ACCESS-LISTS - ROUTED TRAFFIC
Key Commands
Named IP (11.2+)
ip access-list extended MyPolicy      <- or "standard"
 permit tcp any any eq www
 deny ip any any
interface serial 0
 ip access-group MyPolicy out
Dynamic access-list (lock-and-key)
username Ben password cisco
username Ben autocommand access-enable
!
access-list 101 permit icmp any any
access-list 101 permit tcp any any gt 1023
access-list 101 dynamic MyKeyword timeout 60 permit tcp host 10.1.1.1 host 20.1.1.1 eq telnet   <- timeout is absolute, in minutes
interface serial 0
 ip access-group 101 in
line vty 0 4
 login local
Note: the static part of the list must still permit the Telnet session to the router itself (tcp ... eq telnet to the router's address), otherwise the user never reaches the login that triggers access-enable.
Shows and Debugs
List of "Permit Any"s
IP:            any
IPX:           -1
AppleTalk:     other-access, additional-zones
DECnet:        0.0 63.1023
NetBIOS names: *
IP AS-path:    .*              <- don't forget the "."
LSAP:          0x0000 0xFFFF
Canonical to non-canonical: reverse the bit order of every byte, byte by byte.
5a32 -> 5a 32
  32 = 0011 0010; flip each nibble: 1100 0100 -> C 4; flip the nibble order: 4 C -> 4c
  5a = 0101 1010 reverses to itself -> 5a (coincidence)
so: 5a32 = 5a4c
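The per-byte flip worked by hand above, as an added example (not part of the cheat sheet): Ethernet uses canonical (LSB-first) bit order and Token Ring non-canonical (MSB-first), so the same MAC address is written differently on each medium and bridging between them means reversing the bits of every byte. The function names and the sample addresses are this example's own; the conversion is its own inverse.

```python
# Added example, not from the cheat sheet: canonical (Ethernet, LSB-first) to
# non-canonical (Token Ring, MSB-first) MAC conversion. Each byte's bit order is
# reversed; the conversion is its own inverse, so it also goes the other way.


def reverse_byte(b: int) -> int:
    """Reverse the eight bits of one byte, e.g. 0x32 = 0011 0010 -> 0100 1100 = 0x4c."""
    if not 0 <= b <= 0xFF:
        raise ValueError("not a byte")
    return int(f"{b:08b}"[::-1], 2)


def flip_mac(mac: str) -> str:
    """Convert a MAC given as '5a32', '00:00:0c:12:34:56' or '0000.0c12.3456'
    between canonical and non-canonical form. Returns lowercase hex, no separators."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in %r" % mac)
    return bytes(reverse_byte(b) for b in bytes.fromhex(digits)).hex()


def cisco_dotted(hexdigits: str) -> str:
    """Format 12 hex digits as Cisco's xxxx.xxxx.xxxx."""
    if len(hexdigits) != 12:
        raise ValueError("need 12 hex digits")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def show_work(mac: str) -> list:
    """Per-byte worked steps: (hex in, binary in, binary reversed, hex out)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    steps = []
    for b in bytes.fromhex(digits):
        r = reverse_byte(b)
        steps.append((f"{b:02x}", f"{b:08b}", f"{r:08b}", f"{r:02x}"))
    return steps


if __name__ == "__main__":
    for step in show_work("5a32"):
        print(" -> ".join(step))
    print("5a32 ->", flip_mac("5a32"))
    # A full (constructed) Ethernet address and its Token Ring spelling
    print(cisco_dotted(flip_mac("0000.0c12.3456")))
```

Running it prints the 32 -> 4c and 5a -> 5a steps and gives 5a4c; note that 5a is not special, any byte whose bit pattern is a palindrome (00, ff, 5a, a5, ...) maps to itself.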
Additional Commands
IPX standard
access-list 800 deny AAA FFFFFFFF
access-list 800 permit -1
IPX extended
access-list 901 deny rip any any
access-list 901 permit any 700.0000.0000.0000.0000 FF.FFFF.FFFF.FFFF.FFFF   <- the FF network mask covers networks 700-7FF
access-list 901 deny any any 452                                             <- denies all SAPs (socket 452)
For routed packets:
 ipx access-group 901 in|out
For RIP routes:
 ipx input-network-filter 901 | ipx output-network-filter 901
On EIGRP:
 ipx router eigrp 100
  distribute-list 901 in|out
IP "established": the parameter matches TCP packets with the ACK or RST bit set. The initial packet of a connection has only SYN set, so it does not match and, absent another permit, is denied.
SAP Filters:
access-list 1001 deny -1 4        <- denies all file servers (SAP type 4)
access-list 1001 deny AA          <- denies any SAP from network AA
access-list 1001 deny -1 0 tex*   <- denies all SAPs with a name starting with "tex"
On interface:
 ipx input-sap-filter 1001
 ipx output-sap-filter 1001
 ipx output-gns-filter 1001
 ipx router-sap-filter 1001
Dialer lists
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF rip   <- keep periodic RIP updates from bringing the link up
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF sap   <- same for SAP updates
access-list 901 permit -1
dialer-list 1 protocol ipx list 901
Spot The Issue
• By default, access-lists are applied OUT. Specify IN or OUT explicitly anyway.
• When applying a filter, remember NOT to deny routing protocols or other things you configured beforehand.
• A dynamic access-list authenticates the user and then drops the Telnet session! You could put "autocommand access-enable" under the vty line instead, but then nobody can Telnet to the router for anything else.
• REMEMBER: PERMIT RETURN TRAFFIC! ("gt 1023 established")
• In AppleTalk, if a zone exists on multiple cable-ranges and one of the cable-ranges is filtered, the entire zone is filtered. Use appletalk permit-partial-zones.
• It can take a couple of minutes before an access-list impacts the ZIT (zone information table). When in doubt, save and reload!
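The "established" note and the "permit return traffic" reminder above, worked through as an added example (not part of the cheat sheet): a small first-match evaluator for IOS-style extended IP ACLs. The Packet and Ace classes, the inbound list and the addresses are constructed for this example; the semantics (first match wins, implicit deny at the end, "established" = ACK or RST bit set) are IOS behaviour.

```python
# Added example, not from the cheat sheet: a first-match evaluator for IOS-style
# extended IP ACLs, used to show why "permit tcp any any gt 1023 established"
# lets replies to our own connections back in while still dropping a fresh SYN
# to a high port. Packet and Ace are this example's own classes.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)   # TCP flag names


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything, else "tcp"/"udp"/"icmp"
    src: str = "any"            # "any", "host a.b.c.d" or a.b.c.d/len
    dst: str = "any"
    dport: Optional[tuple] = None   # ("eq", 23), ("gt", 1023), ("lt", n), ("neq", n)
    established: bool = False   # IOS "established": ACK or RST bit set


def _addr_in(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(cond: Optional[tuple], port: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "neq": port != n, "gt": port > n, "lt": port < n}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_in(ace.src, pkt.src) and _addr_in(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not _port_ok(ace.dport, pkt.dport):
        return False
    # The first SYN of a connection carries neither ACK nor RST, so it never
    # matches an "established" entry; replies (SYN/ACK, ACK, RST) do.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Inbound list for the outside interface: reach our web server, and let replies
# to connections opened from inside come back. Addresses are constructed.
INBOUND = [
    Ace("permit", "tcp", dst="host 10.1.1.1", dport=("eq", 80)),
    Ace("permit", "tcp", dport=("gt", 1023), established=True),
]

CLIENT_TO_WEB = Packet("tcp", "20.1.1.5", "10.1.1.1", 40000, 80, frozenset({"SYN"}))
REPLY_TO_US = Packet("tcp", "20.1.1.9", "10.1.1.7", 80, 51000, frozenset({"SYN", "ACK"}))
SYN_TO_HIGH = Packet("tcp", "20.1.1.9", "10.1.1.7", 40001, 51000, frozenset({"SYN"}))
TELNET_IN = Packet("tcp", "20.1.1.9", "10.1.1.7", 40002, 23, frozenset({"SYN"}))

if __name__ == "__main__":
    for name, p in [("client to web", CLIENT_TO_WEB), ("reply to us", REPLY_TO_US),
                    ("SYN to high port", SYN_TO_HIGH), ("telnet in", TELNET_IN)]:
        print(f"{name:18} -> {evaluate(INBOUND, p)}")
```

The SYN/ACK reply is permitted, the bare SYN to the same high port is denied, and the Telnet attempt falls through to the implicit deny. Keep in mind that "established" only inspects flag bits and keeps no connection state: a packet with ACK set and no matching connection (an ACK scan, for example) passes the second entry just the same, which is the caveat that makes stateful inspection preferable where it is available.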
appletalk permit-partial-zones
When filtering a zone, the access-list is used by a GZL (getzonelist) or ZIP reply filter and is applied on the interface (appletalk getzonelist-filter / appletalk zip-reply-filter):
access-list 600 permit cable-range 10-20
access-list 600 permit includes 50-60   <- matches any cable-range that overlaps 50-60, so 40-70 would be permitted! "within" is the other way around: the network's cable-range must lie entirely inside 50-60
access-list 600 permit other-access
On interface:
 appletalk access-group 600 in|out
GZL filters are for end-system filtering (what workstations see in the zone list).
ZIP filters are for inter-router filtering.
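The cable-range, includes and within keywords written out as predicates, as an added example (not part of the cheat sheet), so the "includes 50-60 permits 40-70" surprise can be checked. The list here drops the "permit other-access" entry so the implicit deny is visible; the function names are this example's own.

```python
# Added example, not from the cheat sheet: the three cable-range keywords of an
# IOS AppleTalk access list as predicates. ACL600 is this example's own list.


def parse_range(text: str) -> tuple:
    """'50-60' -> (50, 60); a single network '55' -> (55, 55)."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if lo > hi:
        raise ValueError(f"bad cable-range {text!r}")
    return lo, hi


def cable_range_matches(keyword: str, acl_range: tuple, net_range: tuple) -> bool:
    a_lo, a_hi = acl_range
    n_lo, n_hi = net_range
    if keyword == "cable-range":     # the network's range must be exactly this one
        return (n_lo, n_hi) == (a_lo, a_hi)
    if keyword == "includes":        # any overlap at all: 40-70 overlaps 50-60
        return n_lo <= a_hi and n_hi >= a_lo
    if keyword == "within":          # the network's range must fit entirely inside
        return a_lo <= n_lo and n_hi <= a_hi
    raise ValueError(f"unknown keyword {keyword!r}")


def evaluate(acl: list, net_range: tuple) -> str:
    """acl: (action, keyword, 'lo-hi') tuples; first match wins, implicit deny otherwise."""
    for action, keyword, text in acl:
        if keyword == "other-access":
            return action
        if cable_range_matches(keyword, parse_range(text), net_range):
            return action
    return "deny"


# The cheat-sheet list minus "permit other-access", so the implicit deny shows.
ACL600 = [
    ("permit", "cable-range", "10-20"),
    ("permit", "includes", "50-60"),
]

if __name__ == "__main__":
    for rng in ("10-20", "10-15", "40-70", "55", "100-110"):
        print(f"{rng:8} -> {evaluate(ACL600, parse_range(rng))}")
```

10-20 and 40-70 come back permit (exact match and overlap respectively), 10-15 is denied because cable-range wants an exact match, and 100-110 hits the implicit deny. Swapping "includes" for "within" in ACL600 turns 40-70 into a deny, which is the direction the cheat sheet warns about.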
DECnet: filter routers 30-63 in area 10
access-list 301 deny 10.30 0.1          <- nodes 10.30-10.31
access-list 301 deny 10.32 0.31         <- nodes 10.32-10.63
access-list 301 permit 0.0 63.1023      <- permit any
interface ethernet 0
 decnet access-group 301
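Why 30-63 takes two deny lines, as an added example (not part of the cheat sheet): a DECnet mask is a wildcard (a 1 bit means "don't care"), so one entry can only express a power-of-two aligned block of node numbers. The helper below splits any node range into such blocks and generates the deny lines, and a matcher checks the result really covers nodes 30-63 of area 10 and nothing else. The function names are this example's own.

```python
# Added example, not from the cheat sheet: DECnet wildcard masks. An address is
# area.node (area 1-63, node 1-1023); in the mask a 1 bit means "don't care",
# so "10.32 0.31" matches nodes 32-63 of area 10. range_to_wildcards() splits a
# node range into the aligned power-of-two blocks such a mask can express.


def range_to_wildcards(lo: int, hi: int) -> list:
    """Split [lo, hi] into aligned blocks; returns (base, wildcard) pairs."""
    if lo > hi or lo < 0:
        raise ValueError("bad range")
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned on its own size and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, size - 1))
        lo += size
    return out


def decnet_deny_lines(acl: int, area: int, lo: int, hi: int) -> list:
    return [f"access-list {acl} deny {area}.{base} 0.{mask}"
            for base, mask in range_to_wildcards(lo, hi)]


def _split(addr: str) -> tuple:
    area, node = addr.split(".")
    return int(area), int(node)


def decnet_matches(addr: str, entry: str, mask: str) -> bool:
    """True if addr matches entry under mask (mask bit 1 = ignore that bit)."""
    a_area, a_node = _split(addr)
    e_area, e_node = _split(entry)
    m_area, m_node = _split(mask)
    return ((a_area & ~m_area) == (e_area & ~m_area)
            and (a_node & ~m_node) == (e_node & ~m_node))


def nodes_matched(area: int, entries: list) -> set:
    """Which nodes of an area hit any (entry, mask) pair; used to check coverage."""
    return {n for n in range(1, 1024)
            if any(decnet_matches(f"{area}.{n}", e, m) for e, m in entries)}


if __name__ == "__main__":
    for line in decnet_deny_lines(301, 10, 30, 63):
        print(line)
    print("access-list 301 permit 0.0 63.1023   <- permit any")
```

The generator reproduces the two cheat-sheet lines exactly (30 is only 2-aligned, so 30-31 is one block; 32 is 32-aligned, so 32-63 is the next), and a range such as 1-1023 needs ten entries, which is the usual reason to write the permit-any "0.0 63.1023" last rather than enumerate what is allowed.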
...