Foundation Summary 495
Table 7-14 provides the complete list of items that can be matched with an IP extended access
list.
Table 7-15 provides several example access-list statements.
Table 7-14
IP Standard and Extended Access Lists--Matching
Type of
Access List
What Can Be Matched
IP Standard
Source IP address
Portions of the source IP address, using a wildcard mask
IP Extended
Source IP address
Portions of the source IP address, using a wildcard mask
Destination IP address
Portions of the destination IP address, using a wildcard mask
Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
Source port
Destination port
Established--matches all TCP flows except the first flow
IP TOS
IP precedence
Table 7-15
Sample access-list Commands and Logic Explanations
Access List Statement
Explanation of What Matches
ip access-list 101 deny tcp any host 10.1.1.1 eq
23
Packet with any source address; destination must
be 10.1.1.1, with a TCP header, with destination
port 23.
ip access-list 101 deny tcp any host 10.1.1.1 eq
telnet
Same function as last example; telnet keyword
used instead of port 23.
ip access-list 101 deny udp 1.0.0.0
0.255.255.255 lt 1023 any
Packet with source in network 1.0.0.0 to any
destination, using UDP with source port less than
1023.
ip access-list 101 deny udp 1.0.0.0
0.255.255.255 lt 1023 44.1.2.3 0.0.255.255
Packet with source in network 1.0.0.0 to
destinations beginning 44.1, using UDP with
source port less than 1023.
ip access-list 101 deny ip 33.1.2.0 0.0.0.255
44.1.2.3 0.0.255.255
Packet with source in 33.1.2.0/24 to destinations
beginning 44.1.
ip access-list 101 deny icmp 33.1.2.0 0.0.0.255
44.1.2.3 0.0.255.255 echo
Packet with source in 33.1.2.0/24 to destinations
beginning 44.1, which are ICMP Echo Requests
and Replies.
ch07.fm Page 495 Monday, March 20, 2000 5:14 PM