HSNRSM(config)# access-list 100 deny tcp any any eq 20
HSNRSM(config)# access-list 100 deny tcp any any eq 21
3. Because the access list has an implied “deny all” at the end, you need to add a rule so that all other
traffic can pass through. The ip keyword indicates that all IP protocols are being matched:
HSNRSM(config)# access-list 100 permit ip any any
You do not want to apply the access list to an outbound interface, because then the FTP packets would cross
the switch fabric and use up bandwidth and processing power before being dropped. Instead, apply the access list
as early as possible, on the inbound interface of the company’s Distribution layer switch.
To apply the access list to an interface, follow these steps:
1. Access the interface to be configured. In this case, from Global Configuration mode, use the
following command:
interface fastethernet0/0
2. Apply the access list to the interface so that it filters inbound packets, using the following
command:
ip access-group 100 in
Unless the FTP packets are coming from the advertising company, no one else will be able to access your
FTP server.
Related solutions:                                    Found on page:
Opening a Session on an Internal Route Processor      381
Entering Configuration Mode on an RSM                 381
Creating an Extended Access List
Creating an extended access list is very similar to creating a standard access list, but the options are more
complex and can become quite lengthy. We suggest writing out your extended access list beforehand and then
implementing it. Here is the syntax an extended access list can require for configuration:
access-list access-list-number {deny|permit} {protocol type}
source-address source-wildcard destination-address
destination-wildcard [protocol specific options|operator] [log]
Let’s step through creating an extended access list that can be applied to an interface and deny any host on
network 172.16.10.0 from going to any host on network 172.15.10.0. It will also deny ports 80, 23, 21, and
20. This will effectively disallow any access to World Wide Web services, Telnet, and FTP. Let’s look at all
the options:
1. For an extended access list we must identify an access list number between 100 and 199:
CoriolisRSM1(config)#access-list 199 ?
deny     Specify packets to reject
dynamic  Specify a DYNAMIC list of PERMITs or DENYs
permit   Specify packets to forward
2. We must then choose who to deny. We are using TCP instead of IP so we can identify just the ports
we want to deny. The first IP address identifies the network. The 0.0.0 identifies that the first three
octets must be the same and the .255 identifies all the hosts in the last octet:
CoriolisRSM1(config)#access-list 199 deny tcp 172.16.10.0 0.0.0.255 ?
A.B.C.D  Destination address
any      Any destination host
eq       Match only packets on a given port number
gt       Match only packets with a greater port number
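As an added worked example (not from the book), the following Python model shows how the router evaluates extended access lists like the two above: wildcard-mask matching, top-down first-match ordering, and the implicit “deny all” at the end. Access list 100 is copied from the page; access list 199 is constructed here in the same syntax from the page’s description (ports 80, 23, 21 and 20 between the two networks), and the packet fields passed to evaluate() are hypothetical.

```python
import ipaddress
# Constructed samples: access list 100 exactly as shown on the page, and a list 199 written
# in the same syntax from the page's description of the second example (ports 80, 23, 21, 20).
ACL_100 = """
access-list 100 deny tcp any any eq 20
access-list 100 deny tcp any any eq 21
access-list 100 permit ip any any
"""
ACL_199 = """
access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 80
access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 23
access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 21
access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 20
access-list 199 permit ip any any
"""

def parse_ace(line):
    """access-list N {permit|deny} {ip|tcp} <src> <dst> [eq <port>], where each address
    is 'any' or 'A.B.C.D wildcard' and 'eq' after both addresses names the destination port."""
    tok = line.split()
    action, proto, i, addrs = tok[2], tok[3], 4, []
    for _ in range(2):
        if tok[i] == "any":                          # 'any' = 0.0.0.0 with an all-ones wildcard
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            addrs.append((tok[i], tok[i + 1])); i += 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care' (inverse of a subnet
    mask), so 0.0.0.255 means 'same first three octets, any host in the last octet'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; a packet matching no entry hits the implicit 'deny all'."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:      # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Removing the final permit ip any any line from either list and re-running evaluate() shows the implicit deny swallowing all remaining traffic, which is the mistake step 3 above guards against.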