PurposeCommand or Action
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched.
destination destination-wildcard [precedence
precedence] [tos tos] [fragments] [log
[log-input] [time-range time-range-name]
[dscp dscp]
For protocol, enter the name or number of an P protocol: ahp, eigrp, esp, gre,
icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer
Example:
Switch(config)# access-list 101 permit
in the range 0 to 255 representing an IP protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP), use the keyword ip.
This step includes options for most IP protocols. For additional
specific parameters for TCP, UDP, ICMP, and IGMP, see the
following steps.
Note
The source is the number of the network or host from which the packet is sent.
ip host 10.1.1.2 any precedence 0 tos
0 log
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified
as:
•
The 32-bit quantity in dotted-decimal format.
•
The keyword any for 0.0.0.0 255.255.255.255 (any host).
•
The keyword host for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified
as a number from 0 to 7 or by name: routine (0), priority (1), immediate
(2), flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from
0 to 15 or a name: normal (0), max-reliability (2), max-throughput
(4), min-delay (8).
• log—Enter to create an informational logging message to be sent to the
console about the packet that matches the entry or log-input to include
the input interface in the log entry.
• time-range—Specify the time-range name.
• dscp—Enter to match packets with the DSCP value specified by a
number from 0 to 63, or use the question mark (?) to see a list of available
values.
If you enter a dscp value, you cannot enter tos or precedence. You
can enter both a tos and a precedence value with no dscp.
Note
Defines an extended TCP access list and the access conditions.
access-list access-list-number {deny | permit}
tcp source source-wildcard [operator port]
Step 3
The parameters are the same as those described for an extended IPv4 ACL,
with these exceptions:
destination destination-wildcard [operator
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1186
How to Configure ACLs
To Next Page
Loading...
Need help?
General
