12-12
ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 12 Using Access Control
Filtering IP Packets at the IP Interfaces
IP Access List Examples
In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet;
that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify
a particular host.
Using access list 2, the ATM switch router software accepts one address on subnet 48 and rejects all
others on that subnet. The last line of the list shows that the software accepts addresses on all other
network 36.0.0.0 subnets.
Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# interface ethernet0
Switch(config-if)# ip access-group 2 in
Examples of Implicit Masks in IP Access Lists
IP access lists contain implicit masks. For example, if you omit the mask from an associated IP host
address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example
configuration:
Switch(config)# access-list 1 permit 0.0.0.0
Switch(config)# access-list 1 permit 131.108.0.0
Switch(config)# access-list 1 deny 0.0.0.0 255.255.255.255
For this example, the following masks are implied in the first two lines:
Switch(config)# access-list 1 permit 0.0.0.0 0.0.0.0
Switch(config)# access-list 1 permit 131.108.0.0 0.0.0.0
The last line in the configuration (using the deny keyword) can be omitted, because IP access lists
implicitly deny all other access, which is equivalent to finishing the access list with the following
command statement:
Switch(config)# access-list 1 deny 0.0.0.0 255.255.255.255
The following access list allows access only for hosts on the three specified networks. It assumes
that subnetting is not used; the masks apply to the host portions of the network addresses. Any host with
a source address that does not match one of the access list statements is rejected.
Switch(config)# access-list 1 permit 192.5.34.0 0.0.0.255
Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255
Switch(config)# access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the address mask that is all
zeros from the access-list global configuration command. Thus, the following two configuration
commands are identical in effect:
Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 permit 36.48.0.3 0.0.0.0
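The matching rules described in the two sections above (wildcard masks, the implicit 0.0.0.0 mask on a bare address, first-match evaluation and the implicit deny at the end of every list) can be checked offline with the following added Python example. It is not part of the Cisco guide and is not the switch's own matching code; it is a small evaluator that parses the Switch(config)# commands shown above and applies the semantics the text states. The sample configuration is constructed from the access list 1 and access list 2 commands on this page.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, base address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is ignored (the opposite of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(lines: List[str]) -> Dict[str, List[Rule]]:
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' commands into per-list
    rule tables. A missing wildcard is the implicit host mask 0.0.0.0, exactly
    as the guide describes for 'access-list 2 permit 36.48.0.3'."""
    acls: Dict[str, List[Rule]] = {}
    for raw in lines:
        line = raw.split("!")[0].strip()          # drop '!' comments and blanks
        if line.startswith("Switch(config)#"):     # strip the prompt from pasted CLI
            line = line[len("Switch(config)#"):].strip()
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, base = parts[1], parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # implicit mask
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def evaluate(rules: List[Rule], addr: str) -> Tuple[str, Optional[int]]:
    """First matching statement decides; no match means the implicit deny,
    reported with index None so it can be told apart from an explicit deny."""
    for idx, (action, base, wildcard) in enumerate(rules):
        if wildcard_match(addr, base, wildcard):
            return action, idx
    return "deny", None


# Constructed sample: the access list 1 and access list 2 commands from this page.
SAMPLE_CONFIG = [
    "Switch(config)# access-list 2 permit 36.48.0.3",
    "Switch(config)# access-list 2 deny 36.48.0.0 0.0.255.255",
    "Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255",
    "Switch(config)# access-list 1 permit 0.0.0.0",
    "Switch(config)# access-list 1 permit 131.108.0.0",
    "Switch(config)# access-list 1 deny 0.0.0.0 255.255.255.255",
]
ACLS = parse_standard_acl(SAMPLE_CONFIG)


if __name__ == "__main__":
    for number, probes in (("2", ["36.48.0.3", "36.48.7.9", "36.10.1.1", "10.0.0.1"]),
                           ("1", ["131.108.0.0", "131.108.1.1"])):
        for ip in probes:
            action, idx = evaluate(ACLS[number], ip)
            where = "implicit deny" if idx is None else f"statement {idx + 1}"
            print(f"access-list {number}: {ip:<14} -> {action} ({where})")
```

The access list 1 probes make the implicit-mask point concrete: `permit 131.108.0.0` with no wildcard admits only the single address 131.108.0.0, so a host such as 131.108.1.1 falls through to the deny statement. When reviewing a filter that was meant to admit a whole network, a bare address in a permit statement is the first thing to look for.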
Examples of Configuring Extended IP Access Lists
In the following example, the first line permits any incoming Transmission Control Protocol (TCP)
connections with destination ports greater than 1023. The second line permits incoming TCP
connections to the simple mail transfer protocol (SMTP) port of host 128.88.1.2. The last line permits
incoming ICMP messages for error feedback.
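The extended-list behaviour just described adds a protocol test and a destination-port comparison to the address match. The following added Python example, which is not Cisco's code and not from this guide, encodes the three statements as described in the text (any TCP with destination port greater than 1023, TCP to the SMTP port of host 128.88.1.2, and any ICMP) and evaluates constructed packets against them. The source and destination "any" matches and the rule table itself are assumptions drawn from the prose, since the configuration commands are not reproduced on this page.

```python
import ipaddress
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]                       # (base address, wildcard mask)
PortSpec = Optional[Tuple[str, int]]             # (operator, port) or None
ExtRule = Tuple[str, str, AddrSpec, AddrSpec, PortSpec]

ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")   # every bit ignored


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 wildcard bit must match, 1 wildcard bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(op: str, value: int, port: int) -> bool:
    """Port operators in the style of the IOS keywords eq, gt and lt."""
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


# Constructed rule table mirroring the three statements described in the text.
EXTENDED_RULES: List[ExtRule] = [
    ("permit", "tcp",  ANY, ANY, ("gt", 1023)),              # TCP, dst port > 1023
    ("permit", "tcp",  ANY, ("128.88.1.2", "0.0.0.0"), ("eq", 25)),  # SMTP to one host
    ("permit", "icmp", ANY, ANY, None),                      # ICMP error feedback
]


def evaluate_extended(rules: List[ExtRule], proto: str, src: str, dst: str,
                      dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins; protocol, both addresses and (if present) the port
    comparison must all hold. No match is the implicit deny (index None)."""
    for idx, (action, rproto, (sb, sw), (db, dw), portspec) in enumerate(rules):
        if rproto != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if portspec is not None:
            op, value = portspec
            if dport is None or not port_match(op, value, dport):
                continue
        return action, idx
    return "deny", None


if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination, destination port)
    for pkt in (("tcp", "10.1.1.1", "128.88.1.2", 25),
                ("tcp", "10.1.1.1", "128.88.3.4", 8080),
                ("tcp", "10.1.1.1", "128.88.1.2", 22),
                ("icmp", "10.1.1.1", "128.88.1.2", None),
                ("udp", "10.1.1.1", "128.88.1.2", 53)):
        print(pkt, "->", evaluate_extended(EXTENDED_RULES, *pkt))
```

The probes show the shape of the policy: a TCP segment to port 22 on 128.88.1.2 and a UDP datagram to port 53 both fall through to the implicit deny, while high-port TCP is admitted by the first statement regardless of destination host. That first statement is the one to examine most closely in review, because "destination port greater than 1023" covers far more than the reply traffic it is usually meant for.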