IPv4 ACL Configuration

| Command | Description |
|---|---|
| #configure terminal | Enter configure mode. |
| (config)#ip access-list T1 | Create an IP access list named T1. |
| (config-ip-acl)#deny any host 1.1.1.1 any | Create an access rule that denies IP packets with source address 1.1.1.1. |
| (config-ip-acl)#permit any 1.1.1.1/24 any | Create an access rule that permits IP packets with a source address in the 1.1.1.1/24 subnet. |
| (config-ip-acl)#exit | Exit access list mode. |
| (config)#interface xe10 | Enter interface mode. |
| (config-if)#no switchport | Configure the interface as a Layer 3 interface. |
| (config-if)#ip address 1.1.1.3/24 | Assign an IP address to the interface. |
| (config-if)#ip access-group T1 in | Apply access group T1 to inbound traffic on the interface. |
| (config-if)#end | Exit interface mode and configure mode. |
Validation

Use the commands below to verify the match count. When inbound IP packets with source address 1.1.1.1 reach interface xe10, the match count for access rule 10 increases by the number of packets sent. Because rule 10 is evaluated first, these packets never reach rule 20, even though 1.1.1.1 also falls inside 1.1.1.1/24.

```
#show ip access-lists T1
IP access list T1
10 deny any host 1.1.1.1 any [match=200]
20 permit any 1.1.1.1/24 any
default deny-all
```

When inbound IP packets with a source address in the range 1.1.1.2 to 1.1.1.254 reach interface xe10, the match count for access rule 20 increases by the number of packets sent. Packets that match neither rule are dropped by the implicit `default deny-all` entry.

```
#show ip access-lists T1
IP access list T1
10 deny any host 1.1.1.1 any
20 permit any 1.1.1.1/24 any [match=2000]
default deny-all
```

Note: Use the command `clear ip access-list counters` to clear the statistics of all ACLs, or `clear ip access-list <access-list name> counters` to clear the statistics of a particular ACL.
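The following is an added example, not part of the original page or the switch vendor's software: a small Python model of the first-match evaluation and per-rule counters described above, fed with constructed traffic so the counters come out as in the two `show ip access-lists T1` outputs. It assumes a simplified rule syntax in which only the source address is evaluated (protocol and destination are always `any`), and it also lets you reverse the rule order to see how a permit placed before the deny would shadow it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source prefix the rule matches on
    matches: int = 0             # the [match=N] counter from 'show ip access-lists'

def parse_rule(line: str) -> Rule:
    # Page syntax '<seq> <action> any <source> any'; only the source is evaluated (assumption).
    seq, action, _proto, *rest = line.split()
    if rest[0] == "host":                 # single address, e.g. 'host 1.1.1.1'
        src = ipaddress.ip_network(rest[1] + "/32")
    elif rest[0] == "any":
        src = ipaddress.ip_network("0.0.0.0/0")
    else:                                 # prefix form, e.g. '1.1.1.1/24'
        src = ipaddress.ip_network(rest[0], strict=False)
    return Rule(int(seq), action, src)

class AccessList:
    def __init__(self, rule_lines):
        self.rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r.seq)
        self.default_denied = 0           # hits on the implicit 'default deny-all'
    def evaluate(self, src_ip: str) -> str:
        # First match wins: the lowest sequence number containing the source decides.
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if ip in rule.src:
                rule.matches += 1
                return rule.action
        self.default_denied += 1
        return "deny"
    def counters(self) -> dict:
        return {**{r.seq: r.matches for r in self.rules}, "default": self.default_denied}

# Rules exactly as the page's 'show ip access-lists T1' prints them.
T1_RULES = ["10 deny any host 1.1.1.1 any", "20 permit any 1.1.1.1/24 any"]

# Constructed traffic: 200 packets from 1.1.1.1, 2000 from other /24 hosts, 5 from outside.
TRAFFIC = (["1.1.1.1"] * 200
           + [f"1.1.1.{2 + i % 253}" for i in range(2000)]
           + ["2.2.2.2"] * 5)

def run_traffic(rule_lines, sources) -> dict:
    acl = AccessList(rule_lines)
    for src in sources:
        acl.evaluate(src)
    return acl.counters()   # {10: 200, 20: 2000, 'default': 5} for T1_RULES and TRAFFIC
```

Swapping the two rules (permit the /24 at sequence 10, deny the host at 20) moves all 2200 in-subnet hits to rule 10 and leaves the deny with zero matches, which is exactly the misordering a `show ip access-lists` counter check is meant to catch.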
Last modified date: 08/28/2023