Allied Telesis AT-9000 Series User Manual

Allied Telesis AT-9000 Series
1526 pages
Chapter 75: Advanced Access Control Lists (ACLs)
1246
deny ACL for the denied traffic flow. This is illustrated in the example in
Table 125 in which port 15 is configured to forward only ingress packets
from the 149.55.65.0/24 subnet and to discard all other traffic. The permit
ACL, which has the ID number 3015, specifies the packets from the
permitted subnet, while the deny ACL, with the ID number 3011, specifies
all traffic.
Note
In the example, the permit ACL is added to the port before the deny
ACL. This is important because packets are compared against
the ACLs in the order in which the ACLs are added to the port. If the
deny ACL is added first, the port blocks all traffic, even the traffic
specified by the permit ACL.
For another example of permit ACLs, see Table 126 on page 1247. In this
example, ports 21 and 22 forward traffic from three specified network
devices and discard all other ingress traffic. The allowed traffic is specified
with three permit ACLs.
Table 125. Creating a Permit ACL Followed by a Deny ACL Example

| Command | Description |
| --- | --- |
| awplus> enable | Enter the Privileged Executive mode from the User Executive mode. |
| awplus# configure terminal | Enter the Global Configuration mode. |
| awplus(config)# access-list 3015 permit ip 149.55.65.0/24 any | Create the permit ACL with the ACCESS-LIST command. |
| awplus(config)# access-list 3011 deny ip any any | Create the deny ACL. |
| awplus(config)# interface port1.0.15 | Move to the Port Interface mode for port 15. |
| awplus(config_if)# access-group 3015<br>awplus(config_if)# access-group 3011 | Add the two ACLs to the port with the ACCESS-GROUP command, being sure to add the permit ACL first so that ingress packets are compared against it first. |
| awplus(config_if)# end | Return to the Privileged Exec mode. |
| awplus# show access-list | Confirm the configuration of the ACLs. |
| awplus# show interface port1.0.15 access-group | Confirm that the ACLs have been added to the port. |
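
The ordering rule from the Note above, as an added example that is not part of the Allied Telesis manual: a Python model of first-match evaluation for the two ACLs in Table 125, plus a check that flags any ACL made unreachable by an earlier ACL on the same port. The helper names and test addresses are constructed, and forwarding of packets that match no ACL is an assumption.

```python
import ipaddress

def parse_acl(line):
    """Parse 'access-list <id> <permit|deny> ip <src> <dst>' as used in Table 125."""
    _, acl_id, action, _proto, src, dst = line.split()
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return {"id": int(acl_id), "action": action, "src": net(src), "dst": net(dst)}

# The two ACLs created in Table 125.
ACLS = {a["id"]: a for a in map(parse_acl, [
    "access-list 3015 permit ip 149.55.65.0/24 any",
    "access-list 3011 deny ip any any",
])}

def port_acls(ids):
    """ACLs in the order the access-group commands added them to the port."""
    return [ACLS[i] for i in ids]

def decide(acls, src_ip, dst_ip):
    """Return (action, acl_id) for the first ACL on the port that matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for acl in acls:
        if src in acl["src"] and dst in acl["dst"]:
            return acl["action"], acl["id"]
    return "permit", None  # assumption: a packet matching no ACL is forwarded

def shadowed(acls):
    """Return (acl_id, covering_acl_id) pairs for ACLs that can never match."""
    pairs = []
    for i, later in enumerate(acls):
        for earlier in acls[:i]:
            if (later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])):
                pairs.append((later["id"], earlier["id"]))
                break
    return pairs

if __name__ == "__main__":
    # Constructed test packets: one inside the permitted subnet, one outside.
    for order in ([3015, 3011], [3011, 3015]):
        acls = port_acls(order)
        print("order", order, "shadowed:", shadowed(acls))
        for src in ("149.55.65.20", "192.0.2.7"):
            print("  ", src, "->", decide(acls, src, "10.0.0.1"))
```

With the deny ACL added first, ACL 3015 is reported as shadowed by 3011 and every packet is denied, which is the failure the Note describes.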
