http:\\ciscocertifications.info
Router(config-if)# <protocol> access-group <list number> <in|out>
This applies the access list to traffic on the selected interface; for IP lists the command is ip access-group. Out means packets leaving the interface and in means packets entering the interface. If the direction is omitted, IOS defaults to out.
Extended IP Access Lists
Extended IP access lists operate the same way as standard IP access lists, but they use the numbers 100-199 (and the expanded range 2000-2699) instead of 1-99 (and 1300-1999). More options are available: instead of only checking the source address, you can now specify:
· Source address
· Destination address
· IP protocol (TCP, UDP, ICMP, etc.)
· Port information (www, DNS, FTP, etc.)
access-list <number 100-199> <permit|deny> <protocol> <source address> <source wildcard> <destination address> <destination wildcard> [<operator> <port>]
EX: access-list 100 deny tcp 172.18.16.0 0.0.0.255 any eq ftp
The above example denies any FTP (TCP port 21) traffic from 172.18.16.x to any destination address. Remember that every access list ends with an implicit deny of everything, so a list containing only this line blocks all traffic on the interface it is applied to; follow it with an entry that permits ip from any to any if everything else should pass.
ANY can be used to specify any source or destination address and is the same as 0.0.0.0 255.255.255.255.
HOST can be used to specify a single host. host 172.18.16.2 is the same as 172.18.16.2 0.0.0.0.
Extended IP access lists are applied to an interface in the same way as standard IP access lists, with ip access-group <list number> <in|out> in interface configuration mode.
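To make the matching rules concrete, here is an added example (not from this study guide, and not how IOS itself is implemented) in Python that parses access-list lines in the syntax above and evaluates them against constructed packets. It implements the wildcard-mask comparison, the any and host shorthands, the standard (1-99, 1300-1999) and extended (100-199, 2000-2699) number ranges, first-match evaluation, and the implicit deny at the end of every list. The port-name table, the packet dictionaries and the sample lists are assumptions constructed for the example.

```python
"""Evaluate Cisco IOS-style numbered IP access lists against sample packets.

Added example (not from the study guide): parses access-list lines in the
syntax described above, implements wildcard-mask matching, first-match
evaluation and the implicit 'deny' at the end of every list.
"""
import ipaddress

# Assumed subset of the port keywords IOS accepts; numeric ports also work.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "snmp": 161}
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def _ip(s):
    return int(ipaddress.IPv4Address(s))   # raises ValueError on bad input


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit whose wildcard bit is 0.
    A wildcard is the inverse of a subnet mask: 0.0.0.255 means 'compare
    the first 24 bits, ignore the last 8'; 255.255.255.255 matches anything."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _address(tokens, i, wildcard_optional):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (spec, next_i)."""
    tok = tokens[i].lower()
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    if wildcard_optional:                  # standard list: bare address = one host
        return (tokens[i], "0.0.0.0"), i + 1
    raise ValueError(f"missing wildcard mask after {tokens[i]!r}")


def _port(tokens, i):
    """Parse an optional 'eq|neq|lt|gt PORT' at tokens[i]; return (cond, next_i)."""
    if i < len(tokens) and tokens[i].lower() in ("eq", "neq", "lt", "gt"):
        name = tokens[i + 1].lower()
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (tokens[i].lower(), port), i + 2
    return None, i


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a dict."""
    t = line.split()
    if len(t) < 4 or t[0].lower() != "access-list" or t[2].lower() not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(t[1])
    e = {"number": number, "action": t[2].lower()}
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        e["proto"], e["dst"], e["sport"], e["dport"] = "ip", ANY, None, None
        e["src"], i = _address(t, 3, wildcard_optional=True)
    elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
        e["proto"] = t[3].lower()
        e["src"], i = _address(t, 4, wildcard_optional=False)
        e["sport"], i = _port(t, i)                          # operator may follow source
        e["dst"], i = _address(t, i, wildcard_optional=False)
        e["dport"], i = _port(t, i)                          # ... or destination
    else:
        raise ValueError(f"unsupported list number {number}")
    return e


def _port_ok(cond, port):
    if cond is None:
        return True
    if port is None:                       # e.g. ICMP has no ports: cannot match
        return False
    op, n = cond
    return {"eq": port == n, "neq": port != n, "lt": port < n, "gt": port > n}[op]


def matches(e, pkt):
    """Does entry e match packet pkt = {src, dst, proto, sport?, dport?}?"""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])
            and _port_ok(e["sport"], pkt.get("sport")) and _port_ok(e["dport"], pkt.get("dport")))


def evaluate(acl, pkt):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for e in acl:
        if matches(e, pkt):
            return e["action"]
    return "deny"


# Constructed sample lists. ACL_100 is the page's example plus the permit-any
# most people forget; ACL_101 is the page's line alone, which blocks everything.
ACL_100 = [parse_entry(l) for l in (
    "access-list 100 deny tcp 172.18.16.0 0.0.0.255 any eq ftp",
    "access-list 100 permit ip any any")]
ACL_101 = [parse_entry("access-list 101 deny tcp 172.18.16.0 0.0.0.255 any eq ftp")]
ACL_10 = [parse_entry(l) for l in (
    "access-list 10 permit host 172.18.16.2",
    "access-list 10 deny 172.18.16.0 0.0.0.255",
    "access-list 10 permit any")]

if __name__ == "__main__":
    ftp = {"src": "172.18.16.7", "dst": "10.0.0.1", "proto": "tcp", "sport": 40000, "dport": 21}
    web = dict(ftp, dport=80)
    print("ACL 100 ftp:", evaluate(ACL_100, ftp))   # deny
    print("ACL 100 web:", evaluate(ACL_100, web))   # permit
    print("ACL 101 web:", evaluate(ACL_101, web))   # deny: implicit deny at end
```

Running it shows the page's deny line dropping FTP from 172.18.16.x while web traffic from the same subnet passes, and the same line on its own (list 101) dropping the web traffic too, which is the implicit deny at work. ACL 10 shows the standard-list behaviour: host 172.18.16.2 is permitted by the first entry before the subnet-wide deny is reached, so entry order matters as much as content.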
show access-lists
Displays all access lists configured on the router (IP, IPX and any other protocol).
show ip access-lists
Displays only the IP access lists configured on the router.
show ip interface
Shows the IP interface information and indicates any outbound or inbound access lists applied to each interface.
show running-config
Shows the running config, including every access list that has been set up globally and the interfaces to which they are applied.
*Keypoints:
To display the contents of a particular access list, use the "show access-lists <list #>" command. To display the contents of all access lists, enter "show access-lists" without specifying a number.
Know that you should place standard IP access lists close to the destination (they can only filter on source address, so placing them near the source would cut that source off from everything), but that you place extended IP access lists close to the source (they can identify the traffic precisely, so it is dropped before it crosses the network).
You can display your access lists by using the "show access-lists" or "show running-config" commands.
Standard IPX Access Lists
Standard IPX access lists (numbered 800-899) permit or deny packets based upon the source and destination IPX addresses.
This differs from standard IP lists, which only look at the source address.
There are no wildcard masks with IPX and you can use either the Node Address or Network Address.
Router(config)# access-list 810 permit 4b 5c
The above line will only allow packets from network 4b to reach network 5c; with the implicit deny at the end of the list, everything else is dropped. These are applied in a similar way to IP from interface configuration mode: