Difference between revisions of "Access-list Cisco IOS"

From Teknologisk videncenter
Revision as of 09:25, 19 March 2009

Cisco Access-list acl

Placement of Access-lists

  • The general rule is to place extended ACLs as close as possible to the source of the traffic being denied.
  • Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

Standard IP access lists

Standard IP access lists are the numbered access lists from 1 to 99. A standard access list checks only the source IP address. Example:

interface fastethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group 1 in
!
access-list 1 permit 10.1.1.0 0.0.0.255 

Extended IP access lists

Extended IP access lists are the numbered access lists from 101 to 199 and 2000 to 2699. An extended access list can check both source and destination IP addresses as well as protocol-specific information (IP, TCP, UDP, ICMP). Example:

interface Ethernet0/1 
 ip address 172.16.1.2 255.255.255.0 
 ip access-group 101 in 
!
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 101 permit ip any 10.1.1.0 0.0.0.255

IP named access lists

With IP named access lists you can give standard and extended access lists names instead of numbers. Example:

interface Ethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group TELNET-IN in
!
ip access-list extended TELNET-IN 
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet 

Protecting telnet management

To prevent unauthorized users from accessing the router, you can apply an access list to the vty lines with access-class:

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
!
line vty 0 4
 access-class 100 in
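To make the matching rules above concrete (wildcard masks, source-only standard lists, protocol and port qualifiers in extended lists, and the implicit deny at the end of every list), here is a small evaluator written for this page; it is added example code, not part of the original article or any Cisco tool. It assumes the simplified ACE syntax used in the examples above (any / host / address+wildcard, "eq" ports, ICMP type keywords) and ignores features such as port ranges or "established".

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22}      # IOS port keywords -> numbers (subset, assumed)
ICMP = {"echo": 8, "echo-reply": 0}    # IOS ICMP keywords -> type numbers (subset, assumed)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A W' (standard ACL may omit W); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1] if len(tokens) > 1 else "0.0.0.0", tokens[2:]

def parse_ace(line, standard=False):
    """Parse one ACE; 'access-list N ...' picks standard/extended by number,
    a bare 'permit/deny ...' line (named ACL) is extended unless standard=True."""
    t = line.split()
    if t[0] == "access-list":
        number, t = int(t[1]), t[2:]
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
    action, t = t[0], t[1:]
    if standard:                              # standard ACL: source address only
        src, swc, _ = _addr(t)
        return {"action": action, "proto": "ip", "src": (src, swc), "dst": None, "qual": None}
    proto, (src, swc, t) = t[0], _addr(t[1:])
    dst, dwc, t = _addr(t)
    qual = None                               # destination port (tcp/udp) or ICMP type
    if t and t[0] == "eq":
        qual = PORTS[t[1]] if t[1] in PORTS else int(t[1])
    elif t and proto == "icmp":
        qual = ICMP[t[0]]
    return {"action": action, "proto": proto, "src": (src, swc), "dst": (dst, dwc), "qual": qual}

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; anything unmatched hits the implicit 'deny any'
    that ends every IOS access list. pkt['qual'] = dst port or ICMP type."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]): continue
        if not wildcard_match(pkt["src"], *ace["src"]): continue
        if ace["dst"] and not wildcard_match(pkt["dst"], *ace["dst"]): continue
        if ace["qual"] is not None and ace["qual"] != pkt.get("qual"): continue
        return ace["action"]
    return "deny"
```

Feeding it the page's access-list 101 shows why the order matters: an ICMP echo to 10.1.1.0/24 is dropped by the first line, while an echo-reply falls through to the "permit ip" line, and any traffic to another subnet is dropped by the implicit deny.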

Links

Cisco ACL: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#acltypes (also available on this wiki as the PDF confaccesslists.pdf)