Cisco Access Lists
Access List Type           | Number
Standard IP Access Lists   | 1-99
Extended IP Access Lists   | 100-199
Standard IPX Access Lists  | 800-899
Extended IPX Access Lists  | 900-999
IPX SAP Filters            | 1000-1099

Standard IP Access List
Syntax:
access-list 1-99 [permit|deny] [source address] [source wildcard mask]
Example:
Router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255 (same as any)
Apply the Access List:
Router(config)#int e0
Router(config-if)#ip access-group 1 out
Standard IPX Access List
Syntax:
access-list 800-899 [permit|deny] [source net/ node address] [dest network/ dest address]
Example:
Router(config)#access-list 800 deny 500 200
Router(config)#access-list 800 permit -1 -1
Apply the Access List:
Router(config)#int e0
Router(config-if)#ipx access-group 800 in
Extended IP Access List
Syntax:
access-list 100-199 [permit|deny] [protocol] [src IP addr] [src wildcard mask] [dest IP addr] [dest wildcard mask] [operator] [port] [log]
Example:
Router(config)#access-list 100 deny tcp host 192.168.1.10 host 192.168.2.2 eq www
Router(config)#access-list 100 permit ip any any
Router(config)#int e0
Router(config-if)#ip access-group 100 in
This access list blocks 192.168.1.10 from reaching TCP port www (HTTP, port 80) on host 192.168.2.2, while the final line permits all other IP traffic. The host keyword is a shortcut for a 0.0.0.0 wildcard mask. Since extended IP access lists can match on destination addresses, the list should be applied as close to the source as possible to keep traffic that will be dropped anyway off the network.
Extended IPX Access list
Syntax:
access-list 900-999 [permit|deny] [protocol] [source network/node address] [socket] [dest network/node addr] [socket]
Example:
R_1(config)#access-list 900 deny -1 500 0 200 0
R_1(config)#access-list 900 permit -1 -1 0 -1 0
R_1(config)#int e0
R_1(config-if)#ipx access-group 900 in
Extended IPX access lists allow you to filter based on source and destination network or node address, IPX protocol type (a -1 specifies all IPX protocols), and IPX socket number (a 0 specifies all sockets).
IPX SAP Filters
Syntax:
access-list 1000-1099 [permit|deny] [src network / node addr] [service-type]
Example:
Router(config)#access-list 1000 deny 200 0
Router(config)#access-list 1000 permit -1 0
To apply a SAP filter to an interface for inbound filtering, use the command:
Router(config)#int e0
Router(config-if)#ipx input-sap-filter [list#]
Or, for outbound filtering, use the command:
Router(config)#int e0
Router(config-if)#ipx output-sap-filter [list#]
This blocks all SAP advertisements from network 200 from being passed to other routers on the internetwork. Again, you can use the command show access-list to see the access lists.
Controlling VTY Access
Example:
R_2(config)#access-list 15 permit 192.168.1.71
R_2(config)#line vty 0 4
R_2(config-line)#access-class 15 in
This stops all hosts except 192.168.1.71 from telnetting into the router. It works by permitting only that one host; every other host is rejected because there is an implicit deny at the end of every access list.
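As an added example (not part of the original page), the following Python models how a router evaluates the IP access lists above: wildcard-mask matching, the host and any shortcuts, top-down first-match processing, and the implicit deny that makes access list 15 lock out every host but 192.168.1.71. Access lists 1, 100 and 15 are transcribed from this page; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to

def host(ip: str) -> tuple:
    """'host A.B.C.D' is shorthand for wildcard mask 0.0.0.0 (match one host)."""
    return (ip, "0.0.0.0")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every IP protocol
    src: tuple = ANY              # (address, wildcard mask)
    dst: tuple = ANY              # standard lists leave this at ANY
    dport: Optional[int] = None   # None = no "eq <port>" check

def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first-match evaluation; returns 'permit' or 'deny'."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"   # the implicit deny that ends every access list

# The page's access lists, transcribed as data (constructed test input).
ACL_1 = [Entry("deny", src=("192.168.1.0", "0.0.0.255")), Entry("permit")]
ACL_100 = [Entry("deny", "tcp", host("192.168.1.10"), host("192.168.2.2"), 80),
           Entry("permit")]
ACL_15 = [Entry("permit", src=host("192.168.1.71"))]   # only line: everyone else hits implicit deny

if __name__ == "__main__":
    print(evaluate(ACL_1, "tcp", "192.168.1.77", "10.0.0.1", 22))          # deny (in 192.168.1.0/24)
    print(evaluate(ACL_100, "tcp", "192.168.1.10", "192.168.2.2", 80))     # deny
    print(evaluate(ACL_100, "tcp", "192.168.1.10", "192.168.2.2", 443))    # permit
    print(evaluate(ACL_15, "tcp", "192.168.1.72", "192.168.1.1", 23))      # deny
```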
Access List Commands

Command                            | Description
show access-lists                  | Displays all access lists and their parameters configured on the router. This command does not show which interface a list is applied to.
show access-list [list#]           | Shows only the parameters for the specified access list. This command does not show which interface the list is applied to.
show ip access-list                | Shows only the IP access lists configured on the router.
show ipx access-list               | Shows only the IPX access lists configured on the router.
show ip interface                  | Shows which interfaces have IP access lists applied to them.
show ipx interface                 | Shows which interfaces have IPX access lists applied to them.
show running-config                | Shows the access lists and which interfaces have access lists applied.
any                                | Keyword representing all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list.
host                               | Keyword specifying that an address has a wildcard mask of 0.0.0.0 (i.e. it matches only one host).
clear access-list counter [list#]  | Clears the extended access list counter of the number of matches per line of the access list.
-1                                 | Applies to any IPX network or any protocol when used in extended IPX access lists.
0                                  | Used for all sockets in extended IPX access lists.
ip access-group                    | Applies an IP access list to an interface.
ipx access-group                   | Applies an IPX access list to an interface.
ipx input-sap-filter               | Applies an inbound IPX SAP filter to an interface.