Access-list Cisco IOS
From Teknologisk videncenter
Placement of Access-lists
- The general rule is to put extended ACLs as close as possible to the source of the traffic to be denied, so that unwanted traffic is dropped before it crosses the network.
- Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible; a standard ACL placed near the source would block that source from reaching every destination, not only the one intended.
Standard IP access lists
Standard IP access lists use the numbers 1 to 99. A standard access list only checks the source IP address of a packet. Example:
interface fastethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 1 in
!
! Permit packets whose source is in 10.1.1.0/24 (wildcard 0.0.0.255);
! every other source is dropped by the implicit "deny any" at the end of the list.
access-list 1 permit 10.1.1.0 0.0.0.255
Extended IP access lists
Extended IP access lists use the numbers 101 to 199 and 2000 to 2699. An extended access list can check source and destination IP address as well as protocol-specific information (IP, TCP, UDP, ICMP). Example:
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group 101 in
!
! Entries are evaluated top-down, first match wins:
! drop ICMP echo (ping) requests to 10.1.1.0/24, then permit all other IP traffic to that subnet.
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
IP named access lists
IP named access lists you can give standard and extended access lists names instead of numbers. Example:
interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0 ip access-group TELNET-IN in ! ip access-list extended TELNET-IN permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
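The three access lists above all follow the same evaluation rules: wildcard-mask matching (a 0 bit in the mask must match, a 1 bit is "don't care"), top-down first-match ordering, and an implicit "deny any" at the end. The following Python script is an added example, not code from the page or from Cisco; it parses the page's own three access lists with a small evaluator that assumes only the subset of IOS syntax used here (`any`, `host`, address plus wildcard, `eq <port>` for TCP/UDP and an ICMP type keyword) and applies them to constructed sample packets, so you can see why entry order matters and which packets fall through to the implicit deny.

```python
# Added example: a toy evaluator for the Cisco IOS access-list semantics
# shown on this page (wildcard masks, first match, implicit deny).
# Supports only the syntax subset used in the page's examples.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the IOS port keywords; numeric ports are accepted as well.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "smtp": 25}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: Optional[str] = None        # None for standard (source-only) entries
    dst_wc: Optional[str] = None
    dst_port: Optional[int] = None   # tcp/udp "eq <port>"
    icmp_type: Optional[str] = None  # e.g. "echo"


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tokens[i]; return (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1  # bare address: wildcard defaults to 0.0.0.0


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N ...' line or one line of a named ACL body."""
    tokens = line.split()
    if tokens[0] == "access-list":   # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    action = tokens[0]
    if tokens[1] in ("ip", "tcp", "udp", "icmp"):   # extended entry
        proto = tokens[1]
        src, src_wc, i = _parse_addr(tokens, 2)
        dst, dst_wc, i = _parse_addr(tokens, i)
        port = icmp_type = None
        if i < len(tokens):
            if proto in ("tcp", "udp") and tokens[i] == "eq":
                name = tokens[i + 1]
                port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            elif proto == "icmp":
                icmp_type = tokens[i]
        return Entry(action, proto, src, src_wc, dst, dst_wc, port, icmp_type)
    src, src_wc, _ = _parse_addr(tokens, 1)          # standard entry
    return Entry(action, "ip", src, src_wc)


def parse_acl(text: str) -> List[Entry]:
    """Parse an ACL; skips blank lines, '!' comments and the named-ACL header."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        entries.append(parse_entry(line))
    return entries


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None, icmp_type: Optional[str] = None) -> str:
    """Return 'permit' or 'deny' for one packet, using top-down first-match order."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if e.dst is not None and not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"  # implicit 'deny any' at the end of every IOS access list


# The three access lists from the page, verbatim.
ACL_1 = parse_acl("access-list 1 permit 10.1.1.0 0.0.0.255")
ACL_101 = parse_acl("""
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
""")
TELNET_IN = parse_acl("""
ip access-list extended TELNET-IN
 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
""")

if __name__ == "__main__":
    # Constructed sample packets (proto, src, dst, port/type) run against each list.
    print("ACL 1, src 10.1.1.77 :", evaluate(ACL_1, "tcp", "10.1.1.77", "8.8.8.8", 443))
    print("ACL 1, src 10.1.2.77 :", evaluate(ACL_1, "tcp", "10.1.2.77", "8.8.8.8", 443))
    print("ACL 101, ping to LAN :", evaluate(ACL_101, "icmp", "172.16.1.9", "10.1.1.5", icmp_type="echo"))
    print("ACL 101, http to LAN :", evaluate(ACL_101, "tcp", "172.16.1.9", "10.1.1.5", 80))
    print("ACL 101 reversed, ping:", evaluate(list(reversed(ACL_101)), "icmp", "172.16.1.9", "10.1.1.5", icmp_type="echo"))
    print("TELNET-IN, ssh       :", evaluate(TELNET_IN, "tcp", "10.1.1.2", "172.16.1.1", 22))
```

The reversed copy of ACL 101 shows the first-match rule in practice: with the `permit ip any ...` entry on top, the `deny icmp ... echo` entry below it is never reached and pings get through. The TELNET-IN case shows the implicit deny: the named list permits only TCP/23 from one host, so an SSH connection from the same host, or Telnet from any other host, is dropped without any explicit deny entry.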