
Edge-Core ES3528MV2 - Ip Access-Group

CHAPTER 26 | Access Control Lists
IPv4 ACLs
– 956 –
EXAMPLE
This example accepts any incoming packets if the source address is within
subnet 10.7.1.x. The rule matches when the masked rule address
(10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 &
255.255.255.0), in which case the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any
destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from class C addresses 192.168.1.0 with the
TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
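The bitmask comparison behind the three rules above, as an added Python example that is not taken from the Edge-Core manual. The names `Rule`, `masked`, `rule_matches` and `matching_rules` are hypothetical, the packets are constructed samples, and it assumes the control-flag bitmask selects flag bits the same way the address bitmask selects address bits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP = 6  # IP protocol number for TCP

def masked(addr: str, bitmask: str) -> int:
    """Apply a dotted-decimal bitmask to an IPv4 address."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(bitmask))

@dataclass
class Rule:
    src: str
    src_mask: str
    protocol: Optional[int] = None   # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port
    flag_code: Optional[int] = None  # first number after control-flag
    flag_mask: Optional[int] = None  # second number after control-flag

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True when every condition present in the rule matches the packet."""
    if masked(rule.src, rule.src_mask) != masked(pkt["src"], rule.src_mask):
        return False
    if rule.protocol is not None and pkt["proto"] != rule.protocol:
        return False
    if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
        return False
    if rule.flag_mask is not None:
        # Assumption: only the flag bits selected by the bitmask are compared.
        if (pkt.get("flags", 0) & rule.flag_mask) != (rule.flag_code & rule.flag_mask):
            return False
    return True

# The three rules from the examples above (the text describes the last two as TCP).
RULES = {
    "subnet": Rule("10.7.1.1", "255.255.255.0"),
    "http": Rule("192.168.1.0", "255.255.255.0", protocol=TCP, dst_port=80),
    "syn": Rule("192.168.1.0", "255.255.255.0", protocol=TCP, flag_code=2, flag_mask=2),
}

def matching_rules(pkt: dict) -> list:
    return [name for name, rule in RULES.items() if rule_matches(rule, pkt)]

if __name__ == "__main__":
    # Constructed sample packets; TCP flag bits: SYN = 0x02, ACK = 0x10.
    for pkt in ({"src": "10.7.1.2", "proto": 17, "dport": 53},
                {"src": "192.168.1.77", "proto": TCP, "dport": 443, "flags": 0x12},
                {"src": "192.168.1.77", "proto": TCP, "dport": 443, "flags": 0x10}):
        print(pkt["src"], "->", matching_rules(pkt) or "no rule matched")
```

Under that assumption, a rule written with host bits set (10.7.1.1) still covers the whole 10.7.1.x subnet, and `control-flag 2 2` matches SYN+ACK segments as well as bare SYNs because only the SYN bit is compared.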
RELATED COMMANDS
access-list ip (952)
Time Range (762)
ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the
port.
SYNTAX
ip access-group acl-name {in | out} [time-range time-range-name] [counter]
no ip access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 16 characters)
in – Indicates that this list applies to ingress packets.
out – Indicates that this list applies to egress packets.
time-range-name – Name of the time range. (Range: 1-30 characters)
counter – Enables counter for ACL statistics.
DEFAULT SETTING
None
