Access List:
Connect to the router through the console port, or telnet to the IP address of one of its interfaces, and enter the commands below. Telnet sends the session (including the enable password) in cleartext, so use SSH instead where the IOS image supports it.
Example 1 : Applying access list 102 (inbound) to Serial 0.
Router>enable
Router#configure terminal
Router(config)#interface serial 0
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit
Example 2 : Applying access list 101 (outbound) to Ethernet 0.
Router>enable
Router#configure terminal
Router(config)#interface ethernet 0
Router(config-if)#ip access-group 101 out
Router(config-if)#exit
Router(config)#exit
Example 3 : Removing an access list from Serial 0. The no form must name the same list number and direction that were applied to the interface (here list 101, outbound); configuration mode is reached from privileged mode, not user mode.
Router>enable
Router#configure terminal
Router(config)#interface serial 0
Router(config-if)#no ip access-group 101 out
Router(config-if)#exit
Router(config)#exit
Some helpful commands to monitor and verify the access list:
show running-config {displays the active configuration, including the access-list statements and the ip access-group lines that apply them to interfaces}
show access-lists {displays all access lists}
show access-lists 1xx {displays access list 1xx only}
show ip access-lists {displays the IP access lists, with a match counter per statement, which is the quickest way to confirm that a statement is actually being hit}
show interfaces serial 0 {displays information on the serial 0 interface}
no access-list 1xx {removes the entire access list 1xx, every statement of it, not just one line}
copy running-config startup-config {saves the active configuration to NVRAM so it survives a reload}
Access List Guidelines :
1. The access list number indicates which protocol is filtered. Standard IP access lists are numbered 1-99 and extended IP access lists 100-199 (later IOS releases add the expanded ranges 1300-1999 and 2000-2699).
2. Only one access list per protocol, per direction, per interface is allowed.
3. Processing is top-down and the first match wins: once a statement matches a packet, no later statement is evaluated. Put the most specific statements at the top; a broad permit or deny placed early shadows every more specific statement below it.
4. Every access list ends with an implicit deny all. Any packet not explicitly permitted is dropped, so a list needs at least one permit statement or it blocks all traffic of that protocol on the interface.
5. New entries are appended to the bottom. A statement cannot be inserted in the middle of a numbered list, and no access-list 1xx deletes the whole list. To modify a list, keep it in a text file, correct it there, and reload it by cut and paste or from a TFTP server. Do not delete a list while it is still applied to an interface: a referenced list that does not exist permits all traffic, so build the corrected list under a new number and then change the ip access-group command on the interface to point at it. Newer IOS releases also support sequence numbers on named access lists, which allow single entries to be inserted or removed in place.
6. Create the access list before applying it to the interface. If the list named in ip access-group does not exist, the interface permits all traffic.
7. Access lists filter traffic going through the router. An outbound access list does not apply to traffic originated by the router itself; an inbound access list does apply to packets addressed to the router.
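Guidelines 3, 4 and 5 are easiest to see by running an access list against a few packets. The following simulator is an added example, not code from the original page: it parses a small subset of numbered extended IP access-list syntax (permit/deny, ip/tcp/udp/icmp, any/host/wildcard addresses, an optional eq port), evaluates packets top-down with first-match semantics and the implicit deny, and flags statements that an earlier statement shadows. The list number, addresses and ports are constructed for the example; non-contiguous wildcard masks are not supported.

```python
"""Top-down, first-match evaluation of Cisco-style numbered extended IP
access lists (100-199), including the implicit deny at the end.

Added example, not code from the original page. Supported syntax only:
  access-list <n> permit|deny <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
where each address is 'any', 'host A.B.C.D', or 'A.B.C.D <wildcard>'.
List numbers, addresses and ports below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq <port>", else None


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the inverse of a netmask: 0 bits must match.
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    try:
        return ipaddress.IPv4Network((tok[i], netmask), strict=False), i + 2
    except ValueError as exc:  # non-contiguous wildcards are not handled here
        raise ValueError(f"unsupported wildcard {tok[i + 1]}") from exc


def parse_acl(config: str, number: str) -> List[Entry]:
    """Collect the statements of access list <number>, in the order written."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != number:
            continue
        if tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported entry: {line.strip()}")
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = _PORTS[tok[i + 1]] if tok[i + 1] in _PORTS else int(tok[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement).

    Evaluation stops at the first match. If nothing matches, the implicit
    'deny ip any any' applies and the index is None.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


def shadowed(entries: List[Entry]) -> List[Tuple[int, int]]:
    """Return (later, earlier) index pairs where the earlier statement matches
    every packet the later one would, so the later one can never fire."""
    found = []
    for j, later in enumerate(entries):
        for i in range(j):
            earlier = entries[i]
            if earlier.proto not in ("ip", later.proto):
                continue
            if not (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)):
                continue
            if earlier.dport is not None and earlier.dport != later.dport:
                continue
            found.append((j, i))
            break
    return found


# Constructed lists. ORDERED follows guideline 3 (specific deny first);
# APPENDED is what results when that deny is typed into the existing list,
# because new statements always land at the bottom (guideline 5).
ORDERED = """
access-list 102 remark constructed example: applied inbound on Serial 0
access-list 102 deny   tcp host 10.1.1.5 host 192.0.2.10 eq 22
access-list 102 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 102 permit icmp any any
"""
APPENDED = """
access-list 102 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 102 permit icmp any any
access-list 102 deny   tcp host 10.1.1.5 host 192.0.2.10 eq 22
"""

if __name__ == "__main__":
    good, bad = parse_acl(ORDERED, "102"), parse_acl(APPENDED, "102")
    print("ordered :", evaluate(good, "tcp", "10.1.1.5", "192.0.2.10", 22))
    print("appended:", evaluate(bad, "tcp", "10.1.1.5", "192.0.2.10", 22))
    print("shadowed in appended list:", shadowed(bad))
    print("implicit deny:", evaluate(good, "udp", "10.1.1.7", "192.0.2.10", 53))
```

The same host-specific deny produces "deny" at the top of the list and "permit" at the bottom, which is exactly the failure mode guideline 5 warns about when a statement is added to a live list; the shadowed() check is the kind of lint worth running over the text file before pasting a list back into the router.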