Configuring ACLs 223
The following provides an example of the steps that are required to configure and apply a
numbered standard ACL on a router:
Step 1 Use the access-list global configuration command to create an entry in a
standard IPv4 ACL.
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Enter the global no access-list access-list-number command to remove the
entire ACL. The example statement matches any address that starts with
172.16.x.x. You can use the remark option to add a description to your
ACL.
Step 2 Use the interface configuration command to select an interface to which to
apply the ACL.
RouterX(config)# interface ethernet 1
After you enter the interface command, the command-line interface (CLI)
prompt changes from (config)# to (config-if)#.
Step 3 Use the ip access-group interface configuration command to activate the
existing ACL on an interface.
RouterX(config-if)# ip access-group 1 out
To remove an IP ACL from an interface, enter the no ip access-group
access-list-number command on the interface.
This step activates the standard IPv4 ACL 1 on the interface as an outbound
filter.
Example: Numbered Standard IPv4 ACL—Permit My Network Only
For the network shown in Figure 6-13, you want to create a list to prevent traffic that is not part of
the internal networks (172.16.0.0/16) from traveling out either of the Ethernet interfaces.
Figure 6-13 Standard ACL Permitting a Specific Network
[Figure 6-13: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
224 Chapter 6: Managing Traffic with Access Control Lists
The configuration in Example 6-2 provides a solution for this example.
Table 6-2 describes the command syntax that is presented in Example 6-2.
Example 6-2 Access List Preventing All Non-172.16.0.0 Traffic
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out
Table 6-2 Numbered Standard IPv4 ACL Example Permitting a Specific Network
access-list command parameter   Description
1                               ACL number that indicates that this ACL is a standard list
permit                          Indicates that traffic that matches the selected parameters is forwarded
172.16.0.0                      IP address that is used with the wildcard mask to identify the source network
0.0.255.255                     Wildcard mask; 0s indicate positions that must match, and 1s indicate “don’t care” positions
ip access-group 1 out           Links the ACL to the interface as an outbound filter
This ACL allows only traffic from source network 172.16.0.0 to be forwarded out on E0 and E1.
Traffic from networks other than 172.16.0.0 is blocked.
Example: Numbered Standard IPv4 ACL—Deny a Specific Host
For the network shown in Figure 6-14, you want to create a list to prevent traffic that originates
from host 172.16.4.13 from traveling out Ethernet interface E0.
Figure 6-14 Standard ACL Denying a Specific Host
[Figure 6-14: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
The configuration in Example 6-3 provides a solution for this example.
Table 6-3 describes the command syntax that is presented in Example 6-3.
Example 6-3 Access List Preventing Traffic Originating from a Specific Host
RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-3 Numbered Standard IPv4 ACL Example Denying a Specific Host
access-list command parameter   Description
1                               ACL number that indicates that this ACL is a standard list.
deny                            Indicates that traffic that matches the selected parameters is not forwarded.
172.16.4.13                     IP address of the source host.
0.0.0.0                         A mask that requires the test to match all bits. (This is the default mask.)
permit                          Indicates that traffic that matches the selected parameters is forwarded.
0.0.0.0                         IP address of the source host; all 0s indicate a placeholder.
255.255.255.255                 Wildcard mask; 0s indicate positions that must match, and 1s indicate “don’t care” positions. All 1s in the mask indicate that none of the 32 bits of the source address is checked; in other words, any address will match.
This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other
traffic to be forwarded on interface Ethernet 0. The 0.0.0.0 255.255.255.255 IP address and
wildcard mask combination permits traffic from any source. This combination can also be written
using the keyword any.
Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet
In Figure 6-15, the goal is to create a list to prevent traffic that originates from the subnet
172.16.4.0/24 from traveling out Ethernet interface E0.
Figure 6-15 Standard ACL Denying a Specific Subnet
[Figure 6-15: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
The configuration in Example 6-4 provides a solution for this example.
Table 6-4 describes the command syntax that is presented in Example 6-4.
Example 6-4 Access List Preventing Traffic Originating from a Specific Subnet
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-4 Numbered Standard IPv4 ACL Example Denying a Specific Subnet
access-list command parameter   Description
1                               ACL number indicating that this ACL is a standard list.
deny                            Indicates that traffic that matches the selected parameters is not forwarded.
172.16.4.0                      IP address of the source subnet.
0.0.0.255                       Wildcard mask; 0s indicate positions that must match, and 1s indicate “don’t care” positions. The mask with 0s in the first three octets indicates that those positions must match; the 255 in the last octet indicates a “don’t care” condition.
permit                          Indicates that traffic that matches the selected parameters is forwarded.
any                             Abbreviation for the IP address of the source. The abbreviation any indicates a source address of 0.0.0.0 and a wildcard mask of 255.255.255.255; all source addresses will match.
This ACL is designed to block traffic from a specific subnet, 172.16.4.0, and to allow all other
traffic to be forwarded out E0.
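The wildcard-mask matching and first-match evaluation that Examples 6-2 to 6-4 rely on can be checked offline with a small model. The following Python is an added example, not code from the chapter or from Cisco IOS; the list contents are those of the three examples, the source addresses fed to them are constructed, and the extra misordered list shows why statement order matters in front of the implicit deny:

```python
"""Model of standard IPv4 ACL matching as described in this section.

Added example, not code from the chapter or from Cisco IOS. It implements
the three rules the text relies on: a wildcard mask in which 0 bits must
match and 1 bits are "don't care", top-down first-match evaluation, and the
implicit "deny all" that ends every list. The lists are those of Examples
6-2, 6-3 and 6-4; the source addresses tested are constructed here.
"""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_src equals acl_addr in every bit where the wildcard
    mask is 0; bits where the mask is 1 are ignored."""
    differing = to_int(packet_src) ^ to_int(acl_addr)
    return (differing & ~to_int(wildcard) & 0xFFFFFFFF) == 0


class StandardAcl:
    """Ordered permit/deny entries of one standard ACL (numbered or named)."""

    def __init__(self, name):
        self.name = name
        self.entries = []   # (action, address, wildcard) in configured order

    def add(self, action: str, address: str, wildcard: str = "0.0.0.0"):
        """Append an entry. 'any' expands to 0.0.0.0 255.255.255.255; omitting
        the wildcard gives 0.0.0.0, the default, which matches one host."""
        if address == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        self.entries.append((action, address, wildcard))
        return self

    def evaluate(self, packet_src: str) -> str:
        """First matching entry decides; no match falls to the implicit deny."""
        for action, address, wildcard in self.entries:
            if wildcard_match(packet_src, address, wildcard):
                return action
        return "deny"   # implicit deny all, never shown in the configuration


def example_6_2() -> StandardAcl:
    """access-list 1 permit 172.16.0.0 0.0.255.255"""
    return StandardAcl(1).add("permit", "172.16.0.0", "0.0.255.255")


def example_6_3() -> StandardAcl:
    """deny 172.16.4.13 0.0.0.0, then permit 0.0.0.0 255.255.255.255"""
    return StandardAcl(1).add("deny", "172.16.4.13").add("permit", "any")


def example_6_4() -> StandardAcl:
    """deny 172.16.4.0 0.0.0.255, then permit any"""
    return StandardAcl(1).add("deny", "172.16.4.0", "0.0.0.255").add("permit", "any")


def example_6_3_misordered() -> StandardAcl:
    """Same statements as Example 6-3 in the wrong order: permit any is hit
    first, so the deny for 172.16.4.13 is never reached."""
    return StandardAcl(1).add("permit", "any").add("deny", "172.16.4.13")


def decisions(acl: StandardAcl, sources) -> dict:
    """Map each source address to the permit/deny decision of the list."""
    return {src: acl.evaluate(src) for src in sources}


if __name__ == "__main__":
    # constructed test sources: one address from each subnet in the figure,
    # the named host, and an address outside 172.16.0.0/16
    sources = ["172.16.3.1", "172.16.4.13", "172.16.4.14", "10.1.1.1"]
    for build in (example_6_2, example_6_3, example_6_4, example_6_3_misordered):
        print(build.__name__, decisions(build(), sources))
```

Running the module prints the permit or deny decision of each list for each source. The same evaluation applies when a standard list is attached to the vty lines with access-class, as in Example 6-5, because only the source address is tested.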
Controlling Access to the Router Using ACLs
To control traffic into and out of the router (not through the router), you will protect the router
virtual ports. A virtual port is called a vty. By default, there are five such virtual terminal lines,
numbered vty 0 through vty 4. When configured, Cisco IOS Software images can support more
than five vty ports.
Restricting vty access is primarily a technique for increasing network security and defining which
addresses are allowed Telnet access to the router EXEC process.
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a
higher-level protocol. Because you are filtering incoming or outgoing Telnet sessions by source
addresses and applying the filter using the access-class command to the vty lines, you can use
standard IP ACL statements to control vty access.
Example 6-5 demonstrates how to limit access to the Telnet process.
Example 6-5 Access List Preventing Telnet Activity
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
In this example, you permit any device on network 192.168.1.0 0.0.0.255 to establish a virtual
terminal (Telnet) session with the router. Of course, the user must know the appropriate passwords
to enter user mode and privileged mode.
Notice that identical restrictions have been set on every vty line (0 to 4) because you cannot control
on which vty line a user will connect. The implicit deny any statement still applies to the ACL
when it is used as an access class entry.
Configuring Numbered Extended IPv4 ACLs
For more precise traffic-filtering control, use extended IPv4 ACLs (numbered 100 to 199 and 2000
to 2699, or named), which check both the source and the destination IPv4 address. In addition, at the
end of the extended ACL statement, you can specify the protocol and an optional TCP or User Datagram
Protocol (UDP) application to filter more precisely. Figure 6-16 illustrates the IP header fields that
can be examined with an extended access list.
Figure 6-16 Extended IPv4 Access Lists
[Figure 6-16: an example TCP/IP packet made up of a frame header (for example, HDLC), the packet (IP header), a segment (for example, TCP header) and data; ACL statements 100–199 or 2000–2699 test the source address, destination address, protocol and port number fields of the packet and then deny or permit it]
To specify an application, you can configure either the port number or the name of a well-known
application. Table 6-5 shows an abbreviated list of some well-known port numbers of the various
TCP applications.
http://www.iana.org/assignments/port-numbers provides a more comprehensive list of well-known port numbers.
Table 6-5 Well-Known Port Numbers and IP Protocols
Well-Known Port Number (Decimal)   IP Protocol
20 (TCP)                           FTP data
21 (TCP)                           FTP control
23 (TCP)                           Telnet
25 (TCP)                           Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)                       Domain Name System (DNS)
69 (UDP)                           TFTP
80 (TCP)                           HTTP
To configure numbered extended IPv4 ACLs on a Cisco router, create an extended IPv4 ACL and
activate that ACL on an interface. Use the access-list command to create an entry to express a
condition statement in a complex filter. The full command follows:
access-list access-list-number {permit | deny}
protocol source source-wildcard [operator port]
destination destination-wildcard [operator port]
[established] [log]
Table 6-6 explains the syntax of the command.
Table 6-6 Command Parameters for a Numbered Extended ACL
access-list command parameter              Description
access-list-number                         Identifies the list using a number in the ranges of 100–199 or 2000–2699.
permit | deny                              Indicates whether this entry allows or blocks the specified address.
protocol                                   IP, TCP, UDP, ICMP, GRE (generic routing encapsulation), or IGRP (Interior Gateway Routing Protocol).
source and destination                     Identifies source and destination IP addresses.
source-wildcard and destination-wildcard   Wildcard mask; 0s indicate positions that must match, and 1s indicate “don’t care” positions.
operator [port|app_name]                   The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number referenced can be either the source port or the destination port, depending on where in the ACL the port number is configured. As an alternative to the port number, well-known application names can be used, such as Telnet, FTP, and SMTP.
established                                For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session. This type of traffic has the acknowledgement (ACK) bits set. (See the Extended ACL with the established Parameter example.)
log                                        Sends a logging message to the console.
The syntax of the access-list command that is presented here is representative of the TCP protocol form. Not all parameters
and options are given. For the complete syntax of all forms of the command, refer to the appropriate Cisco IOS Software
documentation available at Cisco.com.
Extended ACL with the established Parameter
In Example 6-6, the established parameter of the extended ACL allows responses to traffic that
originates from the mail host, 128.88.1.2, to return inbound on the serial 0 interface. A match occurs
if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs
to an existing connection. Without the established parameter in the ACL statement, the mail host
could only receive SMTP traffic but not send it.
Example 6-6 Access List Permitting Responses to an Originating Mail Host
access-list 102 permit tcp any host 128.88.1.2 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
interface serial 0
ip access-group 102 in
The ip access-group command links an existing extended ACL to an interface. Only one ACL per
protocol, per direction, and per interface is allowed.
Table 6-7 defines the parameters of the ip access-group command.
Table 6-7 ip access-group Command Parameters
ip access-group command parameter   Description
access-list-number                  Indicates the number of the ACL that is to be linked to an interface
in | out                            Selects whether the ACL is applied as an input or output filter; out is the default
The following list shows the steps that are required to configure and apply an extended ACL on a
router:
Step 1 Define an extended IPv4 ACL. Use the access-list global configuration
command.
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Use the show access-lists command to display the contents of the ACL. In
the example, access-list 101 denies TCP traffic from source 172.16.4.0,
using the wildcard 0.0.0.255, to destination 172.16.3.0, using the wildcard
0.0.0.255, on port 21 (FTP control port).
Step 2 Select a desired interface to be configured. Use the interface global
configuration command.
RouterX(config)# interface ethernet 0
After the interface command is entered, the CLI prompt changes from
(config)# to (config-if)#.
Step 3 Link the extended IPv4 ACL to an interface. Use the ip access-group
interface configuration command:
RouterX(config-if)# ip access-group 101 in
Use the show ip interfaces command to verify that an IP ACL is applied to
the interface.
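To see how the extended ACL fields of Table 6-6 combine, including the established keyword of Example 6-6, here is an added Python model that is not code from the chapter or from Cisco IOS. ACL 102 is Example 6-6, ACL 101 is the single Step 1 statement on its own, and the packets are constructed; the model tests the protocol, the source and destination wildcard masks, the destination-port operator and the ACK/RST condition, then falls through to the implicit deny ip any any:

```python
"""Evaluator for the numbered extended IPv4 ACL syntax described above.

Added example, not code from the chapter or from Cisco IOS. It models the
fields the access-list command tests (protocol, source and destination with
wildcard masks, a port operator on the destination port, and the
established keyword) and applies the same top-down first-match rule with
an implicit "deny ip any any" at the end. ACL 102 is Example 6-6 and ACL
101 is the Step 1 statement; the packets are constructed here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

Addr = Tuple[str, str]                        # (address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")    # the "any" keyword


def host(ip: str) -> Addr:
    """The "host" keyword: an exact address, wildcard mask 0.0.0.0."""
    return (ip, "0.0.0.0")


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are "don't care"."""
    a = int(ipaddress.IPv4Address(packet_addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    protocol: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0     # destination port (TCP/UDP only)
    ack: bool = False  # TCP ACK flag
    rst: bool = False  # TCP RST flag


@dataclass
class Entry:
    action: str                                # "permit" or "deny"
    protocol: str                              # "ip" matches every IP protocol
    src: Addr
    dst: Addr
    dport: Optional[Tuple[str, int]] = None    # (operator, port), e.g. ("eq", 21)
    established: bool = False


def port_test(op: str, want: int, have: int) -> bool:
    """The lt / gt / eq / neq operators of Table 6-6."""
    return {"eq": have == want, "neq": have != want,
            "lt": have < want, "gt": have > want}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.dport is not None and not port_test(e.dport[0], e.dport[1], p.dport):
        return False
    # established: only a TCP packet with ACK or RST set belongs to an
    # existing connection, so a bare SYN never matches this entry
    if e.established and not (p.protocol == "tcp" and (p.ack or p.rst)):
        return False
    return True


def evaluate(acl, p: Packet) -> str:
    """First matching entry decides; otherwise the implicit deny ip any any."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


def acl_102():
    """Example 6-6: applied inbound on serial 0 towards mail host 128.88.1.2."""
    mail = host("128.88.1.2")
    return [Entry("permit", "tcp", ANY, mail, established=True),
            Entry("permit", "tcp", ANY, mail, dport=("eq", 25))]


def acl_101():
    """The Step 1 statement alone: deny FTP control from 172.16.4.0/24 to
    172.16.3.0/24, with nothing else configured yet."""
    return [Entry("deny", "tcp", ("172.16.4.0", "0.0.0.255"),
                  ("172.16.3.0", "0.0.0.255"), dport=("eq", 21))]


if __name__ == "__main__":
    # constructed packets: a new SMTP connection, a reply to a connection the
    # mail host opened itself, and a new connection to a non-SMTP port
    for p in (Packet("tcp", "10.9.9.9", "128.88.1.2", dport=25),
              Packet("tcp", "10.9.9.9", "128.88.1.2", dport=40000, ack=True),
              Packet("tcp", "10.9.9.9", "128.88.1.2", dport=80)):
        print(p, "->", evaluate(acl_102(), p))
```

Note what the model shows for ACL 101 as left after Step 1: with only a deny statement configured, every packet, FTP or not, falls through to the implicit deny, which is why the complete list in Example 6-7 ends with permit ip any any. For ACL 102, a new connection to port 25 matches the second statement, a reply with ACK set matches the first, and a new connection to any other port on the mail host is dropped.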
Numbered Extended IP ACL: Deny FTP from Subnets
For the network in Figure 6-17, you want to create a list to prevent FTP traffic that originates from
the subnet 172.16.4.0/24, going to the 172.16.3.0/24 subnet, from traveling out Ethernet interface
E0.
Figure 6-17 Extended ACL Denying FTP from One Subnet to Another
[Figure 6-17: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
The configuration in Example 6-7 provides a solution for this example.
Example 6-7 Access List Preventing FTP Traffic from Specific Subnets
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
Table 6-8 describes the command syntax presented in Example 6-7.
Table 6-8 Numbered Extended IPv4 ACL Example Denying FTP Between Subnets
access-list command parameter   Description
101                             ACL number; indicates an extended IPv4 ACL
deny                            Indicates that traffic that matches the selected parameters is not forwarded
tcp                             Transport layer protocol
172.16.4.0 0.0.0.255            Source IP address and mask; the first three octets must match but not the last octet
172.16.3.0 0.0.0.255            Destination IP address and mask; the first three octets must match but not the last octet
eq 21                           Destination port; specifies the well-known port number for FTP control
eq 20                           Destination port; specifies the well-known port number for FTP data
out                             Links ACL 101 to interface E0 as an output filter
The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit
statement allows all other IP traffic out interface E0.
Numbered Extended ACL: Deny Only Telnet from Subnet
For the network in Figure 6-18, you want to create a list to prevent Telnet traffic that originates
from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.
Figure 6-18 Extended ACL Denying Telnet from a Given Subnet
[Figure 6-18: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
The configuration in Example 6-8 provides a solution for this example.
This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other IP
traffic from any other source to any destination is permitted out E0.
Table 6-9 describes the command syntax that is presented in the example.
Example 6-8 Access List Preventing Telnet Traffic from a Specific Subnet
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
Table 6-9 Numbered Extended IPv4 ACL Example Denying Telnet from a Subnet
access-list command parameter   Description
101                             ACL number; indicates an extended IPv4 ACL
deny                            Indicates that traffic that matches the selected parameters is not forwarded
tcp                             Transport layer protocol
172.16.4.0 0.0.0.255            Source IP address and mask; the first three octets must match but not the last octet
any                             Match any destination IP address
eq 23 or eq telnet              Destination port or application; in this example, it specifies the well-known port number for Telnet, which is 23
permit                          Indicates that traffic that matches the selected parameters is forwarded
ip                              Any IP protocol
any                             Keyword matching traffic from any source
any                             Keyword matching traffic to any destination
out                             Links ACL 101 to interface E0 as an output filter
Configuring Named ACLs
The named ACL feature allows you to identify standard and extended IP ACLs with an
alphanumeric string (name) instead of the current numeric representations.
Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using Cisco
IOS Release 12.3, you can use sequence numbers to insert statements anywhere in the named
ACL. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert
statements only at the bottom of the named ACL.
Because you can delete individual entries with named ACLs, you can modify your ACL without
having to delete and then reconfigure the entire ACL. Use named IP ACLs when you want to
intuitively identify ACLs.
Creating Named Standard IP ACLs
The following list shows the steps that are required to configure and apply a named standard IP
ACL on a router:
Step 1 Define a standard named IPv4 ACL. Use the ip access-list standard global
configuration command.
RouterX(config)# ip access-list standard name
Define the list using a unique name. A descriptive name can be helpful
when examining the configuration of the router.
Step 2 Enter one of the following commands to establish test parameters:
RouterX(config-std-nacl)# [sequence-number] deny {source [source-wildcard] | any}
RouterX(config-std-nacl)# [sequence-number] permit {source [source-wildcard] | any}
In access list configuration mode, specify one or more conditions to be permitted
or denied. This determines whether the packet is passed or dropped. You
can also use the sequence number to place the test parameter in a specific
location within the list.
Step 3 Exit from named access list configuration mode:
RouterX(config-std-nacl)# exit
RouterX(config)#
Step 4 Select a desired interface to be configured. Use the interface global
configuration command:
RouterX(config)# interface ethernet 0
After you enter the interface command, the CLI prompt changes from
(config)# to (config-if)#.
Step 5 Link the named standard IPv4 ACL to an interface. Use the ip access-group
interface configuration command, giving the name of the list in place of a number:
RouterX(config-if)# ip access-group name in
Use the show ip interface command to verify that an IP ACL is applied to
the interface.
Creating Named Extended IP ACLs
The steps required to configure and apply a named extended IP ACL on a router are as follows:
Step 1 Define an extended named IPv4 ACL. Use the ip access-list extended global
configuration command.
RouterX(config)# ip access-list extended name
Define the list using a unique name. A descriptive name can be helpful
when examining the configuration of the router.
Step 2 Enter the following command syntax to establish test parameters:
RouterX(config-ext-nacl)# [sequence-number] {deny | permit} protocol source
source-wildcard destination destination-wildcard [option]
In access list configuration mode, specify the conditions allowed or denied.
You can use the keyword any to abbreviate an address of 0.0.0.0 with a
wildcard mask of 255.255.255.255 for the source address, destination
address, or both. You can use the keyword host to abbreviate a wildcard
mask of 0.0.0.0 for the source address or destination address. Place the
keyword host in front of the address.
Step 3 Exit from named access list configuration mode:
RouterX(config-ext-nacl)# exit
RouterX(config)#
Step 4 Select a desired interface to be configured. Use the interface global
configuration command:
RouterX(config)# interface ethernet 0
After you enter the interface command, the CLI prompt changes from
(config)# to (config-if)#.
Step 5 Link the named extended IPv4 ACL to an interface. Use the ip access-group
interface configuration command, giving the name of the list in place of a number:
RouterX(config-if)# ip access-group name in
Use the show ip interfaces command to verify that an IP ACL is applied to
the interface.
You can take advantage of the sequence numbers in a named access list to add specific entries
within an existing list. In Example 6-9, a new entry is added to a specified location within the
access list.
Using the number of a standard access list as the name, you can also use this feature to place an
entry in a specific location of a numbered access list. In Example 6-10, a new entry is added to a
specified access list.
Example 6-9 Confirming Added Entries to an Existing Access List
RouterX# show ip access-list
Standard IP access list MARKETING
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard MARKETING
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX# show ip access-list
Standard IP access list MARKETING
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
15 permit 10.5.5.5, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
Example 6-10 Placing an Entry in a Numbered List Using the Name Function
RouterX# show ip access-list
Standard IP access list 1
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard 1
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX(config-std-nacl)# end
RouterX# show ip access-list
Standard IP access list 1
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
15 permit 10.5.5.5, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
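The sequence-number insertion of Examples 6-9 and 6-10 can be modelled by parsing the show ip access-list output shape shown above. The following Python is an added example, not code from the chapter or from Cisco IOS; the parsed text is a constructed copy of the MARKETING list, the parser handles only the line shape that appears in the two examples, and the remove_entry helper models the per-entry deletion the text describes rather than any particular IOS command:

```python
"""Sequence-numbered entries of a named (or numbered) standard ACL.

Added example, not code from the chapter or from Cisco IOS. It parses the
'show ip access-list' lines of Examples 6-9 and 6-10 (a constructed copy of
that output is embedded below), keeps the entries ordered by sequence
number, shows that an entry added as '15 permit ...' lands between 10 and
20, and removes a single entry without rebuilding the list. The parser is
specific to the line shape in the examples, not a general IOS output parser.
"""
import re

# constructed copy of the output shown in Example 6-9, before the insertion
SHOW_OUTPUT = """\
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
"""

# "<seq> permit|deny <address>[, wildcard bits <mask>]"; a line without the
# wildcard part is a host entry (mask 0.0.0.0), which IOS prints without a mask
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+?)(?:,\s*wildcard bits\s+(\S+))?$")


def parse_show_access_list(text: str):
    """Return (name, entries); entries are (seq, action, address, wildcard)
    tuples sorted by sequence number."""
    lines = text.strip().splitlines()
    name = lines[0].split()[-1]          # "MARKETING" or "1" for a numbered list
    entries = []
    for line in lines[1:]:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        seq, action, addr, wild = m.groups()
        entries.append((int(seq), action, addr, wild or "0.0.0.0"))
    return name, sorted(entries)


def add_entry(entries, seq: int, action: str, addr: str, wildcard="0.0.0.0"):
    """Equivalent of '<seq> permit|deny ...' in (config-std-nacl) mode: the
    entry is placed by sequence number, wherever that falls in the list.
    A duplicate sequence number is rejected (an assumption of this model)."""
    if any(e[0] == seq for e in entries):
        raise ValueError(f"sequence number {seq} already in use")
    return sorted(entries + [(seq, action, addr, wildcard)])


def remove_entry(entries, seq: int):
    """Delete one entry by sequence number, leaving the rest untouched; this
    models the individual-entry deletion the text attributes to named ACLs."""
    return [e for e in entries if e[0] != seq]


def render(name: str, entries) -> str:
    """Re-create the 'show ip access-list' view of the list."""
    out = [f"Standard IP access list {name}"]
    for seq, action, addr, wild in entries:
        suffix = "" if wild == "0.0.0.0" else f", wildcard bits {wild}"
        out.append(f"    {seq} {action} {addr}{suffix}")
    return "\n".join(out)


if __name__ == "__main__":
    name, entries = parse_show_access_list(SHOW_OUTPUT)
    entries = add_entry(entries, 15, "permit", "10.5.5.5", "0.0.0.255")  # as in Example 6-9
    print(render(name, entries))
    print(render(name, remove_entry(entries, 5)))
```

Because the list is evaluated top-down, the sequence number chosen for a new entry decides which earlier statements can shadow it; inserting at 15 places the new permit after entries 2, 5 and 10 and before 20, exactly as the second show ip access-list in Example 6-9 displays.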
Named Extended ACL: Deny a Single Host from a Given Subnet
For the network shown in Figure 6-19, you want to create a list named “troublemaker” to prevent
traffic that originates from the host 172.16.4.13 from traveling out Ethernet interface E0.
Figure 6-19 Named Extended ACL Denying a Single Host
[Figure 6-19: RouterX with interfaces E0, E1 and S0; networks 172.16.3.0, 172.16.4.0 (containing host 172.16.4.13) and a non-172.16.0.0 network]
The configuration in Example 6-11 provides a solution for this example.
Table 6-10 describes the command syntax that is presented in Example 6-11.
Example 6-11 Access List Preventing Traffic from a Specific Host
RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out
Table 6-10 Named Extended IPv4 ACL Example Denying a Single Host
access-list command parameter      Description
standard                           Indicates that the named ACL is a standard ACL
troublemaker                       Name of the ACL
deny                               Indicates that traffic that matches the selected parameters is not forwarded
host 172.16.4.13                   Source IP address; “host” indicates a wildcard mask of 0.0.0.0
permit                             Indicates that traffic that matches the selected parameters is forwarded
172.16.4.0 0.0.0.255               Source IP address and mask; the first three octets must match but not the last octet
ip access-group troublemaker out   Links ACL “troublemaker” to interface E0 as an output filter
Named Extended ACL—Deny Telnet from a Subnet
Using Figure 6-19 again, this time you want to create a list named “badgroup” to prevent Telnet
traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.
The configuration in Example 6-12 provides a solution.
Table 6-11 describes the command syntax that is presented in Example 6-12.
Example 6-12 Access List Preventing Telnet Traffic from a Specific Subnet
RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out
Table 6-11 Named Extended IPv4 ACL Example Denying Telnet from a Subnet
access-list command parameter   Description
extended                        Indicates that the named ACL is an extended ACL.
badgroup                        Name of the ACL.
deny                            Indicates that traffic that matches the selected parameters is not forwarded.
tcp                             Transport layer protocol.
172.16.4.0 0.0.0.255            Source IP address and mask; the first three octets must match but not the last octet.
any                             Match any destination IP address.
eq 23 or eq telnet              Destination port or application name. In this example, it specifies the well-known port number for Telnet, which is 23.
permit                          Indicates that traffic that matches the selected parameters is forwarded.
ip                              Network layer protocol.
any                             Keyword matching traffic to any source and destination.
ip access-group badgroup out    Links ACL “badgroup” to interface E0 as an output filter.
Adding Comments to Named or Numbered ACLs
Comments, also known as remarks, are ACL statements that are not processed. They are simple
descriptive statements you can use to better understand and troubleshoot either named or
numbered ACLs.
Each remark line is limited to 100 characters. The remark can go before or after a permit or deny
statement. You should be consistent about where you put the remark so it is clear which remark
describes which permit or deny statement. It would be confusing to have some remarks before the
associated permit or deny statements and some remarks after the associated statements.
To add a comment to a named IP ACL, use the command remark remark in access list
configuration mode. To add a comment to a numbered IP ACL, use the command access-list
access-list-number remark remark.
The following is an example of adding a comment to a numbered ACL:
access-list 101 remark Permitting_John to Telnet to Server
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
The following is an example of adding a comment to a named ACL:
ip access-list standard PREVENTION
remark Do not allow Jones subnet through
deny 171.69.0.0 0.0.255.255
Summary of Configuring ACLs
The following summarizes the key points that were discussed in this section:
■ Standard IPv4 ACLs allow you to filter based on source IP address.
■ Extended ACLs allow you to filter based on source IP address, destination IP address,
protocol, and port number.
■ Named ACLs allow you to delete individual statements from an ACL.