Enterasys C5G124-24 User Manual
452 pages
ACL Configuration Overview
Fixed Switch Configuration Guide 24-3
Creating ACL Rules
ACL rules define the criteria on which a packet counts as a hit for the ACL. Rules in an ACL are
order-dependent: a packet is either forwarded (a permit rule) or not forwarded (a deny rule)
according to the first rule it matches. The matching criteria available depend on whether the
ACL is a standard or extended IPv4 ACL, an IPv6 ACL, or a MAC ACL. As soon as a rule is
matched, processing of the access list stops. There is an implicit “deny all” rule at the end of
every ACL: if a packet matches none of the rules, it is not forwarded.
IPv4 Rules
For a standard ACL, a source IPv4 address and an optional wildcard are specified for the rule. For
an extended ACL, a source and a destination IP address, each with a wildcard, are specified for the
rule. For IPv4 addresses, the source and destination wildcards are inverted masks (a 1 bit marks a
don’t-care bit), so a wildcard of 0.0.0.0 specifies an exact match. The any keyword is available as
shorthand for 0.0.0.0 255.255.255.255.
For an extended IPv4 ACL, the following protocols can be specified in a rule:
• A specific or all IPv4 protocols
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Internet Control Message Protocol (ICMP)
TCP and UDP rules can match specific source and destination ports.
Extended ACLs can optionally be set to match a Diffserv codepoint (DSCP), IP precedence, or IP
Type of Service (ToS) value.
IPv4 permit rules also allow you to specify the queue to which a packet matching the permit rule
will be assigned. Valid values for queue-id are from 0 to 5.
IPv4 Rule Examples
This example shows how to create IPv4 standard access list 1 with three entries that allow access
to only those hosts on the three specified networks. The wildcard bits apply to the host portions of
the network addresses. Any host with a source address that does not match the access list entries
will be rejected:
C5(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C5(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C5(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
This example shows how to define IPv4 extended access list 145 to deny ICMP transmissions from
any source and for any destination:
C5(su)->router(Config)#access-list 145 deny ICMP any any
This example appends to access list 145 a permit statement that allows the host with IP address
88.255.255.254 to perform SSH remote logins to any destination on TCP port 22.
C5(su)->router(Config)#access-list 145 permit tcp host 88.255.255.254 any eq 22
This example appends to access list 145 a permit statement that allows SNMP control traffic (from
UDP port 161) to be sent from IP addresses within the range defined by 88.255.128.0 0.0.127.255
to any destination.
C5(su)->router(Config)#access-list 145 permit udp 88.255.128.0 0.0.127.255 eq 161 any
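The wildcard-mask matching and the first-match, implicit-deny evaluation described above, worked through in an added Python simulator. This is not Enterasys code: it parses only the command forms that appear in the examples on this page (standard source-only lists, and extended lists with any / host / address-wildcard specs and optional eq ports), assumes ip, tcp, udp and icmp as the protocol keywords, and decides standard versus extended by whether a protocol keyword follows the action, which is a simplification of the switch's own syntax. The packets fed to it are constructed for the example.

```python
"""Simulator for the ACL semantics on this page: inverted wildcard masks,
first matching rule wins, implicit deny-all at the end of every list.
Added example, not Enterasys code; handles only the command forms shown
in the page's examples."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # shorthand documented in the text
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}     # assumed keyword set for this simulator


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Inverted-mask compare: a 1 bit in the wildcard is a don't-care bit,
    so only the bits that are 0 in the wildcard have to be equal."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    protocol: str                            # "ip" = any IPv4 protocol; standard rules use "ip"
    src: Tuple[str, str]                     # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None    # None for a standard (source-only) rule
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")    # 0.0.0.0 wildcard = exact match
    return (tok, tokens.pop(0))


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N' clause."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse 'access-list <id> <permit|deny> ...' into (list id, Rule)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list command: " + line)
    acl_id, action, rest = tokens[1], tokens[2], tokens[3:]
    if rest[0].lower() in PROTOCOLS:         # extended form: protocol keyword first
        proto = rest.pop(0).lower()
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        return acl_id, Rule(action, proto, src, dst, sport, dport)
    return acl_id, Rule(action, "ip", _take_addr(rest))   # standard form


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Every specified field must match; unspecified fields are wildcards."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule.src):
        return False
    if rule.dst is not None and not wildcard_match(pkt["dst"], *rule.dst):
        return False
    if rule.src_port is not None and pkt.get("sport") != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule wins and processing stops. Returns (action, index
    of the matching rule), or ('deny', None) for the implicit deny-all."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def build_acls(config_lines: List[str]) -> Dict[str, List[Rule]]:
    """Group parsed rules by list id, preserving configuration order."""
    acls: Dict[str, List[Rule]] = {}
    for line in config_lines:
        acl_id, rule = parse_rule(line)
        acls.setdefault(acl_id, []).append(rule)
    return acls


# The rule lines from this page's examples, with the CLI prompt stripped.
CONFIG = [
    "access-list 1 permit 192.5.34.0 0.0.0.255",
    "access-list 1 permit 128.88.0.0 0.0.255.255",
    "access-list 1 permit 36.0.0.0 0.255.255.255",
    "access-list 145 deny ICMP any any",
    "access-list 145 permit tcp host 88.255.255.254 any eq 22",
    "access-list 145 permit udp 88.255.128.0 0.0.127.255 eq 161 any",
]
ACLS = build_acls(CONFIG)

if __name__ == "__main__":
    # Constructed sample packets (not from the page).
    ssh = {"src": "88.255.255.254", "dst": "10.0.0.5", "proto": "tcp", "sport": 40000, "dport": 22}
    telnet = dict(ssh, dport=23)
    print("ACL 145 SSH   :", evaluate(ACLS["145"], ssh))       # permit, rule 1
    print("ACL 145 telnet:", evaluate(ACLS["145"], telnet))    # deny, implicit (None)
```

The returned rule index makes the order dependence visible: a packet that reaches the implicit deny reports `None`, and swapping the ICMP deny with a later permit would change which index (and action) is reported for the same packet. Note that `88.255.0.1` does not fall inside `88.255.128.0 0.0.127.255`, because the wildcard leaves the top bit of the third octet as a must-match bit.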
