Access Lists
    dynamic  Specify a DYNAMIC list of PERMITs or DENYs
    permit   Specify packets to forward
Once you choose the access list type, you must choose a Network layer
protocol field entry. It is important to understand that if you want to filter
by an Application layer protocol, you must choose an entry here that lets
the list look above the Network layer of the OSI model. For example, to filter
by Telnet or FTP, you must choose TCP here. If you were to choose IP, the
list would never leave the Network layer, and you would not be able to filter
by upper-layer applications.
RouterA(config)#access-list 110 deny ?
    <0-255>  An IP protocol number
    eigrp    Cisco's EIGRP routing protocol
    gre      Cisco's GRE tunneling
    icmp     Internet Control Message Protocol
    igmp     Internet Gateway Message Protocol
    igrp     Cisco's IGRP routing protocol
    ip       Any Internet Protocol
    ipinip   IP in IP tunneling
    nos      KA9Q NOS compatible IP over IP tunneling
    ospf     OSPF routing protocol
    tcp      Transmission Control Protocol
    udp      User Datagram Protocol
Once you choose to go up to the Application layer through TCP, you will
be prompted for the source IP address of the host or network. You can
choose the any command to allow any source address.
RouterA(config)#access-list 110 deny tcp ?
    A.B.C.D  Source address
    any      Any source host
    host     A single source host
After the source address is selected, the destination address is chosen.
RouterA(config)#access-list 110 deny tcp any ?
    A.B.C.D  Destination address
    any      Any destination host
    eq       Match only packets on a given port number
    gt       Match only packets with a greater port number
    host     A single destination host
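As an added illustration (this code is not from the book or from Cisco IOS), a small Python evaluator for the extended-entry order shown above: protocol, then source, then destination, then an optional eq/gt port test, which it refuses unless the protocol is tcp or udp, exactly as the text warns for ip. The list 110, the packets and the assumption of contiguous wildcard masks are constructed for the example; the implicit deny at the end of every list is standard IOS behaviour.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))  # dport None: no ports
PORT_OPS = {"eq": lambda d, p: d == p, "gt": lambda d, p: d > p}         # operators on the page

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    t = tokens.pop(0)
    if t == "any":
        return None                                          # matches every address
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)  # wildcard == hostmask

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt PORT]' into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line!r}")
    proto, rest = tok[3], tok[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    op = port = None
    if rest:                                   # a port test follows the destination
        op, port = rest[0], int(rest[1])
        if proto not in ("tcp", "udp") or op not in PORT_OPS:   # 'ip' never leaves layer 3
            raise ValueError(f"{op!r} {port} is not allowed after protocol {proto!r}")
    return {"action": tok[2], "proto": proto, "src": src, "dst": dst, "op": op, "port": port}

def entry_matches(e, pkt):
    # Protocol, source, destination and (if present) the port test must all match.
    if e["proto"] != "ip" and e["proto"] != pkt.proto:
        return False
    for key, addr in (("src", pkt.src), ("dst", pkt.dst)):
        if e[key] is not None and ipaddress.ip_address(addr) not in e[key]:
            return False
    if e["op"] is None:
        return True
    return pkt.dport is not None and PORT_OPS[e["op"]](pkt.dport, e["port"])

def evaluate(acl, pkt):
    # First matching entry decides; IOS ends every list with an implicit deny.
    for e in acl:
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"

# Constructed list: block Telnet and FTP control to one host, permit everything else.
ACL_110 = [parse_entry(l) for l in (
    "access-list 110 deny tcp any host 172.16.30.2 eq 23",
    "access-list 110 deny tcp any host 172.16.30.2 eq 21",
    "access-list 110 permit ip any any")]
```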
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com