access−class—Applies the access list to an interface for security purposes. This command identifies
users of specified VTY lines. By default, five VTY lines come in to your Cisco Internetwork
Operating System (IOS) or router. Because you do not know which one you will be using when you
Telnet into your switch or router, you must apply the same access list to all the interfaces.
access−group—Allows you to apply an access list configured in Global Configuration mode to an
interface that can be used to filter data traffic based on source address, destination address, or many
other protocol identifiers. For example, if a standard access list has been created and numbered access
list 2 in Global Configuration mode and you want to deny traffic for the source address identified in
the access list, use the command ip access−group 2 followed by either in or out. The in or out syntax
indicates whether data will be filtered based on traffic entering or exiting out of the interface.
distribute−list—Identifies the routing update information that applies rules to allow the switch to
learn new routes or advertise known routes to other routers or route processors. This is used on the
(config−router) command mode when enabling a routing protocol.
ipx output−sap−filter—Allows the applied access list to determine what IPX protocol services will
be advertised in or out of an interface.
Applying Access Lists to Route Filtering
By controlling the routing tables at the Core layer, you can limit the size of the tables on your network
devices. Doing so allows the switches to process data more quickly, prevents users from getting to networks
that do not have a default or static route, and maintains routing information integrity.
To do this, apply an access list using the distribute−list command. After creating a standard access list, you
can apply it to an inbound or outbound interface. The following is the distribute−list command and the
syntax for an inbound interface:
distribute−list {access−list number|name} in [type number]
Here is the syntax when using the distribute−list command to apply an access list to an outbound interface:
distribute−list {access−list number|name} out
[interface name|routing process|autonomous system number]
Figure 13.3 shows a standard Class C network in which two subnets intersect at the Distribution layer switch.
Subnet 128 belongs to a production network, and subnet 129 is used only for testing and development of new
LAN topologies. We want subnet 128 to be permitted through to the Core layer on Gigabit Ethernet port g0/0,
which connects to the Core layer switch. The second network is used for testing purposes only, so the access
list should block any traffic from that subnet from reaching the Core layer switches. For this scenario, we will
assume there are no other subnets in our switch block to contend with.
Figure 13.3: Two Class C IP subnets connected from the Access layer to the Distribution layer switch.
Let’s create an access list that allows traffic from network 192.128.0.0 but denies traffic from
interface192.129.0.0. Use the following command, keeping in mind that an implied “deny all” exists at the
end of our access list:
access−list 2 permit 192.128.0.0 0.0.255.255
260