Basic:
•Standard IP ACLs
Filter only on the source IP address
•Extended IP ACLs
Can filter on:
Source IP address
Destination IP address
Protocol (TCP, UDP)
Port numbers (Telnet – 23, HTTP – 80, etc.)
Standard and extended access lists apply to packets traveling through a router.
ACLs do not block packets that originate within the router.
An outbound Telnet extended access list does not prevent router-initiated Telnet sessions, by default.
Where to be applied:
Standard ACLs are applied on the interface closest to the destination of the traffic, and extended ACLs on the interface closest to the source. A standard ACL matches only the source address, so placing it near the source would block that source's traffic to every destination; an extended ACL can identify the exact flow, so dropping it near the source saves bandwidth across the rest of the network.
What happens when a packet is denied:
Once a packet is denied by an ACL, the router sends an ICMP "Destination Unreachable" message, with the code value set to "Administratively Prohibited", to the source of the packet.
Example:
All hosts - 0.0.0.0 255.255.255.255 (address 0.0.0.0 with wildcard mask 255.255.255.255; every bit of the wildcard is 1, so no address bit has to match)
Host Option:
The host option substitutes for the 0.0.0.0 wildcard mask. The host keyword precedes the IP address.
Example:
RouterB(config)#access-list 10 permit 192.168.1.100 0.0.0.0
OR
RouterB(config)#access-list 10 permit host 192.168.1.100
172.16.10.100 0.0.0.0 is replaced by host 172.16.10.100
192.168.1.100 0.0.0.0 is replaced by host 192.168.1.100
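To make the wildcard-mask rules above concrete, here is an added Python model (not part of the original notes, and not Cisco's code) that parses a few constructed access-list lines in IOS syntax and evaluates them the way a router does: the first matching entry wins, and a list with no match ends in the implicit deny. It shows that `host X` and `X 0.0.0.0` parse to the same entry, that `0.0.0.0 255.255.255.255` (the `any` keyword) matches every address, and the extra fields (destination, protocol, port) an extended list can match. The ACL numbers, addresses and the two-name port table are constructed for this example.

```python
# Added example: a model of IOS standard/extended ACL matching.
# Not the original post's code; addresses and list numbers are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: a 0 bit in the mask means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router actually compares
    return (a & care) == (b & care)


def parse_addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "host":          # host X   == X 0.0.0.0
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":           # any      == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches everything; otherwise tcp/udp/...
    src: Tuple[str, str]             # (base address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int]             # destination port from 'eq', if given


# Constructed two-name port table; IOS knows many more names.
PORT_NAMES = {"telnet": 23, "www": 80}


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N ...' line: 1-99 standard, 100-199 extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        # Standard: source only; destination is implicitly 'any'.
        src, wc, _ = parse_addr_spec(t, 3)
        return Entry(action, "ip", (src, wc), ("0.0.0.0", "255.255.255.255"), None)
    proto = t[3]
    src, swc, i = parse_addr_spec(t, 4)
    dst, dwc, i = parse_addr_spec(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, (src, swc), (dst, dwc), dport)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, *e.src):
            continue
        if not wildcard_match(dst, *e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"                    # implicit deny at the end of every ACL


# Constructed sample lists in IOS syntax.
STANDARD_ACL = [parse_entry(l) for l in [
    "access-list 10 permit host 192.168.1.100",
    "access-list 10 permit 172.16.10.0 0.0.0.255",
]]
EXTENDED_ACL = [parse_entry(l) for l in [
    "access-list 101 deny tcp any host 172.16.10.100 eq 23",
    "access-list 101 permit ip any any",
]]


def demo() -> dict:
    """Decisions for a few constructed packets, keyed by a short label."""
    return {
        "std_host":      evaluate(STANDARD_ACL, "ip", "192.168.1.100", "10.1.1.1", None),
        "std_subnet":    evaluate(STANDARD_ACL, "ip", "172.16.10.55", "10.1.1.1", None),
        "std_implicit":  evaluate(STANDARD_ACL, "ip", "192.168.1.101", "10.1.1.1", None),
        "ext_telnet":    evaluate(EXTENDED_ACL, "tcp", "10.0.0.1", "172.16.10.100", 23),
        "ext_http":      evaluate(EXTENDED_ACL, "tcp", "10.0.0.1", "172.16.10.100", 80),
        "ext_udp_23":    evaluate(EXTENDED_ACL, "udp", "10.0.0.1", "172.16.10.100", 23),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:13s} -> {decision}")
```

The `std_implicit` case is the one that trips people up in practice: 192.168.1.101 is not listed anywhere, so it is dropped by the implicit deny even though the list contains only permit statements. The `ext_udp_23` case shows why the protocol field matters; the deny entry names `tcp`, so UDP to the same port falls through to the permit.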