Configuring IP Services

Filtering IP Packets Using Access Lists

 

Command                                                          Purpose

Step 4   Router(config-keychain-key)# key-string text            In key-chain key configuration mode, identifies the key string.

Step 5   Router(config-keychain-key)# accept-lifetime start-time  (Optional) Specifies the time period during which the key can be received.
         {infinite | end-time | duration seconds}

Step 6   Router(config-keychain-key)# send-lifetime start-time    (Optional) Specifies the time period during which the key can be sent.
         {infinite | end-time | duration seconds}

When configuring your key chains and keys, be aware of the following guidelines:

The key chain configured for the DRP Server Agent in Step 1 must match the key chain in Step 2.

The key configured in the primary agent in the remote router must match the key configured in the DRP Server Agent in order for responses to be processed.

You can configure multiple keys with lifetimes, and the software will rotate through them.

If authentication is enabled and multiple keys on the key chain happen to be active based on the send-lifetime values, the software uses only the first key it encounters for authentication.

Use the show key chain command to display key chain information.

Note: To configure lifetimes for DRP authentication, you must configure time services for your router. For information on setting time services, see the Network Time Protocol (NTP) and calendar commands in the “Performing Basic System Management” chapter of the Cisco IOS Configuration Fundamentals Configuration Guide.
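The lifetime rules in Steps 5 and 6 and the guidelines above are easy to get wrong during a key rollover, so the following Python model is added here to reason about them before changing a router. It is an added example, not code from the Cisco guide or from Cisco IOS: the three lifetime forms (infinite, end-time, duration seconds) are modelled as start/end instants, the key chain CHAIN with the key strings "oldsecret" and "newsecret" is constructed for illustration, and two points are assumptions rather than documented behaviour: a lifetime is taken to include its start instant and exclude its end instant, and "the first key it encounters" is taken to be the active key with the lowest key number.

```python
# Added example (not Cisco's code): a small model of the key-chain lifetime
# semantics described above, used to reason about key rollover before
# configuring it on a router. Lifetime forms mirror the command syntax:
# start-time {infinite | end-time | duration seconds}.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Lifetime:
    start: datetime
    end: Optional[datetime]  # None models the "infinite" keyword

    @classmethod
    def infinite(cls, start: datetime) -> "Lifetime":
        return cls(start, None)

    @classmethod
    def until(cls, start: datetime, end: datetime) -> "Lifetime":
        return cls(start, end)

    @classmethod
    def duration(cls, start: datetime, seconds: int) -> "Lifetime":
        return cls(start, start + timedelta(seconds=seconds))

    def active_at(self, now: datetime) -> bool:
        # Assumption: the start instant is inclusive and the end instant is exclusive.
        return self.start <= now and (self.end is None or now < self.end)


@dataclass(frozen=True)
class Key:
    number: int
    key_string: str
    accept: Lifetime  # accept-lifetime: when packets signed with this key are accepted
    send: Lifetime    # send-lifetime: when this key may be used to sign outgoing packets


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Return the key used to sign outgoing packets at `now`.

    Assumption: keys are walked in ascending key-number order, so when several
    send-lifetimes overlap the lowest-numbered active key is the one "first
    encountered" and is the only one used for authentication.
    """
    for key in sorted(chain, key=lambda k: k.number):
        if key.send.active_at(now):
            return key
    return None


def accepted(chain: List[Key], received_key_string: str, now: datetime) -> bool:
    """True if a received packet authenticated with `received_key_string` would be
    accepted: some key carries that string and its accept-lifetime is active."""
    return any(
        k.key_string == received_key_string and k.accept.active_at(now)
        for k in chain
    )


# Constructed key chain with a deliberate overlap: the old key stays acceptable
# for a day after the new key starts being sent, so a peer whose clock is
# slightly behind is still authenticated during the rollover. This is why the
# Note above requires working time services on the router.
CHAIN = [
    Key(1, "oldsecret",
        accept=Lifetime.until(datetime(2024, 1, 1), datetime(2024, 2, 3)),
        send=Lifetime.until(datetime(2024, 1, 1), datetime(2024, 2, 2))),
    Key(2, "newsecret",
        accept=Lifetime.infinite(datetime(2024, 1, 31)),
        send=Lifetime.infinite(datetime(2024, 2, 1))),
]


if __name__ == "__main__":
    for when in (datetime(2024, 1, 15), datetime(2024, 2, 1, 12), datetime(2024, 2, 5)):
        key = send_key(CHAIN, when)
        print(when, "send with key", key.number if key else None,
              "| old key still accepted:", accepted(CHAIN, "oldsecret", when))
```

Between 1 February and 2 February both send-lifetimes in CHAIN are active, and the model returns key 1 for that window: with this chain the router keeps signing with the old key until its send-lifetime ends, exactly the situation the guideline about overlapping send-lifetime values describes. Shortening key 1's send-lifetime to end when key 2's begins removes the ambiguity while the overlapping accept-lifetime still tolerates clock skew.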

Filtering IP Packets Using Access Lists

Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, we provide access lists.

You can use access lists in the following ways:

To control the transmission of packets on an interface

To control vty access

To restrict contents of routing updates

This section summarizes how to create IP access lists and how to apply them.

See the “IP Services Configuration Examples” section at the end of this chapter for examples of configuring IP access lists.

An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The Cisco IOS software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.
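The first-match rule in the paragraph above is the property that makes entry order matter, and the following Python model is added here to make it concrete. It is an added example, not code from the Cisco guide or from Cisco IOS: parse_acl and evaluate are illustrative helpers that model standard access-list entries of the form "access-list N {permit | deny} {any | host A | A [wildcard]}", the access list ACL_LINES and its reordered copy MISORDERED_LINES are constructed for illustration, and the wildcard-mask matching (a 0 bit must match, a 1 bit is ignored) is the standard IOS convention.

```python
# Added example (not Cisco's code): a model of the standard IP access-list
# semantics described above. Entries are tested in configured order, the first
# match decides, and an address that matches nothing is denied (implicit deny).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    address: str                # dotted-quad address field
    wildcard: str = "0.0.0.0"   # IOS wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, ip: str) -> bool:
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        x = int(ipaddress.IPv4Address(ip))
        # Clear the don't-care bits on both sides and compare what is left.
        return (a & ~w) == (x & ~w)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}' lines
    into ordered entries. Malformed lines raise ValueError rather than being
    silently skipped, so a typo cannot turn into a missing filter."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised access-list entry: {line!r}")
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            if len(parts) < 5:
                raise ValueError(f"'host' needs an address: {line!r}")
            entries.append(Entry(action, parts[4]))
        else:
            # An omitted wildcard means an exact host match, as on IOS.
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append(Entry(action, target, wildcard))
    return entries


def evaluate(entries: List[Entry], ip: str) -> Tuple[str, Optional[int]]:
    """Return (decision, 1-based index of the matching entry). The index is None
    when the decision comes from the implicit deny at the end of the list."""
    for index, entry in enumerate(entries, start=1):
        if entry.matches(ip):
            return entry.action, index
    return "deny", None


# Constructed access list: block one host, then permit the rest of its subnet
# and a second network.
ACL_LINES = [
    "access-list 1 deny host 10.1.1.7",
    "access-list 1 permit 10.1.1.0 0.0.0.255",
    "access-list 1 permit 192.168.0.0 0.0.255.255",
]
# The same three entries with the first two swapped: the subnet permit now
# matches 10.1.1.7 before the host deny is ever reached.
MISORDERED_LINES = [ACL_LINES[1], ACL_LINES[0], ACL_LINES[2]]


if __name__ == "__main__":
    for name, lines in (("ordered", ACL_LINES), ("misordered", MISORDERED_LINES)):
        acl = parse_acl(lines)
        for ip in ("10.1.1.7", "10.1.1.8", "192.168.5.5", "172.16.0.1"):
            print(f"{name:10} {ip:12} -> {evaluate(acl, ip)}")
```

Running the block shows 10.1.1.7 denied by entry 1 of the ordered list but permitted by entry 1 of the misordered copy, and 172.16.0.1 denied with no matching entry in either case. Returning the index of the matching entry alongside the decision is what a practitioner wants when auditing a list: it identifies which entry is actually doing the work for a given address.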

The two main tasks involved in using access lists are as follows:

1. Create an access list by specifying an access list number or name and access conditions.

Cisco IOS IP Configuration Guide

IPC-87

Cisco Systems 78-11741-02 manual Filtering IP Packets Using Access Lists, IPC-87