Configuring IP Services

Filtering IP Packets Using Access Lists

Controlling Access to a Line or Interface

After you create an access list, you can apply it to one or more interfaces. An access list is applied in either the inbound or the outbound direction on an interface, and each direction takes its own list. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces. Remember the following:

When controlling access to a line, you must use a number.

When controlling access to an interface, you can use a name or number.

To restrict connections between a vty and the addresses in an access list, use the following command in line configuration mode. Only numbered access lists can be applied to lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them; a single vty left without an access-class is enough for a remote login to succeed.

Command: Router(config-line)# access-class access-list-number {in | out}

Purpose: Restricts incoming and outgoing connections between a particular vty (into a device) and the addresses in an access list. With the in keyword, the list filters the source addresses that may open a session to the vty; with the out keyword, it filters the destination addresses that a user already logged in on the vty may connect to from the router.

To restrict access to an interface, use the following command in interface configuration mode:

Command: Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

Purpose: Controls access to an interface.

For inbound access lists, the Cisco IOS software checks a packet against the access list as soon as the packet is received on the interface, before any routing decision is made. A standard access list matches on the source address of the packet; an extended access list can also match on the destination address, protocol, and port. If the access list permits the packet, the software continues to process it. If the access list rejects the packet, the software discards it and returns an ICMP destination unreachable (administratively prohibited) message to the sender. Configuring no ip unreachables on the interface suppresses these messages, which is usually preferable on untrusted interfaces so that the filter does not tell a scanner which addresses it is blocking.

For outbound access lists, the software first receives and routes the packet to the controlled interface and only then checks the packet against the access list, just before transmission. If the access list permits the packet, the software sends it. If the access list rejects the packet, the software discards it and returns the same ICMP destination unreachable message. Note that an outbound access list does not filter packets that the router itself generates on that interface.

When you apply an access list that has not yet been defined to an interface, the software acts as if no access list were applied to the interface and accepts all packets. This is the opposite of the behavior of a defined list, which ends with an implicit deny any and drops everything it does not explicitly permit. A mistyped number or name in an ip access-group or access-class command therefore silently disables filtering rather than blocking traffic; after applying a list, confirm the binding with show ip interface and the list contents with show ip access-lists.
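The following configuration is an added example, not text from this guide: it walks through the procedure above, a numbered standard list applied to every vty with access-class and a named list applied to an interface with ip access-group, and shows the undefined-list pitfall as a commented-out binding. The addresses, the interface names and the list name NO-INSIDE-SOURCES are assumed for illustration.

```cisco
! Added example (not from the original guide). Addresses, interface names
! and the list name NO-INSIDE-SOURCES are assumed for illustration.
!
! 1. Standard numbered access list (range 1-99). Only the management subnet
!    is permitted; like every access list it ends with an implicit "deny any".
access-list 10 remark Hosts allowed to open vty (SSH) sessions
access-list 10 permit 192.168.100.0 0.0.0.255
!
! 2. Lines accept numbered lists only. Apply the same list to every vty so a
!    remote user cannot reach an unfiltered line; check "show line" for the
!    highest vty number on the platform (0 4 and 0 15 are both common).
line vty 0 4
 access-class 10 in
 transport input ssh
!
! 3. Interfaces accept numbered or named lists. This named standard list
!    drops packets arriving from the WAN that claim an inside source address.
ip access-list standard NO-INSIDE-SOURCES
 remark Anti-spoofing: the inside prefix must never arrive on the WAN side
 deny   10.0.0.0 0.255.255.255
 permit any
!
interface Serial0/0
 description WAN uplink
 ip access-group NO-INSIDE-SOURCES in
 no ip unreachables
!
! 4. Pitfall: binding a list that does not exist yet is not a lockout. Until
!    "access-list 120 ..." is defined, the interface below forwards every
!    packet exactly as if no list were applied.
!interface FastEthernet0/1
! ip access-group 120 in
!
! 5. Verify the list contents and match counters, and which list is bound
!    in each direction ("Inbound access list is NO-INSIDE-SOURCES").
! show ip access-lists
! show ip interface Serial0/0 | include access list
```

The vty list is applied inbound because the goal is to limit who can log in; an access-class out on the same lines would instead limit where a logged-in user may telnet to from the router. The interface list is applied inbound on the WAN side so that spoofed packets are dropped before they consume a route lookup.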

Controlling Policy Routing and the Filtering of Routing Information

To use access lists to control policy routing and the filtering of routing information, see the “Configuring IP Routing Protocol-Independent Features” chapter of this document.

Controlling Dialer Functions

To use access lists to control dialer functions, refer to the “Preparing to Configure DDR” chapter in the Cisco IOS Dial Technologies Configuration Guide.

Cisco IOS IP Configuration Guide (Cisco Systems document 78-11741-02)

IPC-99