Cisco Systems 2960 Manual De Usuario
31-20
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Configuring IPv4 ACLs
To determine the specialized hardware resources, enter the show platform layer4 acl map privileged
EXEC command. If the switch does not have available resources, the output shows that index 0 to
index 15 are not available.
EXEC command. If the switch does not have available resources, the output shows that index 0 to
index 15 are not available.
For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug
Toolkit.
Toolkit.
For example, if you apply this ACL to an interface:
permit tcp
source source-wildcard
destination destination-wildcard
range 5 60
permit tcp
source source-wildcard
destination destination-wildcard
range 15 160
permit tcp
source source-wildcard
destination destination-wildcard
range 115 1660
permit tcp
source source-wildcard
destination destination-wildcard
And if this message appears:
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The flag-related operators are not available. To avoid this issue,
•
Move the fourth ACE before the first ACE by using ip access-list resequence global configuration
command:
command:
permit tcp
source source-wildcard
destination destination-wildcard
permit tcp
source source-wildcard
destination destination-wildcard
range 5 60
permit tcp
source source-wildcard
destination destination-wildcard
range 15 160
permit tcp
source source-wildcard
destination destination-wildcard
range 115 1660
or
Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for
example, rename ACL 79 to ACL 1).
example, rename ACL 79 to ACL 1).
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available
mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the
TCAM.
mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the
TCAM.
IPv4 ACL Configuration Examples
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about
compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring
IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration
Guide, Release 12.2.
compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring
IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration
Guide, Release 12.2.
This example uses a standard ACL to allow a port access to a specific Internet host with the address
172.20.128.64.
172.20.128.64.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
10 permit 172.20.128.64 wildcard bits 0.0.0.0
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in
This example uses an extended ACL to deny to a port traffic coming from port 80 (HTTP). It permits all
other types of traffic.
other types of traffic.
Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# end
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in