12-9
Catalyst 2950 Desktop Switch Software Configuration Guide
78-11380-03
Chapter 12 Configuring Network Security with ACLs
Configuring ACLs
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the ask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be
the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.102
permit any
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use an extended ACL source
and destination addresses for matching operations and optional protocol type information for finer
granularity of control. Some protocols also have specific parameters and keywords that apply to that
protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold): Internet Protocol (ip),
Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
• TCP
• UDP
Table 12-3 lists the possible filtering parameters for ACEs for each protocol type.
Table 12-3 Filtering Parameter ACEs Supported by Different IP Protocols
Filtering Parameter
1
TCP UDP
Layer 3 Parameters:
IP ToS byte
2
––
Differentiated Services Code Point (DSCP) ––
IP source address X X
IP destination address X X
Fragments ––
TCP or UDP X X
Layer 4 Parameters
Source port operator X X
Source port X X
Destination port operator X X
Destination port X X
TCP flag ––
To Next Page
Loading...
Need help?
General
