In 60 Days – ICND2Configuring Access

Lists

Standard IP ACLs• Source network or• Source host IP

Source: 172.16.1.1Destination:

192.168.1.1 Port 80

Router(config)#access-list 1 permit host 172.16.1.1Router(config)#access-list 1 permit host 192.168.1.1Router(config)#access-list 1 permit 10.1.0.0 0.0.255.255[Deny All]

Extended ACLs• Source/destination address• Source/destination port• Protocols• Services (e.g. ICMP)

SyntaxAccess list 100 permit/deny service from to port

access-list 101 deny tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq telnet

access-list 100 permit tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq ftp

access-list 100 permit icmp any any

access-list 100 permit tcp host 172.16.1.1 host 172.20.1.1 eq smtpaccess-list 100 permit tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq ftpaccess-list 100 permit tcp host 192.168.1.1 host 172.30.1.1 eq www

access-list 101 deny icmp any 172.20.0.0 0.0.255.255access-list 101 deny tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq telnet

access-list 102 permit tcp any host 172.30.1.1 eq ftp established

Named ACL• Slightly different syntax• Can edit (add/remove lines)

Router(config)#ip access-list extended BlockWEBRouter(config-ext-nacl)#deny tcp any any eq 80

Applying ACLs• Apply to ports or interfacesRouter(config)#int fast 0/0Router(config-if)#ip access-group 101 in------Router(config)#line vty 0 15Router(config-line)#access-class 101------Router(config)#int fast 0/0Router(config-if)#ip access-group BlockWEB in

End