ACL APPLICATION
ACL Classification

ACL Type       Number Range
Basic ACL      2000-2999
Advanced ACL   3000-3999
Layer 2 ACL    4000-4999

Basic ACL Configuration

/ Create ACL: acl [ ipv6 ] [ name acl-name ] [ number acl-number ] [ match-order { auto | config } ]
  (config: rules are tried in ascending rule-id order; auto: depth-first, the most specific rule, i.e. the one with the longest wildcard-mask match, wins regardless of its rule-id)
/ Configure rules for ACL: rule [ rule-id ] { deny | permit }
/ Configure ACL step (5 by default): step step
  (the step is the increment between automatically assigned rule-ids; changing it renumbers the existing rules)

Matching Scenarios

/ Matched: the ACL exists and contains a rule the packet conforms to; the action of that rule (permit or deny) is applied.
/ Mismatched: the ACL does not exist, the ACL contains no rules, or the packet conforms to none of its rules. What happens to a mismatched packet is decided by the service the ACL is applied to, not by the ACL itself.
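The three configuration steps above, worked through as an added example that is not part of the original page: a basic ACL that permits one management subnet and one host and ends with an explicit catch-all deny. The ACL number, the addresses and the description are assumptions chosen for illustration; the lines beginning with '#' are annotations, not CLI input.

```text
# Added example, not from the original page. ACL 2000, 10.0.10.0/24 and
# 10.0.20.1 are assumed values.
system-view
 acl number 2000 match-order config       # config: evaluate in rule-id order
  description MGMT-ONLY
  step 5                                  # 5 is the default; rule-ids become 5, 10, 15 ...
  rule 5 permit source 10.0.10.0 0.0.0.255   # wildcard mask: 0 bits must match, 1 bits are ignored
  rule 10 permit source 10.0.20.1 0          # single host: mask 0, every bit must match
  rule 15 deny                               # explicit catch-all, independent of where the ACL is applied
  quit
 display acl 2000                         # verify rule-ids, order and hit counts
```

With match-order auto instead of config, rule 10 would be tried before rule 5 because its mask is more specific; with config the rule-ids decide, so a broad permit placed with a low rule-id shadows every more specific deny after it. Check the order with display acl before binding the ACL to a service.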

Necessary Information to Define Rules of ACL

(field matrix rebuilt from the field names on the page; which ACL type can match which field follows the documented behaviour of basic, advanced and Layer 2 ACLs)

Field                                   Basic ACL   Advanced ACL   Layer 2 ACL
L3  Source IP                           yes         yes            -
L3  Destination IP                      -           yes            -
L3  Protocol (IP, GRE, IGMP, IPinIP,    -           yes            -
    OSPF, TCP, UDP, ICMP)
L3  Priority / ToS / DSCP               -           yes            -
L3  Fragment flag                       yes         yes            -
L4  Source port                         -           yes            -
L4  Destination port                    -           yes            -
L4  TCP flag (e.g. SYN)                 -           yes            -
L4  ICMP type                           -           yes            -
L2  Source MAC                          -           -              yes
L2  Destination MAC                     -           -              yes
L2  L2 protocol type                    -           -              yes
L2  VLAN ID                             -           -              yes
L2  802.1p                              -           -              yes
Other  Time range                       yes         yes            yes
Other  VPN instance                     yes         yes            -

A basic ACL sees only the source address (plus fragment flag, time range and VPN instance), so any rule that must constrain the destination, the protocol or a port needs an advanced ACL. MAC addresses and VLAN tags matched by a Layer 2 ACL are set by the sending host and are trivially spoofed on the same segment, so a Layer 2 ACL limits accidents rather than a determined peer.
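Rules that exercise the fields in the matrix above, as an added example that is not part of the original page: an advanced ACL using L3 and L4 fields and a Layer 2 ACL using MAC and VLAN fields. ACL numbers, addresses, the MAC address, the VLAN and the WORK time range are assumptions made for illustration; '#' lines are annotations, not CLI input.

```text
# Added example, not from the original page. All numbers, addresses and names are assumed.
system-view
 time-range WORK 08:00 to 18:00 working-day
 acl number 3000                          # advanced ACL: L3 + L4 fields
  rule 5 permit tcp source 10.0.10.0 0.0.0.255 destination 10.0.0.1 0 destination-port eq 22
  rule 10 permit icmp source 10.0.10.0 0.0.0.255 destination 10.0.0.1 0 icmp-type echo
  rule 15 deny tcp destination 10.0.0.1 0 destination-port eq 23 tcp-flag syn   # TCP flag: SYN to the Telnet port
  rule 20 deny ip destination 10.0.0.1 0 fragment            # non-initial fragments carry no L4 header, so port rules never see them
  rule 25 permit ip dscp ef time-range WORK                   # L3 priority field, valid only inside the time range
  rule 30 deny ip                                             # explicit catch-all
  quit
 acl number 4000                          # Layer 2 ACL: MAC and VLAN fields
  rule 5 permit source-mac 00e0-fc12-3456 ffff-ffff-ffff vlan-id 10
  rule 10 deny vlan-id 10
  quit
```

Rule 20 is the one practitioners most often forget: without it a non-initial fragment addressed to the device matches neither the port-based permits nor the port-based denies, and whether it gets through then depends on the catch-all and on the service the ACL is bound to.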

ACL Applications

/ Apply ACL to Telnet: user-interface vty first-ui-number [ last-ui-number ] / acl acl-number { inbound | outbound }
/ Apply ACL to FTP: ftp [ ipv6 ] acl acl-number
/ Apply ACL to TFTP: tftp-server [ ipv6 ] acl acl-number
/ Apply ACL to SNMP: snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl acl-number ]
/ Apply ACL to Route Policy: route-policy route-policy-name { permit | deny } node node / if-match acl { acl-number | acl-name }
/ Apply ACL to Traffic Policy: traffic classifier classifier-name [ operator { and | or } ] / if-match [ ipv6 ] acl { acl-number | name acl-name }
/ Apply ACL to NAT (interface view): nat outbound acl-number { address-group group-index [ no-pat ] | interface loopback interface-number }

/ Apply ACL to Filter Policy (protocol view): filter-policy { acl-number | acl-name acl-name } import / filter-policy { acl-number | acl-name acl-name } export [ protocol [ process-id ] ]
/ Apply ACL to Multicast Policy (PIM view): pim [ vpn-instance vpn-instance-name ] / source-policy { acl-number | acl-name acl-name }
/ Apply ACL to CPU Defend Policy: cpu-defend-policy policy-name [ global | slot slot-id ] / blacklist blacklist-id acl acl-number
/ Apply ACL to IPSec Policy: ipsec policy policy-name seq-number isakmp or ipsec policy-template template-name seq-number / security acl { acl-number | name acl-name }
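Four of the bindings above put together, as an added example that is not part of the original page: a basic ACL on the VTY user interfaces and on FTP, a second basic ACL on an SNMP community, and an advanced ACL driving a traffic policy that drops Telnet to the device. ACL numbers, subnets, the community string, the classifier, behavior and policy names and the interface are assumptions chosen for illustration; '#' lines are annotations, not CLI input.

```text
# Added example, not from the original page. All numbers, addresses and names are assumed.
system-view
 acl number 2000                                 # management stations
  rule 5 permit source 10.0.10.0 0.0.0.255
  rule 10 deny                                    # explicit, so the outcome does not depend on the service's default
  quit
 acl number 2001                                 # SNMP poller only
  rule 5 permit source 10.0.10.5 0
  rule 10 deny
  quit
 acl number 3000                                 # Telnet from the user subnet to the device
  rule 5 permit tcp source 10.0.20.0 0.0.0.255 destination 10.0.0.1 0 destination-port eq 23
  quit
 user-interface vty 0 4
  authentication-mode aaa
  protocol inbound ssh
  acl 2000 inbound                                # login control
  quit
 ftp acl 2000
 snmp-agent community read cipher Ro-Comm-9xK acl 2001
 traffic classifier TELNET-TO-DEVICE
  if-match acl 3000                               # traffic that ACL 3000 permits enters the classifier
  quit
 traffic behavior DROP
  deny
  quit
 traffic policy BLOCK-TELNET
  classifier TELNET-TO-DEVICE behavior DROP
  quit
 interface GigabitEthernet0/0/1
  traffic-policy BLOCK-TELNET inbound
  quit
```

Note the asymmetry. In ACL 3000 the rule is a permit and the drop comes from the traffic behavior: the classifier only collects what the ACL permits, and a packet that matches no rule of ACL 3000 never enters the classifier and is forwarded normally, so a traffic policy gives no implicit deny. In ACLs 2000 and 2001 the final deny is written out so that the same ACL behaves identically when reused on another service.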


Default action: the implicit deny usually attributed to ACLs holds only for some of the services above. The fate of a packet that matches no rule is decided by the service the ACL is applied to: a VTY user interface, FTP, TFTP or SNMP rejects access whose source matches no rule, whereas a traffic policy or a route-policy simply treats the packet or route as not matching the classifier or node, so it is not dropped or filtered by the ACL. Do not rely on that implicit behaviour; end every ACL with an explicit deny (or permit) rule so the result is the same wherever the ACL is reused, and verify it with display acl before binding.