37-12
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2a
access-list access-list-number
{deny | permit} pr
otocol
source source-wildcard
destination destination-wildcard
[pr
ecedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
Note If you enter a dscp value,
you cannot enter tos or
precedence. You can enter
both a tos and a
precedence value with no
dscp.
Define an extended IPv4 access list a
nd the access conditions.
The ac
cess-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to sp
ecify whether to deny or permit the packet if
conditions are matched.
For p
rotocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre,
icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in
the range 0 to 255 representing an IP protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP), use the keyword ip.
Note This step includes options for most IP protocols. For additional specific
parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e.
The sour
ce is the number of the network or host from which the packet is sent.
The so
urce-wildcard applies wildcard bits to the source.
The de
stination is the network or host number to which the packet is sent.
The de
stination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and
destination-wildcard can be specified
as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified as a
number from 0 to 7 or by name: routine (0), priority (1), immediate (2),
flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from 0
to 15 or a name: normal (0), max-reliability (2), max-throughput (4),
min-delay (8).
• log—Enter to create an informational logging message to be sent to the
console about the packet that matches the entry or log-input to include the
input interface in the log entry.
• time-range—For an explanation of this keyword, see the “Using Time
Ranges with ACLs” section on page 37-17.
• dscp—Enter to match packets with the DSCP value specified by a number
from 0 to 63, or use the question mark (?) to see a list of available values.
To Next Page
Loading...
Need help?
General
