
Cisco Catalyst 250 Series User Manual

Command or Action | Purpose

Source, source-wildcard, destination, and destination-wildcard can be specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.

The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
• log—Enter to create an informational logging message to be sent to the console about the packet that matches the entry or log-input to include the input interface in the log entry.
• time-range—Specify the time-range name.
• dscp—Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.

Note: If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.
Step 3

Command or Action:
access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range time-range-name] [dscp dscp] [flag]

Example:
Switch(config)# access-list 101 permit tcp any any eq 500

Purpose:
Defines an extended TCP access list and the access conditions.

The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:

(Optional) Enter an operator and port to compare source (if positioned after source source-wildcard) or destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).

Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering TCP.

The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the same function as matching on the ack or rst flag.
• flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
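
The matching rules described in Step 3, as an added example that is not part of the Cisco guide: a small Python model that parses a numbered extended TCP entry and tests constructed packets against it, which is useful for reviewing what an entry actually permits before applying it. It assumes the usual IOS wildcard-mask convention (a 1 bit means the address bit is ignored) and numeric ports only; the function names parse_tcp_ace and matches are hypothetical.

```python
import ipaddress

OPS = {  # port operators listed in Step 3; "range" is inclusive
    "eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
    "gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0],
    "range": lambda p, a: a[0] <= p <= a[1],
}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):  # consume an address spec, return (base, wildcard) as integers
    first = tok.pop(0)
    if first == "any":                      # 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if first == "host":                     # single host, wildcard 0.0.0.0
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _port(tok):  # consume an optional "operator port" clause (numeric ports only)
    if not tok or tok[0] not in OPS:
        return None
    op = tok.pop(0)
    args = [int(tok.pop(0)) for _ in range(2 if op == "range" else 1)]
    if any(not 0 <= a <= 65535 for a in args):
        raise ValueError("port must be 0-65535")
    return op, args

def parse_tcp_ace(line):
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "tcp":
        raise ValueError("not a numbered extended TCP entry")
    ace, tok = {"action": tok[2]}, tok[4:]
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    if "dscp" in tok and ("tos" in tok or "precedence" in tok):  # per the Note
        raise ValueError("dscp cannot be combined with tos or precedence")
    ace["established"] = "established" in tok
    return ace

def matches(ace, src, dst, sport, dport, flags=()):  # packet fields are constructed input
    def ip_ok(spec, ip):                    # wildcard 1-bits are ignored
        return ((_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    def port_ok(spec, port):
        return spec is None or OPS[spec[0]](port, spec[1])
    est_ok = not ace["established"] or bool({"ack", "rst"} & set(flags))
    return (ip_ok(ace["src"], src) and ip_ok(ace["dst"], dst)
            and port_ok(ace["sport"], sport) and port_ok(ace["dport"], dport) and est_ok)
```

The model evaluates a single entry only; it does not reproduce first-match ordering across a whole list or the implicit deny at the end of an ACL.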
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
158 OL-29048-01
Configuring IPv4 ACLs
Creating a Numbered Extended ACL
