
ACL - Access Control List - Cisco Learning Network
This means, for example, that if you want to block traffic from 10.0.0.0/8 and permit all other traffic, you MUST specify the permit entry; if you don't permit traffic, the implicit deny-all will prevent any IP traffic from traversing the interface where the ACL is applied. There are two types of ACL: standard ACL; extended ACL; STANDARD ACL:
ACL permit or deny - Cisco Learning Network
permit ip any host 224.0.0.102. permit tcp any any eq domain. permit DHCP** permit tcp any any eq www. permit tcp any any eq ftp. permit tcp any any eq pop3. permit tcp any any eq smtp. permit icmp any any echo-reply. permit ip x.x.x.x m.m.m.m x.x.x.x m.m.m.m (X times as necessary) Or, use denying ACEs to deny only what's forbidden?
reflexive access-list how do i permit traceroute? - Cisco Learning …
permit ospf any any. deny ip any any log!!! ip access-list extended OUTBOUND. permit icmp any any reflect RETURN timeout 300. permit udp any any reflect RETURN timeout 300. permit tcp host 3.3.3.3 host 1.1.1.1 eq telnet reflect RETURN timeout 30. deny ip any any log! Because when I traceroute from R3 loopback 0 to R1 loopback 0
Is the command "access-list 100 permit ip any any" allow …
The below is basically just nullifying the need for an ACL, if permit's all that you use there. Had the first statement been deny, you would need a permit ip any any, to permit every other traffic but the ICMP from 1.1.1.1 to 2.2.2.2. Remember, ACL is processed sequentially. access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
Route-maps and how they apply to permit/deny ACL/Prefix-lists
ACL - Always Permit, Route map - Permit / Deny I would like to suggest the first option, as it's easier that anyone can understand the setup easily, while configuring only ACL or ACL with route map. So, we can consider ACL are just as permit / deny statements, if the network segments match, and Route map as matching statements.
ACL - Cisco Learning Network
I assume this is the reason why I didn't need to make the extra Permit rule for Rtr Ctrl DHCP going back to Rtr Charly, and if it wasn't part of the rip network I would need to make the second permit rule on the ACL as your BGP example? I didn't get your DHCP point but for the BGP, yes you need another ACL permit statement. Regards, Deepak Kumar
Simple extended ACL and SSH - Cisco Learning Network
I want to set up extended ACL to allow SSH access from R4 and deny other traffic. When the permit statement is ' permit ip host 10.0.12.2 any ', the SSH from R4 works, as indicated by '(2 matches)'. When the permit statement is ' permit ip host 10.0.12.2 host 10.0.12.1 ' , …
Standard ACLs: permit/deny for a single address - Cisco Learning …
In chap 22 of Wendell Odom's book, the acl command for one particular address does not include the 0.0.0.0 wildcard at the end: access-list 1 permit 10.1.1.1 but in the lab for this chapter, the command for one particular address does include the "0.0.0.0" at the end:
ACL issue - Cisco Learning Network
Create a Numbered IP ACL 120. Permit any outside host to access DNS, SMTP, and FTP services on server PC-A, deny any outside host access to HTTPS services on PC-A, and permit PC-C to access R1 via SSH. (PC-A IP address is 192.168.1.3 & PC-C IP address is 192.168.3.3). Apply the access list to incoming traffic on interface S0/0/0.
COPP ACL Permit Deny Statement - Cisco Learning Network
If you want the other traffic to be policed, you have to add a permit statement to your ACL (haven't tried it, but I think so) ... If I configure access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq TELNET I am telling the router to identify Telnet traffic to the Router and police the traffic according to what I have set in the policy-map.