ACCESS-LISTS - ROUTED TRAFFIC
Key Commands
Named IP (11.2+)
ip access-list extended MyPolicy   <- or "standard"
 permit tcp any any eq www
 deny ip any any
interface serial 0
 ip access-group MyPolicy out
Dynamic access-list (lock-and-key)
username Ben password cisco
username Ben autocommand access-enable
!
access-list 101 permit icmp any any
access-list 101 permit tcp any any gt 1023
access-list 101 dynamic MyKeyword timeout 60 permit tcp host 10.1.1.1 host 20.1.1.1 eq telnet
interface serial 0
 ip access-group 101 in
line vty 0 4
 login local
The user has to telnet to the router through this interface to authenticate, so the
inbound list must also permit telnet (port 23) to the router's own address; "gt 1023"
does not cover that, and without such an entry nobody can ever open the dynamic entry.
"timeout 60" is the absolute timeout in minutes.
List of "Permit Any"s
IP             any
IPX            -1
AppleTalk      other-access (networks / cable-ranges)
               additional-zones (zones)
DECnet         0.0 63.1023
NetBIOS names  *
IP AS-path     .*   <- don't forget the "."
LSAP           0x0000 0xFFFF   <- type code, then wildcard mask
Canonical to non-canonical (Ethernet <-> Token Ring bit order): reverse the
bit order of every byte. Hand method, byte by byte: flip each nibble, then
swap the two nibbles.
5a32 -> bytes 5a and 32.  32 = 0011 0010
  flip each nibble: 1100 0100 -> C 4
  swap the nibbles: 4 C       -> 4c
  5a = 0101 1010 reads the same backwards, so 5a stays 5a (coincidence)
  5a32 = 5a4c
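The conversion above written out as code, as an added example that is not part of the original notes. It implements both the straight per-byte bit reversal and the notes' flip-then-swap hand method and checks they agree, and it extends the idea from the single byte pair in the notes to whole MAC addresses in Cisco dotted, colon or dash notation (the sample addresses are constructed for the illustration):

```python
import re

# Added example, not from the original notes. Ethernet writes MAC addresses in
# canonical (LSB-first) bit order and Token Ring in non-canonical (MSB-first)
# order, so the same hardware address is spelled differently on the two media.
# Converting between them reverses the bit order inside every byte; the byte
# order and the separators stay where they are, and the conversion is its own
# inverse.


def reverse_byte_bits(b: int) -> int:
    """Reverse the 8 bits of one byte: 0x32 = 0011 0010 -> 0100 1100 = 0x4c."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (b & 1)
        b >>= 1
    return out


def hand_method(b: int) -> int:
    """The shortcut from the notes: flip each nibble, then swap the nibbles.

    0x32 -> nibbles 0011, 0010 -> flipped 1100, 0100 (C, 4) -> swapped -> 0x4c.
    This is the same as a straight bit reversal of the byte.
    """
    hi, lo = b >> 4, b & 0xF
    flip = lambda n: int(f"{n:04b}"[::-1], 2)
    return (flip(lo) << 4) | flip(hi)


def convert_address(addr: str) -> str:
    """Convert a hex address between canonical and non-canonical form.

    Accepts Cisco dotted (0000.0c12.3456), colon or dash separated, or bare
    hex such as the notes' "5a32", and keeps the input's separators in place.
    """
    digits = re.sub(r"[.:\-]", "", addr)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError(f"not a whole number of hex bytes: {addr!r}")
    converted = "".join(
        f"{reverse_byte_bits(int(digits[i:i + 2], 16)):02x}"
        for i in range(0, len(digits), 2)
    )
    out, k = [], 0
    for ch in addr:
        if ch in ".:-":
            out.append(ch)
        else:
            out.append(converted[k])
            k += 1
    return "".join(out)


if __name__ == "__main__":
    print(convert_address("5a32"))            # 5a4c
    # constructed sample address; the Cisco OUI 0000.0c becomes 0000.30 on Token Ring
    print(convert_address("0000.0c12.3456"))  # 0000.3048.2c6a
```

Because the operation is an involution, running `convert_address` twice returns the original spelling, which is a quick way to check a hand conversion in either direction.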
Additional Commands
IPX standard (800-899)
access-list 800 deny AAA FFFFFFFF
access-list 800 permit -1
IPX extended (900-999)
access-list 901 deny rip any any
access-list 901 permit any 700.0000.0000.0000 FF.FFFF.FFFF.FFFF   <- network mask FF: matches networks 700-7FF
access-list 901 deny any any 452   <- denies all SAPs (socket 452)
For packets (routed traffic), on the interface:
 ipx access-group 901 in|out
For RIP routing updates, on the interface:
 ipx input-network-filter 901 / ipx output-network-filter 901
For EIGRP routing updates:
ipx router eigrp 100
 distribute-list 901 in|out
The "established" parameter matches TCP segments that carry the ACK (or
RST) flag, i.e. anything after a connection has started. The first packet
of a connection has only SYN set, so it is denied. The check is per packet,
not per connection: any segment with ACK set passes whether or not a session
exists (an ACK scan walks straight through), so this is not a stateful
firewall.
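The behaviour described above, modelled as an added example that is not part of the original notes: it parses constructed TCP headers, applies the `established` test (ACK or RST set), and runs them through a simplified inbound list of the kind in the lock-and-key section, with a "permit tcp any any gt 1023 established" return-traffic line. The ports, flags and the two-entry list are made up for the illustration.

```python
import struct
from dataclasses import dataclass

# Added example, not from the original notes. Models the IOS "established"
# keyword and the "gt 1023 established" return-traffic line on constructed
# TCP headers. Ports, flags and the sample access list are made up.

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Ports and flags from a raw TCP header (at least 20 bytes)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst = struct.unpack_from("!HH", raw, 0)
    return TcpSegment(src, dst, raw[13])  # byte 13 holds the flag bits


def is_established(seg: TcpSegment) -> bool:
    """IOS 'established': true when ACK or RST is set. A bare SYN is not."""
    return bool(seg.flags & (TCP_ACK | TCP_RST))


# Simplified inbound list in the spirit of the lock-and-key example:
# (action, destination-port test, requires "established").
INBOUND = [
    ("permit", lambda s: s.dst_port == 23, False),   # telnet to the router so users can log in
    ("permit", lambda s: s.dst_port > 1023, True),   # return traffic: gt 1023 established
]


def evaluate(acl, seg: TcpSegment) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, port_matches, needs_established in acl:
        if port_matches(seg) and (not needs_established or is_established(seg)):
            return action
    return "deny"


def tcp_header(src: int, dst: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: ports, zero seq/ack, data offset 5,
    flags, window, checksum, urgent pointer."""
    return struct.pack("!HHIIBBHHH", src, dst, 0, 0, 5 << 4, flags, 8192, 0, 0)


def decide(src: int, dst: int, flags: int) -> str:
    """Build a header with these ports/flags and run it through INBOUND."""
    return evaluate(INBOUND, parse_tcp_header(tcp_header(src, dst, flags)))


if __name__ == "__main__":
    print(decide(80, 40000, TCP_SYN | TCP_ACK))  # permit: reply to an outbound web connection
    print(decide(31337, 4444, TCP_SYN))          # deny: an outsider opening a connection inward
    print(decide(31337, 4444, TCP_ACK))          # permit: the stateless weakness, an ACK probe gets in
```

The last case is the one to remember when writing the "permit return traffic" line: `established` only looks at flag bits, so it stops connection attempts, not crafted segments that already carry ACK.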
SAP filters (1000-1099):
access-list 1001 deny -1 4         <- denies all file servers (SAP type 4)
access-list 1001 deny AA           <- denies any SAP from network AA
access-list 1001 deny -1 0 tex*    <- denies all SAPs (type 0 = any type) with a name starting with "tex"
(finish with "access-list 1001 permit -1": the list ends in an implicit deny-everything)
On the interface:
 ipx input-sap-filter 1001
 ipx output-sap-filter 1001
 ipx output-gns-filter 1001
 ipx router-sap-filter 1001
Dialer lists (keep RIP and SAP from bringing the link up):
access-list 901 deny -1 ffffffff 0 ffffffff rip
access-list 901 deny -1 ffffffff 0 ffffffff sap
access-list 901 permit -1
dialer-list 1 protocol ipx list 901
Spot The Issue
AppleTalk: "appletalk permit-partial-zones"
When filtering a zone, the access list is used by a GZL (getzonelist) or
ZIP reply filter and is applied on the interface
(appletalk getzonelist-filter 600 / appletalk zip-reply-filter 600).
access-list 600 permit cable-range 10-20
access-list 600 permit includes 50-60   <- "includes" matches any cable range that
                                           overlaps 50-60, so 40-70 would be
                                           permitted! "within" is the other way
                                           around: only ranges lying entirely
                                           inside 50-60 match.
access-list 600 permit other-access
On interface: appletalk access-group 600 in|out
GZL filters hide zones from end systems (the Chooser's zone list).
ZIP reply filters hide zones from other routers.
DECnet: filter routers 30-63 in area 10
access-list 301 deny 10.30 0.1       <- 10.30-10.31 (mask bits set = don't care)
access-list 301 deny 10.32 0.31      <- 10.32-10.63
access-list 301 permit 0.0 63.1023   <- permit any
!
interface ethernet 0
 decnet access-group 301             <- same number as the list
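The matching rules behind three of the entries above, written out as an added example that is not part of the original notes: the IPX extended-list network mask (700 with mask FF covering 700-7FF), the AppleTalk `includes` versus `within` cable-range tests (the 40-70 case), and the DECnet list 301 with its area.node wildcard masks (a DECnet address is 6 bits of area and 10 bits of node). The sample networks, cable ranges and node addresses are constructed for the illustration.

```python
# Added example, not from the original notes. All three list types below are
# wildcard or range tests, not exact matches, which is what the annotations
# next to the entries are pointing out. Sample values are constructed.


def ipx_network_matches(entry_net: int, net_mask: int, packet_net: int) -> bool:
    """IPX extended list network mask: 1 bits are don't-care (like an IP wildcard)."""
    return (entry_net & ~net_mask) == (packet_net & ~net_mask)


def ipx_network_range(entry_net: int, net_mask: int) -> tuple[int, int]:
    """Lowest and highest network covered when the mask is a run of low-order 1 bits."""
    low = entry_net & ~net_mask
    return low, low | net_mask


def at_includes(entry: tuple[int, int], cable: tuple[int, int]) -> bool:
    """'includes a-b': any cable range that overlaps a-b, even partly."""
    lo, hi = entry
    clo, chi = cable
    return clo <= hi and chi >= lo


def at_within(entry: tuple[int, int], cable: tuple[int, int]) -> bool:
    """'within a-b': only cable ranges lying entirely inside a-b."""
    lo, hi = entry
    clo, chi = cable
    return lo <= clo and chi <= hi


def decnet_to_int(addr: str) -> int:
    """DECnet area.node packed as the 16-bit address: 6 bits of area, 10 bits of node."""
    area, node = (int(x) for x in addr.split("."))
    if not (0 <= area <= 63 and 0 <= node <= 1023):
        raise ValueError(f"bad DECnet address {addr}")
    return (area << 10) | node


def decnet_matches(entry: str, mask: str, addr: str) -> bool:
    """DECnet list masks are written like addresses; 1 bits are don't-care."""
    m = decnet_to_int(mask)
    return (decnet_to_int(entry) & ~m) == (decnet_to_int(addr) & ~m)


# access-list 301 from the notes: deny routers 30-63 in area 10, permit the rest
DECNET_301 = [
    ("deny", "10.30", "0.1"),
    ("deny", "10.32", "0.31"),
    ("permit", "0.0", "63.1023"),
]


def decnet_action(addr: str, acl=DECNET_301) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    for action, entry, mask in acl:
        if decnet_matches(entry, mask, addr):
            return action
    return "deny"


if __name__ == "__main__":
    print([hex(n) for n in ipx_network_range(0x700, 0xFF)])              # ['0x700', '0x7ff']
    print(at_includes((50, 60), (40, 70)), at_within((50, 60), (40, 70)))  # True False
    print([decnet_action(a) for a in ("10.29", "10.30", "10.63", "11.40")])  # permit deny deny permit
```

`ipx_network_range` is only meaningful for a mask that is a run of low-order ones, as in the 700/FF entry; for a mask with holes, use `ipx_network_matches` per network instead.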
• By default, "ip access-group" applies OUT. Type the keyword IN or OUT anyway.
• When applying a filter, do NOT deny things you configured beforehand and
  still need, such as routing protocol updates.
• A dynamic access list authenticates the user and then drops the telnet!
  "autocommand access-enable" could also go under the vty line instead of
  the username, but then nobody could telnet to the router any more.
• REMEMBER: PERMIT RETURN TRAFFIC! (gt 1023, established)
• In AppleTalk, if a zone exists on multiple cable-ranges and one of the
  cable-ranges is filtered, the entire zone is filtered. Use
  "appletalk permit-partial-zones".
• It can take a couple of minutes before an access list affects the ZIT
  (Zone Information Table). When in doubt, save and reload!