Shariaty@gmail.com
www.alishariaty.ir
Example
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any any
Or
access-list 101 permit ip any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
a. 1987
b. 2187
c. 187
d. 87
Note
This access list should be placed as close to the destination as possible, because when you deny a source address, that source is denied for every destination.
Filtering based on
Source IP address
Destination IP address
Source port
Destination port
Protocol (e.g. IP, TCP, UDP, ICMP, ...)
Note
The IP keyword covers all of the protocols listed in the example above.
eq
neq
gt
lt
range
Examples
eq 80 = web
eq 25 = SMTP
neq 80 = all traffic except web
gt 1024 = all the random (ephemeral) ports
lt 1024 = all the standard (well-known) ports
range 20 23 = FTP, SSH, Telnet
Note
Source IP and destination IP are mandatory; if you are not interested in one of them, use the any keyword.
If the source or destination port is not important, just omit it.
PC1 should be able to ping the server; PC2 should not.
PC1 should have access to the FTP service of the server; PC2 should not.
PC2 should have access to the web service of the server; PC1 should not.
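To make the first-match rule from the access-list 101 example, the wildcard-mask and port-operator semantics, and the PC1/PC2/server exercise concrete, here is a small Python model of how an extended ACL is evaluated. It is an added example and not part of the original slides; the addresses for PC1, PC2 and the server are constructed placeholders, and the ACL for the exercise is one possible answer, not the author's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 0 bit in the mask must match, a 1 bit is 'don't care'.
    So 192.168.1.0 0.0.0.255 matches the whole 192.168.1.0/24 network."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(op: Optional[str], args: Tuple[int, ...], port: Optional[int]) -> bool:
    """Port operators from the slides: eq, neq, gt, lt, range. No operator means any port."""
    if op is None:
        return True
    if port is None:  # ICMP carries no port, so a port-qualified entry never matches it
        return False
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {op}")


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_op: Optional[str] = None   # destination port operator, if any
    dst_args: Tuple[int, ...] = ()


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")             # the 'host' keyword: every address bit must match


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if not port_match(e.dst_op, e.dst_args, pkt.dst_port):
            continue
        return e.action
    return "deny"


# The two orderings of access-list 101 shown on the slide.
ACL_101_DENY_FIRST = [
    Entry("deny", "ip", "192.168.1.0", "0.0.0.255", *ANY),
    Entry("permit", "ip", *ANY, *ANY),
]
ACL_101_PERMIT_FIRST = list(reversed(ACL_101_DENY_FIRST))

# Constructed addresses for the PC1 / PC2 / server exercise (not from the slides).
PC1, PC2, SERVER = "10.0.0.1", "10.0.0.2", "10.0.1.100"

# One possible answer to the exercise, in IOS form:
#   permit icmp host PC1 host SERVER
#   permit tcp  host PC1 host SERVER eq 21
#   permit tcp  host PC2 host SERVER eq 80
#   (implicit deny ip any any)
ACL_EXERCISE = [
    Entry("permit", "icmp", *host(PC1), *host(SERVER)),
    Entry("permit", "tcp", *host(PC1), *host(SERVER), "eq", (21,)),
    Entry("permit", "tcp", *host(PC2), *host(SERVER), "eq", (80,)),
]


def exercise_results() -> dict:
    """Evaluate each requirement of the exercise against ACL_EXERCISE."""
    return {
        "pc1_ping": evaluate(ACL_EXERCISE, Packet("icmp", PC1, SERVER)),
        "pc2_ping": evaluate(ACL_EXERCISE, Packet("icmp", PC2, SERVER)),
        "pc1_ftp": evaluate(ACL_EXERCISE, Packet("tcp", PC1, SERVER, 21)),
        "pc2_ftp": evaluate(ACL_EXERCISE, Packet("tcp", PC2, SERVER, 21)),
        "pc1_web": evaluate(ACL_EXERCISE, Packet("tcp", PC1, SERVER, 80)),
        "pc2_web": evaluate(ACL_EXERCISE, Packet("tcp", PC2, SERVER, 80)),
    }


if __name__ == "__main__":
    pkt = Packet("tcp", "192.168.1.10", "203.0.113.5", 443)
    print("deny first  :", evaluate(ACL_101_DENY_FIRST, pkt))    # deny
    print("permit first:", evaluate(ACL_101_PERMIT_FIRST, pkt))  # permit: the deny line is never reached
    for name, verdict in exercise_results().items():
        print(name, verdict)
```

The ordering check shows why the second form of access-list 101 is a mistake: a packet from 192.168.1.0/24 hits permit ip any any first and the deny line is dead. In the exercise ACL there is no explicit deny at all; the implicit deny at the end handles PC2's ping and FTP and PC1's web traffic.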
e. Protocol
f. Source IP address
g. Destination IP address
h. Destination Port address
i. URL
Note
The destination IP address and the protocol are not written in an access-class list, because when the list is applied to the VTY lines it is already clear that the traffic is either SSH or Telnet to the router itself.
PC1 should be able to telnet to R1; PC2 should not.
R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 1 in
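The VTY configuration above references access-list 1 but the slide does not show its definition. As an added example that is not part of the original slides, the following Python model shows what access-class 1 in actually decides: a standard list carries only an action and a source, so the router examines nothing but the source address of the incoming session. The PC1 and PC2 addresses are constructed placeholders, and the single permit line is one possible definition of access-list 1.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: 0 bits must match, 1 bits are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


# Constructed addresses (not from the slides).
PC1, PC2 = "10.0.0.1", "10.0.0.2"

# A possible access-list 1 for the exercise, in IOS form:
#   access-list 1 permit host 10.0.0.1
# A standard ACL entry is just (action, source, wildcard); there is no destination or protocol.
ACL_1 = [("permit", PC1, "0.0.0.0")]


def vty_access(acl, src_ip: str) -> str:
    """The decision 'access-class 1 in' makes for an inbound VTY session from src_ip.
    The destination (the router) and the protocol (SSH or Telnet) are fixed by the line the
    list is applied to, so only the source is examined; the implicit deny rejects everyone else."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    print("PC1 ->", vty_access(ACL_1, PC1))   # permit
    print("PC2 ->", vty_access(ACL_1, PC2))   # deny (implicit deny, no explicit line needed)
```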