Configuration Guide Configuring ACL
For example:
access-list 1 permit host 192.168.4.12
This ACL permits only packets sent from the source host 192.168.4.12, and denies packets sent from all other hosts. This is
because the following statement exists at the end of this ACL: access-list 1 deny any.
If the ACL contains only the following statement:
access-list 1 deny host 192.168.4.12
Packets sent from any host will be denied when passing through this port.
When defining an ACL, you must consider the routing update packets. As the implicit "deny all traffic" statement exists
at the end of an ACL, all routing update packets may be blocked.
 Input Sequence of Rule Statements
Every new rule is added to the end of an ACL and in front of the default rule statement. The input sequence of statements in
an ACL is very important. It determines the priority of each statement in the ACL. When determining whether to forward or
block packets, a device compares packets with rule statements based on the sequence that rule statements are created.
After locating a matched rule statement, the device does not check any other rule statement.
If a rule statement is created and denies all traffic, all subsequent statements will not be checked.
For example:
access-list 101 deny ip any any
access-list 101 permittcp 192.168.12.0 0.0.0.255 eqtelnetany
The first rule statement denies all IP packets. Therefore, Telnet packets from the host on the network 192.168.12.0/24 will be
denied. After the device finds that packets match the first rule statement, it does not check the subsequent rule statements
any more.
Related Configuration
 Configuring an IP ACL
By default, no IP ACL is configured on a device.
Run the ip access-list { standard | extended } {acl-name | acl-id} command in global configuration mode to create a
standard or an extended IP ACL and enter standard or extended IP ACL mode.
 Adding ACEs to an IP ACL
By default, a newly created IP ACL contains an implicit ACE that denies all IPv4 packets. This ACE is hidden from users, but
takes effect when the ACL is applied to an interface. That is, all IPv4 packets will be discarded. Therefore, if you want the
device to receive or send some specific IPv4 packets, add some ACEs to the ACL.
For a standard IP ACL, add ACEs as follows:
To Next Page
Loading...
Need help?
General
