Module 11
Access Control Lists
Objectives
Standard ACL syntax:
  Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
  Router(config-if)# ip access-group access-list-number {in | out}
Wildcard any
Wildcard host
show ip interface
show access-lists
Extended ACL syntax:
  Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port] destination [d-mask operator d-port] [established] [log | log-input]
  established: matches only if the ACK bit is set
  Router(config-if)# ip access-group access-list-number {in | out}
ICMP parameters:
  icmp-type   (Optional) A number between 0 and 255 specifying the ICMP message type.
  icmp-code   (Optional) ICMP packets filtered by ICMP message type can also be filtered by ICMP message code. The code is a number from 0 to 255.
Recommended Rule (restricting VTY access):
  line vty 0 4
  login
  password cisco
  access-class access-list-number {in | out}
• Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router itself (which is why VTY access is controlled with access-class on the line rather than with an interface ACL).
VTY Control Example (diagram: router RA, host 172.16.3.100)
Access List Requirements
1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13.
2. Prevent all hosts on network 172.16.4.0, except 172.16.4.13, from accessing server 65.10.13.133.
3. Prevent all hosts on network 172.16.3.0, except 172.16.3.100, from accessing 172.16.4.13 using web and tftp.
4. Allow all hosts on the local network, as well as the Internet, to access the company's web site on server 172.16.4.13. Block all other types of access to this server.
ACL Challenge (diagram: Internet connected to the router, inner network behind it)
• The outer network cannot ping into the inner network.
• Do not allow the outer network to access the inner network, except for the web service on E0.
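The challenge above, worked through as an added example that is not part of the original slides: a small Python model of how an extended ACL is evaluated (wildcard-mask matching, top-down first match, the established keyword from the extended syntax, ICMP type filtering, implicit deny at the end). The inner-network addresses, the web server 192.168.1.10 on E0 and the access-list lines are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Rule:  # one extended access-list line
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str; src_wc: str            # source and source-wildcard
    dst: str; dst_wc: str            # destination and destination-wildcard
    dport: Optional[int] = None      # "eq <port>" on the destination
    icmp_type: Optional[int] = None  # 0..255, e.g. 8 = echo-request
    established: bool = False        # match only when the ACK bit is set
@dataclass
class Packet:  # the header fields an ACL looks at
    proto: str; src: str; dst: str
    dport: Optional[int] = None; icmp_type: Optional[int] = None
    ack: bool = False

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto not in ("ip", p.proto):
        return False
    if not (wildcard_match(p.src, r.src, r.src_wc) and wildcard_match(p.dst, r.dst, r.dst_wc)):
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.icmp_type is not None and p.icmp_type != r.icmp_type:
        return False
    return p.ack or not r.established

def evaluate(acl: list, p: Packet) -> str:
    # First match top-down decides; the implicit "deny any" at the end drops the rest.
    for r in acl:
        if rule_matches(r, p):
            return r.action
    return "deny"

# Constructed addresses for the challenge (the slides give none).
ANY = ("0.0.0.0", "255.255.255.255")  # keyword "any"
INNER = ("192.168.1.0", "0.0.0.255")  # inner network
WEB = ("192.168.1.10", "0.0.0.0")     # "host 192.168.1.10", the web server on E0
CHALLENGE_ACL = [  # applied inbound on the Internet-facing interface
    Rule("deny", "icmp", *ANY, *INNER, icmp_type=8),        # no echo-request into the inner network
    Rule("permit", "tcp", *ANY, *WEB, dport=80),            # only the web service is reachable
    Rule("permit", "tcp", *ANY, *INNER, established=True),  # replies to sessions started inside
]
```

Reordering the lines changes the result, so a deny placed after a broader permit never fires; the model makes that visible before the list is applied with ip access-group.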
• ACL definition
• How ACL works
• Wild-card mask
• Standard numbered ACL configuration
• Extended numbered ACL configuration
• Named ACL configuration
• Placing ACLs
CCNA2 – Module11