
Cisco Com 4

posted Jul 2, 2016, 3:45 PM by JR A

Access Control Lists:

Standard ACL: 1 – 99 and 1300 – 1999

  • Use a remark to describe the ACL (optional):
R1(config)# access-list 1 remark ACL TO DENY ACCESS FROM SALES VLAN
  • Create the ACL, keeping the following in mind:
    • An ACL uses first-match logic: the first statement that matches decides, and later statements are not consulted.
    • There is an implicit deny any at the end of every ACL.
R1(config)# access-list 2 deny 192.168.1.77
R1(config)# access-list 2 deny 192.168.1.64 0.0.0.31
R1(config)# access-list 2 permit 10.1.0.0 0.0.255.255
R1(config)# access-list 2 deny 10.0.0.0 0.255.255.255
R1(config)# access-list 2 permit any
  • Enable the ACL on the chosen router interface in the correct direction (in or out):
R1(config-if)# ip access-group 2 out
  • Using a standard ACL to limit Telnet and SSH access to a router:

Create the ACL that defines the permitted Telnet/SSH clients:

R1(config)# access-list 99 remark ALLOWED TELNET CLIENTS
R1(config)# access-list 99 permit 192.168.1.128 0.0.0.15

Apply the ACL inbound on the vty lines:

R1(config)# line vty 0 4
R1(config-line)# access-class 99 in

Extended ACL: 100 – 199 and 2000 – 2699

  • An extended ACL should be placed as close as possible to the source of the packet.
  • An extended ACL matches packets on source and destination IP addresses, protocol, source and destination port numbers, and other criteria as well.
R1(config)# access-list 101 remark MY_ACCESS_LIST
R1(config)# access-list 101 deny ip host 10.1.1.1 host 10.2.2.2
R1(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23
R1(config)# access-list 101 deny icmp 10.1.1.1 0.0.0.0 any
R1(config)# access-list 101 deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config)# access-list 101 deny udp host 10.1.1.7 eq 53 any
R1(config)# access-list 101 permit ip any any
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 101 in

Named ACL:

  • Named ACLs use names rather than numbers to identify ACLs, and the commands that permit or deny traffic are entered in a sub-mode called named ACL mode (nacl).
  • Named ACLs allow the ACL to be edited (statements deleted or inserted) because every statement carries a sequence number.
  • Named standard ACL:
R1(config)# ip access-list standard MY_STANDARD_ACL
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# deny 10.2.2.2
R1(config-std-nacl)# permit any
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_STANDARD_ACL out
  • Named extended ACL:
R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# deny icmp 10.1.1.1 0.0.0.0 any
R1(config-ext-nacl)# deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config-ext-nacl)# permit ip any any
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_EXTENDED_ACL in
  • Editing an ACL using sequence numbers:
R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# no 20    ! deletes the statement with sequence number 20
R1(config)# ip access-list standard 99
R1(config-std-nacl)# 5 deny 1.1.1.1    ! inserts a statement with sequence number 5
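The following Python model is an added illustration of the ACL rules described in the standard, extended and named ACL sections above (wildcard masks, first-match lookup, the implicit deny, and editing by sequence number); it is not IOS code and does not come from this page. It re-enters ACL 101 and ACL 99 from this page in named-ACL style so that each statement gets a sequence number (10, 20, ... as IOS assigns by default), then shows what "no 20" and an explicit "5 deny ..." do to the lookup result. The names Acl, Entry, build_acl_101, build_acl_99 and the sample packets are constructed for this example.

```python
"""Model of Cisco IOS ACL behaviour: wildcard masks, first-match lookup, the
implicit deny at the end, and sequence-number editing of named ACLs.
Added illustration built from the ACLs on this page; not IOS code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any'


def host(ip: str) -> tuple[str, str]:
    """IOS keyword 'host A.B.C.D' is the same as 'A.B.C.D 0.0.0.0'."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"; "ip" matches every protocol
    src: tuple[str, str]         # (address, wildcard)
    dst: tuple[str, str]         # standard ACLs use ANY here: they only look at the source
    sport: Optional[int] = None  # 'eq' source port, if any
    dport: Optional[int] = None  # 'eq' destination port, if any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Acl:
    """Entries kept in sequence-number order, as in named ACL mode."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def add(self, action, proto, src, dst, sport=None, dport=None, seq=None) -> int:
        # Without an explicit sequence number IOS appends at last+10 (first entry = 10).
        if seq is None:
            seq = (self.entries[-1].seq + 10) if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, action, proto, src, dst, sport, dport))
        self.entries.sort(key=lambda e: e.seq)   # an explicit seq lands in order, not at the end
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' in named ACL mode."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: dict) -> tuple[str, Optional[int]]:
        """First-match walk; a packet matching nothing hits the implicit deny (seq None)."""
        for e in self.entries:
            if e.matches(pkt):
                return (e.action, e.seq)
        return ("deny", None)


def build_acl_101() -> Acl:
    """Extended ACL 101 from this page, entered so that it receives sequence numbers."""
    acl = Acl()
    acl.add("deny", "ip", host("10.1.1.1"), host("10.2.2.2"))               # 10
    acl.add("deny", "tcp", ("10.1.1.0", "0.0.0.255"), ANY, dport=23)       # 20
    acl.add("deny", "icmp", ("10.1.1.1", "0.0.0.0"), ANY)                  # 30
    acl.add("deny", "tcp", host("10.1.1.0"), host("10.0.0.1"), dport=80)   # 40
    acl.add("deny", "udp", host("10.1.1.7"), ANY, sport=53)                # 50
    acl.add("permit", "ip", ANY, ANY)                                      # 60
    return acl


def build_acl_99() -> Acl:
    """Standard ACL 99 from this page: one permit, so every other source is implicitly denied."""
    acl = Acl()
    acl.add("permit", "ip", ("192.168.1.128", "0.0.0.15"), ANY)
    return acl


if __name__ == "__main__":
    acl = build_acl_101()
    telnet = {"proto": "tcp", "src": "10.1.1.50", "dst": "172.16.0.9", "dport": 23}  # constructed packet
    print(acl.evaluate(telnet))                              # ('deny', 20)
    acl.remove(20)                                           # no 20
    print(acl.evaluate(telnet))                              # ('permit', 60)
    acl.add("deny", "ip", host("10.1.1.50"), ANY, seq=5)     # 5 deny ip host 10.1.1.50 any
    print(acl.evaluate(telnet))                              # ('deny', 5)
    print(build_acl_99().evaluate({"proto": "tcp", "src": "192.168.1.200",
                                   "dst": "192.168.1.1", "dport": 22}))  # ('deny', None)
```

Two things the model makes visible that the command listings do not: deleting statement 20 silently turns a blocked Telnet session into a permitted one because the lookup falls through to the "permit ip any any" at the end, and a standard ACL such as 99 evaluates only the source address, which is why the page applies it with access-class on the vty lines and why standard ACLs are generally placed near the destination rather than the source.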

Verifying ACLs:

  • Shows all ACLs configured on the router, with match counters at the end of each statement:
R1# show access-lists
! OR
R1# show ip access-lists
  • Shows only the specified ACL:
R1# show ip access-lists 101
  • Shows the interface details, including which ACLs are enabled on that interface, inbound or outbound:
R1# show ip interface f0/0

DHCP Server

  • Define a DHCP pool and give it a name:
R1(config)# ip dhcp pool MY_POOL
  • Define the network and mask to use in this pool, and the default gateway:
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
  • Define one or more DNS servers (optional):
R1(dhcp-config)# dns-server 213.131.65.20 8.8.8.8
  • Set the lease time (optional):
R1(dhcp-config)# lease 2    ! days
  • Define one or more ranges of excluded (reserved) addresses that the server must not lease (optional):
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.100
R1(config)# ip dhcp excluded-address 192.168.1.200 192.168.1.254
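The Python model below is an added illustration of how the pool configuration above fits together: which addresses the "network" statement yields once both "ip dhcp excluded-address" ranges are removed, and how "lease 2" bounds a binding. It is not IOS code and nothing on this page describes it. It uses MY_POOL exactly as configured above; the DhcpPool class, the constructed MAC addresses and the lowest-free-address-first handout order are assumptions of this model, not documented IOS behaviour.

```python
"""Model of an IOS DHCP pool: the leasable range left after excluded addresses are
removed, and lease expiry.  Added illustration built from MY_POOL on this page; not
IOS code.  Handing out the lowest free address first is an assumption of the model."""
import ipaddress

DAY = 86400


def excluded_addresses(ranges):
    """Expand the inclusive (low, high) ranges given to 'ip dhcp excluded-address'."""
    out = set()
    for low, high in ranges:
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        out.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    return out


def leasable(network, mask, excluded):
    """Usable host addresses of the pool's network minus every excluded address."""
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    skip = excluded_addresses(excluded)
    return [str(h) for h in net.hosts() if str(h) not in skip]


class DhcpPool:
    def __init__(self, name, network, mask, excluded, lease_days=1):
        self.name = name
        self.lease = lease_days * DAY          # 'lease <days>'
        self.free = leasable(network, mask, excluded)
        self.bindings = {}                     # mac -> (ip, expiry time in seconds)

    def request(self, mac, now):
        """Renew an existing binding, else hand out the lowest free address (assumed order)."""
        if mac in self.bindings:
            ip, _ = self.bindings[mac]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None                        # pool exhausted
        self.bindings[mac] = (ip, now + self.lease)
        return ip

    def expire(self, now):
        """Return expired addresses to the free list; gives the number of bindings released."""
        gone = [m for m, (_, exp) in self.bindings.items() if exp <= now]
        for m in gone:
            ip, _ = self.bindings.pop(m)
            self.free.append(ip)
        self.free.sort(key=ipaddress.IPv4Address)
        return len(gone)


def build_my_pool():
    """MY_POOL as configured on this page: /24 network, two excluded ranges, 2-day lease."""
    return DhcpPool("MY_POOL", "192.168.1.0", "255.255.255.0",
                    [("192.168.1.1", "192.168.1.100"), ("192.168.1.200", "192.168.1.254")],
                    lease_days=2)


if __name__ == "__main__":
    pool = build_my_pool()
    print(len(pool.free), pool.free[0], pool.free[-1])   # 99 192.168.1.101 192.168.1.199
    print(pool.request("00:11:22:33:44:55", now=0))      # constructed MAC; 192.168.1.101
    print(pool.expire(now=2 * DAY))                      # 1 binding released
```

With the two exclusions in place, only 192.168.1.101 through 192.168.1.199 can ever be leased, so the default router at .1 and any statically addressed hosts in the excluded ranges cannot collide with a dynamic lease; the excluded ranges are the mechanism that keeps the leasable range and the static range apart.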

DHCP Verification and Troubleshooting:

  • Shows the status of the specified pool and the addresses leased from it:
R1# show ip dhcp pool POOL_1
  • Shows all the IP addresses leased from all configured DHCP pools:
R1# show ip dhcp binding
  • Shows any address conflicts that have occurred:
R1# show ip dhcp conflict