Chapter 6
Configuring the MWR 1941-DC in a Cell Site DCN
Implicit Masks in Access Lists Examples
IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host
address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example
configuration:
access-list 1 permit 0.0.0.0
access-list 1 permit 131.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
For this example, the following masks are implied in the first two lines:
access-list 1 permit 0.0.0.0 0.0.0.0
access-list 1 permit 131.108.0.0 0.0.0.0
The last line in the configuration (using the deny keyword) can be left off, because IP access lists
implicitly deny all other access. Leaving off the last line in the configuration is equivalent to finishing
the access list with the following command statement:
access-list 1 deny 0.0.0.0 255.255.255.255
The following access list only allows access for those hosts on the three specified networks. It assumes
that subnetting is not used; the masks apply to the host portions of the network addresses. Any hosts with
a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0
access-list 1 permit 128.88.0.0
access-list 1 permit 36.0.0.0
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the address mask that is all
0s from the access-list global configuration command. Thus, the following two configuration commands
are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3
Extended Access List Examples
In the following example, the first line permits any incoming TCP connections with destination ports
greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer
Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error
feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
interface ethernet 0
ip access-group 102 in
For another example of using an extended access list, suppose you have a network connected to the
Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the
Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet
except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same two port numbers are used throughout the life of the connection. Mail packets coming in from the
Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The
fact that the secure system behind the router always will be accepting mail connections on port 25 is what
makes possible separate control of incoming and outgoing services. The access list can be configured on
either the outbound or inbound interface.
OL-11503-01
0.0.0.255
0.0.255.255
0.255.255.255
0.0.0.0
Cisco MWR 1941-DC Mobile Wireless Edge Router Software Configuration Guide
Filtering IP Packets Using Access Lists
6-61