Cisco Systems 3130 User Manual
34-13
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
or
access-list access-list-number
{deny | permit} protocol any any
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
{deny | permit} protocol any any
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
In access-list configuration mode, define an extended IP access list using an
abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and
an abbreviation for a destination and destination wildcard of 0.0.0.0
255.255.255.255.
abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and
an abbreviation for a destination and destination wildcard of 0.0.0.0
255.255.255.255.
You can use the any keyword in place of source and destination address and
wildcard.
wildcard.
or
access-list access-list-number
{deny | permit} protocol
host source host destination
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
{deny | permit} protocol
host source host destination
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
Define an extended IP access list by using an abbreviation for a source and a
source wildcard of source 0.0.0.0 and an abbreviation for a destination and
destination wildcard of destination 0.0.0.0.
source wildcard of source 0.0.0.0 and an abbreviation for a destination and
destination wildcard of destination 0.0.0.0.
You can use the host keyword in place of the source and destination wildcard
or mask.
or mask.
Step
2b
2b
access-list access-list-number
{deny | permit} tcp source
source-wildcard [operator port]
destination destination-wildcard
[operator port] [established]
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp] [flag]
{deny | permit} tcp source
source-wildcard [operator port]
destination destination-wildcard
[operator port] [established]
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp] [flag]
(Optional) Define an extended TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol.
The parameters are the same as those described in Step 2a, with these
exceptions:
exceptions:
(Optional) Enter an operator and port to compare source (if positioned after
source source-wildcard) or destination (if positioned after destination
destination-wildcard) port. Possible operators include eq (equal), gt (greater
than), lt (less than), neq (not equal), and range (inclusive range). Operators
require a port number (range requires two port numbers separated by a space).
source source-wildcard) or destination (if positioned after destination
destination-wildcard) port. Possible operators include eq (equal), gt (greater
than), lt (less than), neq (not equal), and range (inclusive range). Operators
require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services”
section in the “IP Addressing and Services” chapter of the Cisco IOS IP
Configuration Guide, Release 12.2. Use only TCP port numbers or names when
filtering TCP.
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services”
section in the “IP Addressing and Services” chapter of the Cisco IOS IP
Configuration Guide, Release 12.2. Use only TCP port numbers or names when
filtering TCP.
The other optional keywords have these meanings:
•
established—Enter to match an established connection. This has the same
function as matching on the ack or rst flag.
function as matching on the ack or rst flag.
•
flag—Enter one of these flags to match by the specified TCP header bits:
ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize),
or urg (urgent).
ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize),
or urg (urgent).
Step
2c
2c
access-list access-list-number
{deny | permit} udp
source source-wildcard [operator
port] destination
destination-wildcard [operator
port] [precedence precedence]
[tos tos] [fragments] [log]
[log-input] [time-range
time-range-name] [dscp dscp]
{deny | permit} udp
source source-wildcard [operator
port] destination
destination-wildcard [operator
port] [precedence precedence]
[tos tos] [fragments] [log]
[log-input] [time-range
time-range-name] [dscp dscp]
(Optional) Define an extended UDP access list and the access conditions.
Enter udp for the User Datagram Protocol.
The UDP parameters are the same as those described for TCP except that the
[operator [port]] port number or name must be a UDP port number or name, and
the flag and established parameters are not valid for UDP.
[operator [port]] port number or name must be a UDP port number or name, and
the flag and established parameters are not valid for UDP.
Command
Purpose