Access control lists (ACLs) perform packet filtering to control the
movement of packets through a network. Packet filtering provides security by
limiting the access of traffic into a network, restricting user and device
access to a network, and preventing traffic from leaving a network. IP access
lists reduce the chance of spoofing and denial-of-service attacks, and allow
dynamic, temporary user access through a firewall.
IP access lists can also be used for purposes other than security, such
as to control bandwidth, restrict the content of routing updates, redistribute
routes, trigger dial-on-demand (DDR) calls, limit debug output, and identify or
classify traffic for quality of service (QoS) features.
An access list is a sequential list that consists of at least one
permit statement and possibly one or more
deny statements. In the case of IP access
lists, these statements can apply to IP addresses, upper-layer IP protocols, or
other fields in IP packets.
Access lists are identified and referenced by a name or a number. Access
lists act as packet filters, filtering packets based on the criteria defined in
each access list.
After you configure an access list, it has no effect until you apply it: either
to an interface (with the ip access-group command), to a vty (with the
access-class command), or by referencing it from any other command that accepts
an access list. Multiple commands can reference the same access list.
In the following configuration, an IP access list named branchoffices is
configured on Ten Gigabit Ethernet interface 4/1/0 and applied to incoming
packets. Networks other than the ones specified by the source address and mask
pairs cannot reach Ten Gigabit Ethernet interface 4/1/0, because a packet that
matches no entry is dropped by the implicit deny at the end of every access
list. The destinations for packets coming from sources on network 172.16.7.0
are unrestricted. The destination for packets coming from sources on network
172.16.2.0 must be 172.31.5.4.
ip access-list extended branchoffices
10 permit 172.16.7.0 0.0.0.3 any
20 permit 172.16.2.0 0.0.0.255 host 172.31.5.4
!
interface tengigabitethernet 4/1/0
ip access-group branchoffices in
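To make the evaluation rules described above concrete, here is an added example (not Cisco's code, and not part of the original page) that parses the branchoffices access list shown above and evaluates a few constructed source/destination pairs against it. It models the three behaviours the text relies on: entries are checked in sequence order, the first matching entry decides, and a packet that matches no entry is denied. Wildcard masks are applied bit-for-bit (a 0 bit must match, a 1 bit is ignored), which is why 0.0.0.3 covers only 172.16.7.0 through 172.16.7.3. The helper names (parse_acl, evaluate, Entry) are this example's own; only the permit/deny, any, host and address/wildcard forms used on this page are parsed, and protocols and ports are not modelled.

```python
"""Simulate how a Cisco IOS extended IP access list evaluates packets.

Added example, not Cisco's code. Entries are checked in sequence order, the
first match wins, and anything that matches no entry hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    src: int         # source address as a 32-bit integer
    src_wild: int    # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: int
    dst_wild: int


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens):
    """Consume one address specifier: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'seq permit|deny [ip] <src> <dst>' lines into Entry objects sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # Skip blank lines, '!' comments and the 'ip access-list extended ...' header.
        if not tokens or tokens[0].startswith("!") or tokens[0] == "ip":
            continue
        seq, action, rest = int(tokens[0]), tokens[1], tokens[2:]
        if rest and rest[0] == "ip":      # optional protocol keyword
            rest = rest[1:]
        src, src_wild, rest = _parse_match(rest)
        dst, dst_wild, rest = _parse_match(rest)
        entries.append(Entry(seq, action, src, src_wild, dst, dst_wild))
    entries.sort(key=lambda e: e.seq)
    return entries


def _matches(addr, base, wild):
    # Compare only the bits where the wildcard is 0.
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def evaluate(entries, src_ip, dst_ip):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for e in entries:
        if _matches(s, e.src, e.src_wild) and _matches(d, e.dst, e.dst_wild):
            return e.action, e.seq
    return "deny", None


# The access list from the page, reproduced verbatim as the sample input.
BRANCHOFFICES = """
ip access-list extended branchoffices
10 permit 172.16.7.0 0.0.0.3 any
20 permit 172.16.2.0 0.0.0.255 host 172.31.5.4
"""

ACL = parse_acl(BRANCHOFFICES)

if __name__ == "__main__":
    # Constructed sample packets (source -> destination).
    for src, dst in [("172.16.7.2", "10.0.0.1"),       # inside the /30, any dst: permit 10
                     ("172.16.7.9", "10.0.0.1"),       # outside 0.0.0.3 wildcard: implicit deny
                     ("172.16.2.200", "172.31.5.4"),   # allowed destination: permit 20
                     ("172.16.2.200", "172.31.5.5"),   # wrong destination: implicit deny
                     ("192.0.2.1", "172.31.5.4")]:     # unlisted source: implicit deny
        print(src, "->", dst, evaluate(ACL, src, dst))
```

The fourth and fifth cases are the ones worth checking when reviewing a real access list: a source that is listed but sends to a destination the entry does not cover, and a source that appears nowhere, both fall through to the implicit deny with no entry recorded, which is also why adding an explicit deny ip any any log as the last entry is a common way to make those drops visible.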