HP PROCURVE 2910AL User Manual

594 pages
IPv4 Access Control Lists (ACLs)
IPv4 Static ACL Operation
1. Permit inbound IPv4 traffic from IP address 10.11.11.42.
2. Deny only the inbound Telnet traffic from address 10.11.11.101.
3. Permit only inbound Telnet traffic from IP address 10.11.11.33.
4. Deny all other inbound IPv4 traffic.
The following ACL model, when assigned to inbound filtering on an interface,
supports the above case:

ip access-list extended "Test-02"
   10 permit ip 10.11.11.42 0.0.0.0 0.0.0.0 255.255.255.255          (1)
   20 deny tcp 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255 eq 23    (2)
   30 permit ip 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255         (3)
   40 permit tcp 10.11.11.33 0.0.0.0 0.0.0.0 255.255.255.255 eq 23   (4)
   < Implicit Deny >                                                 (5)
   exit

1. Permits IPv4 traffic from source address 10.11.11.42. Packets
matching this criterion are permitted and will not be compared
to any later ACE in the list. IPv4 packets not matching this
criterion will be compared to the next entry in the list.
2. Denies Telnet traffic from source address 10.11.11.101. Packets
matching this criterion are dropped and are not compared to
later criteria in the list. Packets not matching this criterion are
compared to the next entry in the list.
3. Permits IPv4 traffic from source address 10.11.11.101. Any
packets matching this criterion will be permitted and will not be
compared to any later criteria in the list. Because this entry
comes after the entry blocking Telnet traffic from this same
address, there will not be any Telnet packets to compare with
this entry; they have already been dropped as a result of
matching the preceding entry.
4. Permits Telnet traffic from source address 10.11.11.33. Packets
matching this criterion are permitted and are not compared to
any later criteria in the list. Packets not matching this criterion
are compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as
the last entry in every ACL. Any IPv4 packets that do not match
any of the criteria in the ACL's preceding entries will be denied
(dropped).
Figure 9-4. Example of How an ACL Filters Packets
It is important to remember that all IPv4 ACLs configurable on the switch
include an implicit deny ip any. That is, IPv4 packets that the ACL does not
explicitly permit or deny will be implicitly denied, and therefore dropped
instead of forwarded on the interface. If you want to preempt the implicit deny
so that IPv4 packets not explicitly denied by other ACEs in the ACL will be
permitted, insert an explicit “permit any” as the last ACE in the ACL. Doing so
permits any packet not explicitly denied by earlier entries.
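
The first-match evaluation and implicit deny described above, modelled as an added example (not part of the HP manual). The ACE table is transcribed from "Test-02"; the evaluate function, the destination address 10.20.0.5 and the sample packets are constructed for illustration, and the model covers only the fields this ACL uses (protocol, source and destination with wildcard mask, destination port).

```python
import ipaddress

# ACEs transcribed from ACL "Test-02" on this page:
# (seq, action, protocol, src, src wildcard, dst, dst wildcard, dst port or None)
TEST_02 = [
    (10, "permit", "ip",  "10.11.11.42",  "0.0.0.0", "0.0.0.0", "255.255.255.255", None),
    (20, "deny",   "tcp", "10.11.11.101", "0.0.0.0", "0.0.0.0", "255.255.255.255", 23),
    (30, "permit", "ip",  "10.11.11.101", "0.0.0.0", "0.0.0.0", "255.255.255.255", None),
    (40, "permit", "tcp", "10.11.11.33",  "0.0.0.0", "0.0.0.0", "255.255.255.255", 23),
]

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def addr_matches(addr, base, wildcard):
    """Wildcard mask: 0 bits must match, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching seq); seq is None for the implicit deny."""
    for seq, action, ace_proto, s, sw, d, dw, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not (addr_matches(src, s, sw) and addr_matches(dst, d, dw)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, seq          # first match wins; later ACEs are skipped
    return "deny", None             # implicit "deny ip any" ends every ACL

if __name__ == "__main__":
    # Constructed sample packets; destination 10.20.0.5 is an assumed address.
    samples = [
        ("tcp", "10.11.11.42", 80),
        ("tcp", "10.11.11.101", 23),
        ("tcp", "10.11.11.101", 22),
        ("tcp", "10.11.11.33", 23),
        ("tcp", "10.11.11.33", 80),
        ("udp", "10.11.11.77", 53),
    ]
    for proto, src, dport in samples:
        print(src, proto, dport, "->", evaluate(TEST_02, proto, src, "10.20.0.5", dport))
    # Appending an explicit "permit any" ACE preempts the implicit deny.
    open_acl = TEST_02 + [(50, "permit", "ip", "0.0.0.0", "255.255.255.255",
                           "0.0.0.0", "255.255.255.255", None)]
    print(evaluate(open_acl, "udp", "10.11.11.77", "10.20.0.5", 53))
```

Swapping ACEs 20 and 30 in the table makes Telnet from 10.11.11.101 match the broader permit first, which is why the more specific deny has to come earlier in the list.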