IPv4 Access Control Lists (ACLs)
Configuring and Assigning an ACL
• IP-addr / mask-length — Performs the specified action on
any IP packet having a source address within the range
defined by either
< src-ip-addr / cidr-mask-bits >
or
< src-ip-addr < mask >>
Use this criterion to filter packets received from either a
subnet or a group of contiguous IP addresses. The mask
can be in either dotted-decimal format or CIDR format
with the number of significant bits. Refer to “Using CIDR
Notation To Enter the ACL Mask” on page 9-39.
The mask is applied to the IP address in the ACL to define
which bits in a packet’s source IP address must exactly
match the IP address configured in the ACL and which
bits need not match. Note that specifying a group of
contiguous IP addresses may require more than one
ACE. For more on how masks operate in ACLs, refer to
“How an ACE Uses a Mask To Screen Packets for Matches”
on page 9-26.
[log]
Optionally generates an ACL log message if:
• The action is deny.
• There is a match.
• ACL logging is enabled on the switch. (Refer to
“Enable ACL “Deny” Logging” on page 9-68.)
(Use the debug command to direct ACL logging output to
the current console session and/or to a Syslog server. Note
that you must also use the logging < ip-addr > command to
specify the IP addresses of Syslog servers to which you want
log messages sent. See also “Enable ACL “Deny” Logging”
on page 9-68.)
Syntax: interface < port-list > ip access-group < name-str | 1-99 > in
Assigns an ACL, designated by an ACL ID (
ASCII-STR or 1-99),
to an interface (list of one or more ports and/or one or more
static trunks).
9-42
To Next Page
Loading...
