25-13
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs Configuring ACLs
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any
host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword
after the destination address means to test for the TCP destination port number equaling Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.
Note When creating an ACL, remember that, by default, the end of the access list contains an implicit deny
statement for all packets if the access list does not find a match before reaching the end. With standard
access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is
assumed to be the mask.
After creating an ACL, you must apply it to a line or interface, as described in the Applying ACLs to
Terminal Lines or Physical Interfaces section on page 25-20.
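To make the matching rules above concrete, here is a small Python model (an added example, not code from this guide or from the switch) that evaluates a packet against numbered ACLs the way the text describes: Cisco wildcard masks, first match wins, an implicit deny when no ACE matches, and the 0.0.0.0 default mask for standard lists. PORT_NAMES and the helper function names are assumptions made for this example.

```python
# Toy evaluator for Cisco-style numbered IP ACLs (added example, not switch code).
import ipaddress

PORT_NAMES = {"telnet": 23}  # assumption: only the port keyword this page uses

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard bits: 0 = bit must match, 1 = don't care."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) ^ _ip(base)) & care == 0

def _addr_spec(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one 'access-list N ...' line: standard (1-99) or extended (100-199)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:  # standard list: source only; omitted mask means 0.0.0.0
        src = (t[3], t[4] if len(t) > 4 else "0.0.0.0")
        return {"action": action, "proto": "ip", "src": src,
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    proto, rest = t[3], t[4:]
    src, rest = _addr_spec(rest)
    dst, rest = _addr_spec(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

ACL_102 = [  # constructed input: the page's access list 102
    "access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet",
    "access-list 102 permit tcp any any",
]
```

Note that a UDP packet is denied by access list 102 even though no ACE mentions UDP: the only permit is for TCP, so UDP falls through to the implicit deny.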

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify
your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named ACL.
Note The name you give to a standard ACL or extended ACL can also be a number in the supported range of
access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP
ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can
delete individual entries from a named list.
Consider these guidelines and limitations before configuring named ACLs:
A standard ACL and an extended ACL cannot have the same name.
Numbered ACLs are also available, as described in the Creating Standard and Extended IP ACLs
section on page 25-7.