25-12
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Configuring ACLs
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:

Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [dscp dscp-value] [time-range time-range-name]
        Purpose: Define an extended IP access list and the access conditions.

        The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.

        Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched.

        For protocol, enter the name or number of an IP protocol: IP, TCP, or UDP. To match any Internet protocol (including TCP and UDP), use the keyword ip.

        The source is the number of the network or host from which the packet is sent. The source-wildcard applies wildcard bits to the source.

        The destination is the number of the network or host to which the packet is sent. The destination-wildcard applies wildcard bits to the destination.

        The optional operator port pair defines a source or destination port:
        - The operator can be only eq (equal).
        - If the operator is after source source-wildcard, conditions match when the source port matches the defined port.
        - If the operator is after destination destination-wildcard, conditions match when the destination port matches the defined port.
        - The port is a decimal number or name of a TCP or UDP port. The number can be from 0 to 65535.
        - Use TCP port names only for TCP traffic.
        - Use UDP port names only for UDP traffic.

        Source, source-wildcard, destination, and destination-wildcard can be specified in three ways:
        - The 32-bit quantity in dotted-decimal format.
        - The keyword any as an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255 (any source host).
        - The keyword host, followed by the 32-bit quantity in dotted-decimal format, as an abbreviation for a single host with source and source-wildcard of source 0.0.0.0.

        For dscp, enter a value to match packets with any of the 13 supported DSCP values (0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56), or use the question mark (?) to see a list of available values.

        The time-range keyword is optional. For an explanation of this keyword, see the "Applying Time Ranges to ACLs" section on page 25-15.

Step 3  Command: show access-lists [number | name]
        Purpose: Verify the access list configuration.

Step 4  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
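The following Python model is an added example, not part of the configuration guide and not Cisco code. It parses access-list entries written in the syntax documented in Step 2 (extended list numbers, permit/deny/remark, ip/tcp/udp, the three address forms, eq as the only operator, TCP-only and UDP-only port names, a numeric dscp value) and evaluates constructed sample packets against them with the matching rules an IOS ACL uses: wildcard bits set to 1 are ignored, the first matching entry decides, and a packet that matches no entry hits the implicit deny at the end. The sample ACL, the addresses and the PORT_NAMES subset are constructed for illustration; cidr_to_wildcard is a helper added here to show how a prefix length becomes the address/wildcard pair the command expects.

```python
"""Model of Catalyst 2950 extended IP ACL syntax and first-match evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL in the access-list syntax from Step 2 (example data, not from the guide).
SAMPLE_ACL = """
access-list 101 remark constructed example: web to the intranet server, DNS to the resolver
access-list 101 permit tcp 172.20.128.0 0.0.0.255 host 172.20.130.10 eq www
access-list 101 permit udp any host 172.20.130.53 eq domain
access-list 101 deny ip 172.20.128.0 0.0.3.255 any
access-list 101 permit ip any any
"""

# Small subset of IOS port names. A TCP name is valid only in a tcp entry, a UDP name only in a udp entry.
PORT_NAMES = {
    ("tcp", "ftp"): 21, ("tcp", "telnet"): 23, ("tcp", "smtp"): 25, ("tcp", "www"): 80,
    ("udp", "domain"): 53, ("udp", "tftp"): 69, ("udp", "ntp"): 123, ("udp", "snmp"): 161,
}

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "tcp" or "udp"
    src: int               # source address as a 32-bit integer
    src_wild: int          # source wildcard bits (1 = don't care)
    src_port: Optional[int]
    dst: int
    dst_wild: int
    dst_port: Optional[int]
    dscp: Optional[int]

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: int = 0

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one of the three address forms: any, host A.B.C.D, or A.B.C.D W.X.Y.Z."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _port(tokens: List[str], protocol: str) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>'; eq is the only operator the 2950 accepts."""
    if not tokens or tokens[0] != "eq":
        return None, tokens
    if protocol not in ("tcp", "udp"):
        raise ValueError("a port match is only valid for tcp or udp")
    name = tokens[1]
    if name.isdigit():
        port = int(name)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    elif (protocol, name) in PORT_NAMES:
        port = PORT_NAMES[(protocol, name)]
    else:
        raise ValueError(f"{name!r} is not a {protocol} port name")
    return port, tokens[2:]

def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N {permit|deny|remark} ...' lines into ordered entries; remarks are skipped."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action = int(tok[1]), tok[2]
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not an extended ACL number")
        if action == "remark":
            continue
        protocol = tok[3]
        if protocol not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported protocol {protocol!r}")
        src, src_wild, rest = _addr(tok[4:])
        src_port, rest = _port(rest, protocol)
        dst, dst_wild, rest = _addr(rest)
        dst_port, rest = _port(rest, protocol)
        dscp = int(rest[1]) if rest[:1] == ["dscp"] else None   # numeric dscp values only in this model
        aces.append(Ace(action, protocol, src, src_wild, src_port, dst, dst_wild, dst_port, dscp))
    return aces

def _addr_match(pkt_addr: int, ace_addr: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return ((pkt_addr ^ ace_addr) & (~wild & 0xFFFFFFFF)) == 0

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _addr_match(_ip(pkt.src), ace.src, ace.src_wild):
        return False
    if not _addr_match(_ip(pkt.dst), ace.dst, ace.dst_wild):
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return ace.dscp is None or pkt.dscp == ace.dscp

def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet matching nothing falls to the implicit deny (index None)."""
    for i, ace in enumerate(aces):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None

def cidr_to_wildcard(prefix: str) -> Tuple[str, str]:
    """Turn a.b.c.d/len into the 'address wildcard' pair the access-list command wants."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in (Packet("tcp", "172.20.128.5", "172.20.130.10", 40000, 80),
                Packet("tcp", "172.20.128.5", "172.20.130.10", 40000, 443),
                Packet("tcp", "10.0.0.1", "192.0.2.1", 1234, 22)):
        print(pkt, "->", evaluate(acl, pkt))
    print(cidr_to_wildcard("172.20.128.0/22"))
```

Two points the model makes concrete: the deny entry with wildcard 0.0.3.255 covers 172.20.128.0 through 172.20.131.255, so a host in 172.20.131.0/24 is blocked even though only the first /24 was granted web access, and dropping the final "permit ip any any" changes the fate of every unmatched packet because of the implicit deny.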