Hands-on Labs
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  precedence  Match packets with given precedence value
  psh         Match on the PSH bit
  range       Match only packets in the range of port numbers
  rst         Match on the RST bit
  syn         Match on the SYN bit
  tos         Match packets with given TOS value
  urg         Match on the URG bit
  <cr>
6. At this point, you can add the eq telnet option. The log keyword can also be added at the end of the command so that a log message is generated on the console whenever the access-list line is hit.

2501A(config)#access-list 110 deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet log

7. Next, it is important to add this line to create a permit statement.

2501A(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

8. You must create a permit statement; if you just add a deny statement, nothing will be permitted at all, because of the implicit deny at the end of every access list. Please see the sections earlier in this chapter for more detailed information on the permit command.

9. Apply the access list to Ethernet 0 on 2501A to stop the Telnet traffic as soon as it hits the first router interface.

2501A(config)#int e0
2501A(config-if)#ip access-group 110 in
2501A(config-if)#^Z
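
The first-match logic behind steps 6 through 9, as an added example that is not part of the original lab: a small Python model of access list 110 that shows why the permit line in step 7 is required. The function names, the tuple layout and the sample packets are constructed for illustration; the model covers only protocol, address and destination-port matching.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def wc_match(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care"; only bits where it is 0 must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

HOST_WC = "0.0.0.0"                    # "host X" is X with wildcard 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")   # "any" is 0.0.0.0 255.255.255.255

# access-list 110 as entered in steps 6 and 7 (hypothetical tuple layout):
# (action, protocol, (src, src wildcard), (dst, dst wildcard), dst port or None)
ACL_110 = [
    ("deny", "tcp", ("172.16.10.2", HOST_WC), ("172.16.20.2", HOST_WC), 23),
    ("permit", "ip", ANY, ANY, None),
]
DENY_ONLY = ACL_110[:1]   # the list without step 7, the case step 8 warns about

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line number) of the first matching entry, top down."""
    for line, (action, a_proto, a_src, a_dst, a_port) in enumerate(acl, start=1):
        if a_proto != "ip" and a_proto != proto:
            continue                   # "ip" matches every IP protocol
        if not wc_match(src, *a_src) or not wc_match(dst, *a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue                   # "eq telnet" means destination port 23
        return action, line
    return "deny", None                # implicit deny at the end of every list

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, dest port)
    packets = [
        ("tcp", "172.16.10.2", "172.16.20.2", 23),   # the Telnet flow to block
        ("tcp", "172.16.10.2", "172.16.20.2", 80),   # same hosts, other port
        ("tcp", "172.16.10.3", "172.16.20.2", 23),   # Telnet from another host
        ("icmp", "172.16.10.2", "172.16.20.2", None),
    ]
    for name, acl in (("110", ACL_110), ("deny-only", DENY_ONLY)):
        for pkt in packets:
            print(name, pkt, "->", evaluate(acl, *pkt))
```

With the deny-only list, every packet other than the blocked Telnet flow falls through to the implicit deny, which is the outcome step 8 describes.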
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com