32-14
Catalyst 3750 Switch Software Configuration Guide
OL-8550-02
Chapter 32 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any
host in network 171.69.198.0 to any host in network 172.20.52.0 and to permit any others. (The eq
keyword after the destination address means to test for the TCP destination port number equaling
Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq
telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
20 permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You cannot selectively add or remove access list entries from a numbered access list.
Note When you are creating an ACL, remember that, by default, the end of the access list contains an implicit
deny statement for all packets if it did not find a match before reaching the end.
Step 2d
access-list access-list-number
{deny | permit} icmp source
source-wildcard destination
destination-wildcard [icmp-type |
[[icmp-type icmp-code] |
[icmp-message]] [precedence
precedence] [tos tos] [fragments]
[log] [log-input] [time-range
time-range-name] [dscp dscp]
(Optional) Define an extended ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol.
The ICMP parameters are the same as those described for most IP protocols in
Step 2a, with the addition of the ICMP message type and code parameters.
These optional keywords have these meanings:
• icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
• icmp-code—Enter to filter ICMP packets that are filtered by the ICMP
message code type, a number from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type
name or the ICMP message type and code name. To see a list of ICMP
message type names and code names, use the ?, or see the “Configuring IP
Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
Step 2e
access-list access-list-number
{deny | permit} igmp source
source-wildcard destination
destination-wildcard [igmp-type]
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
(Optional) Define an extended IGMP access list and the access conditions.
Enter igmp for Internet Group Management Protocol.
The IGMP parameters are the same as those described for most IP protocols in
Step 2a, with this optional parameter.
igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter
the message name (dvmrp, host-query, host-report, pim, or trace).
Step 3
end Return to privileged EXEC mode.
Step 4
show access-lists [number | name] Verify the access list configuration.
Step 5
copy running-config
startup-config
(Optional) Save your entries in the configuration file.
Command Purpose
To Next Page
Loading...
Need help?
General
