IBM 12.1(22)EA6 User Manual
22-12
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 22 Configuring Network Security with ACLs
Configuring ACLs
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any
host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword
after the destination address means to test for the TCP destination port number equaling Telnet.)
host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword
after the destination address means to test for the TCP destination port number equaling Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq
telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.
list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.
Note
When creating an ACL, remember that, by default, the end of the access list contains an implicit deny
statement for all packets if the access list does not find a match before reaching the end. With standard
access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is
assumed to be the mask.
statement for all packets if the access list does not find a match before reaching the end. With standard
access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is
assumed to be the mask.
After creating an ACL, you must apply it to a line or interface, as described in the
Creating Named Standard and Extended ACLs
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify
your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named ACL.
ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify
your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named ACL.
Note
The name you give to a standard ACL or extended ACL can also be a number in the supported range of
access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP
ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can
delete individual entries from a named list.
access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP
ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can
delete individual entries from a named list.
Consider these guidelines and limitations before configuring named ACLs:
•
A standard ACL and an extended ACL cannot have the same name.
•
Numbered ACLs are also available, as described in the