Alcatel-Lucent OmniStack 6300 User Guide
IP standard access-list OUT:
deny host 2.0.0.3
IP ingress mask ACL:
mask host any
mask 255.255.255.0 any
IP egress mask ACL:
mask host any
Console#
5.2 IP extended ACL
Console(config)# access-list ip extended ACL_IN
Console(config-ext-acl)# deny tcp any any
Console(config-ext-acl)# permit tcp 2.0.0.0 255.255.0.0 2.0.0.0 255.255.0.0 precedence 1 source-port 1984 1984 destination-port 80
Console(config-ext-acl)# exit
Console(config)# access-list ip mask-precedence in
Console(config-ip-mask-acl)# mask protocol 255.255.0.0 255.255.0.0 precedence source-port 65535 destination-port 65535
Console(config-ip-mask-acl)# mask protocol any any
Console(config-ip-mask-acl)#exit
Console(config)# access-list ip extended ACL_OUT
Console(config-ext-acl)# deny tcp 2.0.0.0 255.255.0.0 any control-flag 2 2
Console(config-ext-acl)# exit
Console(config)# access-list ip mask-precedence out
Console(config-ip-mask-acl)#mask protocol 255.255.0.0 any control-flag 2
Console(config-ip-mask-acl)#exit
Console(config)# interface ethernet 1/3
Console(config-if)# ip access-group ACL_IN in
Console(config-if)# ip access-group ACL_OUT out
Console(config-if)# exit
You can verify the precedence order with the show command.
ACL_IN has 2 rules
♦ Deny all TCP packets.
♦ Accept all TCP packets from subnet 2.0.0.0/16 with IP precedence 1, source TCP port between 1984 and 2047, and destination port 80. Any port number between 1984 and 2047 yields 1984 when ANDed with the mask 1984.
ACL_OUT has one rule
♦ Deny all SYN packets coming from subnet 2.0.0.0/16. In the TCP header, the SYN flag is bit number 6 of the Control Flag byte (value 2). Therefore, value 2 with mask 2 matches any Control Flag byte that has SYN set.
Because of the mask order, ACL_IN evaluates the permit rule first, then the deny rule.
An incoming TCP packet 2.0.0.2:2000 with precedence 1 -> 2.0.0.8:80 will therefore be accepted, even though it also matches the rule entered first, “deny tcp any any”.
Console#show access-list
IP extended access-list ACL_IN:
permit tcp 2.0.0.0 255.255.0.0 2.0.0.0 255.255.0.0 precedence 1 source-port 1984 1984 destination-port 80
deny tcp any any
…
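The following is an added example, not code from the OmniStack guide or firmware: a small Python model of how the IP extended ACLs above are evaluated under a mask-precedence list. Every compared field is matched as (packet value AND mask) == (rule value AND mask), which is the semantics behind "source-port 1984 1984" and "control-flag 2 2"; rules are ordered by the position of the mask entry that covers them rather than by the order they were typed, which reproduces the show output. The mapping of a rule to a mask entry (same set of compared fields, rule mask a bit-subset of the entry mask), the packet() helper, the decide_ingress/decide_egress helpers and the sample packets are assumptions constructed for this example; the guide does not state how the firmware performs that mapping or what happens when no rule matches.

```python
# Added example (not OmniStack firmware code): model of IP extended ACL evaluation
# with a mask-precedence list. Every compared field is matched bitwise as
# (packet_value & mask) == (rule_value & mask).
# ASSUMPTION: a mask-precedence entry covers a rule when both compare the same set
# of fields and each rule mask is a bit-subset of the entry mask; the guide does not
# state how the firmware really maps rules to entries.
from ipaddress import IPv4Address

TCP = 6        # IP protocol number
SYN = 0x02     # TCP Control Flag bit for SYN (value 2, as in "control-flag 2 2")
ACK = 0x10
PSH = 0x08

def ip(addr):
    return int(IPv4Address(addr))

def ip_field(addr, netmask="255.255.255.255"):
    """(value, mask) for an address field; 'any' means mask 0, i.e. not compared."""
    if addr == "any":
        return (0, 0)
    return (ip(addr), ip(netmask))

def rule(action, **fields):
    """One ACL entry: action plus {field: (value, mask)}."""
    return {"action": action, "fields": fields}

def mask_entry(**masks):
    """One 'mask ...' line of a mask-precedence list; zero masks ('any') are dropped."""
    return {f: m for f, m in masks.items() if m}

def covers(entry, fields):
    """Assumed mapping: same compared fields, and each rule mask fits inside the entry mask."""
    compared = {f: m for f, (_, m) in fields.items() if m}
    return compared.keys() == entry.keys() and all(
        (m & ~entry[f]) == 0 for f, m in compared.items())

def order_rules(rules, mask_list):
    """Rules are evaluated in mask-precedence order, not in the order they were typed."""
    ranked = []
    for r in rules:
        rank = next((i for i, e in enumerate(mask_list) if covers(e, r["fields"])), None)
        if rank is None:
            raise ValueError(f"no mask-precedence entry covers rule: {r}")
        ranked.append((rank, r))
    ranked.sort(key=lambda t: t[0])   # stable sort: same-mask rules keep entry order
    return [r for _, r in ranked]

def matches(r, pkt):
    return all((pkt[f] & m) == (v & m) for f, (v, m) in r["fields"].items())

def evaluate(rules, mask_list, pkt):
    """Action of the first matching rule in precedence order; None if nothing matches."""
    for r in order_rules(rules, mask_list):
        if matches(r, pkt):
            return r["action"]
    return None

# ACL_IN / ACL_OUT and their mask lists, transcribed from the guide's CLI session.
ACL_IN = [
    rule("deny", protocol=(TCP, 0xFF), src=ip_field("any"), dst=ip_field("any")),
    rule("permit", protocol=(TCP, 0xFF),
         src=ip_field("2.0.0.0", "255.255.0.0"), dst=ip_field("2.0.0.0", "255.255.0.0"),
         precedence=(1, 0x7), sport=(1984, 1984), dport=(80, 0xFFFF)),
]
MASK_IN = [
    mask_entry(protocol=0xFF, src=ip("255.255.0.0"), dst=ip("255.255.0.0"),
               precedence=0x7, sport=65535, dport=65535),
    mask_entry(protocol=0xFF),                       # "mask protocol any any"
]
ACL_OUT = [
    rule("deny", protocol=(TCP, 0xFF), src=ip_field("2.0.0.0", "255.255.0.0"),
         dst=ip_field("any"), flags=(SYN, SYN)),    # "control-flag 2 2"
]
MASK_OUT = [mask_entry(protocol=0xFF, src=ip("255.255.0.0"), flags=SYN)]

def packet(src, dst, sport, dport, precedence=0, flags=ACK | PSH):
    """Constructed sample TCP packet (not captured traffic)."""
    return {"protocol": TCP, "src": ip(src), "dst": ip(dst), "precedence": precedence,
            "sport": sport, "dport": dport, "flags": flags}

def decide_ingress(sport, precedence=1):
    """Hypothetical helper: the guide's 2.0.0.2 -> 2.0.0.8:80 packet with a chosen source port."""
    return evaluate(ACL_IN, MASK_IN, packet("2.0.0.2", "2.0.0.8", sport, 80, precedence))

def decide_egress(src, flags):
    """Hypothetical helper: an outgoing packet from src with the given Control Flag byte."""
    return evaluate(ACL_OUT, MASK_OUT, packet(src, "10.0.0.1", 40000, 443, flags=flags))

if __name__ == "__main__":
    print([r["action"] for r in order_rules(ACL_IN, MASK_IN)])   # ['permit', 'deny']
    print(decide_ingress(2000))                 # permit: 2000 & 1984 == 1984
    print(decide_ingress(1983))                 # deny: 1983 & 1984 == 1920
    print(decide_egress("2.0.0.5", SYN | ACK))  # deny: SYN bit set in the flags byte
```

The model makes the two points of the section checkable: the permit rule is consulted before "deny tcp any any" only because its mask entry precedes "mask protocol any any", and a port mask such as 1984 matches a contiguous range (1984 to 2047) while 1983 and 2048 fall through to the deny rule.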
5.3 MAC ACL
Console(config)# access-list ip standard IPIN
Console(config-std-acl)# deny host 2.0.0.1
Console(config-std-acl)# exit
Console(config)# access-list ip mask-precedence in
Console(config-ip-mask-acl)# mask host
Console(config-ip-mask-acl)# exit
Console(config)# access-list mac MACIN