Filtering IP Traffic 467
Table 7-5  IP Standard and Extended Access Lists--Matching (Continued)

Type of Access List    What Can Be Matched
IP Extended            Source IP address
                       Portions of the source IP address, using a wildcard mask
                       Destination IP address
                       Portions of the destination IP address, using a wildcard mask
                       Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
                       Source port
                       Destination port
                       Established--matches all TCP flows except first flow
                       IP TOS
                       IP precedence

A statement is considered to match if all options in the statement match. If one option does not match, the statement is skipped, and the next entry in the list is examined. Table 7-6 provides several example access list statements.

Table 7-6  Sample access-list Commands and Logic Explanations

Access List Statement (each followed by its Explanation of What Matches)

access-list 101 deny tcp any host 10.1.1.1 eq 23
    Packet with any source address; destination must be 10.1.1.1, with a TCP header, with destination port 23.

access-list 101 deny tcp any host 10.1.1.1 eq telnet
    Same function as last example; telnet keyword is used instead of port 23.

access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any
    Packet with source in network 1.0.0.0 to any destination, using UDP with source port less than 1023.

access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255
    Packet with source in network 1.0.0.0 to destinations beginning 44.1, using UDP with source port less than 1023.

access-list 101 deny ip 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255
    Packet with source in 33.1.2.0/24 to destinations beginning 44.1.

access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo
    Packet with source in 33.1.2.0/24 to destinations beginning 44.1, which are ICMP Echo Requests and Replies.
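As an added example (not code from the book): a small Python evaluator of the matching rules above, applied to the Table 7-6 statements. It implements wildcard-mask comparison, the protocol and port-operator options, the rule that every option in a statement must match, and first-match ordering; it assumes the implicit deny that ends an IOS access list, knows only the telnet port keyword, and leaves the ICMP echo keyword unevaluated.

```python
import ipaddress
NAMED_PORTS = {"telnet": 23}  # keyword from Table 7-6; other IOS port names omitted

def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (base, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _take_port(tok):  # optional 'eq|lt|gt <port>' clause -> (op, port) or (None, None)
    if tok and tok[0] in ("eq", "lt", "gt"):
        op, val = tok.pop(0), tok.pop(0)
        return op, int(val) if val.isdigit() else NAMED_PORTS[val]
    return None, None

def parse(line):  # 'access-list <n> permit|deny <proto> <src> [port] <dst> [port]'
    tok = line.split()
    stmt, rest = {"action": tok[2], "proto": tok[3]}, tok[4:]
    stmt["src"], stmt["src_wc"] = _take_addr(rest)
    stmt["sport_op"], stmt["sport"] = _take_port(rest)
    stmt["dst"], stmt["dst_wc"] = _take_addr(rest)
    stmt["dport_op"], stmt["dport"] = _take_port(rest)
    return stmt  # any trailing keyword such as 'echo' is left unevaluated here

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: 0 bit = must match, 1 bit = don't care (inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_match(port, op, value):
    """A statement with no port operator tests nothing about that port."""
    if op is None:
        return True
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]

def statement_matches(stmt, pkt):
    """All options in a statement must match (the AND rule described above)."""
    return (stmt["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], stmt["src"], stmt["src_wc"])
            and wildcard_match(pkt["dst"], stmt["dst"], stmt["dst_wc"])
            and port_match(pkt.get("sport"), stmt["sport_op"], stmt["sport"])
            and port_match(pkt.get("dport"), stmt["dport_op"], stmt["dport"]))

def acl_action(lines, pkt):
    """First matching statement wins; no match falls to the implicit deny (assumed IOS behaviour)."""
    for stmt in map(parse, lines):
        if statement_matches(stmt, pkt):
            return stmt["action"]
    return "deny"
```

Packets are plain dicts (constructed for illustration) with proto, src, dst and, for TCP/UDP, sport and dport; append a "permit ip any any" line to see traffic that no deny statement catches pass through.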
ch07.fm Page 467 Monday, March 20, 2000 5:14 PM