SUMMARY STEPS
1.
configure terminal
2.
access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range
time-range-name] [dscp dscp]
3.
access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination
destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log
[log-input] [time-range time-range-name] [dscp dscp] [flag]
4.
access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination
destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log [log-input]
[time-range time-range-name] [dscp dscp]
5.
access-list access-list-number {deny | permit} icmp source source-wildcard destination
destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence]
[tos tos] [fragments] [time-range time-range-name] [dscp dscp]
6.
access-list access-list-number {deny | permit} igmp source source-wildcard destination
destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log [log-input]
[time-range time-range-name] [dscp dscp]
7.
end
DETAILED STEPS
PurposeCommand or Action
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 1
Defines an extended IPv4 access list and the access conditions.
access-list access-list-number {deny |
permit} protocol source source-wildcard
Step 2
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
destination destination-wildcard [precedence
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched.
precedence] [tos tos] [fragments] [log
[log-input] [time-range time-range-name]
[dscp dscp]
For protocol, enter the name or number of an P protocol: ahp, eigrp, esp, gre,
icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer
Example:
Switch(config)# access-list 101 permit
in the range 0 to 255 representing an IP protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP), use the keyword ip.
This step includes options for most IP protocols. For additional
specific parameters for TCP, UDP, ICMP, and IGMP, see the
following steps.
Note
The source is the number of the network or host from which the packet is sent.
ip host 10.1.1.2 any precedence 0 tos
0 log
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 157
Configuring IPv4 ACLs
Creating a Numbered Extended ACL
To Next Page
Loading...
Need help?
General