Chapter 34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

Command | Purpose

Step 2d
Command: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Purpose: (Optional) Define an extended ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol.
The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
• icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
• icmp-code—Enter to filter ICMP packets that are filtered by the ICMP message code type, a number from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.

Step 2e
Command: access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Purpose: (Optional) Define an extended IGMP access list and the access conditions.
Enter igmp for Internet Group Management Protocol.
The IGMP parameters are the same as those described for most IP protocols in Step 2a, with this optional parameter.
• igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter the message name (dvmrp, host-query, host-report, pim, or trace).

Step 3
Command: end
Purpose: Return to privileged EXEC mode.

Step 4
Command: show access-lists [number | name]
Purpose: Verify the access list configuration.

Step 5
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.


Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.

This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and to permit any others. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.)

Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet

Switch(config)# access-list 102 permit tcp any any

Switch(config)# end

Switch# show access-lists

Extended IP access list 102

10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet

20 permit tcp any any

After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list entries from a numbered access list.

Note: When you are creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end.
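As an added illustration (not part of the Cisco guide), the Python model below shows how the switch evaluates a numbered extended ACL: ACEs are tested in order, the first match decides, and a packet that matches no ACE falls through to the implicit deny at the end of the list. It parses the subset of the access-list syntax on this page (tcp/udp with eq port, icmp with a numeric type and code or a message name such as echo-reply, igmp, and ip) and applies IOS wildcard-mask semantics. The port and ICMP message name tables are an assumed subset of the names IOS accepts, and ACL 103 is a constructed ICMP list written in the Step 2d syntax; ACL 102 is the one from the example above.

```python
# Added example, not code from the Cisco guide: a small model of how a numbered
# extended IP ACL is evaluated. ACEs are checked in order, the first match
# decides, and a packet that matches nothing hits the implicit deny.
import ipaddress

# Assumed subset of the port and ICMP message names IOS accepts.
TCP_PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25}
ICMP_MESSAGE_NAMES = {"echo": (8, None), "echo-reply": (0, None),
                      "unreachable": (3, None), "ttl-exceeded": (11, 0)}
# Optional keywords that may follow the protocol-specific fields; ignored here.
TRAILING_KEYWORDS = {"precedence", "tos", "fragments", "log", "log-input",
                     "time-range", "dscp"}


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A W' starting at tokens[i].
    Returns (base_as_int, wildcard_as_int, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def addr_matches(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits in the mask must match, 1 bits are don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_ace(line):
    """Parse one ACE as typed at the config prompt or as printed by show access-lists."""
    tokens = line.split()
    if tokens[0].isdigit():            # sequence number from show access-lists
        tokens = tokens[1:]
    if tokens[0] == "access-list":     # 'access-list <number>' prefix from config mode
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src_base, src_wc, i = _parse_addr(tokens, 2)
    dst_base, dst_wc, i = _parse_addr(tokens, i)
    ace = {"action": action, "proto": proto, "src": (src_base, src_wc),
           "dst": (dst_base, dst_wc), "dport": None,
           "icmp_type": None, "icmp_code": None}
    rest = tokens[i:]
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
        ace["dport"] = int(rest[1]) if rest[1].isdigit() else TCP_PORT_NAMES[rest[1]]
    elif proto == "icmp" and rest and rest[0] not in TRAILING_KEYWORDS:
        if rest[0].isdigit():                      # icmp-type [icmp-code]
            ace["icmp_type"] = int(rest[0])
            if len(rest) > 1 and rest[1].isdigit():
                ace["icmp_code"] = int(rest[1])
        else:                                      # icmp-message name
            ace["icmp_type"], ace["icmp_code"] = ICMP_MESSAGE_NAMES[rest[0]]
    return ace


def ace_matches(ace, pkt):
    """True if the packet (a dict with proto, src, dst and optional dport/icmp fields) matches the ACE."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not addr_matches(pkt["src"], *ace["src"]) or not addr_matches(pkt["dst"], *ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    if ace["icmp_code"] is not None and pkt.get("icmp_code") != ace["icmp_code"]:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, index of the deciding ACE). No match => ('deny', None), the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


# ACL 102 exactly as shown by 'show access-lists' in the guide's example.
ACL_102 = [parse_ace(l) for l in (
    "10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet",
    "20 permit tcp any any",
)]
# Constructed ICMP list in the Step 2d syntax: permit echo replies, log and deny all other ICMP.
ACL_103 = [parse_ace(l) for l in (
    "access-list 103 permit icmp any any echo-reply",
    "access-list 103 deny icmp any any log",
)]

if __name__ == "__main__":
    telnet = {"proto": "tcp", "src": "171.69.198.5", "dst": "172.20.52.9", "dport": 23}
    dns = {"proto": "udp", "src": "171.69.198.5", "dst": "172.20.52.9", "dport": 53}
    print(evaluate(ACL_102, telnet))   # ('deny', 0): matched by ACE 10
    print(evaluate(ACL_102, dns))      # ('deny', None): ACL 102 only permits tcp, so UDP hits the implicit deny
```

The UDP case is the one the Note above warns about: ACL 102 never mentions UDP, so a DNS packet is dropped by the implicit deny even though the administrator only intended to block Telnet. A rule such as permit ip any any, or a protocol-specific permit, must be present before the end of the list for that traffic to pass.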

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02