Access Control Lists (ACLs) for the Series 5300xl Switches 
Configuring and Assigning an ACL 
Configuring a Named ACL 
You can use the “Named ACL” context to configure a standard or extended 
ACL with an alphanumeric name instead of a number. Note that the command 
structure for configuring a named ACL differs from that for a numbered ACL. 
Syntax:  ip access-list standard < name-str | 1-99 >
             < deny | permit >
             < any | host < src-ip-addr > | ip-addr / mask-length >
             [log]

         ip access-list extended < name-str | 100-199 >
             < deny | permit > ip
             < any | host < src-ip-addr > | ip-addr / mask-length >
             < any | host < dest-ip-addr > | ip-addr / mask-length >
             [log]

         ip access-list extended < name-string >
             < deny | permit > < tcp | udp >
             < any | host < src-ip-addr > | ip-addr / mask-length >
             [oper < src-port tcp/udp-id >]
             < any | host < dest-ip-addr > | ip-addr / mask-length >
             [oper < dest-port tcp/udp-id >]
             [log]

These commands create an ACE in the named ACL list and: 
• Indicate the action (deny or permit) to take on a packet
  if there is a match between a packet and the criteria in
  the complete ACE.
• Specify the packet protocol type (IP, TCP, or UDP) and (if
  TCP or UDP) the comparison operator.
• Specify the source and destination addressing options
  required for a match.
• Allow optional ACL logging where a packet has a match
  with a deny ACE. The log option does not appear when
  permit is the action.

If the ACL does not already exist, these commands create 
the specified ACL and its first ACE. If the ACL already 
exists, these commands add a new, explicit ACE to the end 
of the ACL. For a match to occur, the packet must have the 
source and destination IP addressing criteria specified by 
this command, as well as any protocol-specific (TCP or UDP 
port number) criteria specified by the command. 
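
The following Python model is an added example, not code from the switch or its manual. It parses extended ACEs written in the syntax above and checks a packet against them so an ACL can be reviewed before it is entered. The names parse_ace, evaluate and SAMPLE_ACL are hypothetical, the addresses are constructed, only the eq operator is modelled, and the ACEs are assumed to be compared in list order with the first match deciding.

```python
import ipaddress
from collections import namedtuple
# One extended ACE; sport/dport are None when the ACE has no port criterion.
Ace = namedtuple("Ace", "action proto src dst sport dport log")

def _addr(tok):
    """Consume: any | host <ip-addr> | <ip-addr>/<mask-length>."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) if t == "host" else t, strict=False)

def _port(tok, proto):
    """Consume an optional 'eq <port>' (the only operator modelled here)."""
    if proto in ("tcp", "udp") and tok[:1] == ["eq"]:
        del tok[0]
        return int(tok.pop(0))
    return None

def parse_ace(line):
    """Parse '<deny|permit> <ip|tcp|udp> <src> [eq p] <dst> [eq p] [log]'."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    if action not in ("deny", "permit") or proto not in ("ip", "tcp", "udp"):
        raise ValueError("not an extended ACE: " + line)
    src, sport = _addr(tok), _port(tok, proto)
    dst, dport = _addr(tok), _port(tok, proto)
    log = tok == ["log"]
    # The page notes that log is offered only when the action is deny.
    if (tok and not log) or (log and action == "permit"):
        raise ValueError("invalid trailing tokens: " + line)
    return Ace(action, proto, src, dst, sport, dport, log)

def evaluate(aces, proto, src, sport, dst, dport):
    """Return (action, log) of the first ACE whose criteria all match, else None."""
    for ace in aces:
        if (ace.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ace.src
                and ipaddress.ip_address(dst) in ace.dst
                and ace.sport in (None, sport)
                and ace.dport in (None, dport)):
            return ace.action, ace.log
    return None

# Constructed sample ACL: ACEs in the order they were entered.
SAMPLE_ACL = [parse_ace(l) for l in (
    "deny tcp 10.10.20.0/24 host 10.10.10.5 eq 23 log",
    "permit ip 10.10.20.0/24 any",
)]
```

A result of None means no explicit ACE in the list matched the packet, which is the case to look for when checking that an ACL covers the traffic it is meant to.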