packetlife.net
by Jeremy Stretch
v2.0
IOS IP
V
4 A
CCESS
L
ISTS
Standard ACL Syntax
permit
Actions
deny
remark
evaluate
Allow matched packets
Deny matched packets
Record a configuration comment
Evaluate a reflexive ACL
Extended ACL Syntax
! Legacy syntax
access-list <number> {permit | deny}
<source>
[log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny}
<source>
[log]
ACL Numbers
TCP Options
1-99
1300-1999
IP standard
100-199
2000-2699
IP extended
200-299 Protocol
300-399 DECnet
400-499 XNS
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
! Legacy syntax
access-list <number> {permit | deny}
<protocol>
<source> [<ports>]
<destination> [<ports>]
[<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny}
<protocol>
<source> [<ports>]
<destination> [<ports>]
[<options>]
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
urg
established
Match URG flag
Source/Destination Definitions
any Any address
host <address> A single address
<network> <mask> Any address matched by the wildcard mask
IP Options
dscp <DSCP> Match the specified IP DSCP
fragments Check non-initial fragments
option <option> Match the specified IP option
precedence {0-7} Match the specified IP precedence
ttl <count> Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port>
Not equal to
lt <port>
Greater than
range <port> <port> Matches a range of port numbers
neq <port>
gt <port>
Equal to
Less than
Miscellaneous Options
reflect <name> Create a reflexive ACL entry
time-range <name> Enable rule only during the given time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}
Match packets in an
established session
Logging Options
log Log ACL entry matches
log-input
Log matches including
ingress interface and
source MAC address
Wyszukiwarka
Podobne podstrony:
Access Lists
Access Lists 2
Dungeons and Dragons 3 5 Accessory Color Character Sheets with Multiple Spell Lists
All About Access Control Lists
2007 09 Access Control List (ACL) – dostęp do obiektów NET
04 QueryByExample Access
Access 2002 Projektowanie baz danych Ksiega eksperta ac22ke
access 4 progress check unit 6,7,8, Access 4 Progress Check 6
Access 3 Test 7 A
NS2 lab 4 4 7 en Configure Cisco IOS IPSec using Pre Shared Keys
Configuration Guide WAN Access(V100R006C00 02)
access programowanie w vba
Access to History 001 Gas Attack! The Canadians at Ypres, 1915
Ćwiczenie nr 1 (Access 2007)
Open Access and Academic Journal Quality
access 3
więcej podobnych podstron