Chapter 7: Understanding Access List Security
Foundation Topics
Filtering IP Traffic
IP access lists perform a variety of functions in a Cisco router. The CCNA exam requires only that
you know how to use access lists to filter packets; access lists can also be used to filter
routing updates and to match packets for prioritization. Filtering is often used to make a network
more secure, hence the name of this chapter. Table 7-2 and Table 7-3 list the more popular
configuration commands and EXEC commands for access lists.
The logic used for access lists can best be summarized by Figure 7-2. In short: the statements in a
list are examined in the order they were entered, the first statement that matches a packet decides
whether it is permitted or denied, and a packet that matches no statement is dropped by the implicit
deny at the end of every list. Statement order therefore matters, and a list that contains only
deny statements blocks all traffic.
Table 7-2  IP Access List Configuration Commands

Command                                                             Configuration Mode and Purpose

access-list {1-99} {permit | deny} source-addr [source-mask]
    Global command for standard numbered access lists

access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand]
    destination-addr [destination-mask] [operator operand] [established]
    Global command for extended numbered access lists

ip access-group {number | name} [in | out]
    Interface subcommand to enable access lists

ip access-list {standard | extended} name
    Global command for standard and extended named access lists

{permit | deny} {source [source-wildcard] | any} [log]
    Standard named access list subcommand

{permit | deny} protocol source-addr [source-mask] [operator operand]
    destination-addr [destination-mask] [operator operand] [established]
    Extended named access list subcommand

access-class {number | name} [in | out]
    Line subcommand for standard or extended access lists

The masks in these commands are wildcard masks, not subnet masks: a 1 bit means "ignore this bit
of the address", so 0.0.0.0 matches exactly one host and 255.255.255.255 (the any keyword) matches
every address. Omitting the mask in a standard list is equivalent to 0.0.0.0. The established
keyword matches only TCP segments that have the ACK or RST bit set, which is how a list admits the
replies to connections opened from the inside without admitting new connections from the outside.
Table 7-3  IP Access List EXEC Commands

Command                         Function

show ip interface
    Includes reference to the access lists enabled on the interface

show access-list
    Shows details of configured access lists for all protocols

show ip access-list [number]
    Shows IP access lists
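The top-down, first-match evaluation described at the start of this section, applied to the numbered-list syntax in Table 7-2, as an added example: this simulator is not from the book and is not Cisco code; the access-list statements and packets it uses are constructed for illustration, and it supports only the numbered standard (1-99) and extended (100-199) forms shown in the table.

```python
"""Simulate Cisco IOS numbered IP access-list evaluation (constructed example).

Statements are compared top-down, the first match decides, and a packet that
matches no statement hits the implicit deny at the end of every list.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF
PORT_OPS = ("eq", "neq", "gt", "lt", "range")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _parse_addr(tok, i):
    """Read an address spec at tok[i]; return (addr, wildcard, next index).
    'host' means wildcard 0.0.0.0, 'any' means 0.0.0.0 255.255.255.255, and a
    bare address with no wildcard (legal on standard lists) is an exact host."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    addr = _ip(tok[i])
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return addr, _ip(tok[i + 1]), i + 2
    return addr, 0, i + 1


def _parse_port(tok, i):
    """Read an optional 'operator operand' after an address; return (spec, next index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        if tok[i] == "range":
            return (tok[i], int(tok[i + 1]), int(tok[i + 2])), i + 3
        return (tok[i], int(tok[i + 1]), None), i + 2
    return None, i


def parse_entry(line):
    """Parse one 'access-list <num> {permit|deny} ...' statement into a dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    num, action = int(tok[1]), tok[2]
    e = {"num": num, "action": action, "proto": "ip",
         "sport": None, "dport": None, "established": False}
    if 1 <= num <= 99:                      # standard: source address only
        e["src"], e["swc"], i = _parse_addr(tok, 3)
        e["dst"], e["dwc"] = 0, ALL_ONES
    elif 100 <= num <= 199:                 # extended: protocol, source, dest, ports
        e["proto"] = tok[3]
        e["src"], e["swc"], i = _parse_addr(tok, 4)
        e["sport"], i = _parse_port(tok, i)
        e["dst"], e["dwc"], i = _parse_addr(tok, i)
        e["dport"], i = _parse_port(tok, i)
        e["established"] = "established" in tok[i:]   # a trailing 'log' is ignored
    else:
        raise ValueError("unsupported list number %d" % num)
    return e


def _addr_match(addr, wc, pkt_addr):
    # Bits where the wildcard is 0 must match exactly; bits where it is 1 are ignored.
    return ((addr ^ pkt_addr) & ~wc & ALL_ONES) == 0


def _port_match(spec, port):
    if spec is None:
        return True
    if port is None:            # protocol without ports (e.g. icmp) never satisfies a port test
        return False
    op, lo, hi = spec
    if op == "eq":
        return port == lo
    if op == "neq":
        return port != lo
    if op == "gt":
        return port > lo
    if op == "lt":
        return port < lo
    return lo <= port <= hi     # range


def _entry_match(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(e["src"], e["swc"], _ip(pkt["src"]))
            and _addr_match(e["dst"], e["dwc"], _ip(pkt["dst"]))):
        return False
    if not (_port_match(e["sport"], pkt.get("sport"))
            and _port_match(e["dport"], pkt.get("dport"))):
        return False
    # 'established' matches only TCP with ACK or RST set: replies, never a new SYN.
    if e["established"] and not (pkt["proto"] == "tcp" and pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True


def evaluate(lines, pkt):
    """Return (action, index of matching statement); index None means the implicit deny fired."""
    for idx, e in enumerate(parse_entry(l) for l in lines):
        if _entry_match(e, pkt):
            return e["action"], idx
    return "deny", None


def pkt(proto, src, dst, sport=None, dport=None, flags=()):
    """Build a constructed packet description for evaluate()."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}


# Constructed sample lists (hypothetical, not from the book).
ACL_101 = [   # let 10.1.1.0/24 browse the web and admit only the replies
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established",
    "access-list 101 deny ip any any log",
]
ACL_102 = [   # same intent, wrong order: the deny shadows the permit
    "access-list 102 deny ip any any",
    "access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 80",
]
ACL_10 = ["access-list 10 permit 10.1.1.0 0.0.0.255"]   # implicit deny does the rest
```

Apply ACL_101 with `ip access-group 101 in` on the outside interface: a SYN from 10.1.1.5 to port 80 is permitted by statement 0, the ACK-bearing reply is permitted by statement 1, and an unsolicited SYN to port 22 on the LAN falls through to statement 2. ACL_102 denies the same web SYN at statement 0, which is the ordering mistake the first-match rule makes easy to commit.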
ch07.fm Page 460 Monday, March 20, 2000 5:14 PM