Chapter 10: Managing IP Traffic

Commands:

10.2 Configuring IP Standard Access Lists

Router(config)#access-list [1-99] [permit/deny] source source-wildcard
Router(config)#interface interface-type interface-number
Router(config-if)#ip access-group list-number [in/out]

10.3 Restricting Virtual Terminal Access

Router(config)#line vty line-number [ending-line-number]
Router(config-line)#access-class access-list-number [in/out]

10.4 Configuring Extended Access Lists

Router(config)# access-list [100-199] [permit/deny] protocol source source-wildcard destination destination-wildcard operator port-number
Router(config)#interface interface-type interface-number
Router(config-if)#ip access-group list-number [in/out]

10.4 Configuring Named Access Lists

Router(config)# ip access-list extended name
Router(config-nacl-ext)# [permit/deny] protocol source source-wildcard destination destination-wildcard operator port-number
Router(config)#interface interface-type interface-number
Router(config-if)#ip access-group list-name [in/out]

10.4 Verifying Access List Configurations

Router# show access-list
Router# show ip access-list [access-list-number]
Router# clear access-list counters [access-list-number]

10.5 Using an Alternative to Access Lists

Router(config)# ip route address mask null 0

10.6 Configuring Lock-and-Key Security (Dynamic Access Lists)

Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} telnet source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]
Router(config)# interface type number
Router(config-if)# ip access-group access-list-number
Router(config)# line VTY line-number [ending-line-number]
Router(config-line)# login tacacs
or
Router(config)#username name password secret
or
Router(config-line)#password password
Router(config-line)#login local
Router(config-line)#autocommand access-enable [host] [timeout minutes]

Verifying lock-and-key operation
Router# show access-lists [access-list-number]
Router# clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

10.7 Configuring IP Session Filtering (Reflexive Access Lists)

Define the Reflexive Access List(s)
If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one that is applied to outbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one that is applied to inbound traffic.

Router(config)# ip access-list extended name
Router(config-nacl-ext)# permit protocol any any reflect name [timeout seconds]
Router(config)#interface interface-type interface-number
Router(config-if)# ip access-group name [in/out]

Nest the Reflexive Access List(s)
If you are configuring reflexive access lists for an external interface, nest the reflexive access list within an extended named IP access list applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, nest the reflexive access list within an extended named IP access list applied to outbound traffic.

Router(config)#ip access-list extended name
Router(config-nacl-ext)# evaluate name
Router(config)#interface interface-type interface-number
Router(config-if)# ip access-group name [in/out]
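The two steps above (define with reflect, nest with evaluate) combined into one complete configuration for an external interface, as an added example that is not part of the original chapter; the interface name, access-list names and addresses are constructed for illustration.

```text
! Constructed example: Serial0/0 faces the ISP (external interface),
! 192.168.10.0/24 is the inside network.
!
! Step 1: the reflexive entries live in the list applied OUTBOUND on the
! external interface. Each outbound session that matches a "reflect" entry
! creates a temporary mirror-image entry in the named reflexive list.
ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.10.0 0.0.0.255 any reflect TCP_TRAFFIC timeout 120
 permit udp 192.168.10.0 0.0.0.255 any reflect UDP_TRAFFIC timeout 60
 permit icmp 192.168.10.0 0.0.0.255 any reflect ICMP_TRAFFIC timeout 30
 deny ip any any log
!
! Step 2: the reflexive lists are nested with "evaluate" in the list applied
! INBOUND on the same interface. Only return traffic for sessions that were
! opened from inside passes; everything else falls through to the final deny.
ip access-list extended INBOUND_FILTER
 permit tcp any host 203.0.113.10 eq 25
 evaluate TCP_TRAFFIC
 evaluate UDP_TRAFFIC
 evaluate ICMP_TRAFFIC
 deny ip any any log
!
interface Serial0/0
 description Link to ISP (external interface)
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTBOUND_FILTER out
 ip access-group INBOUND_FILTER in
!
! Verify: the temporary entries appear under the reflexive list names
! while sessions are active and age out after the configured timeout.
! Router# show access-lists
```

Reflexive entries can only be defined inside extended named lists, and a session that is never seen leaving on the "reflect" side never creates a return entry, so the inbound list's explicit deny is what blocks unsolicited traffic.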


10.8 Context Based Access Control

Configure Application-Layer Protocol Inspection
Router(config)# ip inspect name inspection-name protocol [timeout seconds]
Router(config)# ip inspect name inspection-name rpc program-number number [wait-time minutes] [timeout seconds]

Configure Java Inspection
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
Router(config)# ip inspect name inspection-name http [java-list access-list] [timeout seconds]

Configure Generic TCP and UDP Inspection
Router(config)# ip inspect name inspection-name tcp [timeout seconds]
Router(config)# ip inspect name inspection-name udp [timeout seconds]

Apply the Inspection Rule to an Interface
Router(config-if)#ip inspect inspection-name {in | out}

Display Configuration, Status, and Statistics for Context-Based Access Control
Router#show ip inspect name inspection-name
Router#show ip inspect config
Router#show ip inspect interfaces
Router#show ip inspect session [detail]
Router#show ip inspect all

Debug Context-Based Access Control
Router(config)#ip inspect audit-trail

Generic Debug Commands
Router#debug ip inspect function-trace
Router#debug ip inspect object-creation
Router#debug ip inspect object-deletion
Router#debug ip inspect events
Router#debug ip inspect timers
Router#debug ip inspect detail
Router#debug ip inspect protocol