Monitor a neighbor router: R# sh cdp entry routerX; R# sh cdp neighbor detail; R# telnet routerX (or its IP address); R# sh ipx add
Access Lists: a list of conditions that controls access and filters unwanted packets. IP and IPX lists work the same way; a list is applied to inbound or outbound traffic on an interface. Rules: entries are compared in sequential order, top down; comparison stops at the first match and that entry's permit/deny decides; anything that matches no entry is dropped by the implicit deny at the end of every list.
Number ranges: IP Std 1-99, IP Ext 100-199, IPX Std 800-899, IPX Ext 900-999, IPX SAP 1000-1099, DECnet 300-399, AppleTalk 600-699
Cisco IOS 11.2 or later allows an access list to be referenced by name rather than by number.
Standard IP access list: filters on the source IP address only. # config t, syntax: # access-list [number] [permit | deny] [source address] [wildcard mask]
Apply it to an interface: R# config t, (config)# int e0, (config-if)# ip access-group 10 out. Only one access list per interface, per direction (one inbound, one outbound), per protocol.
Wildcard masking: a 0 bit means check (must match), a 1 bit means ignore, so octet 0 = check the whole octet, 255 = ignore it. # config t, # access-list 11 permit 172.16.50.2 0.0.0.0 (one host), # access-list 11 permit 172.16.30.0 0.0.0.255 (the whole 172.16.30.0/24 subnet)
Eg: 172.30.16.0 (third octet 00010000) with wildcard 0.0.15.255 (third octet 00001111) permits subnets 172.30.16.0 through 172.30.31.0 (16 = 00010000 to 31 = 00011111): the high four bits of the third octet are checked, the low four are ignored.
Extended IP access list: filters on source address, destination address, IP protocol and port; numbers 100-199. # config t, syntax:
# access-list [number] [permit | deny] [protocol] [source address + wildcard] [destination address + wildcard] [operator port, e.g. eq 8080]
# access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 8080, (config)# int e0, (config-if)# ip access-group 110 out
# access-list 110 permit tcp any any eq www. Shorthands: host 172.16.50.2 = 172.16.50.2 0.0.0.0, any = 0.0.0.0 255.255.255.255
Port numbers: bgp 179, ftp 21, ftp-data 20, gopher 70, lpd 515, smtp 25, telnet 23, www 80, tftp 69, dns 53.
Monitoring extended IP access lists, 3 ways: R# sh ip interface, R# sh access-lists, R# sh run
# sh access-lists: shows all configured access lists and the number of hits/matches for each line (e.g. 34 matches)
Output: Extended IP access list 110, permit tcp host x.x.x.x host x.x.x.x eq 8080 (15 matches)
R# sh ip access-list [xxx]: shows all IP access lists, or only list xxx. R# clear access-list counters: resets the match counters
R# sh ip int e0: shows the interface config, including which access lists are applied inbound and outbound. R# sh running-config: shows the full config
Logging: config t, # access-list 110 deny ip any any log. An explicit deny line with log shows the number of matches on the denied line, e.g. (4 matches); the implicit deny counts and logs nothing, which is why an explicit deny any any is added.
By default log messages go to the console. A log entry contains: access list number, source address, source port, destination address, destination port, number of packets.
All log output can be redirected to a syslog server and stored for security and audit purposes (console output is not retained). Logging every denied packet costs router CPU, so only the lines of interest should carry the log keyword.
Placing access lists: standard access list close to the destination (it matches on source only, so placing it near the source would cut that source off from everything); extended access list close to the source (it identifies the exact traffic, so it is dropped before crossing the network).
Efficient access list: put the most frequently matched lines at the top, so most packets match quickly instead of being compared against every line, which delays traffic. Reordering must not change the result: a specific deny has to stay above the broader permit it is meant to exempt, because the first match wins.
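Added example (not part of these notes, and not IOS code): a small Python model of the evaluation rules from the standard and extended IP access list notes and the efficiency note above, covering wildcard masks, top-down first match, the implicit deny, the per-line counters that `show access-lists` reports, and the fields a `log` line records. The access-list lines and packets are constructed for the demo, and the log message text only approximates the IOS format.

```python
"""Model of how IOS evaluates a numbered IP access list (added example, not IOS code):
wildcard masks, top-down first match, implicit deny, per-line counters as 'show
access-lists' reports them, and the fields a 'log' line records. Constructed demo data."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Port keywords accepted after "eq" (from the port table in the notes).
PORT_NAMES = {"bgp": 179, "ftp": 21, "ftp-data": 20, "gopher": 70, "lpd": 515,
              "smtp": 25, "telnet": 23, "www": 80, "tftp": 69, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")      # "any" = 0.0.0.0 255.255.255.255
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", None, None))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits that are checked
    return (a & care) == (b & care)

@dataclass
class Entry:
    number: int
    action: str            # "permit" | "deny"
    proto: str             # "ip" = any IP protocol (always for standard lists), "tcp", "udp", ...
    src: tuple             # (base, wildcard)
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    log: bool
    text: str              # the line as 'show access-lists' prints it
    matches: int = 0       # hit counter, cleared by 'clear access-list counters'

def _addr(tok, i):
    """Consume one address spec: 'host A' | 'any' | 'A W' | bare 'A' (standard lists)."""
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ANY, i + 1
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():          # explicit wildcard follows
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1

def _port(tok, i):
    # Optional 'eq <number|name>' after an address spec.
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse(line: str) -> Entry:
    """Parse 'access-list <n> permit|deny ...' for standard (1-99) and extended (100-199) lists."""
    tok = line.split()
    number, action, i = int(tok[1]), tok[2], 3
    if 1 <= number <= 99:                  # standard: source address only
        src, i = _addr(tok, i)
        proto, sport, dst, dport = "ip", None, ANY, None
    elif 100 <= number <= 199:             # extended: proto, src [eq port], dst [eq port]
        proto, i = tok[i], i + 1
        src, i = _addr(tok, i)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
    else:
        raise ValueError(f"not an IP access list number: {number}")
    log = i < len(tok) and tok[i] == "log"
    return Entry(number, action, proto, src, sport, dst, dport, log, " ".join(tok[2:]))

def entry_matches(e: Entry, p: Packet) -> bool:
    """Every field the entry specifies must agree; protocol 'ip' matches any IP protocol."""
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl, p: Packet):
    """Top down, first match decides and bumps its counter. Returns (action, line index, log msg)."""
    for n, e in enumerate(acl):
        if entry_matches(e, p):
            e.matches += 1
            msg = None
            if e.log:      # fields the notes list: list no, src addr/port, dst addr/port, packets
                verb = "denied" if e.action == "deny" else "permitted"
                msg = f"list {e.number} {verb} {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport}), 1 packet"
            return e.action, n, msg
    return "deny", None, None      # implicit deny: no line, no counter, nothing logged

def show_access_lists(acl):
    # Lines as 'show access-lists' reports them, counters only where non-zero.
    return [f"{e.text} ({e.matches} match{'es' if e.matches != 1 else ''})" if e.matches else e.text
            for e in acl]

# Constructed list 110: the three lines used in the notes above.
ACL110 = [parse(l) for l in (
    "access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 8080",
    "access-list 110 permit tcp any any eq www",
    "access-list 110 deny ip any any log",
)]
```

Usage: `evaluate(ACL110, Packet("172.16.50.2", "172.16.10.2", "tcp", 40003, 23))` returns `("deny", 2, ...)` with a log message, because the telnet packet falls past the two permit lines to the explicit deny; afterwards `show_access_lists(ACL110)` shows the counter on that line. Swapping a `deny tcp any any eq www` above a `permit tcp any any` flips the result for port 80, which is the ordering caveat from the efficiency note.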
Standard IPX access lists: filter on source and destination network address. config t, # access-list [number] [permit | deny] [source] [dest]
(config)# access-list 810 permit 30 10, (config-if)# ipx access-group 810 out: permits traffic from network 30 to network 10
(config)# access-list 811 permit -1 -1, where -1 = any network / any host
Extended IPX access list: filters on source net/node, dest net/node, IPX protocol (SAP, SPX etc.) and IPX socket. # config t, syntax:
# access-list [number] [permit | deny] [IPX protocol] [source] [socket] [dest] [socket]
# access-list 910 deny -1 50 0 30 0 (any protocol, from network 50 any socket, to network 30 any socket; 0 = all sockets), (config)# int e0, (config-if)# ipx access-group 910 out
Logging: logs source address, source socket, destination address, destination socket, protocol type
Monitoring: # sh access-lists (list contents), # sh ipx int (full interface config), # sh run (full router config)