Accton Technology ES4626 Switch User Manual


 
d-port 32
9.2.2.9 permit | deny(standard)
Command: {deny | permit} {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}}
no {deny | permit} {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}}
Function: Create a standard name-based IP access rule; the “no” form of the command
deletes the name-based standard IP access rule.
Parameter: <sIpAddr> is the source IP address in dotted decimal format;
<sMask> is the mask complement (the inverse of the subnet mask) for the source IP, in dotted decimal format.
Command Mode: name-based standard IP ACL configuration mode
Default: No IP address is configured by default.
Example: Allow packets from 10.1.1.0/24 and deny packets from 10.1.1.0/16.
Switch(Config)# access-list ip standard ipFlow
Switch(Config-Std-Nacl-ipFlow)# permit 10.1.1.0 0.0.0.255
Switch(Config-Std-Nacl-ipFlow)# deny 10.1.1.0 0.0.255.255
9.3 ACL Example
Scenario 1:
The user has the following configuration requirement: port 1/10 of the switch connects to
the 10.0.0.0/24 segment, and users on that segment should not be able to use FTP.
Configuration description:
1 Create a proper ACL
2 Configure the packet filtering function
3 Bind the ACL to the port
The configuration steps are listed below:
Switch(Config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(Config)#firewall enable
Switch(Config)#firewall default permit
Switch(Config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#ip access-group 110 in
Switch(Config-Ethernet1/10)#exit
Switch(Config)#exit
Configuration result: