Table of Contents
Advertisement
Chapter 2
Cisco 1710 Security Router Configuration
Access Lists
78-12696-01
Access lists are configured as standard or extended. A standard access list either
permits or denies passage of packets from a designated source. An extended
access list allows designation of both the destination and the source, and it allows
designation of individual protocols to be permitted or denied passage. An access
list is a series of commands with a common tag to bind them together. The tag is
either a number or a name.
Standard numbered access list commands take the following form:
access-list {1-99} {permit|deny} source-addr [source-mask]
Extended numbered access list commands take the following form:
access-list {100-199} {permit|deny} protocol source-addr [source-mask]
destination-addr [destination-mask]
Named access list commands take the form:
ip access-list {standard|extended} name
A standard named access list command must be followed by subcommands in this
form:
deny {source|source-wildcard|any}
An extended named access list command must be followed by a subcommand in
this form:
{permit|deny} protocol {source-addr[source-mask]|any} {destination-addr
[destination-mask]|any}
A sequence of access list commands bound together with a common name or
number is referred to as an access group. An access group is enabled for an
interface during interface configuration with the command
ip access-group number|name [in|out]
where in|out refers to the direction of travel of the packets being filtered.
When a sequence of access list commands is used, three things must be kept in
mind:
The order of commands in the sequence is important. A packet will be
•
operated on by the first command. If there is no match (neither a permit nor
a deny occurs), the next command operates on the packet, and so on.
Cisco 1710 Security Router Software Configuration Guide
Configuring Firewalls
2-13
- Quick Links:
- Using Commands
Hide quick links:
Advertisement
Table of Contents
