Cisco IE 4000 Software Configuration Guide

Cisco IE 4000
1066 pages
556
Configuring Network Security with ACLs
How to Configure Network Security with ACLs
Command: 1. configure terminal
Purpose: Enters global configuration mode.

Command: 2a. access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Note: If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.
Purpose: Defines an extended IPv4 access list and the access conditions.
access-list-number—Specifies a decimal number from 100 to 199 or 2000 to 2699.
deny or permit—Specifies whether to deny or permit the packet if conditions are matched.
protocol—Specifies the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.
Note: This step includes options for most IP protocols. For additional specific parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e.
source—The number of the network or host from which the packet is sent.
source-wildcard—Applies wildcard bits to the source.
destination—The network or host number to which the packet is sent.
destination-wildcard—Applies wildcard bits to the destination.
source, source-wildcard, destination, and destination-wildcard can be specified as:
  - The 32-bit quantity in dotted-decimal format.
  - The keyword any for 0.0.0.0 255.255.255.255 (any host).
  - The keyword host for a single host (a wildcard of 0.0.0.0).
The other keywords are optional and have these meanings:
  - precedence—Matches packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
  - fragments—Checks noninitial fragments.
  - tos—Matches by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
  - log—Creates an informational logging message to be sent to the console about the packet that matches the entry, or log-input to include the input interface in the log entry.
  - time-range—For an explanation of this keyword, see Using Time Ranges with ACLs, page 559.
  - dscp—Matches packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
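
As an added example (not code from the Cisco manual), the following Python linter checks one numbered extended ACL entry against the rules in step 2a: the access-list-number ranges, the protocol names or numbers, the three address forms, the option value ranges, and the dscp restriction from the note. The function names are hypothetical, only the step 2a form is covered (none of the TCP, UDP, ICMP, or IGMP parameters from steps 2b through 2e), and any non-numeric dscp name is accepted because this page does not list them.

```python
import ipaddress

PROTOCOLS = set("ahp eigrp esp gre icmp igmp igrp ip ipinip nos ospf pcp pim tcp udp".split())
PRECEDENCE = set("routine priority immediate flash flash-override critical internet network".split())
TOS = {"normal", "max-reliability", "max-throughput", "min-delay"}
# option -> (highest number, names accepted; None = names are not listed on the page)
VALUED = {"precedence": (7, PRECEDENCE), "tos": (15, TOS), "dscp": (63, None)}

def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return True if valid."""
    pair = tokens[:1] if tokens[:1] == ["any"] else tokens[:2]
    del tokens[:len(pair)]
    try:
        quads = [ipaddress.IPv4Address(t) for t in pair if t not in ("any", "host")]
    except ValueError:
        return False
    return pair == ["any"] or (len(pair) == 2 and (pair[0] == "host") + len(quads) == 2)

def lint_extended_acl(line):
    """Return the problems found in one numbered extended access-list entry."""
    tokens, errors, seen = line.split(), [], set()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return ["not an access-list command"]
    number, action, protocol, *rest = tokens[1:]
    if not (number.isdigit() and (100 <= int(number) <= 199 or 2000 <= int(number) <= 2699)):
        errors.append("access-list-number must be 100-199 or 2000-2699")
    if action not in ("deny", "permit"):
        errors.append("action must be deny or permit")
    if protocol not in PROTOCOLS and not (protocol.isdigit() and int(protocol) <= 255):
        errors.append(f"unknown protocol {protocol}")
    for role in ("source", "destination"):
        if not take_address(rest):
            errors.append(f"{role}: expected any, host A.B.C.D, or A.B.C.D wildcard")
    while rest:
        key = rest.pop(0)
        if key in ("fragments", "log", "log-input"):
            continue
        if key == "time-range" and rest:
            rest.pop(0)  # name of a time range defined elsewhere
        elif key in VALUED and rest:
            (high, names), value = VALUED[key], rest.pop(0)
            seen.add(key)
            if not (int(value) <= high if value.isdigit() else names is None or value in names):
                errors.append(f"{key} value {value} is not valid")
        else:
            errors.append(f"unexpected or incomplete option {key}")
    if "dscp" in seen and seen & {"tos", "precedence"}:
        errors.append("dscp cannot be combined with tos or precedence")
    return errors
```

For the constructed entry `access-list 110 deny ip any any dscp 46 precedence critical`, `lint_extended_acl` returns the single dscp conflict message; an entry that follows the syntax returns an empty list.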
