Always state the direction explicitly: if an ip access-group statement carries neither the in nor the out keyword, IOS applies the list outbound, so a list meant to filter traffic arriving on the interface must carry the in keyword.
In Example 10-1, an access list is applied on an interface to deny packets from IP address
192.168.10.100, to permit all other devices in subnet 192.168.10.0/24, and to deny all other
packets.
Example 10-1 Access List to Deny Host 192.168.10.100
access-list 99 deny host 192.168.10.100
access-list 99 permit 192.168.10.0 0.0.0.255
! every other source falls through to the implicit deny at the end of the list
!
interface ethernet 0
! direction stated explicitly: filter packets arriving on ethernet 0
ip access-group 99 in
!
The access list can be verified with the show access-lists command (abbreviated to show access-list in
Example 10-2). Once traffic has hit an entry, IOS appends a match counter such as (12 matches) to that
line, which is the quickest way to confirm that the list is applied on the intended interface and in the
intended direction.
Example 10-2 The show access-list Command
router3#show access-list 99
Standard IP access list 99
deny 192.168.10.100
permit 192.168.10.0, wildcard bits 0.0.0.255
The limitation of standard lists is that the only criterion for permitting or denying a packet is its
source IP address. For more advanced filtering, IP extended access lists are necessary.
IP Extended Access List Configuration
Extended access lists allow filtering based on both source and destination address and some
protocol and port number specifications. The access list is configured by using the following
global commands:
access-list list {permit | deny} protocol source source-mask destination
destination-mask [operator operand] [established]
The argument list is an access list number from 100 to 199, or from 2000 to 2699 in the expanded
range. The argument protocol can be ip , tcp , udp , or icmp ; only tcp and udp entries accept port
specifications, so the operator and operand are not available with ip or icmp . The arguments source
and destination are IP addresses, each followed by a wildcard (inverse) mask: a 0 bit in the mask must
match the corresponding address bit and a 1 bit is ignored. An address followed by 0.0.0.0 therefore
matches exactly one host, which the keyword host abbreviates, and 0.0.0.0 255.255.255.255 matches every
address, which the keyword any abbreviates. An operator and operand such as eq 80 placed after the
source or destination address tests the corresponding port, and established matches only TCP segments
with the ACK or RST bit set, which lets the return traffic of sessions opened from the inside pass while
new inbound connection attempts are blocked. Entries are evaluated top down, the first match decides,
and every list ends with an implicit deny, so the order of the statements matters.
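To make the matching rules concrete, the following is an added example (not code from the book or from IOS) that models how a router evaluates both the standard list of Example 10-1 and an extended list written in the syntax above: wildcard-mask matching, the host and any shorthands, eq port tests, established, top-down first match and the implicit deny. The extended list 101 and the address 172.16.1.10 in the sample configuration are this example's own assumptions; only list 99 comes from the text. Operators other than eq are left out.

```python
# Added illustration, not IOS code: a small Python model of how IOS evaluates
# standard and extended IP access lists (wildcard masks, host/any shorthands,
# top-down first match, implicit deny at the end of every list).
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip', 'tcp', 'udp' or 'icmp'
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard lists match any destination
    dst_wc: str = "255.255.255.255"
    eq_port: int = 0                 # 'eq N' destination port; 0 = no port test
    established: bool = False        # TCP only: packet must carry ACK or RST

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int = 0
    ack_or_rst: bool = False

def _address(t, i):
    """Consume 'any', 'host X' or 'X WILDCARD' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_entry(line: str):
    """Parse one 'access-list N ...' statement (eq and established only) into (N, Entry)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard list: source only
        if t[3] in ("any", "host"):
            src, wc, _ = _address(t, 3)
        else:                                            # bare address means host
            src, wc = t[3], (t[4] if len(t) > 4 else "0.0.0.0")
        return number, Entry(action, "ip", src, wc)
    src, swc, i = _address(t, 4)
    dst, dwc, i = _address(t, i)
    port, est = 0, False
    while i < len(t):
        if t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            est, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r}")
    return number, Entry(action, t[3], src, swc, dst, dwc, port, est)

def load(config_text: str) -> dict:
    """Group access-list statements by number, preserving configured order."""
    lists: dict = {}
    for line in config_text.splitlines():
        if line.strip().startswith("access-list"):
            n, e = parse_entry(line.strip())
            lists.setdefault(n, []).append(e)
    return lists

def matches(e: Entry, pkt: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
        return False
    if e.eq_port and pkt.dport != e.eq_port:
        return False
    return not e.established or (pkt.protocol == "tcp" and pkt.ack_or_rst)

def evaluate(entries, pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in entries:
        if matches(e, pkt):
            return e.action
    return "deny"

# Constructed sample configuration: the chapter's list 99 plus an extended list 101
# of this example's own (172.16.1.10 is an assumed web server, not from the text).
SAMPLE_CONFIG = """
access-list 99 deny host 192.168.10.100
access-list 99 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any established
access-list 101 permit tcp any host 172.16.1.10 eq 80
access-list 101 deny ip any any
"""
ACLS = load(SAMPLE_CONFIG)
```

Calling evaluate(ACLS[99], Packet("192.168.10.100", "10.0.0.1", "ip")) returns "deny" and a packet from 192.168.11.7 also returns "deny" through the implicit deny, while the same host is permitted if the two statements of list 99 are swapped, which is why the specific deny must precede the broader permit. With list 101, a TCP segment from 192.168.10.5 to an outside host passes only when its ACK or RST bit is set, so unsolicited inbound connection attempts to that subnet are dropped.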
Table 10-3 shows all the protocols that can be selected for filtering.