What is the command used to apply an access list to a router interface?

Which command would you use to apply an access list to a router interface?

A. ip access-list 101 out

B. access-list ip 101 in

C. ip access-group 101 in

D. access-group ip 101 in

Answer: Option C

Solution [By Examveda Team]

To apply an access list, the proper command is ip access-group 101 in.

clear access-list ipv4

To clear IPv4 access list counters, use the clear access-list ipv4 command in EXEC mode.

clear access-list ipv4 access-list-name [ sequence-number | hardware { ingress | egress } ] [ interface type interface-path-id ] [ location node-id | sequence number ]

Syntax Description

access-list-name

Name of a particular IPv4 access list. The name cannot contain a space or quotation marks, but can include numbers.

sequence-number

[Optional] Specific sequence number with which counters are cleared for an access list. Range is 1 to 2147483644.

hardware

Identifies the access list as an access group for an interface.

ingress

Specifies an inbound direction.

egress

Specifies an outbound direction.

interface

[Optional] Clears the interface statistics.

type

Interface type. For more information, use the question mark [?] online help function.

interface-path-id

Physical interface or virtual interface.

Note

Use the show interfaces command to see a list of all interfaces currently configured on the router.

For more information about the syntax for the router, use the question mark [?] online help function.

location node-id

[Optional] Clears hardware resource counters from the designated node. The node-id argument is entered in the rack/slot/module notation.

sequence number

[Optional] Clears counters for an access list with a specific sequence number. Range is 1 to 2147483644.

Access List Commands

| Command | Description |
|---|---|
| show access-lists | Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on. |
| show access-list [list #] | Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on. |
| show ip access-list | Shows only the IP access lists configured on the router. |
| show ipx access-list | Shows only the IPX access lists configured on the router. |
| show ip interface | Shows which interfaces have IP access lists on them. |
| show ipx interface | Shows which interfaces have IPX access lists on them. |
| show running-config | Shows the access lists and which interfaces have access lists set. |
| any | Keyword used to represent all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list. |
| host | Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 [i.e., will match only 1 host]. |
| clear access-list counter [list#] | Clears the extended access list's counter of the number of matches per line of the access list. |
| -1 | Applies to any IPX network or any protocol when used in extended IPX access lists. |
| 0 | Used for all sockets in extended IPX access lists. |
| ip access-group | Applies an IP access list to an interface. |
| ipx access-group | Applies an IPX access list to an interface. |
| ipx input-sap-filter | Applies an inbound IPX SAP filter to an interface. |
| ipx output-sap-filter | Applies an outbound IPX SAP filter to an interface. |

Access List Ranges

| Access List Type | Number |
|---|---|
| Standard IP Access Lists | 1-99 |
| Extended IP Access Lists | 100-199 |
| Standard IPX Access Lists | 800-899 |
| Extended IPX Access Lists | 900-999 |
| IPX SAP Filters | 1000-1099 |

Standard Access List Syntax


Which command would you use to apply an access list to a router interface? Computer security

  • ip access-list 101 out
  • access-list ip 101 in
  • ip access-group 101 in
  • access-group ip 101 in
Answer: ip access-group 101 in
851 students attempted this question.

How to create and configure Standard Access Control Lists, access-list IOS command and access-group IOS command

Before continuing, refer to the Introduction to Access Control Lists lesson if you are not familiar with Access Control Lists.

Refer to the Standard Access Control Lists lesson if you are not familiar with the Standard Access Control List configuration IOS commands.

Standard Access Control Lists [ACLs] - Lab Practice

The following diagram shows our Standard Access Control Lists lab setup. We have three routers, three switches, six workstations and three servers connected as below. The host names, IP addresses and the interfaces of the routers are shown in diagram. The IP addresses of the workstations and the servers are also shown in the diagram.

The purpose of this lab is to deny the workstations on the 172.16.0.0/16 network access to the servers on the 172.20.0.0/16 network, using a Standard Access Control List. Connect the computers, switches and routers as shown in the figure. Configure the IP address and default gateway TCP/IP settings on all computers and servers. Configure the hostname, IP address and routing on the three routers. Click the following link to learn more about configuring hostnames, IP addresses and Enhanced Interior Gateway Routing Protocol [EIGRP] in routers.

Click the following link to learn where to place a Standard Access Control List [ACL]. In this lab, the router nearest to the destination network is Router03, so we have to configure the Standard Access Control List [ACL] on Router03.

How to create Standard Access Control List [ACL] using "access-list" IOS command

To create a Standard Access Control List [ACL] that denies all IP addresses in the 172.16.0.0/16 network access to the servers on the 172.20.0.0/16 network, we use the "access-list" IOS command from the global configuration mode of Router03 [which is close to the destination], as shown below.

Router03>enable
Router03#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router03(config)#access-list 5 deny 172.16.0.0 0.0.255.255
Router03(config)#access-list 5 permit any
Router03(config)#exit
Router03#

Remember, there is an implicit "deny any" at the end of every Access Control List [ACL]. If there is no "access-list 5 permit any" statement at the end, the above Standard Access Control List [ACL] may filter out all traffic to the destination network. The "access-list 5 permit any" statement permits any other traffic that does not match a deny in the previous statements. The above Standard Access Control List [ACL] effectively allows all traffic to the destination network except traffic from the 172.16.0.0/16 network.
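The first-match evaluation and the implicit deny described above can be checked offline with a small simulator. This is an added example, not part of the original lesson; the function names and the two source addresses are constructed for illustration, and only numbered standard ACL lines are handled.

```python
import ipaddress

# Constructed inputs: the lab's ACL 5, and the same list without "permit any".
LAB_ACL = """access-list 5 deny 172.16.0.0 0.0.255.255
access-list 5 permit any"""
DENY_ONLY = "access-list 5 deny 172.16.0.0 0.0.255.255"

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(config, number):
    """Return [(action, address, wildcard), ...] as integers, in config order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, src = tok[2], tok[3:]
        if src[0] == "any":        # any = 0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":     # host = wildcard mask 0.0.0.0
            addr, wild = src[1], "0.0.0.0"
        else:                      # address followed by optional wildcard mask
            addr, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, _to_int(addr), _to_int(wild)))
    return entries

def evaluate(entries, source_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    ip = _to_int(source_ip)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard 0-bits are the bits that must match
        if (ip & care) == (addr & care):
            return action
    return "deny"                  # implicit "deny any"

def verdicts(config, number, sources):
    entries = parse_standard_acl(config, number)
    return {ip: evaluate(entries, ip) for ip in sources}

if __name__ == "__main__":
    hosts = ["172.16.0.10", "172.17.0.10"]  # constructed source addresses
    print(verdicts(LAB_ACL, 5, hosts))
    print(verdicts(DENY_ONLY, 5, hosts))
```

With the "permit any" line removed, the source outside 172.16.0.0/16 is also denied, which is the failure mode the paragraph warns about.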

If you want to remove the Access Control List [ACL], use the "no" form of the command. You cannot delete a specific entry in an Access Control List [ACL]. You can only delete the entire Access Control List [ACL], as shown below.

Router03(config)#no access-list 5

How to configure Standard Access Control Lists [ACL] to an interface using "access-group" command

The "access-group" command can be used to apply the access list to an interface. The syntax for "access-group" IOS command is given below.

Router(config)#interface interface_no
Router(config-if)#ip access-group access_list_no {in | out}

The "in/out" keyword of the command is used to specify the direction in which the traffic is filtered.

The "in" keyword is used to specify that the traffic should be filtered when it arrives at the router via an interface. The following diagram explains the "in" keyword. Here the traffic will be filtered as it arrives at the router.

The "out" keyword is used to specify that the traffic should be filtered as it leaves the router via an interface. The following diagram explains the "out" keyword. Here the traffic will be filtered as it leaves the router.

Standard Access Control Lists must be applied close to the destination network. Here the interface close to the destination is fa0/0 on Router03. The following IOS commands apply the Standard Access Control List [Access Control List No. 5] to the interface fa0/0 [Router03] in the "out" direction.

Router03>enable
Router03#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router03(config)#interface fa0/0
Router03(config-if)#ip access-group 5 out
Router03(config-if)#exit
Router03(config)#exit
Router03#

If you want to remove the Access Control List [ACL] from the above interface, use the "no" form of the command as shown below.

Router03(config-if)#no ip access-group 5 out
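Because creating a list and applying it are separate steps, a saved "show running-config" output can be audited for lists that are applied but never defined, or defined but never applied. The script below is an added example, not part of the original lesson; the configuration excerpt is constructed (ACLs 7 and 9 and the extra interfaces are hypothetical), and only numbered ACLs are handled.

```python
import re

# Constructed running-config excerpt: ACL 5 is the lab's list; 7 and 9 are hypothetical.
SAMPLE_CONFIG = """\
access-list 5 deny 172.16.0.0 0.0.255.255
access-list 5 permit any
access-list 7 permit any
!
interface FastEthernet0/0
 ip access-group 5 out
!
interface FastEthernet0/1
 ip access-group 9 in
!
interface Serial0/0
 no ip address
"""

def acl_bindings(config):
    """Return [(interface, acl, direction)] for every 'ip access-group' line."""
    bindings, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None  # any other unindented line ends the interface block
        m = re.match(r"\s+ip access-group (\S+) (in|out)\s*$", line)
        if m and iface:
            bindings.append((iface, m.group(1), m.group(2)))
    return bindings

def defined_acls(config):
    """Numbers of all ACLs that have at least one 'access-list N ...' line."""
    return {m.group(1) for m in re.finditer(r"^access-list (\d+) ", config, re.M)}

def audit(config):
    bindings = acl_bindings(config)
    defined = defined_acls(config)
    applied = {acl for _, acl, _ in bindings}
    return {
        "bindings": bindings,
        "applied_but_undefined": sorted(applied - defined),
        "defined_but_unapplied": sorted(defined - applied),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```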