Orbit-Computer Solutions.Com

Computer Training & CCNA Networking Solutions
Chika Nwokeoma, EzineArticles.com Basic Author

Applying Extended ACLs on Interfaces

Let's look at how to configure an extended access list that lets users on a network browse both insecure and secure websites. First consider whether the traffic you want to filter is going in or out. Trying to access websites on the Internet is traffic going out. Receiving e-mails from the Internet is traffic coming in.
 
Applying ACL on an Interface
 
In the example in the figure below, R1 has two interfaces: a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0. Internet traffic coming in enters through the S0/0/0 interface and leaves through the Fa0/0 interface to reach PC1. The example applies the ACL to the serial interface in both directions.
 
Figure: Configuring an extended ACL on an interface
 
Configuration example:
 
Router1#config t
Router1(config)#interface s0/0/0
Router1(config-if)#ip access-group 101 out
Router1(config-if)#ip access-group 102 in
Router1(config-if)#end
 
Configuring Extended ACL to deny FTP from subnets

This is an example of denying FTP (File Transfer Protocol) traffic from subnet 192.168.2.0 going to subnet 192.168.3.0, but permitting all other traffic. Note the use of wildcard masks. Remember that FTP requires ports 20 and 21; therefore you need to specify both eq 20 and eq 21 to deny FTP.

Figure: Configuring an extended ACL to deny FTP
 
 
Configuration example:
 
Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in
Router1(config-if)#end
 
With extended ACLs, you can either use port numbers, as in the example, or refer to a well-known port by name.

 

Configuring Extended ACL to deny TELNET from subnets

This example denies Telnet traffic from 192.168.3.0 but allows all other IP traffic from any other source to any destination inbound on Fa0/1. Note the use of the any keyword, meaning from anywhere going to anywhere.
 
Figure: Extended ACL to deny Telnet
 
Configuration example:
 
Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 any eq 23
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in
Router1(config-if)#end
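As an added example (not code from the page or from Cisco), here is a small Python evaluator for the access-list syntax used in the FTP and Telnet examples above. It shows how a wildcard mask decides which address bits must match, how the first matching entry decides the verdict, and how the implicit deny at the end of every ACL catches packets that match no entry. The packet dictionary fields, the FTP_ACL and TELNET_ACL names and the sample addresses are constructed for this example.

```python
import ipaddress

# Constructed from the page's two ACL 103 examples (FTP and Telnet). IOS never
# shows the implicit "deny" at the end of an ACL, so evaluate() models it explicitly.
FTP_ACL = [
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21",
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20",
    "access-list 103 permit ip any any",
]
TELNET_ACL = [
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 any eq 23",
    "access-list 103 permit ip any any",
]

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF              # every bit is "don't care"
    if tok == "host":
        return ip_int(tokens.pop(0)), 0   # every bit must match
    return ip_int(tok), ip_int(tokens.pop(0))

def wildcard_match(ip, addr, wildcard):
    # Wildcard bit 1 = ignore that bit; bit 0 = that bit must equal the ACE address.
    return ((ip_int(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse one 'access-list N action proto src dst [eq port]' line (the page's syntax)."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = parse_addr(rest), parse_addr(rest)           # source first, then destination
    dport = int(rest[1]) if rest[:1] == ["eq"] else None    # destination port, as on the page
    return action, proto, src, dst, dport

def evaluate(acl_lines, packet):
    """First matching ACE decides; a packet matching no ACE hits the implicit deny."""
    for action, proto, src, dst, dport in map(parse_ace, acl_lines):
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not (wildcard_match(packet["src"], *src) and wildcard_match(packet["dst"], *dst)):
            continue
        if dport is not None and dport != packet["dport"]:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "192.168.3.10", "dst": "192.168.2.5", "dport": 21}
    print(evaluate(FTP_ACL, pkt), evaluate(TELNET_ACL, pkt))   # deny permit
```

Dropping the final permit entry (FTP_ACL[:2]) shows why every ACL needs an explicit permit for the traffic you want: with no match, the implicit deny blocks everything.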
 
 
(c) Copyright 2012. Orbit-Computer-Solutions.Com. All rights reserved.

The information provided on this website is for informational purposes only. Orbit-computer-solutions.com makes no warranties, either expressed or implied, with respect to any information contained on this website.
Orbit-computer-solutions.com reserves the right to change this policy at any time without prior notice.
Cisco and all related products mentioned in any portion of this website are registered trademarks of Cisco or their respective owners.
Microsoft Windows and all related products mentioned in any portion of this website are registered trademarks of Microsoft Corporation.