Access Security Guide K/KA/KB.15.15

1. Permit Telnet traffic from 10.10.10.44 to 10.10.20.78, deny all other IPv4 traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IPv4 traffic from any source to any destination. (See "A" in Figure 184 "An extended ACL" (page 271), below.)
2. Permit FTP traffic from 10.10.20.100 (on VLAN 20) to 10.10.30.55 (on VLAN 30). Deny FTP traffic from other hosts on network 10.10.20.0 to any destination, but permit all other IPv4 traffic.
Figure 184 An extended ACL
Figure 185 Configuration commands for extended ACLs
Configuring numbered, extended ACLs
This section describes the commands for performing the following in a numbered, extended ACL:
Creating the ACL by entering the first ACE in the list.
Appending a new ACE to the end of an existing ACL.
Creating or adding to an extended, numbered ACL
This command is an alternative to using ip access-list extended name-str and does
not use the nacl context.
Syntax:
access-list <100-199> <deny | permit> <ip | ip-protocol | ip-protocol-nbr> <any | host <SA> | SA/mask-length | SA <mask>>
If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration, the ACEs in an ACL are automatically assigned consecutive sequence numbers in increments of 10; they can be renumbered with resequence (see "Resequencing the ACEs in an ACL" (page 290)).
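The following is an added example, not taken from this guide or from the switch's own output, that implements requirements 1 and 2 above with the numbered access-list command just described. The prompt name "switch", the choice to apply each ACL inbound on the VLAN where the traffic originates, and the interpretation of "FTP traffic" as TCP ports 21 and 20 are assumptions. The destination-address field, the port comparison operator (eq) and the log keyword are taken from the complete access-list syntax, of which this page shows only the source-address portion; lines beginning with ";" are comments.

```text
; Added example (not from the guide). Typed at the global config prompt;
; the numbered form does not enter the nacl context.
; Assumed: prompt "switch", RACL applied with "in" on the originating VLAN,
; FTP = TCP/21 (control) and TCP/20 (active-mode data).

; Requirement 1: ACL 101, applied to traffic routed in from VLAN 10.
; ACEs are evaluated top down and the first match wins, so the single
; permitted Telnet flow must come before the subnet-to-subnet deny, and an
; explicit "permit ip any any" is required because every ACL ends with an
; implicit deny. These three ACEs receive sequence numbers 10, 20, 30.
switch(config)# access-list 101 permit tcp host 10.10.10.44 host 10.10.20.78 eq 23
switch(config)# access-list 101 deny ip 10.10.10.0/24 10.10.20.0/24 log
switch(config)# access-list 101 permit ip any any
switch(config)# vlan 10 ip access-group 101 in

; Requirement 2: ACL 102, applied to traffic routed in from VLAN 20.
; The permitted host is matched first; other hosts in 10.10.20.0/24 are
; then denied FTP to any destination; everything else is permitted.
; Passive-mode FTP data connections use negotiated high ports and are NOT
; caught by these port-based ACEs; only the control channel (21) and
; active-mode data channel (20) are.
switch(config)# access-list 102 permit tcp host 10.10.20.100 host 10.10.30.55 eq 21
switch(config)# access-list 102 permit tcp host 10.10.20.100 host 10.10.30.55 eq 20
switch(config)# access-list 102 deny tcp 10.10.20.0/24 any eq 21 log
switch(config)# access-list 102 deny tcp 10.10.20.0/24 any eq 20 log
switch(config)# access-list 102 permit ip any any
switch(config)# vlan 20 ip access-group 102 in
```

Because each access-list command appends to the end of the list, entering the ACEs in a different order changes the result: if the deny ACE for 10.10.10.0/24 were entered before the Telnet permit, the permit would never be reached. The log keyword on the deny ACEs records denied packets, which is the usual way to confirm an ACL is blocking what was intended and to spot hosts attempting the blocked traffic.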
Configuring 271