Access Control Lists

Scenario
This compares the configuration of an extended ACL designed to only permit SSH and HTTP access to particular servers on an internal network. Logging is also applied to the final deny statement. The ACL is applied inbound on R1’s outside interface.

IOS Config

hostname R1
!
ip access-list extended RESTRICT
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq www
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.2 eq 22
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip access-group RESTRICT in
!

XR Config

hostname R1
!
ipv4 access-list RESTRICT
 10 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq http
 20 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.2 eq ssh
 100 deny ipv4 any any log
!
interface GigabitEthernet0/0/0/0
 ipv4 address 172.16.1.1 255.255.255.0
 ipv4 access-group RESTRICT ingress
!

Back to top