IBM 12.1(22)EA6 User Manual
22-11
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 22 Configuring Network Security with ACLs
Configuring ACLs
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
access-list access-list-number
{deny | permit | remark} protocol
{source source-wildcard | host
{deny | permit | remark} protocol
{source source-wildcard | host
source
| any} [operator port]
{destination destination-wildcard |
host
host
destination | any} [operator
port] [dscp dscp-value]
[time-range time-range-name]
[time-range time-range-name]
Define an extended IP access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched.
conditions are matched.
For protocol, enter the name or number of an IP protocol: IP, TCP, or UDP. To
match any Internet protocol (including TCP and UDP), use the keyword ip.
match any Internet protocol (including TCP and UDP), use the keyword ip.
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
Define a destination or source port.
•
The operator can be only eq (equal).
•
If operator is after source source-wildcard, conditions match when the
source port matches the defined port.
source port matches the defined port.
•
If operator is after destination destination-wildcard, conditions match
when the destination port matches the defined port.
when the destination port matches the defined port.
•
The port is a decimal number or name of a TCP or UDP port. The number
can be from 0 to 65535.
can be from 0 to 65535.
•
Use TCP port names only for TCP traffic.
•
Use UDP port names only for UDP traffic.
The destination-wildcard applies wildcard bits to the destination.
access-list access-list-number
{deny | permit | remark} protocol
{source source-wildcard | host
{deny | permit | remark} protocol
{source source-wildcard | host
source
| any} [operator port]
{destination destination-wildcard |
host
host
destination | any} [operator
port] [dscp dscp-value]
[time-range time-range-name]
[time-range time-range-name]
(continued)
Source, source-wildcard, destination, and destination-wildcard can be
specified in three ways:
specified in three ways:
•
The 32-bit quantity in dotted-decimal format.
•
The keyword any as an abbreviation for source and source-wildcard
of 0.0.0.0 255.255.255.255 or any source host.
of 0.0.0.0 255.255.255.255 or any source host.
•
The keyword host, followed by the 32-bit quantity in dotted-decimal
format, as an abbreviation for a single host with source and
source-wildcard of source 0.0.0.0.
format, as an abbreviation for a single host with source and
source-wildcard of source 0.0.0.0.
dscp—Enter to match packets with any of the supported 13 DSCP values
(0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56), or use the question mark
(?) to see a list of available values.
(0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56), or use the question mark
(?) to see a list of available values.
The time-range keyword is optional. For an explanation of this keyword, see
the
the
.
Step 3
show access-lists [number | name]
Verify the access list configuration.
Step 4
copy running-config
startup-config
startup-config
(Optional) Save your entries in the configuration file.