Defining access lists – ATL Telecom R1-SW Ethernet Switch User Manual
Page 217
Configuring Security
10-7
Defining Access Lists
The Corecess R1-SW24L2B provides basic traffic filtering capabilities with access control lists.
You can configure access lists at your system to control access to a network: access lists can
prevent certain traffic from entering or exiting a network.
To define access lists, enter the following command in Privileged mode:
Table 10-2 Defining access lists

Step 1. Command: configure terminal
        Task: Enter the Global configuration mode.

Step 2. Command (one of the following forms):
        access-list <list-number> {permit|deny} <source-ip> [<wildcard>]
        access-list <list-number> {permit|deny} host <host-addr>
        access-list <list-number> {permit|deny} any
        Task: Configure an ACL with the IP addresses you want to allow or deny to access the system.
        - <list-number>: Number of the standard access list (1 ~ 99, 1300 ~ 1999).
        - permit: Permits the frame whose source address matches the condition.
        - deny: Denies the frame whose source address matches the condition.
        - dynamic: Permits the frame whose source address matches the condition dynamically.
        - <source-ip>: The IP address of the source network or host in dotted-decimal form (xxx.xxx.xxx.xxx).
        - <wildcard>: Wildcard bits to be applied to <source-ip>. The wildcard is a four-part value in dotted-decimal
          notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source
          address must match the <source-ip>. Ones mean any value matches.
        - host: Indicates that only the specified IP address is subject to the access action.
        - any: Configures the policy to match on all host addresses.

Step 3. Command: end
        Task: Return to the Privileged mode.

Step 4. Command: show access-list
        Task: Verify the defined access lists.
Note:
- The wildcard is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros.
  Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value
  matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all
  hosts in the Class C sub-net 209.157.22.x match the policy.
- The packets that do not match any entries in an access list are denied.
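The following worked example is added here to illustrate the matching rules described in this section; it is not part of the manual and is not the switch's own software. It parses a constructed access list written in the command syntax shown in Table 10-2 (list numbers, permit/deny, host, any and the optional wildcard), applies the wildcard semantics from the note above (zero bits must match <source-ip>, one bits match anything), evaluates entries top-down with first match winning, and applies the implicit deny for packets that match no entry. It also adds a shadowing check, which is not a feature the page describes: it reports entries that can never match because an earlier entry already covers every address they would match, a common cause of an ACL not filtering what the operator intended.

```python
import ipaddress

# Constructed sample access list in the syntax documented on this page.
# Entries are evaluated top-down; the first matching entry decides the verdict.
SAMPLE_ACL = """
access-list 10 deny host 209.157.22.100
access-list 10 permit 209.157.22.26 0.0.0.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
""".strip().splitlines()

ALL_ONES = 0xFFFFFFFF


def parse_entry(line):
    """Parse one 'access-list <list-number> {permit|deny} ...' line into
    (list_number, action, source_ip, wildcard) with addresses as 32-bit ints."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    list_number = int(tokens[1])
    # Standard access lists use the ranges 1 ~ 99 and 1300 ~ 1999.
    if not (1 <= list_number <= 99 or 1300 <= list_number <= 1999):
        raise ValueError(f"standard access-list number out of range: {list_number}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    if tokens[3] == "any":
        # 'any' matches every address: all wildcard bits set.
        source, wildcard = 0, ALL_ONES
    elif tokens[3] == "host":
        # 'host' matches exactly one address: no wildcard bits set.
        source, wildcard = int(ipaddress.IPv4Address(tokens[4])), 0
    else:
        source = int(ipaddress.IPv4Address(tokens[3]))
        # A missing wildcard is treated as 0.0.0.0 (exact host match).
        wildcard = int(ipaddress.IPv4Address(tokens[4])) if len(tokens) > 4 else 0
    return list_number, action, source, wildcard


def wildcard_match(addr, source, wildcard):
    """Zero bits in the wildcard must match <source-ip>; one bits match any value."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (source & care)


def evaluate(acl_lines, list_number, src):
    """Return 'permit' or 'deny' for a packet with source address src.
    Packets that match no entry of the list are denied (implicit deny)."""
    addr = int(ipaddress.IPv4Address(src))
    for line in acl_lines:
        num, action, source, wildcard = parse_entry(line)
        if num != list_number:
            continue
        if wildcard_match(addr, source, wildcard):
            return action
    return "deny"


def shadowed_entries(acl_lines, list_number):
    """Return the (1-based) positions of entries that can never match because an
    earlier entry of the same list already covers every address they would match."""
    entries = [parse_entry(l) for l in acl_lines]
    entries = [(i + 1, e) for i, e in enumerate(entries) if e[0] == list_number]
    shadowed = []
    for pos, (_, _, src_b, wc_b) in entries:
        for prev_pos, (_, _, src_a, wc_a) in entries:
            if prev_pos >= pos:
                break
            # A covers B if A's wildcard is a superset of B's and the fixed
            # bits of A agree with B on A's fixed positions.
            covers = (wc_a | wc_b) == wc_a and (src_a & ~wc_a & ALL_ONES) == (src_b & ~wc_a & ALL_ONES)
            if covers:
                shadowed.append(pos)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("209.157.22.100", "209.157.22.7", "10.20.30.40", "192.0.2.1"):
        print(ip, "->", evaluate(SAMPLE_ACL, 10, ip))
```

In the sample list the host deny is placed before the subnet permit on purpose: reversing those two lines would make the host entry unreachable, which is exactly what `shadowed_entries` is meant to flag before the list is applied.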