Asante Technologies 35516 user manual Using Access Lists, Create a Standard Access List

Page 54

5.6 Using Access Lists

An access list is a collection of criteria statements that the switch uses to determine whether to allow or block traffic based on IP addresses. Access lists can be configured to provide basic security on your network, and to prevent unnecessary traffic between network segments.

When configuring an access list, you can add multiple statements by adding criteria to the same numbered list. The order of the statements is important: the switch tests an address against the statements one by one, in the order they were entered, until it finds a match. The first match determines whether the address is accepted or rejected, and no later statement is consulted, so a broad statement placed before a narrower one hides the narrower one entirely.

Important! You cannot delete an individual statement from an access list; you must delete the entire access list and re-enter it with the new statements.

Important! By default, if no statement matches, the software rejects the address. Every access list therefore ends with an implicit deny, whether or not a deny statement is entered.

The switch supports two types of access lists:

Standard: access list numbers 1–99 and 1300–1999 (expanded range)

Extended: access list numbers 100–199 and 2000–2699 (expanded range)

5.6.1 Create a Standard Access List

Standard access lists filter at layer 3 on the source IP address only, and can allow or block traffic from networks and host addresses. The parameters for a standard access list are described as follows:

Access list number (1–99, or 1300–1999 in the expanded range): Identifies the access list to which an entry belongs. There is no limit to how many entries make up an access list, other than available memory

Remark: Access list entry comment. Useful for recording what each numbered list is for; a remark carries no matching criteria

Permit/deny: Indicates whether this entry allows or blocks traffic from the specified source address

Source address: The source IP address to match, in dotted-decimal form

Any: Specifies any source address to match

Source wildcard mask: Identifies which bits of the source address must match. A ‘0’ bit means that bit position must match; a ‘1’ bit means that bit position is ignored. The wildcard is the inverse of a subnet mask, so 0.0.255.255 matches a /16 network and 0.0.0.0 matches a single host

In the following example, a standard access list is created to allow all traffic from the 192.168.0.0/16 network (source 192.168.0.0 with wildcard 0.0.255.255) while blocking all other traffic. The last entry is redundant, since the switch denies any address that reaches the end of the list without a match.

Router# configure terminal
Router(config)# access-list 1 ?
  deny     Specify packets to reject
  permit   Specify packets to forward
  remark   Access list entry comment
Router(config)# access-list 1 permit ?
  A.B.C.D  Source address to match. e.g. 10.0.0.0
  any      Any source address to match
Router(config)# access-list 1 permit 192.168.0.0 ?
  A.B.C.D  Source wildcard. e.g. 0.0.0.255
  <cr>
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# access-list 1 deny any {0.0.0.0 255.255.255.255}

The braces show the explicit form of the keyword any: a source address of 0.0.0.0 with a wildcard of 255.255.255.255, which ignores every bit and so matches every address.

In the next example, a standard access list is created to deny all traffic from 192.168.123.254 and forward all other traffic. Here the last entry is not redundant, as it is a permit statement: without it, the implicit deny that follows the last entry would block every address that did not match an earlier statement. Because this list permits every address other than 192.168.123.254, and the first statement already denies that host, no explicit deny statement is needed. The order matters, though: if the permit statement were entered first, it would match 192.168.123.254 as well, and the deny statement would never be reached.
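The following evaluator is an added example and is not the IntraCore 35516 firmware or any Asante code. It models the semantics described above: statements are tested in the order entered, the first match decides, and an address that reaches the end of the list is denied. It parses the CLI form used in the manual (permit/deny, a source address with an optional wildcard, any, and remark lines), then runs the two access lists from this page plus a deliberately mis-ordered copy of the second one to show how a misplaced permit any hides the deny beneath it. Access list number 2 for the second example is an assumption; the manual gives no number for it.

```python
"""Standard access-list evaluator (added example, not the switch's own code).

Semantics modelled, as the manual describes them:
  * statements are tested in the order they were entered;
  * the first matching statement decides permit or deny;
  * an address that matches no statement is denied (implicit deny).
Wildcard masks are the inverse of subnet masks: a 0 bit must match,
a 1 bit is ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_SOURCE = IPv4Address("0.0.0.0")
ANY_WILDCARD = IPv4Address("255.255.255.255")   # every bit ignored


@dataclass(frozen=True)
class AclEntry:
    action: str             # "permit" or "deny"
    source: IPv4Address     # source address to compare against
    wildcard: IPv4Address   # 0 bits must match, 1 bits are ignored


def parse_entry(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list <n> permit|deny <source> [wildcard]' line.

    Returns None for remark lines, which carry no matching criteria.
    'any' is shorthand for 0.0.0.0 255.255.255.255, as in the manual's
    example; a missing wildcard means 0.0.0.0, i.e. an exact host match.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    action = parts[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if parts[3] == "any":
        return AclEntry(action, ANY_SOURCE, ANY_WILDCARD)
    source = IPv4Address(parts[3])
    wildcard = IPv4Address(parts[4]) if len(parts) > 4 else IPv4Address("0.0.0.0")
    return AclEntry(action, source, wildcard)


def parse_access_list(lines: List[str]) -> List[AclEntry]:
    """Build the ordered statement list; entry order is the evaluation order."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def entry_matches(entry: AclEntry, addr: IPv4Address) -> bool:
    """True when every bit the wildcard marks with 0 is equal in addr and source."""
    care = ~int(entry.wildcard) & 0xFFFFFFFF        # bits that must match
    return (int(addr) & care) == (int(entry.source) & care)


def evaluate(entries: List[AclEntry], addr: str) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching statement.

    index is None when nothing matched; the action is then the implicit deny.
    """
    ip = IPv4Address(addr)
    for index, entry in enumerate(entries):
        if entry_matches(entry, ip):
            return entry.action, index
    return "deny", None


# Access list 1 exactly as entered in the manual's first example.
ACL_1 = parse_access_list([
    "access-list 1 remark allow the 192.168.0.0/16 network",
    "access-list 1 permit 192.168.0.0 0.0.255.255",
    "access-list 1 deny any",
])

# The manual's second example, described in prose only. List number 2 is an
# assumption made for this example; the manual does not give one.
ACL_2 = parse_access_list([
    "access-list 2 deny 192.168.123.254",
    "access-list 2 permit any",
])

# The same two statements in the wrong order: 'permit any' matches first,
# so the host the list was meant to block is forwarded.
ACL_2_REVERSED = parse_access_list([
    "access-list 2 permit any",
    "access-list 2 deny 192.168.123.254",
])

if __name__ == "__main__":
    for name, acl in (("ACL 1", ACL_1), ("ACL 2", ACL_2), ("ACL 2 reversed", ACL_2_REVERSED)):
        for addr in ("192.168.7.9", "192.168.123.254", "10.1.1.1"):
            print(f"{name:15} {addr:16} -> {evaluate(acl, addr)}")
```

Running the script prints the decision and the index of the deciding statement for each address; an index of None marks the implicit deny. Dropping the final deny any from access list 1 changes nothing for 10.1.1.1 (it is still denied, now by the implicit rule), which is the sense in which the manual calls that entry redundant.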
