Standard ACLs : Traffic is filtered based on the source IP address of IP packets only. The access-list number can be any number from 1 to 99. This kind of ACL has to be placed near the destination to avoid blocking legitimate traffic from the source (a standard ACL cannot distinguish destinations, so applied near the source it would block that source's traffic to every destination).

Extended ACLs : Introduced in IOS version 8.3, extended ACLs are more complex and allow filtering of IP traffic based on a combination of multiple criteria: source IP address, destination IP address, TCP or UDP port, and protocol. In numbered ACLs, the access-list number can be any number from 100 to 199 or 2000 to 2699 (available in IOS versions > 12.0.1). Such ACLs can also be named access lists, in which the ACL number is replaced by a keyword. This kind of ACL has to be placed near the source, as it allows fine-grained control of the resources accessed. Placing the ACL near the destination would make the traffic travel through the network before being blocked, resulting in wasted bandwidth.

access-list 1 permit ip 10.2.25.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit icmp any 10.1.0.0 0.0.255.255 echo
access-list 1 deny ip any any

Configuration on Cisco 2911 ISR Router

Restrict remote Telnet or SSH access to the ISR router

Access lists can be used to restrict remote SSH or Telnet access to the ISR router management interface (the VTY lines) to specific networks only. Only numbered access lists are supported on the Virtual Terminal Line. The access-class command is used to apply the access list on the Virtual Terminal Line. The following configuration denies administrative access to the router except from the 192.168.1.0/24 network hosting the admin workstations.
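The configuration referred to above did not survive extraction, so here is an added example (not the page's own configuration) of a standard numbered ACL applied with access-class on the VTY lines, permitting only 192.168.1.0/24. The ACL number 10, the hostname Router, and the line range vty 0 4 are assumptions; the explicit deny with the log keyword is there because the implicit deny at the end of every ACL does not log rejected connection attempts.

```cisco
! Added example, not the page's own configuration. Assumed: ACL number 10,
! hostname "Router", VTY line range 0 4 (use "line vty 0 15" if the platform
! exposes more lines; any VTY line left without the access-class stays open).
Router(config)# access-list 10 remark Management access to the VTY lines
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any log
!
! Apply the ACL inbound on the VTY lines with access-class. "transport input ssh"
! additionally refuses Telnet, so credentials never cross the network in clear text.
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 10 0
Router(config-line)# login local
Router(config-line)# end
!
! Verification: the per-entry hit counters show which entry connection
! attempts match, and the running config confirms the ACL is bound to every line.
Router# show access-lists 10
Router# show running-config | section line vty
```

login local assumes a local username has already been created, and transport input ssh assumes SSH is set up (hostname, ip domain-name and an RSA key pair). After applying, test once from an admin workstation in 192.168.1.0/24 and once from an address outside it: the first should reach the login prompt, the second should be refused, and the deny entry's counter in show access-lists 10 should increment.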