2. Standard Access Lists
access-list # permit source wildcard
access-list # deny source wildcard
(wildcard is optional; without it the entry matches that single host)
access-list # remark note to self
access-list 1 permit 192.168.0.1 0.0.0.255
(matches everything except the last octet: a 0 bit in the wildcard must match, a 1 bit is ignored)
Can use the "any" keyword (same as 0.0.0.0 255.255.255.255)
List number ranges: 1-99 and 1300-1999
TIP: locate as close to the destination as possible (a standard list matches on source only, so placing it near the source would cut that source off from every destination)
3. Extended IP access lists
access-list 101 permit tcp 192.168.10.0 0.0.0.255 gt 1023 host 10.10.0.1 eq 80
access-list 102 deny udp host 192.168.10.99 eq 1024 10.10.0.0 0.0.255.255 eq domain
(the IOS port keyword for DNS, UDP 53, is "domain")
access-list 103 {permit|deny} tcp any host 10.10.0.1 eq telnet
(an action keyword, permit or deny, is required)
access-list # permit ip any any
(every list ends with an implicit deny, so add this when the remaining traffic should be allowed)
List number ranges: 100-199 and 2000-2699
TIP: locate as close to the source as possible (an extended list matches on source, destination, protocol and port, so unwanted traffic is dropped before it crosses the network)
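The wildcard-mask and first-match semantics behind the numbered lists in sections 2 and 3, as an added Python example (not part of these notes and not Cisco's code): it parses the numbered-list syntax shown above, treats a 1 bit in the wildcard as don't-care, walks the entries in order and falls through to the implicit deny when nothing matches. The entries in ACL_101 are constructed from the examples above, and the port-name table covers only the keywords used on this page.

```python
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}  # subset of the IOS port keywords
ANY = ("0.0.0.0", "255.255.255.255")                  # what the "any" keyword expands to

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def _take_addr(tokens):
    # Consume "any", "host A", or "A WILDCARD" from the front of the token list.
    t = tokens.pop(0)
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return ANY if t == "any" else (t, tokens.pop(0))

def _take_port(tokens):
    # Optional "eq|gt|lt PORT"; PORT is a number or an IOS keyword such as www.
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, p = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES[p] if p in PORT_NAMES else int(p))
    return None

def parse_entry(line):
    # Numbered syntax only: "access-list N permit|deny [proto] SRC [port] [DST [port]]"
    tokens = line.lower().split()
    num, action = int(tokens[1]), tokens[2]
    std = 1 <= num <= 99 or 1300 <= num <= 1999   # standard lists filter on source only
    proto, rest = ("ip", tokens[3:]) if std else (tokens[3], tokens[4:])
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = (ANY, None) if std else (_take_addr(rest), _take_port(rest))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def _port_ok(cond, port):
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def evaluate(entries, proto, src, sport, dst, dport):
    # First matching entry wins; a packet that matches no entry hits the implicit deny.
    for e in entries:
        if e["proto"] in ("ip", proto) and wildcard_match(src, *e["src"]) and \
                wildcard_match(dst, *e["dst"]) and _port_ok(e["sport"], sport) and _port_ok(e["dport"], dport):
            return e["action"]
    return "deny"

# Constructed sample list reusing the entries from the notes above (no "permit ip any any" at the end).
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 gt 1023 host 10.10.0.1 eq 80",
    "access-list 101 deny udp host 192.168.10.99 eq 1024 10.10.0.0 0.0.255.255 eq domain",
)]
```

A packet from 192.168.10.7 with source port 80 to 10.10.0.1:80 matches neither entry (the first needs a source port above 1023) and is dropped by the implicit deny, which is the behaviour the "permit ip any any" line in the notes exists to override.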
4. Named extended access lists
ip access-list extended Test
Router(config-ext-nacl)#
permit tcp host 10.1.1.2 eq www any
deny ip host 10.1.2.5 10.1.2.0 0.0.0.255
permit ip any any
(list names are case-sensitive)
Can delete specific lines in the list by negating them:
ip access-list extended Test
no deny ip host 10.1.2.5 10.1.2.0 0.0.0.255
5. Commands
show ip access-lists
interface ethernet 0
ip access-group 1 out (applies this access list to the interface for outgoing data)
ip access-group Test out (used for named access lists)
line con 0
ip access-class 1 in (restricts incoming connections on the line to those permitted by the access list)