Chapter 10 IP Access Lists: Standard


Command Line Interface Reference for ProCurve 9300/9400 Series Routing Switches, June 2005

NOTE: This chapter contains information for standard ACLs configured using the ip access-list command. The command manages named and numbered ACLs under the standard ACL configuration level. Numbered ACLs configured using the access-list command are discussed in the section Global CONFIG Commands on page 6-1.

Standard ACL entries match on the packet's source address only; every address parameter below refers to the source of the packet.

delete

Deletes a specific entry from the ACL.

ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# delete 2

Syntax: delete <line-number> [remark <comment-text>]

Use the remark parameter to delete a remark for an ACL entry.

deny

Denies the specified traffic.

ProCurveRS(config)# ip access-list standard "block Telnet"
ProCurveRS(config-std-nacl)# deny host 209.157.22.26 log

Syntax: [no] deny <hostname> | <ip-address> [<wildcard>] [log]
Syntax: [no] deny host <host-ip> | <hostname> [log]
Syntax: [no] deny any [log]

The <ip-address> parameter specifies the source IP address. Alternatively, you can use the <hostname> parameter and specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the HP device's DNS resolver. To configure the DNS resolver name, use the ip dns server-address command at the global CONFIG level of the CLI.

The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of 209.157.22.26 0.0.0.255 as 209.157.22.26/24.

NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file. If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in /<maskbits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show ip access-list command. Because the host bits are zeroed on save, compare the saved entry, not the text you typed, when verifying what a policy actually matches.

The host <host-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

The any parameter configures the policy to match on all host addresses.

The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.

end

Moves activity to the privileged EXEC level from any level of the CLI except the user EXEC level. To move to the privileged level, enter the following from any level of the CLI.

ProCurveRS(config-std-nacl)# end
ProCurveRS#

Syntax: end

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

ProCurveRS(config-std-nacl)# exit
ProCurveRS(config)#

Syntax: exit

insert

Adds an ACL entry at a specific sequence.

ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# insert 2 deny host 10.1.1.1

Syntax: insert <line-number> deny <options> | permit <options> | remark <comment-text>

Use insert <line-number> if you want to insert an ACL entry in the middle of an ACL. The deny <options> or permit <options> parameters permit or deny traffic that matches the condition of the ACL entry. See deny on page 10-1 or permit on page 10-3 for the options you can use. The remark <comment-text> adds a comment to the ACL entry. The remark can be up to 128 characters in length.

no

Disables other commands. To disable a command, place the word no before the command.

permit

Permits the specified traffic.

ProCurveRS(config)# ip access-list standard "block Telnet"
ProCurveRS(config-std-nacl)# permit host 209.157.22.26 log

Syntax: [no] permit <hostname> | <ip-address> [<wildcard>] [log]
Syntax: [no] permit host <host-ip> | <hostname> [log]
Syntax: [no] permit any [log]

The <hostname>, <ip-address>, <wildcard>, host, any and log parameters have exactly the same meaning, and the same host-name, CIDR and save-time normalization behaviour, as described for the deny command on page 10-1.

quit

Returns you from any level of the CLI to the User EXEC mode.

ProCurveRS(config-std-nacl)# quit
ProCurveRS>

Syntax: quit

remark

Creates a remark for the next ACL entry you will be configuring. See delete on page 10-1, insert on page 10-3, or replace on page 10-4 if you want to delete, add, or modify remarks for specific ACL entries.

ProCurveRS(config)# ip access-list extended melon
ProCurveRS(config-ext-nacl)# remark Stops igmp traffic

Syntax: remark <comment-text>

Enter up to 128 characters for <comment-text>. The comment must be entered separately from the actual ACL entry; that is, you cannot enter the ACL entry and the ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, the comment must be entered immediately before the ACL entry it describes.

replace

Modifies the definition of an ACL entry.

ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# replace 2 deny host 10.1.1.1

Syntax: replace <line-number> deny <options> | permit <options> | remark <comment-text>

Enter the line number of the ACL entry you want to modify for <line-number>. The deny <options> or permit <options> parameters permit or deny traffic that matches the condition of the ACL entry. See deny on page 10-1 or permit on page 10-3 for the options you can use. The remark <comment-text> adds a comment to the ACL entry. The remark can be up to 128 characters in length.

show

Displays a variety of configuration and statistical information about the device. See Show Commands on page 40-1.

write memory

Saves the running configuration into the startup-config file.

ProCurveRS(config-std-nacl)# wr mem

Syntax: write memory

write terminal

Displays the running configuration of the HP device on the terminal screen.

NOTE: This command is equivalent to the show running-config command.

ProCurveRS(config-std-nacl)# wr term

Syntax: write terminal
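The wildcard, CIDR and save-time normalization rules described under deny and permit, together with the line-numbered delete, insert and replace commands, are modelled in the Python below so that a policy can be checked against sample source addresses before it is applied. This is an added example; it is not ProCurve code and is not part of the original manual. It assumes that entries are evaluated in line order with the first match deciding and an implicit deny when nothing matches, that insert N places the new entry at line N and shifts the old line N down, and that a bare address without a wildcard matches a single host; the chapter states none of these. Host-name entries are not handled, and the 'melon' entries in build_example are constructed for illustration.

```python
"""Standard-ACL semantics from this chapter: wildcard and CIDR masks, the
host-bit normalisation done on save, and line-numbered delete/insert/replace."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Dotted wildcard (0 = bit must match, 1 = don't care) to /N.  Only a run
    of match bits followed by don't-care bits has a CIDR form; 0.0.255.0 is rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - w.bit_length()
    if ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF) != (w ^ 0xFFFFFFFF):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no /N form")
    return prefixlen


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # host bits zeroed, as the device stores it
    log: bool = False

    def saved_form(self, cidr: bool = False) -> str:
        """Startup-config text: /N with ip show-subnet-length, else dotted subnet mask."""
        addr = (self.network.with_prefixlen if cidr
                else f"{self.network.network_address} {self.network.netmask}")
        return f"{self.action} {addr}" + (" log" if self.log else "")


def parse_entry(text: str) -> Entry:
    """Parse 'permit|deny host A | A W | A/N | any [log]'; host names not handled."""
    action, *rest = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif len(rest) == 2 and rest[0] == "host":
        net = ipaddress.IPv4Network(f"{rest[1]}/32")   # implied 0.0.0.0 mask
    elif len(rest) == 2:
        net = ipaddress.IPv4Network((rest[0], wildcard_to_prefixlen(rest[1])), strict=False)
    elif len(rest) == 1:
        # A/N, or a bare address taken as one host (assumption: the chapter only
        # states the implied all-zero mask for the 'host' form).
        net = ipaddress.IPv4Network(rest[0], strict=False)
    else:
        raise ValueError(f"cannot parse {text!r}")
    return Entry(action, net, log)


class StandardAcl:
    """Entries addressed by 1-based line number, as delete/insert/replace do.
    Evaluation is modelled as first match wins with an implicit deny (assumption)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: list[Entry] = []

    def add(self, text: str) -> None:                 # plain permit/deny appends
        self.entries.append(parse_entry(text))

    def insert(self, line: int, text: str) -> None:   # insert <line-number> ...
        self.entries.insert(line - 1, parse_entry(text))

    def replace(self, line: int, text: str) -> None:  # replace <line-number> ...
        self.entries[line - 1] = parse_entry(text)

    def delete(self, line: int) -> None:              # delete <line-number>
        del self.entries[line - 1]

    def evaluate(self, source_ip: str) -> tuple[str, int | None]:
        """Return (action, matching line) for a packet with this source address."""
        src = ipaddress.IPv4Address(source_ip)
        for line, entry in enumerate(self.entries, start=1):
            if src in entry.network:
                return entry.action, line
        return "deny", None  # implicit deny (assumption, see class docstring)

    def show(self, cidr: bool = False) -> list[str]:
        return [f"{n}: {e.saved_form(cidr)}"
                for n, e in enumerate(self.entries, start=1)]


def build_example() -> StandardAcl:
    """Replay the chapter's 'melon' edits on a constructed entry list."""
    acl = StandardAcl("melon")
    acl.add("deny host 209.157.22.26 log")
    acl.add("permit 209.157.22.26 0.0.0.255")  # saved as 209.157.22.0 255.255.255.0
    acl.add("permit any")
    acl.insert(2, "deny host 10.1.1.1")        # new line 2; old line 2 becomes 3
    acl.replace(2, "deny 10.1.1.0/24")         # widen line 2 to the whole subnet
    return acl
```

build_example().show(cidr=True) lists the four saved entries in /N form, and evaluate("209.157.22.100") reports which line decided the packet; running the same addresses through the list before and after a replace is the quickest way to confirm that an edit narrowed or widened the policy as intended.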