476
Chapter 9
Managing Traffic with Access Lists
You need to keep in mind that the next line is an implicit deny any by
default. If you apply this access list to an interface, you might as well just
shut the interface down, since by default there is an implicit deny all at
the end of every access list. You must follow up the access list with the
following command:
RouterA(config)#access-list 110 permit ip any any
Remember, the 0.0.0.0 255.255.255.255 is the same command as any, so the command could look like this:
RouterA(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Once the access list is created, you need to apply it to an interface. It is the
same command as the IP standard list:
RouterA(config-if)#ip access-group 110 in
or
RouterA(config-if)#ip access-group 110 out
Extended IP Access List Example
Using Figure 9.1 from the IP standard access list example again, let's use the
same network and deny access to a server on the finance-department LAN
for both Telnet and FTP services on server 172.16.10.5. All other services on
the LAN are acceptable for the sales and marketing departments to access.
The following access list should be created:
Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any
The access-list 110 tells the router you are creating an extended IP access list. The tcp is the protocol field in the Network layer header. If the list doesn't say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they both use TCP for connection-oriented services.) The any command is the source, which means any IP address, and the host is the destination IP address.
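As an added example that is not part of the book, the following Python simulates how the router walks this list: wildcard masks (any is the same as 0.0.0.0 255.255.255.255), host, eq port, first match wins, and the implicit deny at the end. The parse and evaluate functions are mine; the sample list is the book's list for the finance server.

```python
import ipaddress

ACME_ACL = [  # the book's list for the finance server, used as sample input
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 deny tcp any host 172.16.10.5 eq 23",
    "access-list 110 permit ip any any",
]

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask).
    Returns ((masked_address, care_bits), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
    return (addr & care, care), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        sport = None
        if rest and rest[0] == "eq":      # optional source port
            sport, rest = int(rest[1]), rest[2:]
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet: the first matching entry
    wins, and a packet matching no entry hits the implicit deny any."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, p, (snet, smask), sp, (dnet, dmask), dp in entries:
        proto_ok = p == "ip" or p == proto
        addr_ok = (s & smask) == snet and (d & dmask) == dnet
        port_ok = (sp is None or sp == sport) and (dp is None or dp == dport)
        if proto_ok and addr_ok and port_ok:
            return action
    return "deny"  # implicit deny any at the end of every access list
```

Dropping the final permit ip any any line from ACME_ACL makes every non-matching packet fall through to the implicit deny, which is the "might as well shut the interface down" case described above.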
It is important to understand why the deny commands were placed first
in the list. If you had configured the permits first and the deny commands
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com