CCNA Security – Chapter 4 (ACLs Standard-Extended)

Firewall types: packet filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls.

R2(config)#access-list ?
<1-99>            IP standard access list
<100-199>         IP extended access list
<1000-1099>       IPX SAP access list
<1100-1199>       Extended 48-bit MAC address access list
<1200-1299>       IPX summary address access list
<1300-1999>       IP standard access list (expanded range)
<200-299>         Protocol type-code access list
<2000-2699>       IP extended access list (expanded range)
<300-399>         DECnet access list
<600-699>         Appletalk access list
<700-799>         48-bit MAC address access list
<800-899>         IPX standard access list
<900-999>         IPX extended access list
dynamic-extended  Extend the dynamic ACL absolute timer
rate-limit        Simple rate-limit specific access list
access-list 1 permit host
access-list 1 permit
access-list 100 permit ip host host
access-list 100 permit tcp host host eq 80
R2(config-if)# ip access-group 100 in
ip access-list standard STANDAR-ACL
permit host
ip access-list extended EXTENDED-ACL
permit tcp host host established
The access-class extended ACL only supports the any keyword as the destination.
ip access-list extended PERMIT-ADMIN-LINE
permit tcp host any eq 22 log
deny ip any any
line vty 0 4
access-class PERMIT-ADMIN-LINE in
If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that ACEs are added in the correct location. The ACL is processed top-down based on the sequence numbers of the ACEs (lowest to highest).
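The following is an added example, not part of the original notes or of Cisco IOS: a small Python model of how an extended ACL is evaluated, so the rules above (top-down by sequence number, first match wins, unmatched traffic hits the implicit deny) and the established keyword from the EXTENDED-ACL snippet can be exercised on sample packets. The ACE syntax follows the notes; all addresses are constructed placeholders from the RFC 5737 documentation ranges, and the ACL itself is an assumed example list, not a real device configuration.

```python
"""Model of Cisco IOS extended-ACL matching (added example, not from the notes).

Semantics modelled: ACEs are evaluated in ascending sequence order, the first
matching ACE decides, and a packet matching nothing is denied implicitly.
A wildcard mask bit of 0 means "must match", 1 means "don't care".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set: what "established" tests


@dataclass
class ACE:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol
    src: Tuple[int, int]       # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int] = None
    established: bool = False
    log: bool = False


def _addr_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return spec, next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(seq: int, text: str) -> ACE:
    """Parse e.g. 'permit tcp host 192.0.2.10 any eq 22 log' into an ACE."""
    t = text.split()
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    ace = ACE(seq, t[0], t[1], src, dst)
    while i < len(t):                       # optional trailing keywords
        if t[i] == "eq":
            ace.dport = int(t[i + 1]); i += 2
        elif t[i] == "established":
            ace.established = True; i += 1
        elif t[i] == "log":
            ace.log = True; i += 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return ace


def _wild_match(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    return (int(IPv4Address(addr)) | wild) == (base | wild)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_wild_match(ace.src, pkt.src) and _wild_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in sequence order wins; (action, None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


ADMIN_HOST = "192.0.2.10"      # constructed placeholder: admin workstation
ROUTER = "198.51.100.1"        # constructed placeholder: router VTY address
ACL = [                        # assumed example list modelled on the notes' syntax
    parse_ace(10, f"permit tcp host {ADMIN_HOST} any eq 22 log"),
    parse_ace(20, "permit tcp 198.51.100.0 0.0.0.255 any established"),
    parse_ace(30, "deny ip any any"),
]


def demo() -> dict:
    r = {}
    r["admin_ssh"] = evaluate(ACL, Packet("tcp", ADMIN_HOST, ROUTER, 22))
    r["other_ssh"] = evaluate(ACL, Packet("tcp", "203.0.113.7", ROUTER, 22))
    # reply segment of a session opened from inside the /24 carries ACK
    r["reply"] = evaluate(ACL, Packet("tcp", "198.51.100.25", "203.0.113.7", 40000, True))
    # a new SYN from the same /24 has no ACK/RST, so "established" does not match
    r["new_syn"] = evaluate(ACL, Packet("tcp", "198.51.100.25", "203.0.113.7", 40000))
    # without the explicit deny ip any any, unmatched traffic hits the implicit deny
    r["implicit"] = evaluate(ACL[:2], Packet("udp", "203.0.113.7", ROUTER, 53))
    # an ACE entered last but numbered 5 is evaluated first: sequence, not entry order
    r["after_seq5"] = evaluate(ACL + [parse_ace(5, f"deny tcp host {ADMIN_HOST} any eq 22")],
                               Packet("tcp", ADMIN_HOST, ROUTER, 22))
    return r


if __name__ == "__main__":
    for name, (action, seq) in demo().items():
        print(f"{name:10s} -> {action} (seq {seq})")
```

The model does not reproduce the standard-ACL reordering described below (IOS placing standard entries by address rather than by sequence); it covers the extended-ACL case only.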
Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
Entering the no parameter followed by the ACE deletes the entire ACL, not just that single entry.
On standard access lists, the Cisco IOS will add new entries by descending order of the IP address, regardless of the sequence number. Therefore, the sequence number in a standard ACL is used as an identifier of a specific ACE for deletion purposes.
All entries, regardless of the order in which they were entered, were placed in order of descending IP address, from specific to general.
INBOUND = Pre-Routing
OUTBOUND = Post-Routing
Packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.