Users Guide

Access Control Lists
console(config-ip-acl)#permit tcp 10.1.1.0 0.0.0.255 eq ?
<0-65535> Enter the Layer 4 port number in the range 0 to 65535.
<portkey> Enter a keyword { domain | echo | ftp | ftp-data |
http | smtp | snmp | telnet | tftp | www | bgp |
pop2 | pop3 | ntp | rip | time | who }.
To bind an access list to an interface, use the access-group command. The in
parameter specifies that the ACL is applied to ingress packets. The out
parameter specifies that the ACL is applied to egress packets not generated by
the switch/router. If neither in nor out is specified, the ACL is applied to
ingress packets by default.
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#ip access-group Host10-1-1-23 in
Multiple access lists can be configured on an interface. The processing order
is determined by the last parameter on the access-group command, the sequence
number: the list with the lowest sequence number is processed first, followed
by the list with the next higher sequence number, and so on.
In this example, access list Host10-1-1-23 is processed first, followed by
Host10-1-1-21:
console(config)#ip access-list Host10-1-1-21
console(config-ip-acl)#exit
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#ip access-group Host10-1-1-23 in 1
console(config-if-Gi1/0/1)#ip access-group Host10-1-1-21 in 2
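
The following Python script is an added example, not part of the guide or of the switch software. It audits a saved configuration by applying the binding rules described above: it reports the order in which the ACLs on each interface are processed and lists ACLs that are bound but never defined. The sample configuration and its ACL names are constructed, and placing bindings that have no sequence number last is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample configuration; ACL names are hypothetical.
SAMPLE = """\
ip access-list Web-Clients
exit
ip access-list Mgmt-Hosts
exit
interface gi1/0/1
ip access-group Web-Clients in 2
ip access-group Mgmt-Hosts in 1
exit
interface gi1/0/2
ip access-group Legacy-Block
exit
"""

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")  # pasted CLI prompt, if any
BIND = re.compile(r"^ip access-group (\S+)(?: (in|out))?(?: (\d+))?$")

def audit(config):
    """Return (order, undefined): the ACL processing order for each
    (interface, direction), and bound ACL names that are never defined."""
    defined, iface = set(), None
    bound = defaultdict(list)
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("ip access-list "):
            defined.add(line.split()[2])
            iface = None  # ACL config mode, no longer inside an interface
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif iface and (m := BIND.match(line)):
            name, direction, seq = m.groups()
            # No in/out keyword: the ACL applies to ingress packets.
            bound[(iface, direction or "in")].append(
                (int(seq) if seq else None, name))
    order = {}
    for key, entries in bound.items():
        # Lowest sequence number first. Sorting bindings without a sequence
        # number last is an assumption of this example, not from the guide.
        entries.sort(key=lambda e: (e[0] is None, e[0] or 0))
        order[key] = [name for _, name in entries]
    undefined = sorted({n for e in bound.values() for _, n in e} - defined)
    return order, undefined

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An ACL reported as undefined is a name that an interface references but that has no ip access-list definition in the audited text, which usually indicates a typo in the binding or a partial configuration capture.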