Calling the Access List


An access list does nothing unless packets are sent to it by a calling command, which defines how the access list is to be used. One such command is:

ip access-group access-list-number {in | out}

This command is configured on an interface to create security or traffic filters and may be applied to incoming or outgoing traffic. If neither the in nor the out keyword is specified, the filter defaults to outgoing. The access list number, of course, is the access list to which this command will send packets. Figure B.9 shows two configurations of this command.

Figure B.9. The ip access-group command uses the specified access list to create a filter on an interface for either incoming or outgoing packets.


Access list 1 in Figure B.9 filters incoming IP packets on interface E0. It has no effect on outgoing IP traffic and no effect on packets originated by other protocols, such as IPX. Access list 2 filters IP packets going out interface S3. It has no effect on incoming IP packets and no effect on packets originated by other protocols.

Multiple interfaces may make calls to the same access list, but any one interface can have only one incoming and one outgoing access list for each protocol.

In Figure B.10, the TCP, UDP, and ICMP access lists given earlier as examples are used as filters. Access list 110, from the previous two examples, has been applied to the Token Ring 0 interface to check incoming traffic. Access list 111 is applied to the same interface to check outgoing traffic. Analyze the two access lists carefully, including their interrelationship, and consider the following:

  • A ping response from 172.23.12.5 to 10.64.32.7 wants to exit interface TO0. Will it be allowed to pass?

  • Someone on 172.22.67.4 wants to ping a device at 10.64.32.20, exiting TO0. Will the ping be successful?

Figure B.10. Access list 110 is used here to filter incoming packets on the Token Ring interface. Access list 111 is used here to filter outgoing packets on the same interface.


Another command that makes calls to an access list is the access-class command. This command is used to regulate telnet sessions to and from the router's virtual terminal lines, not for packet filtering. The format of the command is:

access-class access-list-number {in | out}

Figure B.11 shows an example of the access-class command. Access list 3 regulates the addresses from which the router's VTY lines will accept telnet sessions. Access list 4 regulates the addresses to which the router's virtual terminal lines may connect.

Figure B.11. The access-class command uses an access list to regulate telnet traffic to and from the router's virtual terminal lines.


The access-class command has no effect on telnet traffic transiting the router. It only influences telnet sessions to and from the router itself.
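The following is an added example, not text or code from the book: a small Python model of the two calling commands described above. It parses a constructed IOS-style configuration (the list numbers, interface names and addresses are assumed; the book's figures are not reproduced, and only standard source-address lists are modelled, not the extended lists 110 and 111) and evaluates packets the way the text describes: ip access-group filters IP only, in one direction per interface, with the direction defaulting to out; access-class applies only to telnet sessions that terminate on or originate from the router, and is never consulted for transit traffic.

```python
# Added example (not IOS code): how an access list is called in IOS.
# Standard (source-address) lists only.
import ipaddress
from dataclasses import dataclass, field

# Constructed IOS-style configuration: list numbers, interface names and
# addresses are assumed; the book's figures are not reproduced.
CONFIG = """
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 deny 172.16.5.0 0.0.0.255
access-list 2 permit any
access-list 3 permit 10.64.32.0 0.0.0.255
access-list 4 permit 172.23.0.0 0.0.255.255
!
interface Ethernet0
 ip access-group 1 in
!
interface Serial3
 ip access-group 2
!
line vty 0 4
 access-class 3 in
 access-class 4 out
"""

@dataclass
class Entry:
    action: str      # "permit" or "deny"
    network: int     # address as a 32-bit integer
    wildcard: int    # wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        return (a | self.wildcard) == (self.network | self.wildcard)

@dataclass
class Config:
    acls: dict = field(default_factory=dict)        # number -> [Entry]
    interfaces: dict = field(default_factory=dict)  # name -> {"in": n, "out": n}
    vty: dict = field(default_factory=lambda: {"in": None, "out": None})

def _entry(tokens):
    """tokens: permit|deny followed by 'any' or 'ADDRESS [WILDCARD]'."""
    if tokens[1] == "any":
        return Entry(tokens[0], 0, 0xFFFFFFFF)
    net = int(ipaddress.IPv4Address(tokens[1]))
    wc = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
    return Entry(tokens[0], net, wc)

def parse(config: str) -> Config:
    cfg, target = Config(), None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":
            cfg.acls.setdefault(int(t[1]), []).append(_entry(t[2:]))
        elif t[0] == "interface":
            target = cfg.interfaces.setdefault(t[1], {"in": None, "out": None})
        elif t[:2] == ["line", "vty"]:
            target = cfg.vty
        elif t[:2] == ["ip", "access-group"] and target is not None:
            # Direction defaults to out; a later call for the same direction
            # replaces the earlier one: one in and one out filter per interface.
            target[t[3] if len(t) > 3 else "out"] = int(t[2])
        elif t[0] == "access-class" and target is not None:
            target[t[2]] = int(t[1])
    return cfg

def acl_permits(cfg: Config, number: int, addr: str) -> bool:
    """First matching entry wins; no match is the implicit deny at the end."""
    for e in cfg.acls.get(number, []):
        if e.matches(addr):
            return e.action == "permit"
    return False

def interface_permits(cfg, iface, direction, src, protocol="ip") -> bool:
    """ip access-group: IP only, and only in the direction it was called for."""
    if protocol != "ip":
        return True
    number = cfg.interfaces.get(iface, {}).get(direction)
    return True if number is None else acl_permits(cfg, number, src)

def router_forwards(cfg, in_iface, out_iface, src, protocol="ip") -> bool:
    """Transit packet: inbound filter of the ingress interface and outbound
    filter of the egress interface.  access-class is never consulted here."""
    return (interface_permits(cfg, in_iface, "in", src, protocol)
            and interface_permits(cfg, out_iface, "out", src, protocol))

def vty_permits(cfg, direction, addr) -> bool:
    """access-class: 'in' checks the source of a telnet session to the router,
    'out' checks the destination of a session the router itself opens."""
    number = cfg.vty.get(direction)
    return True if number is None else acl_permits(cfg, number, addr)

if __name__ == "__main__":
    c = parse(CONFIG)
    print("telnet to router from 192.168.1.1:", vty_permits(c, "in", "192.168.1.1"))
    print("telnet transiting S3->E0 from 192.168.1.1:", router_forwards(c, "Serial3", "Ethernet0", "192.168.1.1"))
```

Running the module shows the point of the last paragraph: a host that access list 3 would reject at the VTY lines still has its telnet packets forwarded through the router, because only the interface filters called with ip access-group see transit traffic.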


Routing TCP/IP (Vol. 1, 1998)
Year: 2004
Pages: 224