
access-list


Mikael Velschow-Rasmussen

Nov 4, 1997, 3:00:00 AM11/4/97

Example

conf t
int e0
ip access-group 111 in
# defines that the filter looks at traffic the router receives on this interface.
access-list 111 deny tcp host 195.41.3.3 host 192.168.5.200 eq telnet
# a nr. >= 100 says it's an extended list (a list where you can set up filters on port-nr.)
# permit/deny specifies whether you forward or block packets (there's an implicit deny all at the end of each list)
# udp/tcp specifies the protocol
# host x.x.x.x (source) host y.y.y.y (destination)
(you can state any=all hosts or subnets : 192.168.2.0 255.255.255.0)
# eq(als) smtp says the filter here should deny telnet-packets from host 195.41.3.3 to host 192.168.5.200.

If, while configuring, you type ? after eq, you get a list of well-known
ports.

Hope this helps

Regards
Mikael Velschow-Rasmussen
m.vel...@debis.dk

laurence rabanal <laur...@perfecto.slu.edu.ph> wrote in article
<8786477...@news.Colorado.EDU>...
>
> hi there,
>
> would someone explain to me each field in the access-list entry?
> is it possible to deny services(telnet,mail etc) from a particular IP
> address within our domain? how?
>
> thank you & best regards
>
> == lao ==
>
>
>

laurence rabanal

Nov 4, 1997, 3:00:00 AM11/4/97

Syed Faraz Shamim

Nov 4, 1997, 3:00:00 AM11/4/97

access-list 101 deny tcp host x.x.x.x host y.y.y.y eq smtp
access-list 101 deny tcp host x.x.x.x host y.y.y.y eq telnet
access-list 101 permit ip any any

where x.x.x.x is source ip address & y.y.y.y is your destination
ip address

then you need to apply this access-list inbound on a particular
interface that you expect to receive traffic from. e.g.

int e0
ip access-group 101 in

Type ? after every parameter to see the description of each field.

hope it helps

Faraz Shamim
s...@cisco.com


> From list-owner...@cisco.com Tue Nov 4 02:55:53 1997
> Date: Tue, 4 Nov 1997 17:27:16 +0800 (PST)
> From: laurence rabanal <laur...@perfecto.slu.edu.ph>
> To: ci...@spot.Colorado.EDU
> Subject: access-list
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Content-Length: 230

Zaheer Aziz

Nov 4, 1997, 3:00:00 AM11/4/97

At 05:27 PM 11/4/97 +0800, laurence rabanal wrote:
>
> hi there,
Hi Lao,
http://www.cisco.com/warp/public/701/31.html
http://www.cisco.com/warp/public/701/30.html
30.html explains blocking telnet and snmp


you can find a detailed explanation of implementing access-lists using Cisco IOS
in these docs.

Thanks
Zaheer

laurence rabanal

Nov 5, 1997, 3:00:00 AM11/5/97

hi again,

forgive me for my ignorance about these matters, can someone discuss
these questions of mine..

- when do I use IP access list ( 1 to 99 ) and IP extended ( 100 to
199)? how bout....
<1100-1199> Extended 48-bit MAC address access list
<200-299> Protocol type-code access list
<700-799> 48-bit MAC address access list

thanks and best regards

== lao ==
jr. sys.ad
slu-net


Barry Margolin

Nov 5, 1997, 3:00:00 AM11/5/97

In article <8787313...@news.Colorado.EDU>,

laurence rabanal <laur...@perfecto.slu.edu.ph> wrote:
> - when do I use IP access list ( 1 to 99 ) and IP extended ( 100 to
> 199)? how bout....

You use a regular access list when you only need to match on the source
address of a packet. You use an extended access list when you need to
match on the protocol, source address, destination address, source port, or
destination port.

When using access lists with a distribute-list statement, you use a regular
ACL if you just need to match the address portion of the route, and an
extended ACL if you need to match on the subnet mask part of the route
(this is only applicable to classless routing protocols, e.g. OSPF and
BGP4).

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Cambridge, MA
Support the anti-spam movement; see <http://www.cauce.org/>
Please don't send technical questions directly to me, post them to newsgroups.

Wade Williams

Nov 5, 1997, 3:00:00 AM11/5/97

At 05:30 PM 11/5/97 +0800, laurence rabanal wrote:
>
> hi again,
>
> forgive me for my ignorance about these matters, can someone discuss
> these questions of mine..
>
> - when do I use IP access list ( 1 to 99 ) and IP extended ( 100 to
> 199)? how bout....

Simple IP access lists don't include port designations. If you don't need
to go to the granularity of a port, use the simple access list. Otherwise,
use extended access lists.

> <1100-1199> Extended 48-bit MAC address access list
> <200-299> Protocol type-code access list
> <700-799> 48-bit MAC address access list

The 1100 access-list is used for MAC address filtering when doing
transparent bridging.

The other two are used for filtering when doing Source-Route Bridging.

Wade

---------------------------------------------------------------------------
Wade Williams
Systems Engineer
Cisco Systems, Inc.
Brentwood, TN
615-221-2918
wwil...@cisco.com

"And the trees are all kept equal by hatchet, axe, and saw." - N. Peart
---------------------------------------------------------------------------

Neil Lovering

Nov 6, 1997, 3:00:00 AM11/6/97

Lao,

Simply use an IP extended access list. If you get into config mode, build
an access list with a number between 100 and 199. An example would be:

access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet

Here, 1.1.1.1 would be denied telnet access to 2.2.2.2. Don't forget to
permit something, or else the list will deny all IP traffic by default.
Use the context-sensitive help (?) while you're building the command to see
the descriptions of each field also. You could replace the "host 1.1.1.1"
with the word "any" to deny any source to destination 2.2.2.2.

Neil

At 05:27 PM 11/4/97 +0800, laurence rabanal wrote:

> hi there,
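The behaviour described across the thread (Mikael's annotated entry, Syed's three-line list 101, Barry's standard-versus-extended distinction, and Neil's warning that a list with only deny entries blocks everything) can be exercised in a small evaluator. The block below is an added example, not code from any of the posters or from Cisco IOS: it models top-down, first-match evaluation of numbered IP access-lists in Python, where a standard list (1-99) matches the source address only, an extended list (100-199) matches protocol, source, destination and an optional "eq <port>", and an unmatched packet falls through to the implicit deny. The addresses 1.1.1.1, 2.2.2.2, 195.41.3.3 and 192.168.5.200 come from the posts; lists 10 and 102, the port-name table and the Packet format are constructed for the example. Address ranges use IOS wildcard masks (0.0.0.255 for a /24), which is what IOS expects after a network address.

```python
"""Toy evaluator for Cisco IOS numbered IP access-lists (constructed example).

Models only what the thread discusses: standard lists (1-99) match the source
address; extended lists (100-199) match protocol, source, destination and an
optional 'eq <port>'; entries are tried top-down, the first match wins, and an
unmatched packet hits the implicit 'deny' at the end of every list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed subset of the well-known port names IOS accepts after "eq".
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "snmp": 161}

# (base address, wildcard mask) as 32-bit ints; a wildcard bit of 1 means "don't care".
AddrSpec = Tuple[int, int]


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, for tcp/udp


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: AddrSpec
    dst: Optional[AddrSpec]      # None for a standard list
    dport: Optional[int]         # None when there is no "eq" clause


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume 'any' | 'host A' | 'A WILDCARD' and return the spec plus the remaining tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list <n> <permit|deny> ...' line into (list number, Entry)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    if 1 <= number <= 99:                       # standard list: source address only
        src, rest = _parse_addr(rest)
        return number, Entry(action, "ip", src, None, None)
    if 100 <= number <= 199:                    # extended list: proto, src, dst, optional eq
        proto, rest = rest[0], rest[1:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = _port(rest[1]) if rest[:1] == ["eq"] else None
        return number, Entry(action, proto, src, dst, dport)
    raise ValueError(f"list number {number} is not an IP access-list")


def load(config: str) -> Dict[int, List[Entry]]:
    """Group access-list lines by list number, preserving configuration order."""
    acls: Dict[int, List[Entry]] = {}
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()        # IOS comment lines start with '!'
        if line.startswith("access-list"):
            number, entry = parse_entry(line)
            acls.setdefault(number, []).append(entry)
    return acls


def _match_addr(spec: AddrSpec, addr: str) -> bool:
    base, wild = spec
    return (_ip(addr) & ~wild) == (base & ~wild)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry decides."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _match_addr(e.src, pkt.src):
            continue
        if e.dst is not None and not _match_addr(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"                               # implicit deny all at the end of every list


# Constructed sample configuration, modelled on the lists posted in the thread.
SAMPLE_CONFIG = """
! standard list: source address only
access-list 10 permit 192.168.5.0 0.0.0.255
! extended list with a deny entry and no permit: everything else is dropped too
access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet
! extended list that blocks smtp and telnet from one host, then permits the rest
access-list 101 deny tcp host 195.41.3.3 host 192.168.5.200 eq smtp
access-list 101 deny tcp host 195.41.3.3 host 192.168.5.200 eq telnet
access-list 101 permit ip any any
! 'any' as the source blocks telnet to the server from everyone
access-list 102 deny tcp any host 2.2.2.2 eq telnet
access-list 102 permit ip any any
"""

if __name__ == "__main__":
    acls = load(SAMPLE_CONFIG)
    print("101 telnet from 195.41.3.3:", evaluate(acls[101], Packet("tcp", "195.41.3.3", "192.168.5.200", 23)))
    print("100 ping from 3.3.3.3 (no permit line):", evaluate(acls[100], Packet("icmp", "3.3.3.3", "2.2.2.2")))
```

Running it shows the two points the replies stress: list 101 denies only the named services from 195.41.3.3 and lets everything else through because of its final permit, while list 100, which has no permit entry, denies even an unrelated ICMP packet through the implicit deny.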
