The example shown in Figure 1 denies FTP traffic from subnet 192.168.11.0 that is going to subnet 192.168.10.0, but permits all other traffic. Note the use of wildcard masks and the implicit deny any at the end of the list, which the final permit statement is there to override. Remember that FTP uses two TCP ports: 21 for the control connection (port name ftp) and 20 for active-mode data transfers (port name ftp-data); therefore the ACL requires both port name keywords ftp and ftp-data, or eq 21 and eq 20, to deny FTP. In passive-mode FTP the data connection uses a port chosen by the server rather than port 20, but denying the control connection on port 21 is still enough to prevent the session from being established.

Port numbers may be used in place of port names. For example, a pair of statements in ACL 114 permitting FTP from the 192.168.20.0/24 network to any destination would be written with port numbers as:

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21

To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added. Without at least one permit statement, every packet checked against the ACL falls through to the implicit deny and is dropped on the interface where the ACL is applied. The ACL should be applied inbound on interface G0/1, which connects to the 192.168.11.0/24 LAN, so that traffic from that LAN is filtered as it enters the router.

The example shown in Figure 2 denies Telnet traffic from any source to the 192.168.11.0/24 LAN, but allows all other IP traffic. Because traffic destined for the 192.168.11.0/24 LAN leaves the router through interface G0/1, the ACL is applied to G0/1 with the out keyword. Note the use of the any keyword for both source and destination in the permit statement; it is added to ensure that no other traffic is blocked.

Note: The examples in Figures 1 and 2 both use the permit ip any any statement at the end of the ACL. For greater security, the final statement can be restricted to the addresses that should legitimately appear on that interface. In the Figure 1 ACL, applied inbound on G0/1, permit ip 192.168.11.0 0.0.0.255 any permits only packets sourced from the attached LAN, so packets with a spoofed source address fall through to the implicit deny (an extended ACL statement requires the protocol keyword, here ip). In the Figure 2 ACL, applied outbound on G0/1, the corresponding restriction is permit ip any 192.168.11.0 0.0.0.255.
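To make the matching rules above concrete, the following is an added example written for this page; it is not Cisco code and not part of the original material. It parses access-list statements in the form used above, applies wildcard masks and first-match semantics, and falls through to the implicit deny when nothing matches. The ACL numbers 103 and 104, the exact statement order, and the test packets are assumed or constructed, since the figures themselves are not reproduced here.

```python
"""Toy evaluator for Cisco IOS-style numbered extended ACLs.

Added example for this page, not Cisco code. It parses access-list statements
in the form used on the page and applies first-match semantics with the
implicit 'deny any' at the end of every list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port-name keywords that appear on the page, mapped to TCP port numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (any IP protocol), "tcp" or "udp"
    src: tuple            # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int]  # destination port from "eq ...", or None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1   # all-ones wildcard: every bit is "don't care"
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t):
        # Only 'eq <port>' on TCP/UDP is modelled; 'ip' entries take no port.
        if proto not in ("tcp", "udp") or t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported port match: {line!r}")
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    """Parse a block of access-list lines, skipping blanks and '!' comments."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def _wild_match(pkt_addr, rule):
    """Wildcard match: a 1 bit in the wildcard means that bit is not compared."""
    addr, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (pkt_addr ^ addr) & care == 0


def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching ACE wins."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wild_match(s, ace.src) and _wild_match(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # the implicit 'deny any' at the end of every ACL


# Figure 1 as described in the text (ACL number 103 and statement order assumed):
# deny FTP from 192.168.11.0/24 to 192.168.10.0/24, permit everything else.
FIGURE1_ACL = parse_acl("""
access-list 103 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp
access-list 103 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp-data
access-list 103 permit ip any any
""")

# The same two deny statements with no permit at all: everything is dropped.
DENY_ONLY_ACL = FIGURE1_ACL[:2]

# Figure 2 (ACL number 104 assumed): deny Telnet to 192.168.11.0/24, permit the rest.
FIGURE2_ACL = parse_acl("""
access-list 104 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 104 permit ip any any
""")

# Figure 1 with the tighter final statement from the closing note: only packets
# actually sourced from the 192.168.11.0/24 LAN are permitted inbound on G0/1.
FIGURE1_TIGHT_ACL = FIGURE1_ACL[:2] + parse_acl(
    "access-list 103 permit ip 192.168.11.0 0.0.0.255 any")

if __name__ == "__main__":
    # Constructed packets (src, dst, proto, dport) entering G0/1 from the LAN side.
    for pkt in [("192.168.11.10", "192.168.10.5", "tcp", 21),
                ("192.168.11.10", "192.168.10.5", "tcp", 20),
                ("192.168.11.10", "192.168.10.5", "tcp", 80),
                ("10.0.0.5", "192.168.10.5", "tcp", 80)]:
        print(pkt, "->", evaluate(FIGURE1_ACL, *pkt),
              "/ tightened:", evaluate(FIGURE1_TIGHT_ACL, *pkt))
```

Running the script shows the points made in the text: FTP control (21) and active data (20) from 192.168.11.0/24 to 192.168.10.0/24 are denied while HTTP to the same host is permitted; with only the two deny statements every packet hits the implicit deny; and the tightened final statement drops a packet arriving on G0/1 with a source address outside the LAN, which permit ip any any would have let through. A passive-mode data connection to a high port is not caught by the port-20 statement, which is why the port-21 statement matters.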