tailieunhanh - Lecture Access Control Lists: Configuring and Troubleshooting ACLs
After completing this chapter, students will be able to understand: Standard IPv4 ACLs allow you to filter based on source IP address; extended ACLs allow you to filter based on source IP address, destination IP address, protocol, and port number; named ACLs allow you to delete individual statements from an ACL; you can use the show access-lists and show ip interface commands to troubleshoot common ACL configuration errors. | Access Control Lists Configuring and Troubleshooting ACLs Testing Packets with Numbered Standard IPv4 ACLs Purpose: This graphic gives an overview of the type of TCP/IP packet tests that standard access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course. Activates the list on an interface. Sets inbound or outbound testing. no ip access-group access-list-number {in | out} removes the ACL from the interface. ip access-group access-list-number {in | out} Uses 1 to 99 for the access-list-number. The first entry is assigned a sequence number of 10, and successive entries are incremented by 10. Default wildcard mask is (only standard ACL). no access-list access-list-number removes the entire ACL. remark lets you add a description to the ACL. access-list access-list-number {permit | deny | remark} source [mask] RouterX(config)# RouterX(config-if)# Numbered Standard IPv4 ACL Configuration | Access Control Lists Configuring and Troubleshooting ACLs Testing Packets with Numbered Standard IPv4 ACLs Purpose: This graphic gives an overview of the type of TCP/IP packet tests that standard access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course. Activates the list on an interface. Sets inbound or outbound testing. no ip access-group access-list-number {in | out} removes the ACL from the interface. ip access-group access-list-number {in | out} Uses 1 to 99 for the access-list-number. The first entry is assigned a sequence number of 10, and successive entries are incremented by 10. Default wildcard mask is (only standard ACL). no access-list access-list-number removes the entire ACL. remark lets you add a description to the ACL. access-list access-list-number {permit | deny | remark} source [mask] RouterX(config)# RouterX(config-if)# Numbered Standard IPv4 ACL Configuration Layer 2 of 2 Purpose: This layer shows the ip access-group command. Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface, per direction, per protocol is allowed. The ip access-group field descriptions are as follows: list—Number of the access list to be linked to this interface. direction—Default is outbound. Note: Create the access list first before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access list may cause most traffic to be blocked on the interface. To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of Cisco IOS, removing the access list without removing it from the interface can .
đang nạp các trang xem trước