Standard ACL Syntax
Legacy syntax:
access-list <number> {permit | deny} <source> [log]
Sample:
router(config)#access-list 10 permit 192.168.10.0 0.0.0.255
Modern syntax:
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]
Sample:
router(config)#ip access-list standard 10
router(config-std-nacl)#permit 192.168.10.0 0.0.0.255
Extended ACL Syntax
Legacy syntax:
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<option>]
Sample:
router(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Modern Syntax:
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<option>]
Sample:
router(config)#ip access-list extended 100
router(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
| ACL Numbers | Type |
|---|---|
| 1-99 | IP standard |
| 1300-1999 | IP standard (expanded range) |
| 100-199 | IP extended |
| 2000-2699 | IP extended (expanded range) |
| 200-299 | Protocol type-code |
| 300-399 | DECnet |
| 400-499 | XNS |
| 500-599 | Extended XNS |
| 600-699 | AppleTalk |
| 700-799 | Ethernet MAC |
| 800-899 | IPX standard |
| 900-999 | IPX extended |
| 1000-1099 | IPX SAP |
| 1100-1199 | MAC extended |
| 1200-1299 | IPX summary |

| Actions | Description |
|---|---|
| permit | Allow matched packets |
| deny | Deny matched packets |
| remark | Record a configuration comment |
| evaluate | Evaluate a reflexive ACL |

| Source/Destination Definitions | Description |
|---|---|
| any | Any address |
| host <address> | A single address |
| <network> <wildcard> | Any address matched by the wildcard mask (a 1 bit in the wildcard means that bit is ignored) |

| IP Options | Description |
|---|---|
| dscp | Match the specified IP DSCP |
| fragments | Check non-initial fragments |
| option | Match the specified IP option |
| precedence {0-7} | Match the specified IP precedence |
| ttl | Match the specified IP time to live (TTL) |

| TCP/UDP Port Definitions | Description |
|---|---|
| eq | Equal to |
| neq | Not equal to |
| gt | Greater than |
| range | Within an inclusive range of two ports |

| TCP Options | Description |
|---|---|
| ack | Match ACK flag |
| fin | Match FIN flag |
| psh | Match PSH flag |
| rst | Match RST flag |
| syn | Match SYN flag |
| urg | Match URG flag |
| established | Match packets in an established session (ACK or RST flag set) |

| Logging Options | Description |
|---|---|
| log | Log ACL entry matches |
| log-input | Log matches including ingress interface and source MAC address |

| Miscellaneous Options | Description |
|---|---|
| reflect <name> | Create reflexive ACL entry |
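As an added example (not from this page and not Cisco code), a small Python model of how a standard ACL matches a source address: wildcard bits set to 1 are ignored, entries are tested first-match, and anything unmatched falls through to the implicit deny at the end of every IOS ACL. The helper names are hypothetical, and the sample entries are constructed; the model also shows why typing a subnet mask where IOS expects a wildcard (e.g. `192.168.10.2 255.255.255.0`) permits any address ending in .2 instead of the 192.168.10.0/24 network.

```python
import ipaddress

# Model of Cisco IOS standard ACL matching (added example, hypothetical helpers).
# Each entry is "permit|deny any", "permit|deny host A.B.C.D" or
# "permit|deny A.B.C.D W.W.W.W" where W.W.W.W is a wildcard (inverse) mask.

ALL_ONES = 0xFFFFFFFF


def wildcard_to_mask(wildcard: str) -> str:
    """Invert a wildcard mask such as 0.0.0.255 into the subnet mask 255.255.255.0."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))))


def parse_ace(line: str):
    """Return (action, base_address_int, wildcard_int) for one access-list entry."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    if tokens[1] == "any":                       # 'any' == 0.0.0.0 255.255.255.255
        return action, 0, ALL_ONES
    if tokens[1] == "host":                      # 'host X' == X 0.0.0.0
        return action, int(ipaddress.IPv4Address(tokens[2])), 0
    base = int(ipaddress.IPv4Address(tokens[1]))
    # A bare address with no wildcard is a single host, as IOS treats it.
    wildcard = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
    return action, base, wildcard


def ace_matches(ace, address: str) -> bool:
    """Compare only the bits the wildcard marks as 0 ('care' bits)."""
    _, base, wildcard = ace
    care = ALL_ONES ^ wildcard
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(acl_lines, address: str) -> str:
    """First matching entry wins; no match means the implicit 'deny any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, address):
            return ace[0]
    return "deny"


# Constructed sample ACL: block one host, then allow the rest of 192.168.10.0/24.
SAMPLE_ACL = [
    "deny host 192.168.10.2",
    "permit 192.168.10.0 0.0.0.255",
]
```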
Applying ACLs to Restrict Traffic:
interface Fastethernet0/0
ip access-group {<number> | <name>} {in | out}
Troubleshooting:
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]