traffic not explicitly permitted in the access list is blocked, using the command access-list [list #] permit any at the end of the access list allows remaining traffic that hasn't been blocked with a deny statement through the interface. This is why you can't append new rules to an access list, any statements added after the permit any or implicit deny command wouldn't be evaluated, a packet is only evaluated by an access list until it matches a statement. You should place first on the list the lines that are most likely to find a match, this will reduce unnecessary processing and save CPU time. To remove an access-list use the command no access-list [list #]. This command removes the entire access list. If you don't remove an access list first, all new lines will be appended to the end of the old one. After you create access lists, you must apply them to an interface so they can filter traffic. They can be either outgoing or incoming filters.
Access List Type
Number
Standard IP Access Lists
1-99
Extended IP Access Lists
100-199
Standard IPX Access Lists
800-899
Extended IPX Access Lists
900-999
IPX SAP Filters
1000-1099
Applying an Access List Router(config-if)#ip access-group ? <1-199> IP access list (standard or extended) <1300-2699> IP expanded access list (standard or extended) WORD Access-list name
The following command filters incoming traffic with standard IP access-list 1 Router(config-if)#ip access-group 1 in
The following command filters outgoing traffic with standard IP access-list 1 Router(config-if)#ip access-group 1 out
If the filter direction (in or out) isn't specified, it uses outbound by default. An interface can't have more than one inbound or more than one outbound access list applied to it. Multiple lists are allowed if the lists are for different protocols.
Access Lists Follow These Rules
Routers apply lists sequentially in the order in which you type them into the router.
Routers apply lists to packets sequentially, from the top down, one line at a time.
Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in access list statements.
Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
Access lists must be applied to an interface as either inbound or outbound traffic filters.
Only one list, per protocol, per direction can be applied to an interface.
Two Main Types of Access Lists
1. Standard
Standard IP Access Lists
Standard IP access lists filter network traffic based on the source IP address. Using a standard access list, you can filter traffic by a host IP address, subnet, or a network address. In order to configure standard IP access lists, you you must first create the access list and then apply it to an interface using the following syntax: access-list [list #] [permitdeny] [source address] [source wildcard mask]
Variable
Definition
[list #]
Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[source address]
The IP address of the source
[source wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant
Wildcard masks are the inverse of the subnet, the 0's are significant and the 1's are not significant. If you compare the source address to the wildcard mask, the source address bits that match up with the 0's specifies the network (only one) and the source address bits that match the 1's are all the hosts to which the list applies.
Wildcard Examples
Source
Wildcard
Host Range
Matches
192.168.1.55
0.0.0.0
192.168.1.55
One host
192.168.1.0
0.0.0.255
192.168.1.1 - 192.168.1.255
Last octet (one network)
192.168.0.0
0.0.255.255
192.168.0.1 - 192.168.255.255
Last two octets (entire 192.168.0.0 network)
142.110.16.0
0.0.7.255
142.110.16.1 - 142.110.23.255
Last octet and right 3 bits of second from right octet (part of the network)
172.16.32.0
0.0.31.255
172.16.32.1 - 172.16.63.255
Last octet and right 5 bits of second from right octet (part of the network)
Example for Standard IP Access Lists Router(config)#access-list 1 deny host 192.168.1.4 Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255 Router(config)#int e0 Router(config-if)#ip access-group 1 out
This access list allows traffic from 192.168.1.4 to enter the router, but the access list denies it from exiting on interface Ethernet 0. The deny statement uses the default wildcard mask of 0.0.0.0 (i.e. all bits are significant and it only applies to one host). The 0.0.0.0 255.255.255.255 can be replaced with the word any. The list is applied to the outbound of one interface as opposed to the inbound. This will prevent the host being blocked from other networks on the router that might not have been intended since traffic from 192.168.1.4 can enter the router and be switched to other networks on interfaces other than ethernet 0. You should apply the standard IP access list as close to the destination network as possible, or you could inadvertently block access to portions of your network. Use the command show access-lists to see the access lists on your router. For just IP access lists use the command show ip access-list.
To remove the access list use the command no access-list [list #]. Use the show ip interface and the show interface commands to verify that an access list has been successfully applied to an interface.
Standard IPX Access Lists
Standard IPX Access Lists are similar to standard IP access lists, except they can filter based on source and destination addresses or networks. access-list [list #] [permitdeny] [source network/ node address] [destination network/ destination address]
Variable
Definition
[list #]
Standard IPX access lists are represented by a number ranging from 800-899
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[source network/ node address]
The IPX address of the source network or node
[destination network/ destination address]
The IPX address of the destination network or node
The following access list denies IPX network 500 from accessing IPX network 200 on inbound ethernet 0 and then permits all others. This access list should be applied as close to network 500 as possible to reduce network traffic.
Example Router(config)#access-list 800 deny 500 200 Router(config)#access-list 800 permit -1 -1 Router(config)#int e0 Router(config-if)#ipx access-group 800 in
The -1 is like the IP's any command, it applies to all hosts. Standard IPX access lists can be seen with the command show access-lists or show ipx accest-list.
2. Extended
Extended IP Access Lists
Extended IP access lists can filter based on source IP address, destination IP address, protocol type, and application destination and source port numbers, whereas standard IP access lists only filter sources addresses. You also configure extended IP access lists by creating the list and applying it to an interface using the following syntax: access-list [list #] [permitdeny] [protocol] [source IP addr] [source wildcard mask] [operator] [port] [destination IP addr] [destination wildcard mask] [operator] [port] [log]
Variable
Definition
[list #]
Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement
[protocol]
The IP protocol to be filtered can be IP (includes all protocols in the TCP/IP suite) TCP,UDP,ICMP,or others
[source address]
The IP address of the source
[source wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of source address are significant
[operator]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number
[port]
If necessary, the source port number or name of the protocol to be filtered.
[destination address]
The IP address of the destination
[destination wildcard mask]
A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant
[operator]
Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number
[port]
If necessary, the destination port number or name of the protocol to be filtered
[log]
Turns on logging of access list activity
Example: This access list will block 192.168.1.10 from accessing TCP port www (http[80]) on host 192.168.2.2. The host keyword is a shortcut for the 0.0.0.0 wildcard mask. Since extended IP access lists use destination addresses, the list should be applied as close to the source as possible to reduce unnecessary traffic on the network. Router(config)#access-list 100 deny tcp host 192.168.1.10 host 192.168.2.2 eq www Router(config)#access-list 100 permit ip any any Router(config)#int e0 Router(config-if)#ip access-group 100 in
To remove the access list use the command no ip access-group [list #]. Use the same commands to monitor an extended IP access list as a standard access list i.e. show access-lists or show ip access-list. Extended IP access lists show the number of matches per line of the access list; to clear these counters, use the command clear access-list counter [list #].
Extended IPX Access Lists
Extended IPX access lists allow you to filter based on source and destination network or node address, IPX protocol type, and IPX socket #.access-list [list #] [permitdeny] [protocol] [source network/ node address] [socket] [destination network/ node address] [socket]
Variable
Definition
[list #]
Extended IP access lists are represented by a number ranging from 900-999.
[permitdeny]
Used to specify the nature of the access list, either a permit or deny statement.
[protocol]
IPX protocol, a -1 specifies all IPX protocols.
[source network/ node address]
The IPX address of the source network or node.
[socket]
Similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
[destination network/ node address]
The IPX address of the destination network or node.
[socket]
Similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.
Example: The -1s are for any ipx protocol or network. This access list denies all protocols (-1) and all sockets (0) from IPX network 500 from going to IP network 200 (all sockets also). The access list should be applied to the inbound interface that IPX network 500 is on. This will reduce network traffic and save router resources. Router(config)#access-list 900 deny -1 500 0 200 0 Router(config)#access-list 900 permit -1 -1 0 -1 0 Router(config)#int e0 Router(config-if)#ipx access-group 900 in
Again you can see the IPX extended access list with the command show access-lists or show ipx acces-list.
IPX SAP Filters
IPX SAP filters limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients. This allows you to limit the advertisement of particular servers and services to a particular IPX network segment. Since SAP advertisements are broadcasts, limiting them can reduce network traffic. Can be used to block server advertisements between separate departments.
access-list [list #] [permitdeny] [source network / node address] [service-type]
Variable
Definition
[list #]
IPX SAP filters are represented by a number in the range of 1000-1099.
[permitdeny]
Used to specify the nature of the access list either a permit or deny statement.
[source network/ node address]
The IPX address of the source network or node.
[service-type]
IPX services such as print services, file services, or directory services, a 0 matches all services.
Example: Denies all SAP advertisements from network 200, but allows updates to all other network segments. Router(config)#access-list 1001 deny 200 0 Router(config)#access-list 1001 permit -1 0
To apply a SAP filter to an inbound interface, use the commands: Router(config)#int e0 Router(config-if)#ipx input-sap-filter 1001
OR to apply the access list to an outbound interface, use the commands: Router(config)#int e0 Router(config-if)#ipx output-sap-filter 1001
This would block all advertisements from network 200 from being passed to other routers on the internetwork. Again you can use the command show access-lists to see the access lists.
Controlling VTY Access
You can control access to VTY ports by applying a standard access list to the VTY lines. Router_2#conf t Enter configuration commands, one per line. End with CNTL/Z. Router_2(config)#access-list 15 permit host 192.168.1.71 Router_2(config)#line vty 0 4 Router_2(config-line)#access-class 15 in
0 comments:
Post a Comment