PurposeCommand or Action
port] [established] [precedence precedence]
[tos tos] [fragments] [log [log-input]
(Optional) Enter an operator and port to compare source (if positioned after
source source-wildcard) or destination (if positioned after destination
destination-wildcard) port. Possible operators include eq (equal), gt (greater
[time-range time-range-name] [dscp dscp]
[flag]
than), lt (less than), neq (not equal), and range (inclusive range). Operators
require a port number (range requires two port numbers separated by a space).
Example:
Switch(config)# access-list 101 permit
Enter the port number as a decimal number (from 0 to 65535) or the name of
a TCP port. Use only TCP port numbers or names when filtering TCP.
tcp any any eq 500
The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the
same function as matching on the ack or rst flag.
• flag—Enter one of these flags to match by the specified TCP header
bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn
(synchronize), or urg (urgent).
(Optional) Defines an extended UDP access list and the access conditions.
access-list access-list-number {deny |
permit} udp source source-wildcard
Step 4
The UDP parameters are the same as those described for TCP except that the
[operator [port]] port number or name must be a UDP port number or name,
and the flag and established keywords are not valid for UDP.
[operator port] destination
destination-wildcard [operator port]
[precedence precedence] [tos tos]
[fragments] [log [log-input] [time-range
time-range-name] [dscp dscp]
Example:
Switch(config)# access-list 101 permit
udp any any eq 100
Defines an extended ICMP access list and the access conditions.
access-list access-list-number {deny |
permit} icmp source source-wildcard
Step 5
The ICMP parameters are the same as those described for most IP protocols
in an extended IPv4 ACL, with the addition of the ICMP message type and
code parameters. These optional keywords have these meanings:
destination destination-wildcard [icmp-type |
[[icmp-type icmp-code] | [icmp-message]]
[precedence precedence] [tos tos]
• icmp-type—Enter to filter by ICMP message type, a number from 0
to 255.
[fragments] [time-range time-range-name]
[dscp dscp]
Example:
Switch(config)# access-list 101 permit
• icmp-code—Enter to filter ICMP packets that are filtered by the ICMP
message code type, a number from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type
name or the ICMP message type and code name.
icmp any any 200
(Optional) Defines an extended IGMP access list and the access conditions.
access-list access-list-number {deny |
permit} igmp source source-wildcard
Step 6
The IGMP parameters are the same as those described for most IP protocols
in an extended IPv4 ACL, with this optional parameter.
destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos]
igmp-type—To match IGMP message type, enter a number from 0 to 15, or
enter the message name: dvmrp, host-query, host-report, pim, or trace.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1187
How to Configure ACLs
To Next Page
Loading...
Need help?
General
