Specifications
26-12
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 26 Configuring Network Security with ACLs
Configuring IP ACLs
Consider these guidelines and limitations before configuring named ACLs:
• Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name. VLAN maps also accept a name.
• A standard ACL and an extended ACL cannot have the same name.
• Numbered ACLs are also available, as described in the “Creating Standard and Extended IP ACLs” section on page 26-6.
• You can use standard and extended ACLs (named or numbered) in VLAN maps.
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list standard name
        Define a standard IP access list using a name, and enter access-list configuration mode.
        Note: The name can be a number from 1 to 99.
Step 3  deny {source [source-wildcard] | host source | any}
        or
        permit {source [source-wildcard] | host source | any}
        In access-list configuration mode, specify one or more conditions denied or permitted to determine if the packet is forwarded or dropped.
        • host source—A source and source wildcard of source 0.0.0.0.
        • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show access-lists [number | name]
        Show the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove a named standard ACL, use the no ip access-list standard name global configuration command.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list extended name
        Define an extended IP access list using a name, and enter access-list configuration mode.
        Note: The name can be a number from 100 to 199.
Step 3  {deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [established] [time-range time-range-name]
        In access-list configuration mode, specify the conditions allowed or denied. See the “Creating a Numbered Extended ACL” section on page 26-8 for definitions of protocols and other keywords.
        • host source—A source and source wildcard of source 0.0.0.0.
        • host destination—A destination and destination wildcard of destination 0.0.0.0.
        • any—A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.
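As an added illustration (not from the Cisco guide), the following Python models how entries written in the extended-ACL syntax above are matched against a packet: a wildcard bit of 1 means "don't care", so host X is the same as X 0.0.0.0 and any is the same as 0.0.0.0 255.255.255.255, and entries are tried top to bottom with the first match deciding. The ACL lines are constructed sample input; the trailing implicit deny is standard Cisco IOS ACL behaviour rather than something this page states.

```python
import ipaddress
import re

# Constructed sample ACL in the syntax of Step 3 of the extended-ACL procedure.
ACL_LINES = [
    "permit tcp host 10.1.1.5 any",
    "deny ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip any any",
]

DOTTED_QUAD = re.compile(r"\d+\.\d+\.\d+\.\d+")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_addr(tokens):
    """Consume one {addr [wildcard] | host addr | any} spec; return (base, wildcard, rest)."""
    if tokens[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":                     # host X == X 0.0.0.0
        return to_int(tokens[1]), 0, tokens[2:]
    base, rest, wildcard = to_int(tokens[0]), tokens[1:], 0
    if rest and DOTTED_QUAD.fullmatch(rest[0]): # explicit wildcard; omitted means 0.0.0.0
        wildcard, rest = to_int(rest[0]), rest[1:]
    return base, wildcard, rest


def parse_ace(line):
    """Parse '{deny|permit} protocol source dest' (optional trailing keywords ignored)."""
    tokens = line.split()
    src, src_wc, rest = parse_addr(tokens[2:])
    dst, dst_wc, _ = parse_addr(rest)
    return {"action": tokens[0], "proto": tokens[1], "src": (src, src_wc), "dst": (dst, dst_wc)}


def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF               # bits that must be equal
    return (to_int(addr) & care) == (base & care)


def evaluate(acl_lines, proto, src, dst):
    """Return the action of the first matching entry, or the implicit 'deny'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):   # 'ip' covers every IP protocol
            continue
        if matches(src, ace["src"]) and matches(dst, ace["dst"]):
            return ace["action"]
    return "deny"
```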