6.3b,c Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

This article is deprecated. The new version is here.

Extended ACLs can match for source and destination IP address as well as port numbers.

The key is to lean on the implicit deny at the end of the ACL: writing only the permit entries keeps the list short, and it also keeps the implicit deny at the front of your mind (you will forget it otherwise).

6.3 lab

The setup is the same as 6.3a. I used the following commands to achieve the goal:

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address
 ip access-group 100 out
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address
 ip access-group 199 in
interface FastEthernet1/0
 ip address
 duplex auto
 speed auto
access-list 100 permit ip host
access-list 100 permit ip host
access-list 199 permit ip host

Instead of using a deny entry to block VPC5, I committed only a single permit for the traffic that was to be allowed on that link (the deny is implied).

Named ACLs allow you to add or delete individual entries without having to retype all the rules again. I rewrote the rules as follows:

ip access-list extended lan_access
 permit ip host
ip access-list extended server_access
 permit ip host
 permit ip host
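To make the implicit-deny behaviour described above concrete, here is a small first-match evaluator for IOS-style extended entries. It is an added example, not part of the lab configuration; the hosts and addresses (RFC 5737 documentation ranges) are constructed, since the page's real addresses are not shown, and only the "ip" protocol with "host"/"any" operands is handled.

```python
"""First-match evaluator for IOS-style extended ACL entries (added example)."""
import ipaddress
from typing import List, Tuple

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' where each side is 'host A' or 'any'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "host":               # single address, /32
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":              # matches every address
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            raise ValueError(f"unsupported address form in {line!r}")
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination in {line!r}")
    return tokens[0], nets[0], nets[1]


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """Return the action for a packet: the first matching entry wins.

    A packet matching no entry hits the implicit 'deny ip any any' that IOS
    appends to every ACL, which is why a permit-only list still blocks hosts.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Constructed stand-ins for the lab: one permitted client, VPC5, and a server.
PERMITTED_HOST, VPC5, SERVER = "192.0.2.4", "192.0.2.5", "198.51.100.10"

# Permit-only list in the style of access-list 100: VPC5 is never named,
# so it is blocked by the implicit deny alone.
SERVER_ACCESS = [f"permit ip host {PERMITTED_HOST} host {SERVER}"]

if __name__ == "__main__":
    for host in (PERMITTED_HOST, VPC5):
        print(f"{host} -> {SERVER}: {evaluate(SERVER_ACCESS, host, SERVER)}")
```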
