In Example 10-3, the router interface is configured with an outbound access list that permits Telnet connections to
192.168.1.1 from any source address using a source port greater than 1024, permits pings (ICMP echo and echo-reply),
and denies all other packets. An explicit deny statement is not needed because every access list ends with an implicit
deny all. Two practical points follow from that: the implicit deny does not generate log messages, so only packets matching
the permit lines carrying the log keyword are logged (add an explicit deny ip any any log entry if dropped packets must
be logged), and an outbound access list does not filter packets the router itself originates. The gt 1024 test on the
source port is only a sanity check, since the client chooses its own source port.
Example 10-3 Access List to Permit Telnet and Pings
access-list 100 permit tcp any gt 1024 host 192.168.1.1 eq telnet log
access-list 100 permit icmp any any echo log
access-list 100 permit icmp any any echo-reply log
!
interface ethernet 0
ip access-group 100 out
!
The access list is verified with the show access-list command, as shown in Example 10-4.
Example 10-4 show access-list 100 Command
router3#show access-list 100
Extended IP access list 100
permit tcp any gt 1024 host 192.168.1.1 eq telnet log
permit icmp any any echo log
permit icmp any any echo-reply log
IP Named Access List Configuration
Named access lists identify a standard or extended access list with a name instead of a number. All functions of IP
standard and extended access lists remain the same when named access lists are used. Named access lists make it easier
to tell access lists apart, and they permit editing of the list in place: individual entries can be removed with the no
form of the statement, instead of the whole list having to be deleted and re-created when a change is necessary.
Example 10-5 configures the router to perform the same functions as Example 10-3, but uses a named access list. The
list in Example 10-5 is named CCIE. An IP extended named access list is created with the ip access-list extended name
command, and the ip access-group name { in | out } command applies it to the interface. The name given to ip
access-group must match the name configured with ip access-list extended.
The named access list in Example 10-5 configures the router to allow Telnet connections to 192.168.1.1 from any source
port above 1024, to allow pings, and to deny all other packets outbound on Ethernet 0.
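As an added example (not the book's code, and not the Example 10-5 configuration, which is not reproduced on this page), the following Python models access-list 100 from Example 10-3 under IOS's top-down, first-match evaluation with the implicit deny at the end, runs constructed sample packets through it, and then performs the kind of single-line edit that a named list allows without rebuilding the list. The Packet and Entry field names are assumptions made for the illustration; the code does not parse IOS syntax.

```python
"""Model of the extended IP access list in Example 10-3 and of the in-place
editing that named access lists permit.  Added example: not the book's code
and not IOS.  Packet and entry field names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IP address (constructed sample values)
    dst: str                    # destination IP address
    sport: int = 0              # TCP/UDP source port
    dport: int = 0              # TCP/UDP destination port
    icmp_type: str = ""         # "echo", "echo-reply", "unreachable", ...


@dataclass
class Entry:
    """One entry, e.g. permit tcp any gt 1024 host 192.168.1.1 eq telnet log."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                    # "any" or a single host address
    dst: str
    sport_gt: Optional[int] = None    # "gt N" on the source port
    dport_eq: Optional[int] = None    # "eq N" on the destination port
    icmp_type: Optional[str] = None   # ICMP type keyword
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport_gt is not None and p.sport <= self.sport_gt:
            return False          # gt is strictly greater: port 1024 itself fails
        if self.dport_eq is not None and p.dport != self.dport_eq:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)

    def evaluate(self, p: Packet) -> tuple:
        """First matching entry decides; no match means the implicit deny."""
        for e in self.entries:
            if e.matches(p):
                return e.action, e.log
        return "deny", False      # implicit deny all: never logged

    def remove(self, e: Entry) -> None:
        """Named-list style edit: drop one line (IOS: no permit ... inside
        ip access-list extended NAME) without re-creating the list."""
        self.entries.remove(e)

    def insert(self, position: int, e: Entry) -> None:
        """Put one line back at a chosen position in the list."""
        self.entries.insert(position, e)


def example_10_3() -> AccessList:
    """The three lines of access-list 100 from Example 10-3 (telnet = port 23)."""
    acl = AccessList("100")
    acl.entries = [
        Entry("permit", "tcp", "any", "192.168.1.1", sport_gt=1024, dport_eq=23, log=True),
        Entry("permit", "icmp", "any", "any", icmp_type="echo", log=True),
        Entry("permit", "icmp", "any", "any", icmp_type="echo-reply", log=True),
    ]
    return acl


# Constructed sample packets, not captured traffic.
PING = Packet("icmp", "10.0.0.5", "192.168.1.1", icmp_type="echo")
DNS = Packet("udp", "10.0.0.5", "192.168.1.1", sport=40000, dport=53)
SAMPLES = {
    "telnet_ok": Packet("tcp", "10.0.0.5", "192.168.1.1", sport=40000, dport=23),
    "telnet_sport_1024": Packet("tcp", "10.0.0.5", "192.168.1.1", sport=1024, dport=23),
    "telnet_other_host": Packet("tcp", "10.0.0.5", "192.168.1.2", sport=40000, dport=23),
    "ssh": Packet("tcp", "10.0.0.5", "192.168.1.1", sport=40000, dport=22),
    "ping": PING,
    "unreachable": Packet("icmp", "10.0.0.5", "192.168.1.1", icmp_type="unreachable"),
    "dns": DNS,
}


def decisions(acl: AccessList) -> dict:
    """Action taken for each sample packet."""
    return {name: acl.evaluate(p)[0] for name, p in SAMPLES.items()}


def edit_in_place() -> tuple:
    """Withdraw the echo permit, check the effect, then restore it."""
    acl = example_10_3()
    echo_line = acl.entries[1]
    acl.remove(echo_line)
    dropped = acl.evaluate(PING)[0]       # now falls through to implicit deny
    acl.insert(1, echo_line)
    restored = acl.evaluate(PING)[0]
    return dropped, restored, len(acl.entries)


if __name__ == "__main__":
    for name, action in decisions(example_10_3()).items():
        print(f"{name:18} {action}")
    print("edit in place:", edit_in_place())
```

The sample set is chosen to exercise the edges: a Telnet connection with source port exactly 1024 is denied because gt is strictly greater, a connection to the wrong host or wrong destination port is denied, and anything the three permit lines do not cover (here UDP DNS and an ICMP unreachable) falls through to the unlogged implicit deny.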