Example:
Lab-X#config t
Lab-X(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www
Lab-X(config)#access-list 101 deny tcp any any eq ftp
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#interface FastEthernet 0/0
Lab-X(config-if)#ip access-group 101 out
The access list-number range for IP extended access lists is 100 to 199.
The protocol entry defines the protocol to be filtered, such as IP, TCP, UDP, or ICMP for example. Because IP headers transport TCP, UDP, and ICMP, it is important to specify the protocol or you could end up inadvertently filtering more than you want to.
If you want to block network 192.168.5.0 from being able to surf the Web while still allowing other services such as FTP, use this code:
Lab-X#config t
Lab-X(config)#access-list 106 deny tcp 192.168.5.0 0.0.0.255 any eq www
Lab-X(config)#access-list 106 permit ip any any
Lab-X(config)#interface ethernet 0
Lab-X(config-if)#ip access-group 106 in
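The two configurations above rely on three rules that are easy to get wrong: wildcard masks (a 1 bit means "don't care"), top-down first-match evaluation, and the implicit deny at the end of every list. The following Python model is an added example, not IOS code and not from the original page; it parses the page's own ACL 101 entries and evaluates sample packets against them. The port-keyword table and the packet/ACE structures are assumptions made for the example. A second list, ACL 102, is constructed here to show the caveat in the text: writing `deny ip` instead of `deny tcp ... eq www` blocks every protocol from the subnet, not just web traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port, if the protocol has one


@dataclass(frozen=True)
class Ace:
    """One access-list entry (ACE) of an extended IP ACL."""
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp" or "icmp"
    src_net: str
    src_wild: str    # Cisco wildcard mask for the source
    dst_net: str
    dst_wild: str
    dport: Optional[int]


# Subset of the port keywords IOS accepts after 'eq' (assumption for this example)
PORT_KEYWORDS = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}


def _addr_spec(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.strip().lower().split()
    if tokens[0] != "access-list" or not 100 <= int(tokens[1]) <= 199:
        raise ValueError("not an extended numbered ACL entry: " + line)
    action, proto = tokens[2], tokens[3]
    src_net, src_wild, i = _addr_spec(tokens, 4)
    dst_net, dst_wild, i = _addr_spec(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_KEYWORDS[port] if port in PORT_KEYWORDS else int(port)
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # 'ip' matches every transport protocol; anything else must match exactly
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The page's ACL 101, protocol-specific as written
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 deny tcp any any eq ftp",
    "access-list 101 permit ip any any",
)]

# Constructed variant: 'ip' instead of 'tcp' means the port qualifier is gone,
# so the entry now blocks every protocol from the subnet, not just web traffic
ACL_TOO_BROAD = [parse_ace(l) for l in (
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 permit ip any any",
)]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.1.10", "203.0.113.5", 80)
    dns = Packet("udp", "192.168.1.10", "203.0.113.53", 53)
    print("web from 192.168.1.0/24, ACL 101:", evaluate(ACL_101, web))        # deny
    print("dns from 192.168.1.0/24, ACL 101:", evaluate(ACL_101, dns))        # permit
    print("dns from 192.168.1.0/24, ACL 102:", evaluate(ACL_TOO_BROAD, dns))  # deny
```

Running the script shows that ACL 101 denies the web session but lets the DNS query through, while the `deny ip` variant drops the DNS query as well. Evaluating a packet that matches no entry returns `deny`, which is the implicit last line the router adds to every list.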
Example:
Lab-X(config)#ip access-list extended BlockInternet
ACL Placement
Standard ACLs filter on source address only, so they must be placed close to the destination; placed near the source, they would also block traffic that source legitimately sends elsewhere. Extended ACLs can match on source, destination, protocol and port, so they should be placed close to the source, dropping unwanted traffic before it crosses the network.
Verifying ACLs
Lab-X#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 50
  Inbound access list is 70
  Proxy ARP is enabled
The show ip interface command will tell whether an inbound or outbound access list has been applied to an interface. Rows 9 and 10 above contain the information. The rest of the lines do not pertain to ACLs, so they have been omitted.
The show access-lists command will display all access lists on the router but does not show whether or where they are applied. Another command, show ip access-lists, would include only IP access lists. Both commands enable you to specify an ACL number or name after the command to display just that ACL.
One way to see your access lists and how they are applied is to use the show run command to see the active configuration. The above lines show the output of a show run command with some of the unrelated lines removed.
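Because show ip interface reports what is applied and show access-lists reports what is defined, the two outputs have to be read together. The Python below is an added example, not from the original page or from Cisco; it parses constructed sample output in the shape of the excerpt above (the ACL numbers 50, 70 and 101 are the page's, the second interface and the access-list output are assumptions) and reports, per interface, which ACL is applied in each direction. It also flags any applied ACL that is not defined, since an ip access-group that names a list the router does not have passes all traffic.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output, modelled on the 'show ip interface' excerpt above;
# the ACL numbers come from the page, the second interface is an assumption
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Outgoing access list is 50
  Inbound access list is 70
  Proxy ARP is enabled
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Outgoing access list is 101
  Inbound access list is not set
"""

# Constructed 'show access-lists' output; ACL 70 is deliberately absent
SHOW_ACCESS_LISTS = """\
Standard IP access list 50
    10 permit 192.168.5.0, wildcard bits 0.0.0.255
Extended IP access list 101
    10 deny tcp 192.168.1.0 0.0.0.255 any eq www
    20 deny tcp any any eq ftp
    30 permit ip any any
"""

_IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
_APPLIED_RE = re.compile(r"^\s+(Outgoing|Inbound) access list is (.+?)\s*$")
_DEFINED_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")


def applied_acls(show_ip_interface: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface to the ACL applied in each direction (None if not set)."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in show_ip_interface.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = _APPLIED_RE.match(line)
        if m and current is not None:
            direction = "out" if m.group(1) == "Outgoing" else "in"
            value = m.group(2)
            result[current][direction] = None if value == "not set" else value
    return result


def defined_acls(show_access_lists: str) -> Set[str]:
    """Collect the number or name of every ACL the router actually has configured."""
    names = set()
    for line in show_access_lists.splitlines():
        m = _DEFINED_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def audit(show_ip_interface: str, show_access_lists: str) -> List[Tuple[str, str, str]]:
    """Return (interface, direction, acl) for every applied ACL that is not defined.
    Such an interface looks filtered in 'show ip interface' but passes all traffic."""
    defined = defined_acls(show_access_lists)
    findings = []
    for iface, dirs in applied_acls(show_ip_interface).items():
        for direction in ("in", "out"):
            acl = dirs[direction]
            if acl is not None and acl not in defined:
                findings.append((iface, direction, acl))
    return findings


if __name__ == "__main__":
    for iface, dirs in applied_acls(SHOW_IP_INTERFACE).items():
        print(f"{iface}: in={dirs['in']} out={dirs['out']}")
    for iface, direction, acl in audit(SHOW_IP_INTERFACE, SHOW_ACCESS_LISTS):
        print(f"WARNING: {iface} {direction}bound ACL {acl} is applied but not defined")
```

On the sample data the audit reports Ethernet0's inbound list 70 as applied but undefined; the same parsers work on real output pasted from a router session, which makes the check easy to run across many devices.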