Table 162. Creating a Permit ACL Followed by a Deny ACL Example - Allied Telesis AT-8100L/8 User Manual

Fast Ethernet Switches AT-8100 Series Management Software Command Line Interface User’s Guide, AlliedWare Plus Version 2.2.5

Chapter 98: Advanced Access Control Lists (ACLs)

Table 162. Creating a Permit ACL Followed by a Deny ACL Example

| Command | Description |
| --- | --- |
| awplus> enable | Enter the Privileged Executive mode from the User Executive mode. |
| awplus# configure terminal | Enter the Global Configuration mode. |
| awplus(config)# access-list 3015 permit ip 149.55.65.0/24 any | Create the permit ACL with the ACCESS-LIST command. |
| awplus(config)# access-list 3011 deny ip any any | Create the deny ACL. |
| awplus(config)# interface port1.0.15 | Move to the Port Interface mode for port 15. |
| awplus(config_if)# access-group 3015 | Add the two ACLs to the port with the ACCESS-GROUP command, being sure to add the permit ACL first so that ingress packets are compared against it first. |
| awplus(config_if)# access-group 3011 | |
| awplus(config_if)# end | Return to the Privileged Exec mode. |
| awplus# show access-list | Confirm the configuration of the ACLs. |
| awplus# show interface port1.0.15 access-group | Confirm that the ACLs have been added to the port. |

deny ACL for the denied traffic flow. This is illustrated in the example in
Table 162 on page 1524 in which port 15 is configured to forward only
ingress packets from the 149.55.65.0/24 subnet and to discard all other
traffic. The permit ACL, which has the ID number 3015, specifies the
packets from the permitted subnet, while the deny ACL, with the ID
number 3011, specifies all traffic.

Note
In the example, the permit ACL is added to the port before the deny
ACL. This is important because packets are compared against
the ACLs in the order in which the ACLs are added to the port. If the
deny ACL is added first, the port blocks all traffic, even the traffic
specified by the permit ACL.

For another example of permit ACLs, see Table 163 on page 1525. In this
example, ports 21 and 22 forward traffic from three specified network
devices and discard all other ingress traffic. The allowed traffic is specified
with three permit ACLs.
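
The ordering rule from the note, as an added Python example (not from the Allied Telesis manual): it evaluates the ACLs bound to a port first-match in the order they were added, and flags an ACL that an earlier, broader ACL with the opposite action makes unreachable. The function names, the forward-on-no-match default, and the sample packet addresses are assumptions made for this sketch.

```python
"""First-match evaluation of the ACLs bound to a port, in the order added."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def acl(acl_id, action, src, dst="any"):
    """Build one ACL entry; 'any' maps to 0.0.0.0/0 (IPv4 only in this sketch)."""
    net = lambda s: ANY if s == "any" else ip_network(s)
    return {"id": acl_id, "action": action, "src": net(src), "dst": net(dst)}

def evaluate(port_acls, src, dst):
    """Return (action, acl_id) of the first ACL that matches the packet."""
    s, d = ip_address(src), ip_address(dst)
    for a in port_acls:
        if s in a["src"] and d in a["dst"]:
            return a["action"], a["id"]
    # Assumption: a packet that matches no ACL is forwarded, which is why the
    # example in Table 162 ends with an explicit deny ACL.
    return "permit", None

def shadowed(port_acls):
    """List (later_id, earlier_id) pairs where an earlier ACL with the opposite
    action covers every packet the later ACL could match, so the later ACL
    can never take effect."""
    hits = []
    for i, later in enumerate(port_acls):
        for earlier in port_acls[:i]:
            if (earlier["action"] != later["action"]
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])):
                hits.append((later["id"], earlier["id"]))
                break
    return hits

PERMIT_3015 = acl(3015, "permit", "149.55.65.0/24")
DENY_3011 = acl(3011, "deny", "any")
GOOD_ORDER = [PERMIT_3015, DENY_3011]   # order used in Table 162
BAD_ORDER = [DENY_3011, PERMIT_3015]    # deny ACL added to the port first

if __name__ == "__main__":
    for name, order in (("permit first", GOOD_ORDER), ("deny first", BAD_ORDER)):
        print(name)
        for src in ("149.55.65.20", "10.1.1.5"):   # constructed sample sources
            print("  ", src, "->", evaluate(order, src, "192.0.2.10"))
        print("   shadowed:", shadowed(order))
```

Running `shadowed()` over the access-group order reported for each port is a quick audit for a permit ACL that was bound after a broader deny ACL.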
