Which command would you use to apply an access list to a router interface?
A. ip access-list 101 out
B. access-list ip 101 in
C. ip access-group 101 in
D. access-group ip 101 in
Answer: Option C
Solution(By Examveda Team)
To apply an access list, the proper command is ip access-group 101 in.clear access-list ipv4
To clear IPv4 access list counters, use the clear access-list ipv4 command in EXEC mode.
clear access-list ipv4 access-list name [ sequence-number | hardware { ingress | egress}] [interface type interface-path-id] [ location node-id | sequence number ]
Syntax Description
access-list-name | Name of a particular IPv4 access list. The name cannot contain a spaces or quotation marks, but can include numbers. | ||
sequence-number | (Optional) Specific sequence number with which counters are cleared for an access list. Range is 1 to 2147483644 . | ||
hardware | Identifies the access list as an access group for an interface. | ||
ingress | Specifies an inbound direction. | ||
egress | Specifies an outbound direction. | ||
interface | (Optional) Clears the interface statistics. | ||
type | Interface type. For more information, use the question mark (?) online help function. | ||
interface-path-id | Physical interface or virtual interface.
For more information about the syntax for the router, use the question mark (?) online help function. | ||
location node-id | (Optional) Clears hardware resource counters from the designated node. The node-id argument is entered in the rack/slot/module notation. | ||
sequence number | (Optional) Clears counters for an access list with a specific sequence number. Range is 1 to 2147483644 . |
We apologize for the inconvenience...
...but your activity and behavior on this site made us think that you are a bot.
Note: A number of things could be going on here.
- If you are attempting to access this site using an anonymous Private/Proxy network, please disable that and try accessing site again.
- Due to previously detected malicious behavior which originated from the network you're using, please request unblock to site.
Answer This Question
Standard Access-List
Prerequisite – Access-lists (ACL)
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.
Standard Access-list –
These are the Access-list which are made using the source IP address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish between the IP traffic such as TCP, UDP, HTTPS, etc. By using numbers 1-99 or 1300-1999, the router will understand it as a standard ACL and the specified address as the source IP address.
Features –
- Standard Access-list is generally applied close to destination (but not always).
- In a standard access list, the whole network or sub-network is denied.
- Standard access-list uses the range 1-99 and extended range 1300-1999.
- Standard access-list is implemented using source IP address only.
- If numbered with standard Access-list is used then remember rules can’t be deleted. If one of the rules is deleted then the whole access list will be deleted.
- If named with standard Access-list is used then you have the flexibility to delete a rule from the access list.
Note – Standard Access-list are less used as compared to extended access-list as the entire IP protocol suite will be allowed or denied for the traffic as it can’t distinguish between the different IP protocol traffic.
Configuration –
Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.40.0/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, want to deny connection from the sales department to the finance department and allow others to reach that network.
Now, first configuring numbered standard access – list for denying any IP connection from sales to finance department.
Here, like extended access-list, you cannot specify the particular IP traffic to be permitted or denied. Also, note that wildcard mask has been used (0.0.0.255 which means Subnet mask 255.255.255.0). 10 is used from the number standard access-list range.
Now, as you already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of the access list then the traffic will be dropped.
By specifying any means that source having any IP address traffic will reach the finance department except the traffic which it matches the above rules that you have made.
Now, you have to apply the access list on the interface of the router:
As you remember that the standard access-list is generally applied to the destination and here also if you apply access-list close to the destination, it will satisfy our need, therefore, outbound to interface fa0/1 has been applied.
Named standard Access-list example –
Now, considering the same topology, you will make a named standard access list.
By using this command you have made an access-list named blockacl.
And then the same configuration you have done in numbered access-list.
Standard access-list for Telnet example –
As you know, you cannot specify particular IP traffic to be denied in standard access-list but telnet connection can be permitted or denied using standard access-list by applying access-list on line vty lines.
Here, in the given figure, you want to deny telnet to the Finance department from any network. Configuring for the same:
Access List Commands
show access-lists | Displays all access lists and their parameters configured on the router.This command doesn't show which interface the list is configured on. |
show access-list [list #] | Shows only the parameters for the access list specified.This command does not show you the interface the list is configured on. |
show ip access-list | Shows only the IP access lists configured on the router. |
show ipx access-list | Shows only the IPX access lists configured on the router. |
show ip interface | Shows which interfaces have IP access lists on them. |
show ipx interface | Shows which interfaces have IPX access lists on them. |
show running-config | Shows the access lists and which interfaces have access lists set. |
any | Keyword used to represent all hosts or networks, replaces 0.0.0.0 255.255.255.255 in access list. |
host | Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e will match only 1 host) |
clear access-list counter [list#] | Clears extended access lists counter of the number of matches per line of the access list. |
-1 | Applies to any IPX network or any protocol when used in extended IPX access lists. |
0 | Used for all sockets in extended IPX access lists. |
ip access-group | Applies an IP access list to an interface. |
ipx access-group | Applies an IPX access list to an interface. |
ipx input-sap-filter | Applies an inbound IPX SAP filter to an interface. |
ipx output-sap-filter | Applies an outbound IPX SAP filter to an interface. |
Access List Ranges
Standard IP Access Lists | 1-99 |
Extended IP Access Lists | 100-199 |
Standard IPX Access Lists | 800-899 |
Extended IPX Access Lists | 900-999 |
IPX SAP Filters | 1000-1099 |