IPv4 Access Control Lists (ACLs)

Configuring and Assigning an IPv4 ACL

Options for Permit/Deny Policies

The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors.

Standard ACL: Uses only a packet's source IPv4 address as a crite­ rion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.

Extended ACL: Offers the following criteria as options for permit­ ting or denying a packet:

source IPv4 address

destination IPv4 address

IPv4 protocol options:

Any IPv4 traffic

Any traffic of a specific IPv4 protocol type (0-255)

Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed

Any UDP traffic (only) or UDP traffic for a specific UDP port

Any ICMP traffic (only) or ICMP traffic of a specific type and code

Any IGMP traffic (only) or IGMP traffic of a specific type

Any of the above with specific precedence and/or ToS settings

For an extended ACL ID, use either a unique number in the range of 100­ 199 or a unique name string of up to 64 alphanumeric characters.

Carefully plan ACL applications before configuring specific ACLs. For more on this topic, refer to “Planning an ACL Application” on page 9-24.

ACL Configuration Structure

After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL. Also, it is helpful to understand the configuration structure when using later sections in this chapter.

The basic ACL structure includes four elements:

1.ACL identity and type: This identifies the ACL as standard or extended and shows the ACL name or number.

2.Optional remark entries.

9-35