Introduction to Network Security


The following commands show an example of how to set logging on an extended IP access-list statement.

    Router(config)# access-list 102 permit tcp 10.4.6.0 0.0.0.255 any eq 80
    Router(config)# access-list 102 deny ip any any log

Note that there is an implicit deny statement at the end of every access list on a Cisco router. This implicit statement blocks all other packets not permitted by the rest of the access-list. However, it does not log these packets. Thus, add the following statements at the end of each extended IP access-list. These statements guarantee that the router logs the source and destination ports of the TCP and UDP traffic it denies.

    Router(config)# access-list 106 deny udp any range 0 65535 any range 0 65535 log
    Router(config)# access-list 106 deny tcp any range 0 65535 any range 0 65535 log
    Router(config)# access-list 106 deny ip any any log

Below are two example access-lists that provide IP address spoof protection. The first example is for inbound traffic to the protected network (e.g., 14.211.150.0).

    Router(config)# access-list 100 deny ip 14.211.150.0 0.0.0.255 any log
    Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
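The behaviour described above (first-match evaluation, wildcard masks where a 0 bit must match and a 1 bit is ignored, the unlogged implicit deny, and the logged deny tail) can be checked offline with a small evaluator. The following is an added illustration written for this page, not Cisco IOS code or code from the original text. It parses the access-list statements quoted above; the logging tail is appended to list 102 rather than kept as list 106 so that the statements form one list, and the final `permit ip any any` on the anti-spoofing list is an assumed line (not on the page) so that legitimate inbound traffic has an entry to match. All packets are constructed sample values.

```python
"""Mini evaluator for Cisco-style extended IP access-lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = (0, 65535)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class AclEntry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: Tuple[int, int]    # (address, wildcard) as integers
    sport: Tuple[int, int]  # inclusive port range
    dst: Tuple[int, int]
    dport: Tuple[int, int]
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tok: List[str], pos: int):
    if tok[pos] == "any":
        return (0, 0xFFFFFFFF), pos + 1
    if tok[pos] == "host":
        return (_ip(tok[pos + 1]), 0), pos + 2
    return (_ip(tok[pos]), _ip(tok[pos + 1])), pos + 2


def _parse_port(tok: List[str], pos: int):
    if pos < len(tok) and tok[pos] == "eq":
        p = int(tok[pos + 1])
        return (p, p), pos + 2
    if pos < len(tok) and tok[pos] == "range":
        return (int(tok[pos + 1]), int(tok[pos + 2])), pos + 3
    return ANY_PORT, pos


def parse_acl_line(line: str) -> AclEntry:
    """Parse one 'access-list N permit|deny proto src [ports] dst [ports] [log]' line."""
    tok = line.split()
    if tok[0].endswith("#"):  # drop a leading "Router(config)#" prompt
        tok = tok[1:]
    if tok[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    action, proto = tok[2], tok[3]
    src, pos = _parse_addr(tok, 4)
    sport, pos = _parse_port(tok, pos)
    dst, pos = _parse_addr(tok, pos)
    dport, pos = _parse_port(tok, pos)
    log = pos < len(tok) and tok[pos] == "log"
    return AclEntry(action, proto, src, sport, dst, dport, log)


def _addr_match(rule: Tuple[int, int], addr: str) -> bool:
    base, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF  # 0 bits in the wildcard must match exactly
    return (_ip(addr) & care) == (base & care)


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, bool]:
    """First matching entry wins; returns (action, logged).
    No match falls through to the implicit deny, which is never logged."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.proto in ("tcp", "udp") and not (
            e.sport[0] <= pkt.sport <= e.sport[1] and e.dport[0] <= pkt.dport <= e.dport[1]
        ):
            continue
        return e.action, e.log
    return "deny", False


# List 102 exactly as on the page: one permit, then only the implicit deny.
ACL_BARE = [parse_acl_line("Router(config)# access-list 102 permit tcp 10.4.6.0 0.0.0.255 any eq 80")]
# Same list with the page's logged deny tail appended (renumbered from 106 to 102).
ACL_LOGGED = ACL_BARE + [parse_acl_line(l) for l in [
    "access-list 102 deny udp any range 0 65535 any range 0 65535 log",
    "access-list 102 deny tcp any range 0 65535 any range 0 65535 log",
    "access-list 102 deny ip any any log",
]]
# Inbound anti-spoofing list from the page; the final permit is an assumed line.
ACL_SPOOF = [parse_acl_line(l) for l in [
    "access-list 100 deny ip 14.211.150.0 0.0.0.255 any log",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 permit ip any any",
]]

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    print(evaluate(ACL_BARE, Packet("tcp", "10.4.6.20", "203.0.113.5", 40000, 22)))    # ('deny', False)
    print(evaluate(ACL_LOGGED, Packet("tcp", "10.4.6.20", "203.0.113.5", 40000, 22)))  # ('deny', True)
    print(evaluate(ACL_SPOOF, Packet("tcp", "14.211.150.9", "14.211.150.20", 1025, 25)))  # ('deny', True)
```

Running it shows the point of the logging tail: the same denied SSH attempt is silently dropped by the bare list but produces a log entry once the explicit `deny ... log` lines are present, and an inbound packet claiming an inside source address (14.211.150.9) is both dropped and logged by the anti-spoofing list.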