ACCESS-LISTS - ROUTED TRAFFIC

Key Commands

Shows and Debugs

Named IP (11.2+)
  ip access-list extended MyPolicy          <- or "standard"
    permit tcp any any eq www
    deny ip any any
  interface serial 0
    ip access-group MyPolicy out

Dynamic access-list (lock-and-key)
  username Ben password cisco
  username Ben autocommand access-enable
  !
  access-list 101 permit icmp any any
  access-list 101 permit tcp any any gt 1023
  access-list 101 dynamic MyKeyword timeout 60 permit tcp host 10.1.1.1 host 20.1.1.1 eq telnet
  int serial 0
    ip access-group 101 in
  line vty 0 4
    login local

List of "Permit Any"s
  IP           any
  IPX          -1
  Appletalk    other-access
               additional-zones
  DECnet       0.0 63.1023
  NetBIOS      names *
  IP AS-Path   .*                          <- don't forget the "."
  LSAP         0x0000 0xFFFF

Canonical to non-canonical
  Byte by byte: 5a32 -> 5a 32
    32 = 0011 0010 -> flip the bits in each nibble: 1100 0100 -> C 4 -> flip the nibble order: 4 C
    5a = 5a (coincidence: its bit pattern reads the same in both directions)
  so: 5a32 = 5a4c

Additional Commands
  IPX standard
    access-list 800 deny AAA FFFFFFFF
    access-list 800 permit -1
  IPX extended
    access-list 901 deny rip any any
    access-list 901 permit any 700.0000.0000.0000.0000 FF.FFFF.FFFF.FFFF.FFFF   <- denies 700-7FF
    access-list 901 deny any any 452          <- denies all SAPs
  For routes:       ipx access-group 901 in|out
  For RIP routes:   ipx output-network-filter | ipx input-network-filter
  On EIGRP:         ipx router eigrp 100
                      distribute-list 901 in|out

The "established" parameter looks for the ACK flag in the TCP header. The initial packet of a connection has only SYN set, so it is denied.
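The canonical to non-canonical conversion above, as an added Python example (not from the original notes): it bit-reverses every byte, which is the general rule the 5a32 walk-through applies by hand, and it also handles full Cisco dotted or colon-separated MAC addresses. The function names are my own.

```python
# Added example: canonical (Ethernet, LSB-first) <-> non-canonical (Token Ring,
# MSB-first) MAC conversion. Each byte is bit-reversed; byte order is unchanged.
# The operation is its own inverse, so the same function converts both ways.

HEX = set("0123456789abcdefABCDEF")


def reverse_byte(b: int) -> int:
    """Reverse the 8 bits of one byte: 0x32 = 0011 0010 -> 0100 1100 = 0x4c."""
    if not 0 <= b <= 0xFF:
        raise ValueError(f"not a byte: {b:#x}")
    return int(f"{b:08b}"[::-1], 2)


def convert_mac(addr: str) -> str:
    """Bit-reverse every byte of a hex MAC string.

    Accepts Cisco dotted form (0000.0c12.3456), colon form (00:00:0c:12:34:56)
    or bare hex of any even length (so the 16-bit '5a32' from the notes works).
    The result is lowercase and keeps the input's grouping style.
    """
    sep = "." if "." in addr else ":" if ":" in addr else ""
    digits = addr.replace(sep, "") if sep else addr
    if not digits or len(digits) % 2 or not set(digits) <= HEX:
        raise ValueError(f"not a hex byte string: {addr!r}")
    flat = "".join(
        f"{reverse_byte(int(digits[i:i + 2], 16)):02x}" for i in range(0, len(digits), 2)
    )
    if sep == ".":
        return ".".join(flat[i:i + 4] for i in range(0, len(flat), 4))
    if sep == ":":
        return ":".join(flat[i:i + 2] for i in range(0, len(flat), 2))
    return flat


def trace(addr: str) -> list:
    """Byte-by-byte walk-through of a bare hex string, in the style of the notes:
    one (hex in, bits in, bits out, hex out) tuple per byte."""
    rows = []
    for i in range(0, len(addr), 2):
        b = int(addr[i:i + 2], 16)
        r = reverse_byte(b)
        rows.append((f"{b:02x}", f"{b:08b}", f"{r:08b}", f"{r:02x}"))
    return rows


if __name__ == "__main__":
    for row in trace("5a32"):
        print("%s = %s -> flip -> %s = %s" % row)
    print("so: 5a32 =", convert_mac("5a32"))                  # 5a4c
    print("0000.0c12.3456 ->", convert_mac("0000.0c12.3456"))  # 0000.3048.2c6a
```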
SAP Filters
  access-list 1001 deny -1 4               <- denies all file servers
  access-list 1001 deny AA                 <- denies any SAP from AA
  access-list 1001 deny -1 0 tex*          <- denies all SAPs with a name starting with "tex"
  On interface:
    ipx input-sap-filter
    ipx output-sap-filter
    ipx output-gns-filter
    ipx router-sap-filter

Dialer lists
  access-list 901 deny -1 ffffffff 0 ffffffff rip
  access-list 901 deny -1 ffffffff 0 ffffffff sap
  access-list 901 permit -1
  dialer-list 1 protocol ipx permit list 901

Spot The Issue

Appletalk
  appletalk permit-partial-zones
  When filtering a zone, the access-list is for a GNS or ZIP filter and is applied on the interface.
  access-list 600 permit cable-range 10-20
  access-list 600 permit includes 50-60    <- 40-70 would be permitted! "within" is the other way around
  access-list 600 permit other-access
  On interface: appletalk access-group 600 in|out
  GZL filters are for end-system filtering; ZIP filters are for inter-router filtering.

Decnet: filter routers 30-63 in area 10
  access-list 301 deny 10.30 0.1
  access-list 301 deny 10.32 0.31
  access-list 301 permit 0.0 63.1023       <- permit any
  !
  interface ethernet 0
    decnet access-group 301

• By default, access-lists are OUT. Make sure you use the keyword IN or OUT anyway.
• Remember when applying a filter NOT to deny such things as routing protocols or other things you configured beforehand.
• Dynamic access-lists authenticate the user and then drop the telnet! You could also put "autocommand access-enable" under the vty line, but this means that no one could telnet to the router anymore.
• REMEMBER: PERMIT RETURN TRAFFIC! gt 1023, established
• In AppleTalk, if a zone exists on multiple cable-ranges and one of the cable-ranges is filtered, the entire zone is filtered. Use appletalk permit-partial-zones.
• It can take a couple of minutes before an access-list impacts the ZIT. When in doubt, save and reload!