30-9
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 30 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2a
access-list
access-list-number
{
deny
|
permit
}
protocol
source source-wildcard
destination destination-wildcard
[
precedence
precedence
] [
tos
tos
]
[
fragments
] [
time-range
time-range-name
] [
dscp
dscp
]
Note
If you enter a
dscp
value,
you cannot enter
tos
or
precedence
. You can enter
both a
tos
and a
precedence
value with no
dscp
.
Define an extended IPv4 access list and the access conditions.
The
access-list-number
is a decimal number from 100 to 199 or 2000 to 2699.
Enter
deny
or
permit
to specify whether to deny or permit the packet if
conditions are matched.
For
protocol
, enter the name or number of an IP protocol:
ahp
,
eigrp
,
esp
,
gre
,
icmp
,
igmp
,
igrp
,
ip
,
ipinip
,
nos
,
ospf
,
pcp
,
pim
,
tcp
, or
udp
, or an integer in
the range 0 to 255 representing an IP protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP), use the keyword
ip
.
Note
This step includes options for most IP protocols. For additional specific
parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e.
The
source
is the number of the network or host from which the packet is sent.
The
source-wildcard
applies wildcard bits to the source.
The
destination
is the network or host number to which the packet is sent.
The
destination-wildcard
applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified
as:
•
The 32-bit quantity in dotted-decimal format.
•
The keyword
any
for 0.0.0.0 255.255.255.255 (any host).
•
The keyword
host
for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
•
precedence
—Enter to match packets with a precedence level specified as a
number from 0 to 7 or by name:
routine
(
0
),
priority
(
1
),
immediate
(
2
),
flash
(
3
),
flash-override
(
4
),
critical
(
5
),
internet
(6),
network
(
7
).
•
fragments
—Enter to check non-initial fragments.
•
tos
—Enter to match by type of service level, specified by a number from 0
to 15 or a name:
normal
(
0
),
max-reliability
(
2
),
max-throughput
(
4
),
min-delay
(
8
).
•
time-range
—For an explanation of this keyword, see the
Ranges with ACLs” section on page 30-14
•
dscp
—Enter
to match packets with the DSCP value specified by a number
from 0 to 63, or use the question mark (?) to see a list of available values.
or
access-list
access-list-number
{
deny | permit
}
protocol
any any
[
precedence
precedence
] [
tos
tos
]
[
fragments
] [
time-range
time-range-name
] [
dscp
dscp
]
In access-list configuration mode, define an extended IP access list using an
abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and
an abbreviation for a destination and destination wildcard of 0.0.0.0
255.255.255.255.
You can use the
any
keyword in place of source and destination address and
wildcard.