Configuring Layer 3 IP Extended ACL

This section explains the steps to create Permit and Deny rules for IP and Layer 3 protocol types.

Configuring Permit Rule for Layer 3 Protocol Type

  1. To configure the IP Extended filter as Permit, execute the following commands.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Create an IP Extended Filter and enter the IP Extended ACL Configuration Mode.
    iS5comm(config)# ip access-list extended 1001
    • Configure the action as 'permit' for the IP Extended Filter.
    iS5comm(config-ext-nacl)# permit ospf any any
    • Exit the IP Extended Configuration Mode.
    iS5comm(config-ext-nacl)# exit
  2. Configure a filter at the ingress direction. The filter is applied on the hardware when it is installed in Port 1.

    Type the following:

    • Enter the Global Configuration Mode, and then Interface Configuration Mode.
    iS5comm# configure terminal
    iS5comm(config)# interface gigabitethernet 0/1
    • Configure an ACL for the gigabitethernet 0/1 port on the ingress side.
    iS5comm(config-if)# ip access-group 1001 in
    • Exit the Interface Configuration Mode.
    iS5comm(config-if)# end
  3. View the configuration by executing the following command.

    Type the following:

    iS5comm# show access-lists ip 1001
    Extended IP Access List 1001
    ----------------------------
    Filter Priority                  : 1
    Filter Protocol Type             : OSPF
    IP address Type                  : IPV4
    Source IP address                : 0.0.0.0
    Source IP address mask           : 0.0.0.0
    Source IP Prefix Length          : 0
    Destination IP address           : 0.0.0.0
    Destination IP address mask      : 0.0.0.0
    Destination IP Prefix Length     : 0
    Flow Identifier                  : 0
    In Port List                     : Gi0/1
    Out Port List                    : NIL
    Filter TOS                       : Invalid combination
    Filter DSCP                      : NIL
    Filter Action                    : Permit
    Redirect Port List               : NIL
    TrafficDistField                 : Unknown
    Sub Action                       : NONE
    Sub Action Id                    : 0
    Status                           : Active

Configuring Deny Rule for Layer 3 Protocol Type

  1. To configure the IP Extended filter as Deny, execute the following commands.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Create an IP Extended Filter and enter the IP Extended ACL Configuration Mode.
    iS5comm(config)# ip access-list extended 1002
    • To filter the packets, configure the action for the IP Extended Filter as Deny.
    iS5comm(config-ext-nacl)# deny ospf any any
    • Exit the IP Extended Configuration Mode.
    iS5comm(config-ext-nacl)# exit
  2. Configure a filter for Port 1 at the ingress direction.

    Type the following:

    • Enter the Global Configuration Mode, and then Interface Configuration Mode.
    iS5comm# configure terminal
    iS5comm(config)# interface gigabitethernet 0/1
    • Configure an ACL for the gigabitethernet 0/1 port on the ingress side.
    iS5comm(config-if)# ip access-group 1002 in
    • Exit the Interface Configuration Mode.
    iS5comm(config-if)# end
  3. View the configuration by executing the following command.

    Type the following:

    iS5comm# show access-lists ip 1002
    Extended IP Access List 1002
    ----------------------------
    Filter Priority                  : 1
    Filter Protocol Type             : OSPF
    IP address Type                  : IPV4
    Source IP address                : 0.0.0.0
    Source IP address mask           : 0.0.0.0
    Source IP Prefix Length          : 0
    Destination IP address           : 0.0.0.0
    Destination IP address mask      : 0.0.0.0
    Destination IP Prefix Length     : 0
    Flow Identifier                  : 0
    In Port List                     : Gi0/1
    Out Port List                    : NIL
    Filter TOS                       : Invalid combination
    Filter DSCP                      : NIL
    Filter Action                    : Deny
    Redirect Port List               : NIL
    TrafficDistField                 : Unknown
    Sub Action                       : NONE
    Sub Action Id                    : 0
    Status                           : Active
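
Added example (not part of the vendor documentation): a Python check that parses captured `show access-lists ip` output and confirms each filter has the intended action, protocol, ingress port and Active status. The sample text is constructed from the output format shown above, with ACL 1002 deliberately left unbound to show a failed check; the function names and the comma-separated port-list handling are assumptions.

```python
import re

# Constructed sample in the "show access-lists ip" format; ACL 1002 is left unbound on purpose.
SAMPLE = """\
Extended IP Access List 1001
----------------------------
Filter Priority                  : 1
Filter Protocol Type             : OSPF
In Port List                     : Gi0/1
Out Port List                    : NIL
Filter Action                    : Permit
Status                           : Active

Extended IP Access List 1002
----------------------------
Filter Priority                  : 1
Filter Protocol Type             : OSPF
In Port List                     : NIL
Out Port List                    : NIL
Filter Action                    : Deny
Status                           : Active
"""

HEADER = re.compile(r"^\s*Extended IP Access List (\d+)\s*$")
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_acls(text):
    """Return {acl_id: {field_name: value}} from 'show access-lists ip' text."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = acls.setdefault(int(m.group(1)), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return acls

def audit(acl, action, protocol, in_port):
    """List mismatches between a parsed ACL and the intended rule."""
    want = {"Filter Action": action, "Filter Protocol Type": protocol, "Status": "Active"}
    problems = [f"{k}: expected {v!r}, got {acl.get(k)!r}" for k, v in want.items() if acl.get(k) != v]
    ports = [p.strip() for p in acl.get("In Port List", "").split(",")]  # assumed comma-separated
    if in_port not in ports:
        problems.append(f"not bound to ingress port {in_port} (In Port List: {acl.get('In Port List')!r})")
    return problems
```

An empty list from `audit()` means the filter matches the intended rule; a rule that was created but never applied with `ip access-group` shows up as an unbound ingress port.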