Cisco Catalyst 4500 Series Software Configuration Guide

62-14
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Step 1
Command: configure terminal
Example: Switch# configure terminal
Purpose: Blocks all traffic to or from the configured unicast MAC address in the specified VLAN. To clear MAC address-based blocking, use the no form of this command without the drop keyword.
Step 2
Command: ip access-list extended access-list-name
Example:
Switch(config)# ip access-list extended kmd1
Switch(config-ext-nacl)#
Purpose: Specifies the IP access list by name and enters named access list configuration mode.
Step 3
Command: [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Example (IPv4-specific):
Switch(config-ext-nacl)# permit tcp host 1.1.1.1 host 2.2.2.2 established
Example (IPv6-specific):
Switch(config-ext-nacl)# permit tcp host 2001:2:25:1::1 host 2001:2:25:1::10 established
Purpose: Specifies a permit statement in named IP access list mode. This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need. Use the TCP command syntax of the permit command.
Match-all is not supported. Match-any is supported only with the following combinations of positive flags: "rst and ack" (must be combined), "syn and fin and rst" (must be combined), "psh", and "urg".
Step 4
Command: [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Example (IPv4-specific):
Switch(config-ext-nacl)# deny tcp host 3.3.3.3 host 4.4.4.4 fin rst syn
Example (IPv6-specific):
Switch(config-ext-nacl)# deny tcp host 2001:2:25:1::2 host 2001:2:25:1::20 fin rst syn
Purpose: (Optional) Specifies a deny statement in named IP access list mode. This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need. Use the TCP command syntax of the deny command. See the deny (IP) command for additional command syntax to permit upper-layer protocols (ICMP, IGMP, TCP, and UDP).
Match-all is not supported. Match-any is supported only with the following combinations of positive flags: "rst and ack" (must be combined), "syn and fin and rst" (must be combined), "psh", and "urg".
Step 5
Command: Repeat Step 3 or Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise the access list.
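The following is an added illustration, not Cisco code or output from the guide: a small Python model of how an access list built with Steps 2 through 5 decides permit or deny for a TCP segment. It parses a subset of the permit/deny syntax shown above (a single host or any as source and destination, the established keyword, and match-any with positive flags), numbers unnumbered entries by tens, applies first-match evaluation with the implicit deny at the end, and models established as IOS documents it: the segment's ACK or RST bit is set, with no connection state consulted. The list name kmd1 and the host addresses are the page's; the deny entry is rewritten with the supported "+rst +ack" match-any combination, and the sample segments are constructed for the demonstration.

```python
"""Toy model of permit/deny evaluation for an IOS named extended ACL with
TCP flag conditions. Added illustration only; not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment the model looks at (constructed input)."""
    src: str
    dst: str
    flags: frozenset  # names of the TCP flag bits that are set


@dataclass
class Entry:
    """One access list entry in the subset of syntax modelled here."""
    seq: int
    action: str             # "permit" or "deny"
    src: str                # "any" or a single host address
    dst: str
    established: bool = False
    match_any: tuple = ()   # positive flags given as 'match-any +flag ...'

    def matches(self, seg: Segment) -> bool:
        if self.src != "any" and ip_address(self.src) != ip_address(seg.src):
            return False
        if self.dst != "any" and ip_address(self.dst) != ip_address(seg.dst):
            return False
        # 'established' is a header test only: ACK or RST set. No connection
        # state is consulted, so a bare RST or a forged ACK matches as well.
        if self.established and not (seg.flags & {"ack", "rst"}):
            return False
        # 'match-any +a +b' matches when at least one listed flag is set.
        if self.match_any and not (seg.flags & set(self.match_any)):
            return False
        return True


def parse_entry(line: str, default_seq: int) -> Entry:
    """Parse '[seq] permit|deny tcp host A|any host B|any [established | match-any +flag ...]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"only 'permit tcp' and 'deny tcp' are modelled: {line}")

    def take_addr() -> str:
        kw = tokens.pop(0)
        if kw == "any":
            return "any"
        if kw == "host":
            return tokens.pop(0)
        raise ValueError(f"only 'host' and 'any' addresses are modelled: {kw}")

    src, dst = take_addr(), take_addr()
    established, match_any = False, []
    while tokens:
        kw = tokens.pop(0)
        if kw == "established":
            established = True
        elif kw == "match-any":
            while tokens and tokens[0].startswith("+"):
                flag = tokens.pop(0)[1:]
                if flag not in TCP_FLAGS:
                    raise ValueError(f"unknown TCP flag: {flag}")
                match_any.append(flag)
            if not match_any:
                raise ValueError("match-any needs at least one +flag")
        else:
            raise ValueError(f"keyword not modelled: {kw}")
    return Entry(seq, action, src, dst, established, tuple(match_any))


def build_acl(lines) -> list:
    """Give unnumbered entries a sequence 10 above the last one, as IOS does."""
    acl, next_seq = [], 10
    for line in lines:
        entry = parse_entry(line, next_seq)
        acl.append(entry)
        next_seq = max(next_seq, entry.seq) + 10
    return sorted(acl, key=lambda e: e.seq)


def evaluate(acl, seg: Segment):
    """First matching entry wins; the implicit deny at the end has no sequence."""
    for entry in acl:
        if entry.matches(seg):
            return entry.action, entry.seq
    return "deny", None


# Constructed ACL: the page's two example entries, the deny written with the
# supported match-any "+rst +ack" combination instead of a bare flag list.
KMD1 = build_acl([
    "permit tcp host 1.1.1.1 host 2.2.2.2 established",
    "deny tcp host 3.3.3.3 host 4.4.4.4 match-any +rst +ack",
])

# Constructed segments: a connection-opening SYN, a mid-connection ACK and a
# bare RST between the permitted hosts, then two between the denied hosts.
SAMPLES = {
    "syn_to_permitted_hosts": Segment("1.1.1.1", "2.2.2.2", frozenset({"syn"})),
    "ack_to_permitted_hosts": Segment("1.1.1.1", "2.2.2.2", frozenset({"ack"})),
    "rst_to_permitted_hosts": Segment("1.1.1.1", "2.2.2.2", frozenset({"rst"})),
    "syn_to_denied_hosts": Segment("3.3.3.3", "4.4.4.4", frozenset({"syn"})),
    "synack_to_denied_hosts": Segment("3.3.3.3", "4.4.4.4", frozenset({"syn", "ack"})),
}


def decisions() -> dict:
    """Map each sample segment name to (action, matching sequence or None)."""
    return {name: evaluate(KMD1, seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, seq) in decisions().items():
        print(f"{name:24} -> {action} (entry {seq if seq else 'implicit deny'})")
```

Running it shows the point of the established keyword that the table states only in passing: the SYN that opens a connection from 1.1.1.1 falls through to the implicit deny, while the ACK and the bare RST are permitted by entry 10 purely on their flag bits, so the list filters by direction of connection setup rather than by connection state.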
