Lecture Notes For CCNA

CHAPTER 6 - SECURITY

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Access-lists

processed top-down in sequential order until a match is made; first match wins and the rest of the list is not checked, so order matters (specific lines before general ones)
implied deny any at end of every list - a packet that matches no line is dropped, so a list with only deny lines blocks all traffic; there must be at least one permit

standard ip access list filters on source addr. only (no dest, protocol or port), so place it close to the destination or it blocks more than intended


1-99 (expanded range 1300-1999)
access-list # permit|deny source wildcard, eg access-list 10 permit 10.0.0.5 0.0.0.0 (wildcard defaults to 0.0.0.0 if omitted)

in and out are from the router's perspective: in = packets arriving on the interface, out = packets leaving the router through it

ip access-group ## in|out (within config t, int e0) - a list does nothing until applied to an interface; one list per direction per interface
wildcard matching: std, ext: inverse of the subnet mask (0 bit = must match, 1 bit = don't care), eg 0.0.0.255 matches every host in a /24

extended filters on source, dest, protocol (ip, tcp, udp, icmp) and port, so place it close to the source

100-199 (expanded range 2000-2699)
access-list # permit|deny protocol source wildcard dest wildcard [eq port]

access-list 110 permit tcp host 172.x.x.x host y.y.y.y eq 8080

access-list 110 permit tcp 172.x.x.0 0.0.0.255 host y.y.y.y eq 8080 (wildcard is required in extended lists; only standard lists default it)
access-list 110 permit tcp any any eq www
host x.x.x.x is the same as x.x.x.x 0.0.0.0
any is the same as 0.0.0.0 255.255.255.255
port is a port no. or well known service name: www, smtp, pop3 etc.
protocol is tcp, udp, icmp or ip (ip matches every protocol); eq/gt/lt/range ports only apply to tcp and udp, icmp is matched on message type (echo, echo-reply), not port
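Added example, not from the CCNA notes: a small simulator of the access-list behaviour described above (top-down first match, wildcard masks, implied deny any, per-line match counters, and the standard vs extended syntax). The function and class names (parse_acl, evaluate, Packet, Entry) and the sample list are my own constructions, not IOS output. It accepts only the syntax subset used in these notes, and it rejects the two mistakes IOS also rejects: an extended line with no wildcard mask after a network address, and "eq <port>" on icmp.

```python
# Added example (not from the CCNA notes): a small simulator of Cisco IOS numbered
# access-list semantics: top-down first match, wildcard masks, and the implied
# "deny any" at the end. Accepts only the syntax subset shown in the notes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # what the 'any' keyword expands to
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "telnet": 23, "ftp": 21, "domain": 53}

def wildcard_match(addr, network, wildcard):
    """Wildcard mask = inverse subnet mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def _take_addr(tokens, allow_default):
    """Consume 'any' | 'host X' | 'X WILDCARD'. Standard lists may omit the wildcard
    (defaults to 0.0.0.0, i.e. that one host); extended lists must give it, as IOS does."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:     # next token is a dotted quad
        return (tokens[0], tokens[1]), tokens[2:]
    if not allow_default:
        raise ValueError(f"wildcard mask required after {tokens[0]} in an extended list")
    return (tokens[0], "0.0.0.0"), tokens[1:]

@dataclass
class Entry:
    action: str
    proto: str                  # "ip" for standard lists: matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]        # ANY for standard lists (source only)
    port: Optional[int]
    log: bool
    text: str
    matches: int = 0            # the per-line counter 'show access-lists' prints

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines of one list, in the order given."""
    entries, number = [], None
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        n, action, rest = int(t[1]), t[2], t[3:]
        if action not in ("permit", "deny") or number not in (None, n):
            raise ValueError(f"bad action or mixed list numbers: {line}")
        number = n
        log = rest[-1:] == ["log"]
        if log:
            rest = rest[:-1]
        if 1 <= n <= 99:                            # standard: source address only
            src, rest = _take_addr(rest, allow_default=True)
            entries.append(Entry(action, "ip", src, ANY, None, log, line))
        elif 100 <= n <= 199:                       # extended: proto, src, dst, [eq port]
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest, allow_default=False)
            dst, rest = _take_addr(rest, allow_default=False)
            port = None
            if rest[:1] == ["eq"]:
                if proto not in ("tcp", "udp"):     # icmp and ip have no ports
                    raise ValueError("'eq <port>' only applies to tcp or udp")
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            entries.append(Entry(action, proto, src, dst, port, log, line))
        else:
            raise ValueError(f"list {n}: only standard 1-99 and extended 100-199 handled")
    return entries

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins and bumps that line's counter. No match falls through
    to the implied 'deny any', reported as index None since it is not a visible line."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.port is not None and e.port != pkt.dport:
            continue
        e.matches += 1
        return e.action, i
    return "deny", None

def show_access_lists(entries: List[Entry]) -> List[str]:
    """The useful part of 'show access-lists': each line with its match count."""
    return [f"{e.text}  ({e.matches} matches)" for e in entries]

if __name__ == "__main__":
    acl = parse_acl([                               # constructed sample list
        "access-list 110 permit tcp host 172.16.1.5 host 10.1.1.20 eq 8080",
        "access-list 110 permit tcp 172.16.1.0 0.0.0.255 host 10.1.1.20 eq www",
        "access-list 110 deny ip 172.16.1.0 0.0.0.255 any log",
        "access-list 110 permit tcp any any eq smtp",
    ])
    for p in (Packet("172.16.1.5", "10.1.1.20", "tcp", 8080),
              Packet("172.16.1.77", "10.1.1.20", "tcp", 8080),
              Packet("192.168.5.5", "10.1.1.20", "udp", 53)):
        print(p, "->", evaluate(acl, p))
    print("\n".join(show_access_lists(acl)))
```

Worth noticing in the sample list: a host on 172.16.1.0/24 sending to port 8080 is denied by line 3 even though line 1 permits 8080, because line 1 only matches one host and line 2 only matches www; and a UDP packet from an unlisted source matches nothing and is dropped by the implied deny, which never shows up in the counters.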

monitoring access lists

show access-lists

shows all configured lists (all protocols)
shows each line & no. of packets that matched it - the counters tell you whether a line is actually hit, and a line with zero matches below a busy one is probably shadowed
sh ip access-list
shows only ip access lists
sh logging (sh log)
shows the logging buffer, where hits on lines with the log keyword go

add log to end of a line, will log:

acc list #, action, protocol, source addr/port, dest addr/port, no. of packets
logged for the first matching packet, then a summary every 5 min; can be redirected to a syslog server (logging <host>)
logging costs router CPU, so put it on the deny lines you care about, not on every line
clear access-list counters [#]
show run and sh ip int e0 show which access lists are applied on the port and in which direction
sh access-list ## shows just ##
