Cisco Catalyst ACL Introduction: RACL, VACL, PACL
Blueprint
Foundation
RACL
Configuration
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
name sales
exit
!
interface Vlan 128
ip address 10.0.128.1 255.255.255.0
no shutdown
ip access-group 102 out
exit
!
interface FastEthernet 1/0/4
no switchport
ip address 10.0.129.1 255.255.255.0
ip access-group 101 in
exit
!
interface FastEthernet 1/0/5
switchport mode access
switchport access vlan 128
exit
!
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any host 10.0.128.254 eq www
!
end
Verification
Console Log
SW1>enable
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip rou
SW1(config)#ip routi
SW1(config)#ip routing
SW1(config)#vt
SW1(config)#vtp mo
SW1(config)#vtp mode tra
SW1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW1(config)#vla
SW1(config)#vlan 128
SW1(config-vlan)#na
SW1(config-vlan)#name sales
SW1(config-vlan)#exit
SW1(config)#int vlan 128
SW1(config-if)#ip
*Mar 1 01:06:00.052: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to down
SW1(config-if)#ip add
SW1(config-if)#ip address 10.0.128.1 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#int f1/0/4
SW1(config-if)#no swi
SW1(config-if)#no switchport
SW1(config-if)#
*Mar 1 01:06:23.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
SW1(config-if)#
*Mar 1 01:06:25.637: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
SW1(config-if)#
*Mar 1 01:06:26.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW1(config-if)#ip add
SW1(config-if)#ip address 10.0.129.1 255.255.255.0
SW1(config-if)#int f1/0/5
SW1(config-if)#swi
SW1(config-if)#switchport mo
SW1(config-if)#switchport mode ac
SW1(config-if)#switchport mode access
SW1(config-if)#swi
SW1(config-if)#switchport ac
SW1(config-if)#switchport access vl
SW1(config-if)#switchport access vlan 128
SW1(config-if)#
*Mar 1 01:08:31.432: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to up
SW1(config-if)#
*Mar 1 01:09:06.656: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to down
*Mar 1 01:09:07.654: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to down
SW1(config-if)#
*Mar 1 01:09:08.653: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to down
SW1(config-if)#
*Mar 1 01:09:13.996: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up
*Mar 1 01:09:15.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to up
SW1(config-if)#
*Mar 1 01:09:42.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to up
SW1(config-if)#exit
SW1(config)#acc
SW1(config)#access-101 per
SW1(config)#access-101 pertc
SW1(config)#access-li
SW1(config)#access-list per
SW1(config)#access-list perm
SW1(config)#access-list 101 per
SW1(config)#access-list 101 permit tc
SW1(config)#access-list 101 permit tcp an
SW1(config)#access-list 101 permit tcp any an
SW1(config)#access-list 101 permit tcp any any e
SW1(config)#access-list 101 permit tcp any any eq
SW1(config)#access-list 101 permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
SW1(config)#access-list 101 permit tcp any any eq www
SW1(config)#access-list 101 permit tcp any any eq www
SW1(config)#acce
SW1(config)#access-li
SW1(config)#access-list 102 permi
SW1(config)#access-list 102 permit tcp an
SW1(config)#access-list 102 permit tcp any hos
SW1(config)#access-list 102 permit tcp any host 10.0.128.254
SW1(config)#int f1/0/4
SW1(config-if)#ip acc
SW1(config-if)#ip acce
SW1(config-if)#ip access-group 101 in
SW1(config-if)#int vlan 128
SW1(config-if)#ip acce
SW1(config-if)#ip access-group 102 out
SW1(config-if)#acce
SW1(config-if)#exit
SW1(config)#acc
SW1(config)#access-li
SW1(config)#access-list 10
SW1(config)#access-list 101 per
SW1(config)#access-list 101 permit t
SW1(config)#access-list 101 permit tcp a
SW1(config)#access-list 101 permit tcp any a
SW1(config)#access-list 101 permit tcp any any eq
SW1(config)#access-list 101 permit tcp any any eq 61727
SW1(config)#acc
SW1(config)#access-li
SW1(config)#access-list 102 per
SW1(config)#access-list 102 permit tc
SW1(config)#access-list 102 permit tcp a
SW1(config)#access-list 102 permit tcp any hos
SW1(config)#acce
SW1(config)#access-li
SW1(config)#access-list 101 permi
SW1(config)#access-list 101 permit ic
SW1(config)#access-list 101 permit icmp any
SW1(config)#access-list 101 permit icmp any an
SW1(config)#access-list 101 permit icmp any any
SW1(config)#acc
SW1(config)#access-li
SW1(config)#access-list 102 permi
SW1(config)#access-list 102 permit icm
SW1(config)#access-list 102 permit icmp an
SW1(config)#access-list 102 permit icmp any ho
SW1(config)#access-list 102 permit icmp any host 10.0.128.254
SW1(config)#do sh ip access-lists
Extended IP access list 101
10 permit tcp any any eq www
20 permit tcp any any eq 61727
30 permit icmp any any (22 matches)
Extended IP access list 102
10 permit tcp any host 10.0.128.254
20 permit icmp any host 10.0.128.254
SW1(config)#^Z
SW1#
*Mar 1 02:07:06.595: %SYS-5-CONFIG_I: Configured from console by console
SW1#
VACL
Base Configuration
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
name sales
exit
!
interface Vlan 128
ip address 10.0.128.1 255.255.255.0
no shutdown
exit
!
interface FastEthernet 1/0/1
switchport mode access
switchport access vlan 128
exit
!
interface FastEthernet 1/0/4
no switchport
ip address 10.0.129.1 255.255.255.0
exit
!
interface FastEthernet 1/0/5
switchport mode access
switchport access vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.101 255.255.255.0
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
privilege level 15
password kotone
login
exit
!
end
Configuration
configure terminal
!
ip access-list extended A-TCP
permit tcp host 10.0.128.101 host 10.0.128.254
permit tcp host 10.0.129.192 host 10.0.128.254
exit
!
ip access-list extended A-IP
permit ip any any
exit
!
vlan access-map V-MAP 10
match ip address A-TCP
action drop
exit
!
vlan access-map V-MAP 20
match ip address A-IP
action forward
exit
!
vlan filter V-MAP vlan-list 128
!
end
The configuration above is equivalent to the following configuration, in which sequence 20 of V-MAP carries no match clause instead of matching A-IP.
configure terminal
!
ip access-list extended A-TCP
permit tcp host 10.0.128.101 host 10.0.128.254
permit tcp host 10.0.129.192 host 10.0.128.254
exit
!
vlan access-map V-MAP 10
match ip address A-TCP
action drop
exit
!
vlan access-map V-MAP 20
action forward
exit
!
vlan filter V-MAP vlan-list 128
!
end
Verification
Console Log
SW1>enable
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routin
SW1(config)#ip routing
SW1(config)#vtp mo
SW1(config)#vtp mode tran
SW1(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
SW1(config)#do sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
128 sales active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0
6 enet 100006 1500 - - - - - 0 0
7 enet 100007 1500 - - - - - 0 0
8 enet 100008 1500 - - - - - 0 0
9 enet 100009 1500 - - - - - 0 0
SW1(config)#vlan 128
SW1(config-vlan)#nam
SW1(config-vlan)#name sales
SW1(config-vlan)#exit
SW1(config)#int vlan 128
SW1(config-if)#ip add
*Mar 1 00:24:13.133: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to down
SW1(config-if)#ip add
SW1(config-if)#ip address 10.0.128.1 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#int f1/0/1
SW1(config-if)#swi
SW1(config-if)#switchport mo
SW1(config-if)#switchport mode a
SW1(config-if)#switchport mode access
SW1(config-if)#swi
SW1(config-if)#switchport ac
SW1(config-if)#switchport access vl
SW1(config-if)#switchport access vlan 12
SW1(config-if)#switchport access vlan 128
SW1(config-if)#int f1/0/5
SW1(config-if)#sw
SW1(config-if)#switchport mo
SW1(config-if)#switchport mode ac
SW1(config-if)#switchport mode access
SW1(config-if)#swi
SW1(config-if)#switchport ac
SW1(config-if)#switchport access vl
SW1(config-if)#switchport access vlan 128
SW1(config-if)#int f1/0/4
SW1(config-if)#no
*Mar 1 00:25:19.688: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to up
SW1(config-if)#no swi
SW1(config-if)#no switchport
SW1(config-if)#ip
*Mar 1 00:25:38.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
SW1(config-if)#ip addre
SW1(config-if)#ip address
*Mar 1 00:25:40.391: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:25:41.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW1(config-if)#ip address swi
SW1(config-if)#ip address 10.0.129.1 255.255.255.0
SW1(config-if)#exit
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit tc
SW1(config-ext-nacl)#permit tcp hos
SW1(config-ext-nacl)#permit tcp host 10.1.128.101 hos
SW1(config-ext-nacl)#permit tcp host 10.1.128.101 host 10.1.128.254
SW1(config-ext-nacl)#per
SW1(config-ext-nacl)#permit tc
SW1(config-ext-nacl)#permit tcp ho
SW1(config-ext-nacl)#permit tcp host 10.1.129.192 ho
SW1(config-ext-nacl)#permit tcp host 10.1.129.192 host 10.1.128.254
SW1(config-ext-nacl)#exit
SW1(config)#vla
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map V-MAP 10
SW1(config-access-map)#ma
SW1(config-access-map)#match ip add
SW1(config-access-map)#match ip address A-TCP
SW1(config-access-map)#ac
SW1(config-access-map)#action dr
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vla
SW1(config)#vlan acce
SW1(config)#vlan access-ma
SW1(config)#vlan access-map V-MAP 20
SW1(config-access-map)#ma
SW1(config-access-map)#match A-IP
^
% Invalid input detected at '^' marker.
SW1(config-access-map)#ma
SW1(config-access-map)#match ip add
SW1(config-access-map)#match ip address A-IP
SW1(config-access-map)#ac
SW1(config-access-map)#action for
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#ip acc
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-IP
SW1(config-ext-nacl)#per
SW1(config-ext-nacl)#permit ip
SW1(config-ext-nacl)#permit ip an
SW1(config-ext-nacl)#permit ip any a
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#exit
SW1(config)#vlan fil
SW1(config)#vlan filter V-MAP vla
SW1(config)#vlan filter V-MAP vlan-list 128
SW1(config)#^Z
SW1#sh vla
SW1#sh vlan
*Mar 1 01:13:20.017: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh vlan acc
SW1#sh vlan access-m
SW1#sh vlan access-map
Vlan access-map "V-MAP" 10
Match clauses:
ip address: A-TCP
Action:
drop
Vlan access-map "V-MAP" 20
Match clauses:
ip address: A-IP
Action:
forward
SW1#sh ip acce
SW1#sh ip access-lists
Extended IP access list A-IP
10 permit ip any any
Extended IP access list A-TCP
10 permit tcp host 10.1.128.101 host 10.1.128.254
20 permit tcp host 10.1.129.192 host 10.1.128.254
SW1#sh vlan
SW1#sh vlan fi
SW1#sh vlan filter
VLAN Map V-MAP is filtering VLANs:
128
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip acce
SW1(config)#ip access-list ex
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#no per
SW1(config-ext-nacl)#no permit tc
SW1(config-ext-nacl)#exit
SW1(config)#no ip acc
SW1(config)#no ip acce
SW1(config)#no ip access-list exte
SW1(config)#no ip access-list extended A-TCP
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit tcp hos
SW1(config-ext-nacl)#permit tcp host 10.0.128.101 hos
SW1(config-ext-nacl)#permit tcp host 10.0.128.101 host 10.0.128.254
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit tcp
SW1(config-ext-nacl)#permit tcp ho
SW1(config-ext-nacl)#permit tcp host 10.0.129.192 ho
SW1(config-ext-nacl)#permit tcp host 10.0.129.192 host 10.0.128.254
SW1(config-ext-nacl)#^Z
SW1#
*Mar 1 01:20:01.823: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip access-lists
Extended IP access list A-IP
10 permit ip any any
Extended IP access list A-TCP
10 permit tcp host 10.0.128.101 host 10.0.128.254
20 permit tcp host 10.0.129.192 host 10.0.128.254
SW1#sh ip acc
SW1#sh ip acce
SW1#sh ip access-lists
Extended IP access list A-IP
10 permit ip any any
Extended IP access list A-TCP
10 permit tcp host 10.0.128.101 host 10.0.128.254
20 permit tcp host 10.0.129.192 host 10.0.128.254
SW1#sh vla
SW1#sh vlan fil
SW1#sh vlan filter
VLAN Map V-MAP is filtering VLANs:
128
SW1#sh vl
SW1#sh vlan acc
SW1#sh vlan access-ma
SW1#sh vlan access-map
Vlan access-map "V-MAP" 10
Match clauses:
ip address: A-TCP
Action:
drop
Vlan access-map "V-MAP" 20
Match clauses:
ip address: A-IP
Action:
forward
SW1#
Console Log
SW1>enable
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#!
SW1(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
SW1(config)#!
SW1(config)#vlan 128
SW1(config-vlan)# name sales
SW1(config-vlan)#exit
SW1(config)#!
SW1(config)#interface Vlan 128
SW1(config-if)# ip address 10.0.128.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 128
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/4
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.0.129.1 255.255.255.0
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/5
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 128
SW1(config-if)#exit
SW1(config)#!
SW1(config)#
*Mar 1 00:09:33.931: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to down
*Mar 1 00:09:34.116: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
SW1(config)#
*Mar 1 00:09:36.137: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 00:09:37.144: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW1(config)#
*Mar 1 00:10:04.097: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to up
SW1(config)#ip acc
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#per
SW1(config-ext-nacl)#permit tc
SW1(config-ext-nacl)#permit tcp hos
SW1(config-ext-nacl)#permit tcp host 10.0.128.101 host
SW1(config-ext-nacl)#permit tcp host 10.0.128.101 host 10.0.128.254
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit tc
SW1(config-ext-nacl)#permit tcp hos
SW1(config-ext-nacl)#permit tcp host 10.0.129.192 hos
SW1(config-ext-nacl)#permit tcp host 10.0.129.192 host 10.0.128.254
SW1(config-ext-nacl)#exit
SW1(config)#vla
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map V-MAP 10
SW1(config-access-map)#mat
SW1(config-access-map)#match ip add
SW1(config-access-map)#match ip address A-TCP
SW1(config-access-map)#ac
SW1(config-access-map)#action dr
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vla
SW1(config)#vlan fi
SW1(config)#vlan filter V-MAP vla
SW1(config)#vlan filter V-MAP vlan-list 128
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map V-MA
SW1(config)#vlan access-map V-MAP 20
SW1(config-access-map)#ac
SW1(config-access-map)#action for
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#^Z
SW1#
*Mar 1 00:16:43.621: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh vlan fil
SW1#sh vlan filter
VLAN Map V-MAP is filtering VLANs:
128
SW1#sh vlan-ma
SW1#sh vlan acc
SW1#sh vlan access-ma
SW1#sh vlan access-map
Vlan access-map "V-MAP" 10
Match clauses:
ip address: A-TCP
Action:
drop
Vlan access-map "V-MAP" 20
Match clauses:
Action:
forward
SW1#sh ip acce
SW1#sh ip access-lists
Extended IP access list A-TCP
10 permit tcp host 10.0.128.101 host 10.0.128.254
20 permit tcp host 10.0.129.192 host 10.0.128.254
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int vla
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map V-MAP 20
SW1(config-access-map)#ma
SW1(config-access-map)#match a
SW1(config-access-map)#match an
SW1(config-access-map)#match ?
ip IP based match
mac MAC based match
SW1(config-access-map)#match any
^
% Invalid input detected at '^' marker.
SW1(config-access-map)#^Z
SW1#
*Mar 1 00:17:50.277: %SYS-5-CONFIG_I: Configured from console by console
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#per
SW1(config-ext-nacl)#permit icmp host 10.0.128.101 host 10.0.128.254
SW1(config-ext-nacl)#do sh ip access-list
Extended IP access list A-TCP
10 permit tcp host 10.0.128.101 host 10.0.128.254
20 permit tcp host 10.0.129.192 host 10.0.128.254
30 permit icmp host 10.0.128.101 host 10.0.128.254
SW1(config-ext-nacl)#^Z
SW1#sh
*Mar 1 00:22:45.984: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh
PACL
Base Configuration
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
name sales
exit
!
interface Vlan 128
ip address 10.0.128.1 255.255.255.0
no shutdown
exit
!
interface FastEthernet 1/0/1
switchport mode access
switchport access vlan 128
exit
!
interface FastEthernet 1/0/4
no switchport
ip address 10.0.129.1 255.255.255.0
exit
!
interface FastEthernet 1/0/5
switchport mode access
switchport access vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.101 255.255.255.0
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
privilege level 15
password kotone
login
exit
!
end
Configuration
configure terminal
!
ip access-list extended A-TCP1
deny tcp host 10.0.129.192 host 10.0.128.101
permit ip any any
exit
!
ip access-list extended A-TCP2
deny tcp host 10.0.128.101 host 10.0.128.254
permit ip any any
exit
!
interface FastEthernet 1/0/4
ip access-group A-TCP1 in
exit
!
interface FastEthernet 1/0/1
ip access-group A-TCP2 in
exit
!
end
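To check what the RACL, VACL and PACL configurations above actually let through, here is a small offline evaluator for the ACE syntax this page uses. It is an added example, not code from the page or from Cisco; the packet values are constructed, and the VLAN access-map semantics are modelled as commented in the code (a sequence matches on a permit ACE of its match ACL, a sequence without a match clause matches everything, and a packet no sequence matches is dropped).

```python
# Added example (not from the page or Cisco): a small evaluator for the ACE syntax
# this page uses, to show RACL, VACL and PACL match semantics offline.
from collections import namedtuple

PORTS = {"www": 80}  # named ports that appear on this page
Packet = namedtuple("Packet", "proto src dst dport", defaults=(0,))  # dport 0 = n/a

def _ace_matches(ace, pkt):
    """ACE syntax: '<permit|deny> <proto> <any|host A> <any|host B> [eq <port>]'."""
    t, i, addrs = ace.split(), 2, []
    for _ in range(2):                  # source address, then destination address
        addrs.append(None if t[i] == "any" else t[i + 1])
        i += 1 if t[i] == "any" else 2
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return ((t[1] == "ip" or t[1] == pkt.proto)
            and addrs[0] in (None, pkt.src) and addrs[1] in (None, pkt.dst)
            and (port is None or port == pkt.dport))

def acl_permits(acl, pkt):
    """Extended ACL: the first matching ACE decides; implicit deny at the end."""
    for ace in acl:
        if _ace_matches(ace, pkt):
            return ace.split()[0] == "permit"
    return False

def vacl_forwards(access_map, acls, pkt):
    """VLAN access-map as modelled here: sequences are tried in order; a sequence
    matches when the packet hits a permit ACE of its match ACL (deny or no hit
    means 'try the next sequence'); a sequence with no match clause matches
    everything; a packet that no sequence matches is dropped."""
    for match_acl, action in access_map:
        if match_acl is None or acl_permits(acls[match_acl], pkt):
            return action == "forward"
    return False

def demo():
    """The page's three configurations evaluated against constructed packets."""
    web = Packet("tcp", "10.0.129.192", "10.0.128.254", 80)
    web_to_101 = Packet("tcp", "10.0.129.192", "10.0.128.101", 80)
    ping = Packet("icmp", "10.0.128.101", "10.0.128.254")
    ssh_101 = Packet("tcp", "10.0.128.101", "10.0.128.254", 22)
    # RACL: 101 inbound on Fa1/0/4 and 102 outbound on Vlan128 must both permit.
    acl101 = ["permit tcp any any eq www"]
    acl102 = ["permit tcp any host 10.0.128.254 eq www"]
    # VACL: the page's two V-MAP variants (explicit A-IP vs. no match clause)
    # and a map that lacks the trailing forward sequence.
    acls = {"A-TCP": ["permit tcp host 10.0.128.101 host 10.0.128.254",
                      "permit tcp host 10.0.129.192 host 10.0.128.254"],
            "A-IP": ["permit ip any any"]}
    vmap_a = [("A-TCP", "drop"), ("A-IP", "forward")]
    vmap_b = [("A-TCP", "drop"), (None, "forward")]
    vmap_short = [("A-TCP", "drop")]
    # PACL: A-TCP2 inbound on the access port Fa1/0/1.
    a_tcp2 = ["deny tcp host 10.0.128.101 host 10.0.128.254", "permit ip any any"]
    racl = lambda p: acl_permits(acl101, p) and acl_permits(acl102, p)
    return {
        "racl_web_to_254": racl(web),
        "racl_web_to_101": racl(web_to_101),
        "vacl_variants_agree": all(vacl_forwards(vmap_a, acls, p) == vacl_forwards(vmap_b, acls, p)
                                   for p in (web, web_to_101, ping, ssh_101)),
        "vacl_ssh_101_to_254": vacl_forwards(vmap_a, acls, ssh_101),
        "vacl_ping": vacl_forwards(vmap_a, acls, ping),
        "vacl_short_ping": vacl_forwards(vmap_short, acls, ping),
        "pacl_101_to_254_tcp": acl_permits(a_tcp2, ssh_101),
        "pacl_101_to_254_icmp": acl_permits(a_tcp2, ping),
    }
```

The `vmap_short` case is the one to watch in practice: a map whose only sequence is a drop discards every other packet in the VLAN, which is why both V-MAP variants above end with a forward sequence.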
Verification
Console Log
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#!
SW1(config)#ip routing
SW1(config)#!
SW1(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
SW1(config)#!
SW1(config)#vlan 128
SW1(config-vlan)# name sales
SW1(config-vlan)#exit
SW1(config)#!
SW1(config)#interface Vlan 128
SW1(config-if)# ip address 10.0.128.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 128
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/4
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.0.129.1 255.255.255.0
SW1(config-if)#exit
SW1(config)#!
SW1(config)#interface FastEthernet 1/0/5
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 128
SW1(config-if)#exit
SW1(config)#!
SW1(config)#end
SW1#
*Mar 1 20:57:36.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to down
*Mar 1 20:57:36.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
*Mar 1 20:57:37.582: %SYS-5-CONFIG_I: Configured from console by console
SW1#
*Mar 1 20:57:38.873: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to up
*Mar 1 20:57:39.880: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW1#
*Mar 1 20:58:06.833: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan128, changed state to up
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip acc
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP
SW1(config-ext-nacl)#exit
SW1(config)#no ip acce
SW1(config)#no ip access-list exte
SW1(config)#no ip access-list extended A-TCP
SW1(config)#ip acce
SW1(config)#ip access-list ex
SW1(config)#ip access-list extended A-TCP1
SW1(config-ext-nacl)#de
SW1(config-ext-nacl)#den
SW1(config-ext-nacl)#deny tcp host 10.0.129.192 hos
SW1(config-ext-nacl)#deny tcp host 10.0.129.192 host 10.0.128.101
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit ip an
SW1(config-ext-nacl)#permit ip any an
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#exit\
^
% Invalid input detected at '^' marker.
SW1(config-ext-nacl)#exit
SW1(config)#ip acc
SW1(config)#ip acce
SW1(config)#ip access-list exte
SW1(config)#ip access-list extended A-TCP2
SW1(config-ext-nacl)#den
SW1(config-ext-nacl)#deny tcp
SW1(config-ext-nacl)#deny tcp ho
SW1(config-ext-nacl)#deny tcp host 10.0.128.101 hos
SW1(config-ext-nacl)#deny tcp host 10.0.128.101 host 10.0.128.254
SW1(config-ext-nacl)#permi
SW1(config-ext-nacl)#permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
SW1(config-ext-nacl)#permit ip an
SW1(config-ext-nacl)#permit ip any an
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#exit
SW1(config)#int f1/0/4
SW1(config-if)#ip acce
SW1(config-if)#ip access-group A-TCP1 in
SW1(config-if)#no ip access-group A-TCP1 in
SW1(config-if)#ip access-group A-TCP1 in
SW1(config-if)#int f1/0/1
SW1(config-if)#ip acc
SW1(config-if)#ip access-group A-TCP2
% Incomplete command.
SW1(config-if)#ip access-group A-TCP2 in
SW1(config-if)#