6.3b,c Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

This article is deprecated. New version is here.

Extended ACLs can match for source and destination IP address as well as port numbers.

The key is to use the implicit deny at the end of the ACL to keep the list short, while keeping that implicit deny at the front of your mind (you will forget it otherwise).

6.3 lab

The setup is the same as 6.3a. I used the following commands to achieve the goal:

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.0.100 255.255.255.0
 ip access-group 100 out
!
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.1.100 255.255.255.0
 ip access-group 199 in
!
interface FastEthernet1/0
 ip address 1.1.1.100 255.255.255.0
 duplex auto
 speed auto
!
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
access-list 199 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1

Instead of using a deny statement to block VPC5, I committed only a single permit for the traffic that was to be allowed on that link (the block is implied).

6.3b

Named ACLs allow you to add or delete individual entries without having to retype all the rules again. I rewrote the rules as follows:

ip access-list extended lan_access
permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
ip access-list extended server_access
permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
!
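To make the implicit deny concrete, here is an added example (not part of the original lab) that parses the permit entries above with Cisco wildcard semantics and evaluates sample flows against them; the host addresses used in the flows are constructed, and the "server_access" name is reused only as a label.

```python
"""Evaluate the lab's extended ACL entries against sample flows (added example)."""
import ipaddress


def _parse_addr(tokens):
    """Consume one address spec (host X | any | X WILDCARD); return (base, wildcard, rest)."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; a leading 'access-list N' prefix is optional."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, src_wc, t = _parse_addr(t[2:])
    dst, dst_wc, _ = _parse_addr(t)
    return {"action": action, "proto": proto, "src": (src, src_wc), "dst": (dst, dst_wc)}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    for i, ace in enumerate(acl):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], i
    return "deny", None


# The two entries from access-list 100 / server_access in the lab
SERVER_ACCESS = [parse_ace(l) for l in [
    "access-list 100 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1",
    "access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255",
]]

if __name__ == "__main__":
    # Constructed flows: two hit a permit, the third falls through to the implicit deny
    for src, dst in [("10.0.1.5", "10.0.0.1"), ("1.1.1.1", "10.0.0.50"), ("10.0.1.5", "10.0.0.2")]:
        print(src, "->", dst, evaluate(SERVER_ACCESS, src, dst))
```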
