• Organize your access list so that more specific references in a network or subnet appear before more general ones. An access list is evaluated top down and the first matching entry is applied, so a general entry placed earlier shadows every more specific entry that follows it.
• Use the statement permit any any if you want to allow all other packets not already denied. The statement permit any any, in effect, overrides the implicit deny statement at the end of an access list for all remaining traffic. Do not make permit any any your first access list entry, because all traffic will get through and no packets will reach the subsequent entries. In fact, once a packet reaches permit any any, all traffic not already denied gets through, so if you use it, place it last.
• Although all access lists end with an implicit deny statement, we recommend use of an explicit deny statement (for example, deny ip any any) as the last entry. On most platforms, you can display the count of packets denied by issuing the show access-list command, thus finding out more about who your access list is disallowing. Only packets denied by explicit deny statements are counted; the implicit deny keeps no counter, which is why the explicit deny statement yields more complete data for you.
• While you are creating an access list or after it is created, you might want to delete an entry. How you do so depends on the type of access list:
• You cannot delete a single entry from a numbered access list with the access-list command; issuing the no form of any entry (no access-list followed by the list number and the entry) deletes the entire access list. If you need to delete an entry, delete the entire access list and re-enter it without that entry. (On IOS releases that support access list entry sequence numbers, you can also open a numbered access list in named configuration mode, with ip access-list extended followed by the number, and remove one entry by its sequence number.)
• You can delete an entry from a named access list. In named access list configuration mode, use the no permit or no deny command, followed by the rest of the entry exactly as it was entered, to delete the appropriate entry.
• To make the purpose of individual statements easier to understand at a glance, you can write a helpful remark before or after any statement by using the remark command.
• If you want to deny access to a particular host or network and find out whether someone from that network or host is attempting to gain access, include the log keyword with the corresponding deny statement so that the packets denied from that source are logged for you.
• This hint applies to the placement of your access list. When trying to save resources, remember that an inbound access list applies the filter conditions before the routing table lookup, so a packet denied inbound is dropped without ever being routed. An outbound access list applies the filter conditions after the routing table lookup.
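A named extended access list that follows the hints above, as an added example rather than configuration from the guide. The list name EDGE-IN, the addresses (taken from documentation ranges) and the interface are illustrative assumptions:

```ios
! Added example, not from the guide. EDGE-IN, the addresses and the
! interface are illustrative assumptions.
ip access-list extended EDGE-IN
 remark Specific before general: one bad host in the partner /24 is denied first
 deny   ip host 203.0.113.7 any log
 remark The rest of the partner network may reach the web server on HTTP and HTTPS
 permit tcp 203.0.113.0 0.0.0.255 host 10.1.1.80 eq 80 443
 remark A permit ip any any would belong last, never first. Here we deny all else
 remark explicitly so that show access-lists counts what is being dropped
 deny   ip any any
!
! Inbound: filtered before the routing lookup, so denied packets are never routed
interface GigabitEthernet1/0/1
 ip access-group EDGE-IN in
!
! Named ACLs can be edited in place: remove one entry with its no form
ip access-list extended EDGE-IN
 no permit tcp 203.0.113.0 0.0.0.255 host 10.1.1.80 eq 80 443
!
! Numbered ACLs cannot: the following would remove the whole of list 101,
! not just the single entry named
! no access-list 101 permit tcp 203.0.113.0 0.0.0.255 host 10.1.1.80 eq 80
!
! Verify matches; only the explicit deny entries show hit counts
! show access-lists EDGE-IN
```

The deny with log comes first because a permit covering the whole partner network placed before it would shadow it; the explicit deny ip any any at the end is what makes show access-lists report how much traffic the list is dropping.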
IP Packet Fields You Can Filter to Control Access
You can use an extended access list to filter on any of the following fields in an IP packet. Source address
and destination address are the two most frequently specified fields on which to base an access list:
• Source address--Specifies a source address to control packets coming from certain networking devices or hosts.
• Destination address--Specifies a destination address to control packets being sent to certain networking devices or hosts.
• Protocol--Specifies an IP protocol indicated by the keyword eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or indicated by an integer in the range from 0 to 255 (the IP protocol number; for example, 47 is equivalent to gre). The keyword ip matches any IP protocol. If you specify icmp, igmp, tcp, or udp, the entry takes protocol-specific syntax (ICMP message types and codes, IGMP message types, or TCP and UDP port operators).
• Ports and noncontiguous ports--Specifies TCP or UDP source or destination ports by port name or port number, using an operator such as eq, gt, lt, neq, or range. The eq operator accepts a list of noncontiguous port numbers in a single entry. Port numbers are useful to filter Telnet traffic (TCP port 23) or HTTP traffic (TCP port 80), for example.
• TCP flags--Specifies that packets match any flag or all flags set in TCP packets. Filtering on specific TCP flags can help prevent false synchronization packets; for example, the established keyword matches only packets with the ACK or RST bit set, so a bare SYN that opens a new connection does not match it.
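The fields listed above combined in one extended access list, as an added example (not configuration from the guide). The list name FIELDS-DEMO and all addresses are illustrative assumptions drawn from documentation address ranges:

```ios
! Added example, not from the guide. FIELDS-DEMO and all addresses are
! illustrative assumptions.
ip access-list extended FIELDS-DEMO
 remark Protocol by keyword (gre) and by IP protocol number (47): the same match
 permit gre host 198.51.100.1 host 192.0.2.1
 permit 47  host 198.51.100.2 host 192.0.2.1
 remark ICMP takes message-type syntax: allow echo replies in, log other ICMP
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 deny   icmp any 192.0.2.0 0.0.0.255 log
 remark TCP/UDP take port operators; eq accepts noncontiguous ports (Telnet, HTTP, HTTPS)
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.10 eq 23 80 443
 remark Source port operator follows the source, destination operator the destination
 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
 remark TCP flags: established = ACK or RST set. A lone SYN (a new inbound
 remark connection attempt) does not match and falls through to the deny below
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny   tcp any 192.0.2.0 0.0.0.255 syn log
 deny   ip any any
```

The udp entry shows where each port operator belongs: eq 53 after the source matches DNS replies from any resolver, and gt 1023 after the destination restricts them to ephemeral client ports. The established/syn pair is the usual way to let inside hosts open connections outward while logging attempts to open them inward.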
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About Access Control Lists