Users Guide

730 Access Control Lists
Allow FTP Traffic Only to an FTP Server
This ACL limits traffic from the router to a directly connected FTP server
(172.16.0.5) on gi1/0/11. Notice that this is an "out" or egress ACL: traffic
arriving at the router from the FTP server is not affected by it. Traffic from
the router to the FTP server is limited to ICMP and to TCP packets destined for
the FTP ports. There is no need to add permit rules for the protocols the
router itself sends to the host (e.g., ARP, ICMP, LLDP), because internally
generated packets are not subject to ACLs. Routing must be enabled for the
router to process ARPs, or they must be allowed by an explicit rule. ICMP from
remote hosts is allowed so that the FTP server can receive ICMP feedback from
clients using the FTP service. Note that the ftp-data (port 20) rule with
"flag established" matches only the return half of active-mode data
connections, in which the server opens the connection from port 20 to the
client; passive-mode data connections terminate on an ephemeral server port
negotiated over the control channel and are not permitted by this list. A
better implementation would narrow the ICMP rule to the messages TCP actually
depends on (destination unreachable, which includes the fragmentation-needed
message used by path MTU discovery, and time exceeded) and drop the rest,
e.g., echo, echo-reply, redirect, timestamp.
console#config
console(config)#ip access-list allow-ftp-server
console(config-ip-acl)#permit tcp any host 172.16.0.5 eq ftp-data flag established
console(config-ip-acl)#permit tcp any host 172.16.0.5 eq ftp
console(config-ip-acl)#permit icmp any any
console(config-ip-acl)#exit
console(config)#interface gi1/0/11
console(config-if-gi1/0/11)#ip access-group allow-ftp-server out
console(config-if-gi1/0/11)#exit
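The narrowed ICMP rule that the paragraph above calls for, as an added example that is not part of the original guide: the same egress list with the blanket "permit icmp any any" replaced by two rules that admit only ICMP type 3 (destination unreachable, which covers the fragmentation-needed message) and type 11 (time exceeded), and only when they are addressed to the server. The "icmp-type" keyword form is assumed from the ACL command syntax that also provides "icmp-message" (used in the next section); the type numbers are the RFC 792 values.

```text
console#config
console(config)#no ip access-list allow-ftp-server
console(config)#ip access-list allow-ftp-server
console(config-ip-acl)#permit tcp any host 172.16.0.5 eq ftp-data flag established
console(config-ip-acl)#permit tcp any host 172.16.0.5 eq ftp
console(config-ip-acl)#permit icmp any host 172.16.0.5 icmp-type 3
console(config-ip-acl)#permit icmp any host 172.16.0.5 icmp-type 11
console(config-ip-acl)#exit
console(config)#interface gi1/0/11
console(config-if-gi1/0/11)#ip access-group allow-ftp-server out
console(config-if-gi1/0/11)#exit
```

The list is removed and recreated because re-entering an existing ACL name appends rules to it rather than replacing them, which would leave the original "permit icmp any any" in place. Echo requests, redirects and timestamps to the server now fall through to the implicit deny at the end of the list, while unreachable and time-exceeded messages from any client still reach it.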
Block Incoming Pings
This ingress ACL blocks incoming pings (ICMP echo requests) on interface
Gi1/0/1 directed to hosts reachable from other ports on the switch. Only the
echo request is denied; echo replies and all other traffic are still accepted,
so hosts behind Gi1/0/1 can continue to ping outward. The explicit "permit
every" entry is given the highest possible sequence number (2147483647) so that
it sits at the end of the list. Without it, the implicit deny-all that
terminates every ACL would drop all other traffic entering Gi1/0/1, not just
pings.
console#config
console(config)#ip access-list no-ping
console(config-ip-acl)#deny icmp any any icmp-message echo
console(config-ip-acl)#2147483647 permit every
console(config-ip-acl)#exit
console(config)#interface gi1/0/1
console(config-if-gi1/0/1)#ip access-group no-ping in
console(config-if-gi1/0/1)#exit