PurposeCommand or Action
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be
specified as:
•
The 32-bit quantity in dotted-decimal format.
•
The keyword any for 0.0.0.0 255.255.255.255 (any host).
•
The keyword host for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified
as a number from 0 to 7 or by name: routine (0), priority (1),
immediate (2), flash (3), flash-override (4), critical (5), internet (6),
network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number
from 0 to 15 or a name: normal (0), max-reliability (2),
max-throughput (4), min-delay (8).
• log—Enter to create an informational logging message to be sent to the
console about the packet that matches the entry or log-input to include
the input interface in the log entry.
• time-range—Specify the time-range name.
• dscp—Enter to match packets with the DSCP value specified by a
number from 0 to 63, or use the question mark (?) to see a list of
available values.
If you enter a dscp value, you cannot enter tos or precedence. You
can enter both a tos and a precedence value with no dscp.
Note
Defines an extended TCP access list and the access conditions.
access-list access-list-number {deny | permit}
tcp source source-wildcard [operator port]
Step 3
The parameters are the same as those described for an extended IPv4 ACL,
with these exceptions:
destination destination-wildcard [operator
port] [established] [precedence precedence]
(Optional) Enter an operator and port to compare source (if positioned after
source source-wildcard) or destination (if positioned after destination
[tos tos] [fragments] [log [log-input] ]
[time-range time-range-name] [dscp dscp]
[flag]
destination-wildcard) port. Possible operators include eq (equal), gt (greater
than), lt (less than), neq (not equal), and range (inclusive range). Operators
require a port number (range requires two port numbers separated by a space).
Example:
Switch(config)# access-list 101 permit
Enter the port number as a decimal number (from 0 to 65535) or the name
of a TCP port.
tcp any any eq 500
The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the
same function as matching on the ack or rst flag.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01 123
Configuring IPv4 ACLs
Creating a Numbered Extended ACL
To Next Page
Loading...
