Chapter 10: Security

Commands:

10.1.2 Named Access List Syntax

Standard Named Access-List:
Router(config)# ip access-list standard name
Router(config-std-nacl)# {permit | deny} {source [source-wildcard] | any} [log]

Extended Named Access-List:
Router(config)# ip access-list extended name
Router(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [time-range time-range-name]

10.1.3 Time Based Extended Access List Syntax

Router(config)# time-range time-range-name
Router(config-time-range)# periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
Router(config-time-range)# absolute [start time date] [end time date]

10.1.4 Configuring Access List Descriptions with the Remark Command

Router(config)# access-list access-list-number remark remark
Router(config-std-nacl)# remark remark

10.1.5 Syntax for Applying Access Lists

Router(config-if)# ip access-group {access-list-number | access-list-name} [in | out]

10.3.3 Configuring Lock-and-Key

Router(config)# access-list access-list-number dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

10.3.4 Configuring Lock-and-Key Authentication

Router# access-enable [host] [timeout minutes]

10.4.1 Using Extended Access Lists with the Established Argument

Router(config)# access-list access-list-number permit tcp source-address source-mask destination-address destination-mask established

10.4.5 Configuring Reflexive Access Lists

Outbound (reflecting) list, applied on the external interface:
Router(config)# ip access-list extended outbound-list-name
Router(config-ext-nacl)# permit ip-protocol any any reflect name [timeout seconds]
Router(config-if)# ip access-group outbound-list-name out

Inbound (evaluating) list, applied on the same interface:
Router(config)# ip access-list extended inbound-list-name
Router(config-ext-nacl)# evaluate name
Router(config-if)# ip access-group inbound-list-name in

Global default timeout for reflexive entries without a per-line timeout:
Router(config)# ip reflexive-list timeout seconds
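A worked reflexive access-list configuration that ties the commands above together; this is an added example, not taken from the chapter. The list names OUTBOUND and INBOUND, the reflexive list name REFLECTED, the interface Serial0/0, the statically permitted SMTP server and the timeout values are all assumed.

```ios
! Outbound list on the external interface: each permitted TCP or UDP session
! creates a temporary mirror-image entry in the reflexive list REFLECTED
! (assumed name) that expires after the given idle time in seconds.
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 60
 permit icmp any any
!
! Inbound list: the reflexive entries are consulted at the point of the
! evaluate statement. The static permit above it (assumed: a mail server on
! 192.0.2.25) is the only traffic allowed that no inside host initiated.
ip access-list extended INBOUND
 permit tcp any host 192.0.2.25 eq 25
 evaluate REFLECTED
 deny ip any any log
!
! Default expiry for reflexive entries whose reflect line has no timeout.
ip reflexive-list timeout 120
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Because entries are inserted where `evaluate` appears, the `deny ip any any log` line below it is reached only by packets that matched no reflexive entry, which makes those log messages a usable record of unsolicited inbound traffic.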

10.5.5 Defining CBAC Inspection Rules

Router(config)# ip inspect name inspection-name protocol [timeout seconds]
Router(config)# ip inspect name inspection-name http [java-list access-list] [timeout seconds]
Router(config-if)# ip inspect inspection-name {in | out}

10.5.7 Verifying CBAC

Router# show ip inspect {name inspection-name | config | interfaces | session [detail] | all}