Configuring ACL ACL Configurations
Configuration Guide  
Step 3 access-list extended acl-id rule rule-id {deny | permit} [[sip source-ip] smask source-ip-mask] [[dip destination-ip] dmask destination-ip-mask] [s-port s-port] [d-port d-port] [protocol protocol]
Add a rule to the ACL.
acl-id: The ID number of the ACL you have created.
rule-id: Specify the rule ID, which ranges from 0 to 1999. It should not be the same as any existing Extend-IP ACL ID.
deny | permit: Specify the operation to be performed on the packets that match the rule. Deny means to discard; permit means to forward. By default, it is permit.
source-ip: Enter the source IP address.
source-ip-mask: Enter the mask of the source IP address. This is required if a source IP address is entered.
destination-ip: Enter the destination IP address.
destination-ip-mask: Enter the mask of the destination IP address. This is required if a destination IP address is entered.
s-port: Enter the TCP/UDP source port if TCP/UDP protocol is selected.
d-port: Enter the TCP/UDP destination port if TCP/UDP protocol is selected.
protocol: Specify a protocol type.
Step 4 show access-list [access-list-num]
(Optional) View the current ACL configuration.
access-list-num: The ID number of the ACL.
Step 5 end
Return to privileged EXEC mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to create Extend-IP ACL 1700 and configure Rule 7 to deny Telnet packets with source IP 192.168.2.100:
Switch#configure
Switch(config)#access-list create 1700
Switch(config)#access-list extended 1700 Rule 7 deny sip 192.168.2.100 smask 255.255.255.255 protocol 6 d-port 23
Switch(config)#show access-list 1700
Extended IP access list 1700
Rule 7  deny sip 192.168.2.100 smask 255.255.255.255 protocol 6 d-port 23
Switch(config)#end
Switch#copy running-config startup-config
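An added example, not from the TP-Link guide, that encodes the Step 3 constraints above (rule ID range, mask required with an address, ports only with TCP/UDP) as a command builder, and parses show access-list output in the layout of the example so a rule can be checked after it is entered. The keyword order and the sample output are taken from the worked example; the sample is constructed, not captured from a switch.

```python
import ipaddress
import re
TCP, UDP = 6, 17  # IP protocol numbers for which s-port/d-port apply

def build_rule(acl_id, rule_id, action, sip=None, smask=None, dip=None,
               dmask=None, s_port=None, d_port=None, protocol=None):
    """Return the Step 3 CLI line for one rule, or raise ValueError if the
    parameters violate a constraint stated in the guide."""
    if not 0 <= rule_id <= 1999:
        raise ValueError("rule-id must be in the range 0 to 1999")
    if action not in ("deny", "permit"):
        raise ValueError("action must be deny or permit")
    parts = [f"access-list extended {acl_id} rule {rule_id} {action}"]
    for kw, addr, mkw, mask in (("sip", sip, "smask", smask),
                                ("dip", dip, "dmask", dmask)):
        if addr is not None:
            if mask is None:
                raise ValueError(f"{mkw} is required when {kw} is given")
            ipaddress.IPv4Address(addr)  # raises on malformed input
            ipaddress.IPv4Address(mask)
            parts.append(f"{kw} {addr} {mkw} {mask}")
    if (s_port is not None or d_port is not None) and protocol not in (TCP, UDP):
        raise ValueError("s-port/d-port require protocol 6 (TCP) or 17 (UDP)")
    # Keyword order follows the guide's worked example (protocol before ports).
    if protocol is not None:
        parts.append(f"protocol {protocol}")
    for kw, port in (("s-port", s_port), ("d-port", d_port)):
        if port is not None:
            if not 0 <= port <= 65535:
                raise ValueError(f"{kw} must be a 16-bit port number")
            parts.append(f"{kw} {port}")
    return " ".join(parts)

def parse_show_output(text):
    """Parse 'show access-list' output in the layout the guide shows into
    {rule_id: {"action": ..., keyword: value, ...}} to check a rule took."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"\s*Rule\s+(\d+)\s+(deny|permit)\s*(.*)$", line)
        if m:
            toks = m.group(3).split()
            rules[int(m.group(1))] = {"action": m.group(2), **dict(zip(toks[0::2], toks[1::2]))}
    return rules

# Constructed sample of "show access-list 1700" output (not captured from a switch).
SAMPLE_SHOW = """Extended IP access list 1700
Rule 7  deny sip 192.168.2.100 smask 255.255.255.255 protocol 6 d-port 23
Rule 8  permit
"""
```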