Command or Action / Purpose

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ip access-list extended access-list-name
Example:
Device(config)# ip access-list extended kmd1
Purpose: Specifies the IP access list by name and enters named access list configuration mode.

Step 4
Command or Action: [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Example:
Device(config-ext-nacl)# permit tcp any any match-any +rst
Purpose: Specifies a permit statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• Use the TCP command syntax of the permit command.
• Any packet with the RST TCP header flag set will be matched and allowed to pass the named access list kmd1 in Step 3.

Step 5
Command or Action: [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Example:
Device(config-ext-nacl)# deny tcp any any match-all -ack -fin
Purpose: (Optional) Specifies a deny statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• Use the TCP command syntax of the deny command.
• Any packet that does not have the ACK flag set, and also does not have the FIN flag set, will not be allowed to pass the named access list kmd1 in Step 3.
• See the deny (IP) command for additional command syntax to permit upper-layer protocols (ICMP, IGMP, TCP, and UDP).

Step 6
Command or Action: Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise the access list.

Step 7
Command or Action: end
Example:
Device(config-ext-nacl)# end
Purpose: (Optional) Exits the configuration mode and returns to privileged EXEC mode.

Step 8
Command or Action: show ip access-lists access-list-name
Purpose: (Optional) Displays the contents of the IP access list.
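As an added illustration that is not part of the Cisco guide, the following Python models how a named ACL evaluates the match-any / match-all {+ | -} flag-name syntax used in Steps 4 and 5: each entry is checked in sequence order, the first hit decides, and a packet that matches nothing falls to the implicit deny at the end of every IOS ACL. The sequence numbers 10 and 20 for the kmd1 entries are assumed.

```python
from dataclasses import dataclass

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}


@dataclass(frozen=True)
class FlagEntry:
    """One ACE: [seq] permit|deny tcp ... match-any|match-all {+|-}flag-name ..."""
    sequence: int
    action: str          # "permit" or "deny"
    mode: str            # "match-any" or "match-all"
    flags: tuple         # flag tokens such as ("+rst",) or ("-ack", "-fin")

    def matches(self, packet_flags: frozenset) -> bool:
        conditions = []
        for token in self.flags:
            sign, name = token[0], token[1:]
            if sign not in "+-" or name not in TCP_FLAGS:
                raise ValueError(f"bad flag token {token!r}")
            # "+flag" is true when the bit is set, "-flag" when it is clear
            conditions.append((name in packet_flags) == (sign == "+"))
        if self.mode == "match-any":
            return any(conditions)
        if self.mode == "match-all":
            return all(conditions)
        raise ValueError(f"unknown mode {self.mode!r}")


def evaluate_acl(entries, packet_flags):
    """Walk the list in sequence order; first hit wins, otherwise implicit deny."""
    present = frozenset(f.lower() for f in packet_flags)
    for entry in sorted(entries, key=lambda e: e.sequence):
        if entry.matches(present):
            return entry.action, entry.sequence
    return "deny", "implicit"


# The kmd1 list as configured in Steps 4 and 5 (sequence numbers assumed)
KMD1 = (
    FlagEntry(10, "permit", "match-any", ("+rst",)),
    FlagEntry(20, "deny", "match-all", ("-ack", "-fin")),
)

if __name__ == "__main__":
    for flags in ({"rst"}, {"rst", "ack"}, {"syn"}, {"syn", "ack"}, {"fin", "ack"}):
        print(sorted(flags), "->", evaluate_acl(KMD1, flags))
```

Note that with only these two entries a packet with ACK set matches neither statement and is dropped by the implicit deny, which is why Step 6 has you add further permit or deny statements by sequence number.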
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches), page 1241
How to Configure ACL Support for Filtering IP Options