Specifications
26-10
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 26 Configuring Network Security with ACLs
Configuring IP ACLs
Step 2a (continued)
Command:
  or access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Purpose:
  Define an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
  You can use the host keyword in place of source and destination wildcard or mask.
Step 2b
Command:
  access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] [flag]
Purpose:
  (Optional) Define an extended TCP access list and the access conditions.
  Enter tcp for Transmission Control Protocol.
  The parameters are the same as those described in Step 2a, with these exceptions:
  (Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
  Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
  The additional optional keywords have these meanings:
  • established—Enter to match an established connection. This has the same function as matching on the ack or rst flag.
  • flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
Step 2c
Command:
  access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Purpose:
  (Optional) Define an extended UDP access list and the access conditions.
  Enter udp for the User Datagram Protocol.
  The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established parameters are not valid for UDP.
Step 2d
Command:
  access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Purpose:
  (Optional) Define an extended ICMP access list and the access conditions.
  Enter icmp for Internet Control Message Protocol.
  The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters.
  These optional keywords have these meanings:
  • icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
  • icmp-code—Enter to filter ICMP packets that are filtered by ICMP message type by the ICMP message code, a number from 0 to 255.
  • icmp-message—Enter to filter ICMP packets by ICMP message type name or ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
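The semantics behind Steps 2a through 2d (wildcard masks and the host abbreviation, the eq/gt/lt/neq/range port operators, established as a test on the ack or rst bit, single flag matching, and ICMP type and code filtering) are easiest to see by applying a few entries to sample packets. The evaluator below is an added example and is not code from this guide or from Cisco IOS: it parses access-list lines in the syntax shown above, evaluates them top to bottom with the implicit deny at the end, and reports which entry matched. The ACL lines, the packets and the small port-name and ICMP-name tables are constructed for the example (the real IOS tables are far larger); the any keyword is used as IOS defines it; precedence, tos, fragments, time-range and dscp are accepted by the parser but not evaluated.

```python
import ipaddress

# Constructed subset of the IOS port and ICMP message names (the real tables are much larger).
TCP_PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25}
UDP_PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161}
ICMP_MESSAGE_NAMES = {"echo": (8, None), "echo-reply": (0, None)}  # (type, code); None = any code
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
# Port operators from Step 2b; 'range' is inclusive and takes two ports.
PORT_TESTS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a, "gt": lambda p, a, b: p > a,
              "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (host = 0.0.0.0, any = 255.255.255.255)."""
    a, b, mask = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | mask) == (b | mask)

def _parse_address(tokens):
    """'host A' -> (A, 0.0.0.0); 'any' -> (0.0.0.0, 255.255.255.255); otherwise 'A W' -> (A, W)."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def _parse_port_spec(tokens, names):
    """Consume an optional '[operator port]' ('range' takes two ports); return (spec, rest)."""
    if not tokens or tokens[0] not in PORT_TESTS:
        return None, tokens
    count = 2 if tokens[0] == "range" else 1
    ports = tuple(int(p) if p.isdigit() else names[p] for p in tokens[1:1 + count])
    return (tokens[0], ports), tokens[1 + count:]

def parse_ace(line):
    """Parse one 'access-list N {deny|permit} protocol ...' line into a dict."""
    tokens = line.split()
    ace = {"number": int(tokens[1]), "action": tokens[2], "protocol": tokens[3],
           "sport": None, "dport": None, "established": False, "flags": set(), "icmp": None}
    rest, layer4 = tokens[4:], tokens[3] in ("tcp", "udp")
    names = TCP_PORT_NAMES if tokens[3] == "tcp" else UDP_PORT_NAMES
    ace["src"], rest = _parse_address(rest)
    if layer4:
        ace["sport"], rest = _parse_port_spec(rest, names)
    ace["dst"], rest = _parse_address(rest)
    if layer4:
        ace["dport"], rest = _parse_port_spec(rest, names)
    if tokens[3] == "icmp" and rest:
        if rest[0].isdigit():  # icmp-type [icmp-code], numbers from 0 to 255
            icmp_type = int(rest.pop(0))
            icmp_code = int(rest.pop(0)) if rest and rest[0].isdigit() else None
            ace["icmp"] = (icmp_type, icmp_code)
        elif rest[0] in ICMP_MESSAGE_NAMES:  # icmp-message name
            ace["icmp"] = ICMP_MESSAGE_NAMES[rest.pop(0)]
    for tok in rest:  # precedence, tos, fragments, time-range and dscp are accepted but not evaluated
        if tok == "established":
            ace["established"] = True
        elif tok in TCP_FLAGS:
            ace["flags"].add(tok)
    return ace

def _port_ok(spec, port):
    return spec is None or PORT_TESTS[spec[0]](port, spec[1][0], spec[1][-1])

def ace_matches(ace, pkt):
    """Apply one entry to a packet dict (protocol, src, dst, sport/dport, flags, icmp_type/icmp_code)."""
    if ace["protocol"] != "ip" and ace["protocol"] != pkt["protocol"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if not (_port_ok(ace["sport"], pkt.get("sport")) and _port_ok(ace["dport"], pkt.get("dport"))):
        return False
    if ace["protocol"] == "tcp":
        flags = pkt.get("flags", set())
        # 'established' is the same test as matching the ack or rst bit, so a bare SYN never matches it.
        if ace["established"] and not (flags & {"ack", "rst"}):
            return False
        if not ace["flags"] <= flags:
            return False
    if ace["icmp"] is not None:
        icmp_type, icmp_code = ace["icmp"]
        if pkt.get("icmp_type") != icmp_type or (icmp_code is not None and pkt.get("icmp_code") != icmp_code):
            return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; returns (action, entry index), or ('deny', None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], index
    return "deny", None

# Constructed sample ACL: inbound policy in front of the 192.0.2.0/24 documentation range.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 102 permit tcp any host 192.0.2.10 eq www",
    "access-list 102 permit tcp any 192.0.2.0 0.0.0.255 established",
    "access-list 102 permit udp any host 192.0.2.53 eq domain",
    "access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo-reply",
    "access-list 102 deny tcp any any range 135 139",
)]
```

Running evaluate(SAMPLE_ACL, pkt) with a SYN-only segment to 192.0.2.10 port 22 falls through to the implicit deny, while the same segment with the ack or rst bit set is permitted by the established entry; that is the whole effect of the keyword, so it limits new inbound connections but does not by itself verify that a connection exists, which is why the guide describes it as equivalent to matching those two flags.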