2002, Cisco Systems, Inc. All rights reserved.

Configuring IP Access Lists

Objectives
Upon completing this lesson, you will be able to:
- Use Cisco IOS commands to configure IP standard and extended access lists, given a functioning router.
- Use show commands to identify anomalies in IP standard and extended access lists, given an operational router.

Access List Configuration Guidelines
- Access list numbers indicate which protocol is filtered.
- One access list per interface, per protocol, per direction is allowed.
- The order of access list statements controls testing. Place the most restrictive statements at the top of the list.
- There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
- Create access lists before applying them to interfaces.
- Access lists filter traffic going through the router; they do not apply to traffic originating from the router.

Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements).
    Router(config)#access-list access-list-number permit | deny test-conditions
Step 2: Enable an interface to use the specified access list.
    Router(config-if)#protocol access-group access-list-number in | out

Access list number ranges:
- Standard IP lists: 1-99
- Extended IP lists: 100-199
- Standard IP lists: 1300-1999 (expanded range)
- Extended IP lists: 2000-2699 (expanded range)

Standard IP Access List Configuration
    Router(config)#access-list access-list-number permit | deny | remark source [wildcard]
- Sets parameters for this list entry.
- IP standard access lists use numbers 1 to 99.
- Default wildcard mask = 0.0.0.0 (the whole source address must match).
- no access-list access-list-number removes the entire access list.
- The remark option lets you add a description for the access list.
    Router(config-if)#ip access-group access-list-number in | out
- Activates the list on an interface.
- Sets inbound or outbound testing. Default = outbound.
- no ip access-group access-list-number removes the access list from the interface.

Standard IP Access List Example 1: Permit my network only.
Standard IP Access List Example 2: Deny a specific host.
Standard IP Access List Example 3: Deny a specific subnet.

Extended IP Access List Configuration
    Router(config)#access-list access-list-number permit | deny protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
- Sets parameters for this list entry.
    Router(config-if)#ip access-group access-list-number in | out
- Activates the extended list on an interface.

Extended Access List Example 1: Deny FTP from subnet to subnet out of E0. Permit all other traffic.
Extended Access List Example 2: Deny only Telnet from subnet out of E0. Permit all other traffic.

Using Named IP Access Lists
    Router(config)#ip access-list standard | extended name
    Router(config-std-nacl | config-ext-nacl)#permit | deny test-conditions
    Router(config-std-nacl | config-ext-nacl)#no permit | deny test-conditions
    Router(config-if)#ip access-group name in | out
- The alphanumeric name string must be unique.
- Permit or deny statements have no prepended number.
- "no" removes the specific test from the named access list.
- ip access-group activates the IP named access list on an interface.

Filtering vty Access to a Router
- Five virtual terminal lines (0 through 4).
- Filter addresses that can access into the router's vty ports.
- Filter vty access out from the router.

How to Control vty Access
- Set up an IP address filter with a standard access list statement.
- Use line configuration mode to filter access with the access-class command.
- Set identical restrictions on every vty.

vty Commands
    Router(config)#line vty vty# | vty-range
- Enters configuration mode for a vty or vty range.
    Router(config-line)#access-class access-list-number in | out
- Restricts incoming or outgoing vty connections for the addresses in the access list.

vty Access Example: Controlling Inbound Access
Permits only hosts in network 55 to connect to the router vty:
    access-list 12 permit 55
    (implicit deny all)
    !
    line vty 0 4
     access-class 12 in

Access List Configuration Principles
- The order of access list statements is crucial. Recommended: use a text editor on a PC to create the access-list statements, then cut and paste them into the router.
- Top-down processing is important. Place the more specific test statements first.
- No reordering or removal of statements. Use the no access-list number command to remove the entire access list. Exception: named access lists permit removal of individual statements.
- Implicit deny all will be applied to any packets that do not match any access-list statement, unless the access list ends with an explicit permit any statement.

Where to Place IP Access Lists
- Place extended access lists close to the source.
- Place standard access lists close to the destination.

Verifying Access Lists
    wg_ro_a#show ip interfaces e0
    Ethernet0 is up, line protocol is up
      Internet address is 1/24
      Broadcast address is 55
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 1
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP Feature Fast switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled

Monitoring Access List Statements
    wg_ro_a#show access-lists
    Standard IP access list 1
        permit
        permit
        permit
        permit
    Extended IP access list 101
        permit tcp host any eq telnet
        permit tcp host any eq ftp
        permit tcp host any eq ftp-data
    wg_ro_a#show protocol access-list access-list-number
    wg_ro_a#show access-lists access-list-number

Summary
Well-designed and implemented access lists will add an important security component to your network. To configure standard IP access lists on a Cisco router, you will create a standard IP access list and activate it on an interface. Similarly, to configure extended IP access lists on a Cisco router, you will create an extended IP access list and activate it on an interface. The named access list feature
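The standard and extended configuration sections, the vty access-class example and the "order of statements is crucial" principle all come down to one mechanism: each packet is tested against the list top-down, the first matching statement decides, and a packet that matches nothing hits the implicit deny. The following evaluator is an added example written for this page; it is not Cisco code and not part of the original lesson. It parses the numbered access-list syntax shown above (standard and extended ranges, any/host/address-wildcard, eq/neq/gt/lt/range, established, remark), evaluates packets against a list, and flags statements that an earlier, broader statement shadows, which is what happens when a permit ip any any is placed before the denies it was meant to follow. The list numbers, addresses and packets are constructed for the example; vty_allowed models access-class in by testing the standard list against the connecting session's source address.

```python
"""Evaluator for the numbered access-list syntax taught in this lesson (added example, not
Cisco code): standard and extended lists, any/host/wildcard, eq/neq/gt/lt/range, established."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
OPS = {"eq", "neq", "gt", "lt", "range"}
ANY = (0, 0xFFFFFFFF)  # (base, wildcard) for 'any': 0.0.0.0 255.255.255.255
# src/dst are (base, wildcard) as 32-bit ints; sport/dport are (op, lo, hi) or None
Entry = namedtuple("Entry", "action proto src dst sport dport established")
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(0, 0, False))

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tokens, wildcard_required):
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    base = _ip(tok)
    if wildcard_required or (tokens and tokens[0] != "log"):
        return (base, _ip(tokens.pop(0)))
    return (base, 0)  # standard-list default wildcard 0.0.0.0: exact host

def _parse_port_op(tokens):
    if not tokens or tokens[0] not in OPS:
        return None
    op, lo = tokens.pop(0), _port(tokens.pop(0))
    return (op, lo, _port(tokens.pop(0)) if op == "range" else lo)

def parse_entry(line):
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard list: source only
        return Entry(action, "ip", _parse_addr(rest, False), ANY, None, None, False)
    proto = rest.pop(0)
    src, sport = _parse_addr(rest, True), _parse_port_op(rest)
    dst, dport = _parse_addr(rest, True), _parse_port_op(rest)
    return Entry(action, proto, src, dst, sport, dport, "established" in rest)

def parse_acl(config):
    """One list's 'access-list N ...' lines, in order; remark lines are skipped."""
    return [parse_entry(l) for l in config.strip().splitlines()
            if l.split() and l.split()[2] != "remark"]

def _addr_match(addr, rng):
    base, wild = rng  # wildcard bit 1 = don't care; bits where it is 0 must match
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def _port_match(port, cond):
    if cond is None:
        return True
    op, lo, hi = cond
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and _addr_match(_ip(p.src), e.src) and _addr_match(_ip(p.dst), e.dst)
            and _port_match(p.sport, e.sport) and _port_match(p.dport, e.dport)
            and (not e.established or p.established))

def evaluate(acl, p):
    """Top-down, first match wins; a packet that matches nothing hits the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None

def vty_allowed(acl, client_ip):
    """access-class N in: the standard list is tested against the session's source address."""
    return evaluate(acl, Packet("tcp", client_ip, "0.0.0.0", dport=23))[0] == "permit"

def _covers(outer, inner):
    (ob, ow), (ib, iw) = outer, inner
    return (ow | iw) == ow and ((ob ^ ib) & ~ow & 0xFFFFFFFF) == 0

def shadowed(acl):
    """Indices of entries fully covered by an earlier entry: they can never fire."""
    return [j for j, e in enumerate(acl) if any(
        f.proto in ("ip", e.proto) and _covers(f.src, e.src) and _covers(f.dst, e.dst)
        and f.sport in (None, e.sport) and f.dport in (None, e.dport)
        and (not f.established or e.established) for f in acl[:j])]

# Constructed lists: Extended Example 1 (deny FTP subnet to subnet, permit the rest),
# the same statements in reverse order (broad permit first), and a standard "my network" list.
FTP_ACL = """
access-list 101 remark deny FTP 172.16.4.0/24 -> 172.16.3.0/24, permit everything else
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp-data
access-list 101 permit ip any any
"""
BAD_ORDER_ACL = "\n".join(reversed(FTP_ACL.strip().splitlines()))
STANDARD_ACL = "access-list 1 permit 172.16.0.0 0.0.255.255"
```

With FTP_ACL an FTP control connection from 172.16.4.13 to 172.16.3.7 returns ('deny', 0) and a web request returns ('permit', 2); with BAD_ORDER_ACL the same FTP packet returns ('permit', 0) and shadowed() reports both deny statements as unreachable, which is the mistake the lesson's "place the more specific test statements first" rule prevents. Because numbered lists cannot be reordered in place, the fix is no access-list 102 and re-entering the statements in the right order, or using a named list so that the individual statement can be removed.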
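The verification commands above are read one interface at a time in the lesson. The following script is an added example, not Cisco code, showing how to audit the same two outputs together: it parses show ip interface to see which list is applied in each direction, lists up interfaces with no list at all, and cross-checks every applied list against show access-lists. The cross-check matters because IOS treats a list that is applied but undefined or empty as permitting everything, so an interface can show "Inbound access list is 150" and still filter nothing. The interface names, addresses and list contents in the sample output are constructed for the example.

```python
"""Audit of 'show ip interface' against 'show access-lists' output (added example, not
Cisco code). The sample output below is constructed, using the lesson's field wording."""
import re

SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
Serial0 is up, line protocol is up
  Internet address is 192.0.2.1/30
  Outgoing access list is 101
  Inbound access list is 150
FastEthernet1 is up, line protocol is up
  Internet address is 10.2.2.1/24
  Outgoing access list is not set
  Inbound access list is not set
Loopback0 is administratively down, line protocol is down
  Internet address is 10.9.9.9/32
  Outgoing access list is not set
  Inbound access list is not set
"""
SHOW_ACCESS_LISTS = """\
Standard IP access list 1
    permit 10.1.1.0, wildcard bits 0.0.0.255
Extended IP access list 101
    deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp
    permit ip any any
"""

IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
ACL_RE = re.compile(r"^\s+(Outgoing|Inbound) access list is (.+?)\s*$")
LIST_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")

def parse_show_ip_interface(text):
    """{interface: {'up': bool, 'in': list or None, 'out': list or None}}"""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"up": m.group(2) == "up" and m.group(3) == "up",
                                        "in": None, "out": None}
            continue
        m = ACL_RE.match(line)
        if m and cur is not None:
            cur["in" if m.group(1) == "Inbound" else "out"] = (
                None if m.group(2) == "not set" else m.group(2))
    return ifaces

def parse_show_access_lists(text):
    """{list name or number: entry count}; list headers start at column 0, entries are indented."""
    lists, cur = {}, None
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            cur = m.group(1)
            lists[cur] = 0
        elif cur is not None and line.strip():
            lists[cur] += 1
    return lists

def unfiltered_interfaces(ifaces):
    """Up interfaces with no list applied in either direction."""
    return sorted(n for n, i in ifaces.items() if i["up"] and not (i["in"] or i["out"]))

def dangling_references(ifaces, lists):
    """(interface, direction, list) where the applied list is undefined or has no entries.
    IOS permits all traffic through such a reference, so the interface is unfiltered
    even though 'show ip interface' shows a list applied."""
    return sorted((n, d, i[d]) for n, i in ifaces.items() for d in ("in", "out")
                  if i[d] and not lists.get(i[d]))
```

On the sample output the audit reports FastEthernet1 as an up interface with nothing applied, and Serial0's inbound list 150 as a dangling reference because show access-lists defines only lists 1 and 101; Loopback0 is ignored because it is administratively down.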