Specifications
26-11
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 26 Configuring Network Security with ACLs
Configuring IP ACLs
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any
host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword
after the destination address means to test for the TCP destination port number equaling Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
    deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
    permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You cannot selectively add or remove access list entries from a numbered access list.
Note When you are creating an ACL, remember that, by default, the end of the access list contains an implicit
deny statement for all packets if it did not find a match before reaching the end.
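The following is an added illustration, not Cisco code, of how access list 102 above is evaluated: a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny at the end). It parses ACEs in the same syntax the page shows, then runs constructed sample packets through the list. Note in particular that "permit tcp any any" does not rescue UDP or ICMP traffic; those fall through to the implicit deny. The port-name table and the packet samples are assumptions for the example; only the `eq port` form is modelled.

```python
"""Minimal model of IOS extended ACL evaluation (added example, not Cisco code).

Shows: wildcard-mask matching, first-match semantics, and the implicit
'deny' that ends every IOS access list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a small subset of the port-name keywords IOS accepts.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", "igmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None # only the 'eq <port>' form is modelled

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host A' | 'A W' from the front of tokens."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse one ACE as written on the page, e.g.
    'deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wild, rest = _parse_addr(rest)
    dst, dst_wild, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return ACE(action, proto, src, src_wild, dst, dst_wild, dport)


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE wins; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"   # implicit deny at the end of every IOS access list


# The page's access list 102, in the order IOS keeps the entries.
ACL_102 = [parse_ace(line) for line in (
    "deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet",
    "permit tcp any any",
)]

# Constructed sample traffic (not from the page).
SAMPLES = {
    "telnet_from_blocked_net": Packet("tcp", "171.69.198.7", "172.20.52.3", 23),
    "ssh_from_blocked_net":    Packet("tcp", "171.69.198.7", "172.20.52.3", 22),
    "telnet_from_other_net":   Packet("tcp", "10.1.1.1", "172.20.52.3", 23),
    "dns_udp":                 Packet("udp", "10.1.1.1", "172.20.52.3", 53),
    "icmp_echo":               Packet("icmp", "10.1.1.1", "172.20.52.3"),
}


def results() -> dict:
    """Verdict for every sample packet against access list 102."""
    return {name: evaluate(ACL_102, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:24s} {verdict}")
```

Running it shows Telnet from 171.69.198.0/24 denied, SSH from the same network and Telnet from any other network permitted, and the UDP and ICMP samples denied by the implicit entry even though no explicit deny names them. If an interface ACL must also carry non-TCP traffic, the list needs a matching permit (for example `permit ip any any` as the last entry) rather than relying on the TCP-only permit.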
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IP
ACL to a Terminal Line” section on page 26-16), to interfaces (see the “Applying an IP ACL to an
Interface” section on page 26-16), or to VLANs (see the “Configuring VLAN Maps” section on
page 26-22).
Creating Named Standard and Extended ACLs
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists in a router than if you were to use numbered access lists. If you
identify your access list with a name rather than a number, the mode and command syntax are slightly
different. However, not all commands that use IP access lists accept a named access list.
Note The name you give to a standard or extended ACL can also be a number in the supported range of access
list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL
can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete
individual entries from a named list.
Command Purpose

Step 2e
access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
(Optional) Define an extended IGMP access list and the access conditions.
Enter igmp for Internet Group Management Protocol.
The IGMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of this optional parameter.
igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter the message name (dvmrp, host-query, host-report, pim, or trace).

Step 3
show access-lists [number | name]
Verify the access list configuration.

Step 4
copy running-config startup-config
(Optional) Save your entries in the configuration file.