Chapter 5: Security Options
physical port basis, MAC address ACLs and Ethertype ACLs are both
available. All ACL configuration is done through the CLI – because these
options are not often used, no GUI configuration is available.
ACLs are applied to interfaces using the ip access-group command. The direction of traffic to which the ACL is applied must also be specified, using either the keyword in or out. For example:

    interface FastEthernet 1/21
     ip access-group IP-only in

This applies the named ACL IP-only to traffic entering FastEthernet 1/21. An ACL filters only the direction it is applied in; traffic leaving the same port is unaffected unless a second ip access-group command with the out keyword is configured.
Standard ACLs
A standard ACL permits or denies traffic based only on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1 to 99 and 1300 to 1399. Standard ACLs use a wildcard mask (a bitwise mask, sometimes inaccurately called an "inverse netmask") to specify which bits of the address must match: a 0 bit in the mask means the corresponding address bit must match the configured address, and a 1 bit means that address bit is ignored.
Sample configuration:

    ip access-list standard 1
     permit 1.0.0.0 0.255.255.255
     permit host 10.1.1.3
     deny any

The example above permits all traffic whose source address is in 1.0.0.0/8 (the mask 0.255.255.255 ignores the low 24 bits). It also permits traffic from the host with IP address 10.1.1.3 (the host keyword is equivalent to a mask of 0.0.0.0). All other traffic is denied. Entries are evaluated in order and the first matching entry decides, so the explicit deny any must come last.
Extended ACLs
Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range of 100 to 199 and 2000 to 2699. The command syntax follows standard Cisco IOS conventions, and extensive context-sensitive help is available by pressing the ? key after each keyword entry.
Sample configuration:

    ip access-list extended 101
     permit tcp any host 1.1.1.1 range 67 69

The entry above permits TCP traffic from any source address to the host 1.1.1.1 when the destination port is between 67 and 69 inclusive; a port operator placed after the destination address applies to the destination port.
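The effect of the standard and extended entries above can be checked offline before they are applied with ip access-group. The following Python evaluator is an added example, not code from the switch or this manual: it models first-match evaluation with wildcard masks for both the standard ACL 1 and the extended ACL 101 shown on this page. The ACL text inside it is constructed for the example; the trailing "deny ip any any" in the extended list and the third list with a non-contiguous mask are assumptions added to illustrate behaviour, and the deny-on-no-match fallback is a modelling assumption that should be confirmed against the platform's documented default.

```python
"""Evaluator for the standard and extended IP ACL entries shown above.

Added example, not code from the switch or its manual. It models Cisco-style
first-match evaluation with wildcard masks. The sample ACL text is constructed
for the example; "deny ip any any" in the extended list is an assumption,
since the page's extended sample is truncated.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPV4_MASK = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask.

    A 0 bit in the wildcard means that bit of addr must equal the bit in
    base; a 1 bit means "don't care". The 1 bits need not be contiguous,
    which is why "inverse netmask" is only an approximation.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ IPV4_MASK
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every IP protocol
    src: tuple                     # (base, wildcard)
    dst: tuple                     # (base, wildcard); ANY for standard ACLs
    sport: Optional[tuple] = None  # (low, high) inclusive, or None
    dport: Optional[tuple] = None


def _parse_addr(tok, i):
    """Consume "any" | "host A" | "A W" starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Consume an optional "eq N" | "range N M" operator starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_acl(text: str):
    """Parse an "ip access-list standard|extended ..." block into entries."""
    lines = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    kind = lines[0][2]
    entries = []
    for tok in lines[1:]:
        if kind == "standard":
            src, _ = _parse_addr(tok, 1)
            entries.append(Entry(tok[0], "ip", src, ANY))
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(Entry(tok[0], tok[1], src, dst, sport, dport))
    return entries


def _in_range(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(entries, src, dst="0.0.0.0", proto="ip", sport=None, dport=None):
    """First matching entry decides; with no match the packet is denied
    (an assumption of this model, mirroring the page's explicit "deny any")."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if not (_in_range(e.sport, sport) and _in_range(e.dport, dport)):
            continue
        return e.action
    return "deny"


# Constructed sample text; the standard list is the page's own example.
STANDARD_1 = """
ip access-list standard 1
 permit 1.0.0.0 0.255.255.255
 permit host 10.1.1.3
 deny any
"""

EXTENDED_101 = """
ip access-list extended 101
 permit tcp any host 1.1.1.1 range 67 69
 deny ip any any
"""

# Assumed list with a non-contiguous wildcard: matches 10.x.0.y for any x, y.
NONCONTIGUOUS = """
ip access-list standard 2
 permit 10.0.0.0 0.255.0.255
 deny any
"""

if __name__ == "__main__":
    std = parse_acl(STANDARD_1)
    for ip in ("1.2.3.4", "10.1.1.3", "10.1.1.4"):
        print(f"ACL 1: src {ip} -> {evaluate(std, ip)}")
    ext = parse_acl(EXTENDED_101)
    print("ACL 101: tcp/68 to 1.1.1.1 ->", evaluate(ext, "9.9.9.9", "1.1.1.1", "tcp", dport=68))
    print("ACL 101: udp/68 to 1.1.1.1 ->", evaluate(ext, "9.9.9.9", "1.1.1.1", "udp", dport=68))
```

The non-contiguous list shows the point behind the "inverse netmask" remark: a mask of 0.255.0.255 matches 10.7.0.9 but not 10.7.1.9, a selection no CIDR prefix can express, so converting wildcard masks to prefix lengths in tooling silently changes what an ACL matches.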