6.3b,c Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

This article is deprecated; a newer version is available here.
Extended ACLs can match on source and destination IP addresses as well as port numbers.
The key is to rely on the implicit deny at the end of the ACL: it both reduces the number of entries in the list and keeps that implicit deny at the front of your mind (you will forget it otherwise).
6.3 lab
The setup is the same as 6.3a. I used the following commands to achieve the goal:
[code]! Subinterface for VLAN 100 (10.0.0.0/24); ACL 100 filters traffic leaving towards that LAN
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 10.0.0.100 255.255.255.0
ip access-group 100 out
!
! Subinterface for VLAN 101 (10.0.1.0/24); ACL 199 filters traffic arriving from that LAN
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 10.0.1.100 255.255.255.0
ip access-group 199 in
!
interface FastEthernet1/0
ip address 1.1.1.100 255.255.255.0
duplex auto
speed auto
!
! Only the permitted flows are listed; everything else hits the implicit deny at the end of each ACL
access-list 100 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
access-list 199 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
[/code]
Instead of using a deny entry to block VPC5, I committed only a single permit for the traffic that is allowed on that link (the block is implied by the ACL's implicit deny).
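To make the first-match and implicit-deny behaviour described above concrete, here is a small Python evaluator written for this article (it is not IOS output or Cisco code): it parses the two numbered ACLs from the lab and decides permit or deny for sample source/destination pairs. The sample host addresses are constructed for illustration.

```python
# Added example (not from the lab page): a minimal first-match evaluator for
# IOS-style numbered extended ACL 'ip' entries, modelling the wildcard-mask
# comparison and the implicit 'deny ip any any' at the end of every ACL.
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(config):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # blank lines, remarks and anything else are skipped
        if t[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, src_wc, rest = _parse_addr(t[4:])
        dst, dst_wc, _ = _parse_addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, src_wc, dst, dst_wc))
    return acls

def _matches(addr, base, wildcard):
    """Wildcard (inverse) mask: a 1 bit means 'do not care' about that bit."""
    return (addr & ~wildcard) == (base & ~wildcard)

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for action, s, s_wc, d, d_wc in entries:
        if _matches(src, s, s_wc) and _matches(dst, d, d_wc):
            return action
    return "deny"  # implicit 'deny ip any any'

# The numbered ACLs from the lab above, copied verbatim from the page.
LAB_ACLS = parse_acl("""
access-list 100 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
access-list 199 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
""")
```

Calling `evaluate(LAB_ACLS["100"], "10.0.1.5", "10.0.0.2")` returns "deny" with no explicit deny entry present, which is exactly the implied block the lab relies on.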
6.3b
Named ACLs allow you to add or delete individual entries without retyping the whole list. I rewrote the rules as follows:
[code]ip access-list extended lan_access
 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
ip access-list extended server_access
 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
!
[/code]
