62-44
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring Object Group ACLs
Applying an IPv4 OG ACL to an Interface
An object group ACL can be used to control traffic on the interface it is applied to. To apply an object
group ACL to an interface, perform the following task:
Step 3
remark remark
Example:
Switch(config-ext-nacl)# remark my-ogacl-policy
is to provide the marketing network access to
the server
(Optional) Adds a comment about the configured access
list entry.
A remark can precede or follow an access list entry.
In this example, the remark reminds the network
administrator that the subsequent entry denies the
Marketing network access to the interface.
Step 4
permit protocol source [source-wildcard] destination
[destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log |
log-input] [time-range time-range-name]
[fragments]
Example:
Switch(config-ext-nacl)# permit object-group
my-service-object-group object-group
my-network-object-group any
Permits any packet that matches all conditions specified in
the statement.
Every access list needs at least one permit statement.
Optionally use the object-group
service-object-group-name keyword and argument as a
substitute for the protocol.
Optionally use the object-group
source-network-object-group-name keyword and argument
as a substitute for the source source-wildcard.
Optionally use the object-group
destination-network-object-group-name keyword and
argument as a substitute for the destination
destination-wildcard.
If source-wildcard or destination-wildcard is omitted, a
wildcard mask of 0.0.0.0 is assumed, which matches on all
bits of the source or destination address, respectively.
Optionally use the any keyword as a substitute for the
source source-wildcard or destination destination-wildcard
to specify the address and wildcard of 0.0.0.0
255.255.255.255.
Use the log-input keyword to include input interface,
source MAC address, or virtual circuit in the logging
output.
Step 5
Repeat the steps to specify the fields and values on
which you want to base your access list.
Remember that all sources not specifically permitted are
denied by an implicit deny statement at the end of the
access list.
Step 6
end
Example:
Device(config-ext-nacl)# end
Exits extended access-list configuration mode and returns
to privileged EXEC mode.
Command or Action Purpose
To Next Page
Loading...
