Access lists can permit or deny the movement of packets between routers, permit or deny Telnet (VTY) access to a router, and define the "interesting traffic" that triggers a dial-on-demand routing (DDR) call to a remote location.
ACCESS LIST
An access list is essentially an ordered list of conditions that controls access. It is a powerful tool for controlling traffic between network segments: it filters unwanted packets and enforces a security policy. With access lists, a network manager gains considerable leverage to enforce almost any access policy that can be devised. IP and IPX access lists work in much the same way: both are packet filters that compare packets against a set of conditions and classify them. Once an access list has been created it can be applied to inbound or outbound traffic on any interface. Applying an access list causes the router to examine every packet passing through that interface in the specified direction and to act on it accordingly.
Here are some important rules the router follows when an access list compares packets:
It always compares the lines of the access list in order, starting from line 1, then line 2, line 3, and so on.
It compares the packet against each line until a match is found; once the packet matches a line, that line's action is applied and no further comparison takes place.
There is an implicit deny at the bottom of every access list. This means that if a packet does not match any line of the access list, it is discarded.
Each of these rules has significant consequences when an access list filters IP and IPX packets.
There are two types of access lists for IP and IPX:
Standard access lists: filter only on the source IP address of the packet, and basically permit or deny the whole protocol suite. IPX standard lists can filter on both the source and the destination IPX address.
Extended access lists: check the source and destination IP addresses, the protocol field of the network layer header, and the port numbers in the transport layer header. IPX extended access lists use the source and destination IPX addresses, the protocol field of the network layer header, and the socket numbers in the transport layer header.
Once you have created an access list, you apply it to an interface as an inbound or an outbound list:
Inbound access list: packets are processed through the access list before being routed to the outbound interface.
Outbound access list: packets are routed to the outbound interface first and then processed through the access list.
There are some further guidelines for creating and applying access lists on a router:
You can assign only one access list per interface, per protocol, per direction. This means an interface can have only one inbound and one outbound access list for each protocol.
Organize your access lists so that the more specific tests are at the top.
Any new line added to an access list is placed at the bottom of the list. You cannot move a single line inside a numbered access list; if you want to change the order you have to remove the whole list and re-enter it, so it is best to copy the access list into a text editor before editing it. The only exception is named access lists.
Unless there is a permit statement somewhere before the end of the access list, all packets will be discarded, which effectively shuts the interface for that traffic.
Create the access list first and then apply it to an interface. Applying a list number to an interface for which no access list exists has no filtering effect.
Access lists are designed to filter traffic passing through the router; they do not filter traffic that originates from the router itself.
Place IP standard access lists as close as possible to the destination.
Place IP extended access lists as close as possible to the source.
standard IP access lists
Standard IP access lists filter on the source IP address only. You use access list numbers 1 through 99 to create a standard IP access list:
Router(config)# access-list 10 deny ..........
Three options are available at this point; you can use any of them to permit or deny a host or a network:
You can use an IP address to specify a particular network or host.
You can use the host keyword to specify a single explicit host:
Router(config)# access-list 10 deny host 202.202.202.111
Router(config)# access-list 10 deny 202.202.202.111 (this form, without a wildcard, is also accepted and means the same single host)
You can use the any keyword; the following two lines are equivalent:
Router(config)# access-list 10 deny any
Router(config)# access-list 10 deny 0.0.0.0 255.255.255.255
There is also another way to specify hosts: wildcard masks, which let you specify a whole network or subnet. Wildcards are the only way to express a range of addresses in an access list.
Wildcards
To specify a host, a network, or part of a network in an access list, you need to understand block sizes. A block size describes the range of addresses a wildcard mask covers. Some of the block sizes available are:
64 32 16 8 4
When you need to cover a range of addresses, choose the smallest block size that is at least as large as the range. If you need to cover 34 networks, you need a block size of 64; if you want to cover 18 hosts, you need 32.
Worked example: the networks 202.202.8.0 through 202.202.15.0
15 - 8 = 7
The closest block size to 7 is 8
So the base address is 202.202.8.0
and the wildcard mask is 0.0.7.255, since a block of 8 covers third-octet values 8 through 15 (an offset of 0 to 7).
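The block-size arithmetic above, as an added example that is not part of the original page: it computes the base address and wildcard mask for an address range using the page's rule, and checks the answer by expanding a base/wildcard pair back into the range it covers. Function names and the inputs are my own.

```python
import ipaddress

# Block sizes the page lists; a wildcard mask can only describe an aligned
# block whose size is a power of two.
BLOCK_SIZES = (4, 8, 16, 32, 64)

def block_size_for(count):
    """Smallest listed block size that can hold `count` networks or hosts."""
    for size in BLOCK_SIZES:
        if size >= count:
            return size
    raise ValueError("range too large for the block sizes listed on the page")

def wildcard_for_range(first, last):
    """Base address and wildcard mask of the smallest aligned block covering
    first..last (inclusive); raises if the range does not start on a block boundary."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    wild = 0                      # grow to the smallest 2^n - 1 that spans the range
    while wild < hi - lo:
        wild = (wild << 1) | 1
    if lo & wild:
        raise ValueError("range does not start on a %d-address block boundary" % (wild + 1))
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(wild))

def address_range(base, wildcard):
    """Inverse check: the first and last address a base/wildcard pair matches."""
    b, w = (int(ipaddress.IPv4Address(a)) for a in (base, wildcard))
    return str(ipaddress.IPv4Address(b & ~w)), str(ipaddress.IPv4Address(b | w))
```

For the page's example, wildcard_for_range("202.202.8.0", "202.202.15.255") returns ("202.202.8.0", "0.0.7.255"), and a range such as 202.202.9.0 to 202.202.16.0 is rejected because it does not start on a block boundary.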
standard IP Access List example
router(config)#access-list 10 deny 172.16.40.0 0.0.0.255
router(config)#access-list 10 permit any (equivalent to permit 0.0.0.0 255.255.255.255)
After the access list has been defined, it is applied to an interface as follows:
router(config)#int e0
router(config-if)# ip access-group 10 out
The result is that packets from the 172.16.40.0 network are stopped from leaving Ethernet 0, while all other traffic is permitted by the second line.
extended ip Access List
In the standard IP access list above, notice that you can only block a whole subnet from reaching somewhere. What if you want it to be denied access to only a few servers? A standard access list cannot restrict users to part of the network, but an extended IP access list can solve this problem: it lets you select both the source and the destination IP address, and also a port number.
router(config)#access-list 110 deny ?
tcp
ip
..........
Here you choose the protocol the list matches on, which is very important. If you want to filter at the application level, you must choose a protocol that lets you go beyond the network layer. For example, to filter Telnet or FTP you must choose tcp; if you choose ip, you stay at the network layer and cannot filter on anything higher.
router(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23
This line prevents all TCP packets destined for port 23 (Telnet) on 172.16.30.2 from passing; the keyword telnet can be used in place of 23, and to block FTP you would match port 21 (eq ftp) instead.
But applied by itself, this list would deny all traffic, because anything that does not match a line in the access list is dropped by the implicit deny at the end, so you have to add a permit line and then apply the list to the interface:
router(config)#access-list 110 permit ip any any
router(config-if)# ip access-group 110 in
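An added example, not part of the original page, that models the three comparison rules from the top of the page (top-down order, first match wins, implicit deny) and the standard-versus-extended matching described in this section, using the page's own list 10 and list 110 statements as input. The parser handles only the syntax forms shown on this page (any, host, address plus wildcard, eq port) and is my own code, not Cisco's.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to on the page

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    # a bare address with no wildcard means a single host (wildcard 0.0.0.0)
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return (tok, wild)

def parse_line(text):
    """Turn one 'access-list' statement into a dictionary of match fields."""
    t = text.split()
    number, action = int(t[1]), t[2]
    if number <= 99:                       # standard list: source address only
        return {"action": action, "proto": "ip", "src": parse_addr(t[3:])}
    rest = t[4:]                           # extended: proto src dst [eq port]
    line = {"action": action, "proto": t[3],
            "src": parse_addr(rest), "dst": parse_addr(rest)}   # evaluated left to right
    if rest[:1] == ["eq"]:
        line["dport"] = int(rest[1])
    return line

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)            # a 1 bit in the wildcard means "do not care"

def line_matches(line, pkt):
    if line["proto"] not in ("ip", pkt["proto"]):   # 'ip' matches every protocol
        return False
    if not wildcard_match(pkt["src"], *line["src"]):
        return False
    if "dst" in line and not wildcard_match(pkt["dst"], *line["dst"]):
        return False
    return line.get("dport") in (None, pkt.get("dport"))

def evaluate(acl, pkt):
    """Compare top to bottom; the first match decides; implicit deny at the end."""
    for line in acl:
        if line_matches(line, pkt):
            return line["action"]
    return "deny"

ACL10 = [parse_line(s) for s in ("access-list 10 deny 172.16.40.0 0.0.0.255",
                                 "access-list 10 permit any")]
ACL110 = [parse_line(s) for s in ("access-list 110 deny tcp any host 172.16.30.2 eq 23",
                                  "access-list 110 permit ip any any")]
```

Evaluating ACL110 without its final permit line against any non-matching packet returns "deny", which is the implicit deny the text warns about.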
monitoring ip access lists
show access-list: shows all access lists on the router, but not which interface each list is applied to
show access-list 110: shows only list 110, again without showing which interface it is applied to
show ip access-list: shows only the IP access lists on the router
show ip interface: shows which access lists are applied to which interfaces
show run: shows all access lists and the interfaces they are applied to
IPX access lists
IPX standard: filters on source and destination network or host number (list numbers 800-899)
IPX extended: filters on source and destination network or host number plus socket number (list numbers 900-999)
IPX SAP filter: controls SAP traffic (list numbers 1000-1099)
IPX standard example: router(config)#access-list 810 permit 20 40
router(config)#int e0
router(config-if)#ipx access-group 810 out
IPX extended syntax: access-list number permit/deny protocol source socket destination socket
IPX SAP syntax: access-list number permit/deny source service-type
access-list 1010 permit -1 4 sales (-1 = any network, 4 = service type, sales = SAP server name)
router(config-if)#ipx input-sap-filter 1010 (filters the SAP updates received on the interface)
router(config-if)#ipx output-sap-filter 1010 (stops the regular 60-second SAP updates for the listed SAPs from leaving the interface)
verify ipx access lists
router#sh ipx int
router#sh ipx access
Article entry: csh Editor in charge: csh