access-class—Applies an access list to VTY lines for security purposes, controlling which source addresses may open a terminal session to the device. By default, a Cisco Internetwork Operating System (IOS) switch or router has five VTY lines. Because you cannot know which VTY line you will get when you Telnet into your switch or router, you must apply the same access list to all of them.

access-group—Applies an access list configured in Global Configuration mode to an interface, where it filters data traffic based on source address, destination address, or many other protocol identifiers. For example, if a standard access list has been created and numbered 2 in Global Configuration mode and you want to deny traffic from the source address identified in that list, use the command ip access-group 2 followed by either in or out. The in or out keyword indicates whether data is filtered as it enters or exits the interface.

distribute-list—Applies an access list to routing updates, controlling which routes the switch learns from other routers or route processors and which known routes it advertises to them. This command is used in (config-router) command mode after enabling a routing protocol.

ipx output-sap-filter—Allows the applied access list to determine which IPX protocol services will be advertised in or out of an interface.

Applying Access Lists to Route Filtering

By controlling the routing tables at the Core layer, you can limit the size of the tables on your network devices. Doing so allows the switches to process data more quickly, prevents users from getting to networks that do not have a default or static route, and maintains routing information integrity.

To do this, apply an access list using the distribute-list command. After creating a standard access list, you can apply it to an inbound or outbound interface. The following is the distribute-list command and the syntax for an inbound interface:

distribute-list {access-list number | name} in [type number]

Here is the syntax when using the distribute-list command to apply an access list to an outbound interface:

distribute-list {access-list number | name} out [interface name | routing process | autonomous system number]

Figure 13.3 shows a standard Class C network in which two subnets intersect at the Distribution layer switch. Subnet 128 belongs to a production network, and subnet 129 is used only for testing and development of new LAN topologies. We want subnet 128 to be permitted through to the Core layer on Gigabit Ethernet port g0/0, which connects to the Core layer switch. The second network is used for testing purposes only, so the access list should block any traffic from that subnet from reaching the Core layer switches. For this scenario, we will assume there are no other subnets in our switch block to contend with.

Figure 13.3: Two Class C IP subnets connected from the Access layer to the Distribution layer switch.

Let's create an access list that allows traffic from network 192.128.0.0 but denies traffic from network 192.129.0.0. Use the following command, keeping in mind that an implied "deny all" exists at the end of our access list:

access-list 2 permit 192.128.0.0 0.0.255.255
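To see how the wildcard mask and the implied "deny all" decide which of the two subnets the distribute-list would let through, here is a small Python model of the standard-list evaluation (an added example, not Cisco's code or output from the book; the route prefixes and addresses are constructed to match Figure 13.3, and the routing process under which the list would be applied is not named in the text):

```python
import ipaddress

# Constructed example: access-list 2 exactly as written in the text.
# IOS appends an implicit "deny any" after the last configured entry.
ACL_2 = [
    ("permit", "192.128.0.0", "0.0.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match the base,
    a 1 bit is a "don't care" bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return ((a ^ b) & care) == 0


def evaluate(acl, addr: str) -> str:
    """Walk the list top to bottom; first matching entry wins.
    Falling off the end is the implied deny all."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def filter_routes(acl, routes):
    """Model 'distribute-list 2 out': a route is advertised only if its
    network address is permitted by the standard list."""
    return [r for r in routes if evaluate(acl, r.split("/")[0]) == "permit"]


if __name__ == "__main__":
    # Constructed routes: the production subnet and the test subnet.
    learned = ["192.128.0.0/16", "192.129.0.0/16"]
    for route in learned:
        print(route, "->", evaluate(ACL_2, route.split("/")[0]))
    print("advertised toward the Core:", filter_routes(ACL_2, learned))
```

Only the 192.128.0.0 prefix survives; the test subnet never matches the single permit entry and so hits the implied deny.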

