© 2002, Cisco Systems, Inc. All rights reserved.
Configuring IP Access Lists
Objectives
Upon completing this lesson, you will be able to:
Use Cisco commands to configure IP standard and extended access lists, given a functioning router
Use commands to identify anomalies in IP standard and extended access lists, given an operational router
Access List Configuration Guidelines
Access list numbers indicate which protocol is filtered.
One access list per interface, per protocol, per direction is allowed.
The order of access list statements controls testing.
Place the most restrictive statements at the top of the list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
Create access lists before applying them to interfaces.
Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements).
Router(config)#access-list access-list-number {permit | deny} {test conditions}
Step 2: Enable an interface to use the specified access list.
Router(config-if)#{protocol} access-group access-list-number {in | out}
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Router(config-if)#ip access-group access-list-number {in | out}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes access list from the interface
Router(config)#access-list access-list-number {permit | deny | remark} source [mask]
Sets parameters for this list entry
IP standard access lists use 1 to 99
Default wildcard mask =
no access-list access-list-number removes entire access list
remark option lets you add a description for the access list
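Added example (not part of the original Cisco material): a small Python model of how a standard IP access list is tested, using the access-list syntax shown above. It shows first-match ordering, the implicit deny, and a check for statements that an earlier line makes unreachable. The list number and addresses are constructed sample values; the any keyword and the exact-match treatment of an omitted mask are standard IOS behaviour assumed here.

```python
import ipaddress

def parse_acl(config):
    """Parse 'access-list N {permit|deny|remark} source [mask]' lines, in order."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # remarks are descriptions only and are never tested
        action, source = tok[2], tok[3]
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"  # no mask: exact match
        entries.append((action, int(ipaddress.IPv4Address(source)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def evaluate(entries, src_ip):
    """Return the action of the first matching statement, else the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
        if (src & care) == (net & care):
            return action
    return "deny"  # implicit deny any at the end of every list

def shadowed(entries):
    """Indexes of statements fully covered by an earlier one (they can never match)."""
    hits = []
    for j, (_, net_j, wc_j) in enumerate(entries):
        for _, net_i, wc_i in entries[:j]:
            care_i = ~wc_i & 0xFFFFFFFF
            if wc_j & care_i == 0 and (net_i ^ net_j) & care_i == 0:
                hits.append(j)
                break
    return hits

# Constructed sample lists: most restrictive statement first.
GOOD = """
access-list 10 remark block one host, allow the rest of its subnet
access-list 10 deny 172.16.4.13
access-list 10 permit 172.16.4.0 0.0.0.255
"""
# Same statements with the broad permit first: the deny line is never reached.
SHADOWED = """
access-list 10 permit 172.16.4.0 0.0.0.255
access-list 10 deny 172.16.4.13
"""
DENY_ONLY = "access-list 10 deny 172.16.4.13"  # no permit: all traffic is dropped
```

Running shadowed() over a list before applying it to an interface flags ordering anomalies such as the second list, where the host deny has no effect.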
Standard