Access Lists for Routed Traffic

ACCESS-LISTS - ROUTED TRAFFIC

Ip access-list extended MyPolicy <- or "standard"

Permit tcp any any eq www

Deny ip any any

Interface serial 0

Ip access-group MyPolicy out

Username Ben password cisco

Username Ben autocommand access-enable

access-list 101 permit icmp any any

access-list 101 permit tcp any any gt 1023

access-list 101 dynamic MyKeyword timeout 60 permit tcp host 10.1.1.1 host 20.1.1.1 eq telnet

int serial 0

List of "Permit Any"s

IP any

IPX -1

Additional-zones

LSAP 0x0000 0xFFFF

login local

Additional Commands

Access-list 800 deny AAA FFFFFFFF

Access-list 800 permit -1

IPX Extended

Access-list 901 deny rip any any

Access-list 901 permit any 700.0000.0000.0000.0000 FF.FFFF.FFFF.FFFF.FFFF <- denies 700-7FF

Access-list 901 deny any any 452 <- denies all saps

For routes:

Ipx access-group 901 in|out

For RIP routes:

Ipx output-network-filter or input-network-filter

On EIGRP:

Ipx router eigrp 100

SYN set, and is denied

SAP Filters:

Access-list 1001 deny -1 4 <- denies all file servers

Access-list 1001 deny AA <- denies any sap from AA

Access-list 1001 deny -1 0 tex* <- denies all saps with name starting with "tex"

On interface:

Ipx input-sap-filter

Ipx output-sap-filter

Ipx output-gns-filter

Ipx router-sap-filter

Dialer lists

Access-list 901 deny -1 ffffffff 0 ffffffff rip

Access-list 901 deny -1 ffffffff 0 ffffffff sap

Access-list 901 permit -1

Spot The Issue

• By default, access-lists are OUT. Make sure you use the keyword IN or OUT anyway.

such things as routing protocols or other things you configured beforehand

then drops the telnet! Also, could put "autocommand access-enable" under the vty line, but this means that no one could telnet to the router anymore.

• REMEMBER: PERMIT RETURN TRAFFIC! Gt 1023 esta

cable-ranges, if one of the cable ranges is filtered, the entire zone is filtered. Use appletalk permit-partial-zones.

access-list impacts the ZIT. When in doubt, save and reload!

Appletalk permit-partial-zones

GNS or ZIP filter and is applied on the interface

Access-list 600 permit cable-range 10-20

Access-list 600 permit includes 50-60 <- 40-70

Access-list 600 permit other-access

GZL filters are for end system filtering. ZIP filters are for inter router filtering.

Access-list 301 deny 10.30 0.1

Access-list 301 deny 10.32 0.31

Access-list 301 permit 0.0 63.1023 <- permit any

interface ethernet 0

decnet access-group 300

Date posted: 19/10/2013, 02:15