Configuring IP Services

Filtering IP Packets Using Access Lists

2. Apply the access list to interfaces or terminal lines.

These and other tasks are described in this section and are labeled as required or optional. Either the first or second task is required, depending on whether you identify your access list with a number or a name.

Creating Standard and Extended Access Lists Using Numbers (Required)

Creating Standard and Extended Access Lists Using Names (Required)

Specifying IP Extended Access Lists with Fragment Control (Optional)

Enabling Turbo Access Control Lists (Optional)

Applying Time Ranges to Access Lists (Optional)

Including Comments About Entries in Access Lists (Optional)

Applying Access Lists (Required)

Creating Standard and Extended Access Lists Using Numbers

Cisco IOS software supports the following types of access lists for IP:

Standard IP access lists that use source addresses for matching operations.

Extended IP access lists that use source and destination addresses for matching operations, and optional protocol type information for finer granularity of control.

Dynamic extended IP access lists that grant access, per user, to a specific source or destination host through a user authentication process. In essence, you can allow user access through a firewall dynamically, without compromising security restrictions. Dynamic access lists and lock-and-key access are described in the “Configuring Traffic Filters” chapter of the Cisco IOS Security Configuration Guide.

Reflexive access lists that allow IP packets to be filtered based on session information. Reflexive access lists contain temporary entries, and are nested within an extended, named IP access list. For information on reflexive access lists, refer to the “Configuring IP Session Filtering (Reflexive Access Lists)” chapter in the Cisco IOS Security Configuration Guide and the “Reflexive Access List Commands” chapter in the Cisco IOS Security Command Reference.
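As an added illustration of the matching semantics described above (not code from the guide): a small Python model of a standard list, which matches on source address only, beside an extended list, which also matches destination address, protocol and port. It follows the IOS wildcard-mask convention and the first-match evaluation with an implicit deny at the end of every list; the entry names and sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    src: str                       # source address and its wildcard mask
    src_wc: str
    dst: Optional[str] = None      # destination fields: extended entries only
    dst_wc: Optional[str] = None
    proto: Optional[str] = None    # "tcp", "udp", "icmp", or "ip" for any protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.proto not in (None, "ip") and pkt.get("proto") != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; if nothing matches, the implicit deny at the end applies."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Constructed sample lists (hypothetical, not from the guide).
# Standard list 10: permit anything sourced from 10.1.1.0/24.
STANDARD_10 = [Entry("permit", "10.1.1.0", "0.0.0.255")]
# Extended list 101: block telnet to one host, then permit all IP from 10.1.0.0/16.
EXTENDED_101 = [
    Entry("deny",   "0.0.0.0", "255.255.255.255", "10.2.2.5", "0.0.0.0", "tcp", 23),
    Entry("permit", "10.1.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255", "ip"),
]
```

Because evaluation stops at the first match, the order of entries decides the outcome: the specific deny must precede the broad permit, or it never takes effect.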

Note Release 11.1 introduced substantial changes to IP access lists. These extensions are backward compatible; migrating from a release earlier than Release 11.1 to the current release will convert your access lists automatically. However, the current implementation of access lists is incompatible with Cisco IOS Release 11.1 or earlier. If you create an access list using the current Cisco IOS release and then load older Cisco IOS software, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting Release 11.1 or earlier images.

Cisco IOS IP Configuration Guide

IPC-88
