Cisco Access Control List (ACL)

Standard ACL

Numbered ACL:

R1(config)#access-list 1 remark "inbound fa0/0"
R1(config)#access-list 1 deny host 192.168.1.0
R1(config)#access-list 1 deny 10.0.0.0 0.0.0.255
R1(config)#access-list 1 permit any
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in

Named ACL:

R1(config)#ip access-list standard OUT_FA1/0
R1(config-std-nacl)#deny 192.168.1.1
R1(config-std-nacl)#deny 10.0.0.0 0.0.0.255
R1(config-std-nacl)#permit any     //without this the implicit deny at the end drops all other traffic
R1(config-std-nacl)#exit
R1(config)#interface fa1/0
R1(config-if)#ip access-group OUT_FA1/0 out

Extended ACL

Numbered ACL:

R1(config)#access-list 100 permit ip host 192.168.1.10 any
R1(config)#access-list 100 permit eigrp 10.0.0.1 0.0.0.255 any
R1(config)#access-list 100 permit tcp 10.0.0.1 0.0.0.255 any eq 443
R1(config)#access-list 100 permit tcp any 10.0.0.1 0.0.0.255 established     //matches only return traffic (ACK or RST bit set), very useful

Named ACL:

R1(config)#ip access-list extended IN_FA0/1
R1(config-ext-nacl)#permit ip host 192.168.1.10 any
R1(config-ext-nacl)#permit eigrp 10.0.0.1 0.0.0.255 any
R1(config-ext-nacl)#permit tcp 10.0.0.1 0.0.0.255 any eq 25
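As an added example that is not part of the original post: a small first-match ACL evaluator in Python that models the IOS behaviour the standard and extended examples above depend on. It implements wildcard-mask matching (a 0 bit must match, a 1 bit is ignored, so `host A.B.C.D` is `A.B.C.D 0.0.0.0` and `any` is `0.0.0.0 255.255.255.255`), top-down first-match evaluation, the implicit `deny any` at the end of every ACL, and `established` as "TCP with ACK or RST set". The `Entry`, `Packet`, `matches` and `evaluate` names and the sample packets are assumptions made for the example; the ACL contents are transcribed from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")  # what the IOS keyword 'any' expands to


def host(ip: str) -> Tuple[str, str]:
    """IOS 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: bits set to 0 in the mask must equal the base, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every IP protocol; standard ACLs behave this way
    src: Tuple[str, str] = ANY       # (base, wildcard)
    dst: Tuple[str, str] = ANY       # standard ACLs never look at the destination, so it stays ANY
    dport: Optional[int] = None      # 'eq <port>' on the destination
    established: bool = False        # TCP only: ACK or RST bit must be set (reply traffic)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    ack_or_rst: bool = False


def matches(e: Entry, p: Packet) -> bool:
    """Does one access-control entry match this packet?"""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, *e.src) or not wildcard_match(p.dst, *e.dst):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every ACL ends in an implicit 'deny any'."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Standard ACL 1 from the post (source address only).
ACL_1 = [
    Entry("deny", src=host("192.168.1.0")),
    Entry("deny", src=("10.0.0.0", "0.0.0.255")),
    Entry("permit"),
]

# A standard ACL built from deny lines alone: the implicit deny then blocks everything.
DENY_ONLY = [
    Entry("deny", src=host("192.168.1.1")),
    Entry("deny", src=("10.0.0.0", "0.0.0.255")),
]

# Extended ACL 100 from the post. IOS normalises '10.0.0.1 0.0.0.255' to 10.0.0.0,
# and the wildcard makes the two equivalent anyway.
ACL_100 = [
    Entry("permit", "ip", host("192.168.1.10"), ANY),
    Entry("permit", "eigrp", ("10.0.0.1", "0.0.0.255"), ANY),
    Entry("permit", "tcp", ("10.0.0.1", "0.0.0.255"), ANY, dport=443),
    Entry("permit", "tcp", ANY, ("10.0.0.1", "0.0.0.255"), established=True),
]

if __name__ == "__main__":
    # Constructed sample packets; 8.8.8.8 stands in for "somewhere on the Internet".
    for name, acl, pkt in [
        ("acl 1, 10.0.0.77 -> any", ACL_1, Packet("10.0.0.77", "8.8.8.8")),
        ("acl 1, 172.16.0.1 -> any", ACL_1, Packet("172.16.0.1", "8.8.8.8")),
        ("deny-only, 172.16.0.1 -> any", DENY_ONLY, Packet("172.16.0.1", "8.8.8.8")),
        ("acl 100, inbound SYN to 10.0.0.5:22", ACL_100, Packet("8.8.8.8", "10.0.0.5", "tcp", 22)),
        ("acl 100, inbound ACK to 10.0.0.5", ACL_100, Packet("8.8.8.8", "10.0.0.5", "tcp", 51000, True)),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

The deny-only list shows why the `permit any` line matters: a standard ACL that only lists what to block blocks the rest as well. The last two sample packets show what `established` buys you: a new inbound connection attempt (SYN only) is dropped, while replies to sessions the inside hosts opened are permitted.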

IPv6 ACL

- Named only
- Similar to Extended

R1(config)#ipv6 access-list IN_FA0/1
R1(config-ipv6-acl)#deny ipv6 2002:db8:cafe:30::/64 any
R1(config-ipv6-acl)#permit ipv6 any any
R1(config-ipv6-acl)#exit
R1(config)#interface fa0/1
R1(config-if)#ipv6 traffic-filter IN_FA0/1 in

Control VTY access with ACL

R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#access-class 10 in
R1(config)#access-list 10 permit 192.168.1.0 0.0.0.255
