2-627
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands set security acl ip
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask. The destination mask is required. Use a 32-bit quantity in a four-part dotted-decimal format.
Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
The log keyword is an option of deny only. If you want to change an existing VACL configuration to
deny with log, you must first clear the VACL and then set it again.
The log keyword is supported on systems configured with Supervisor Engine 2 with Layer 3 Switching
Engine II (PFC2) only.
Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.
Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.
Valid protocol keywords include icmp (1), ip, ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88),
gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP number is displayed
in parentheses. Use the keyword ip to match any Internet Protocol.
ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.
Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.
If the operator is positioned after the source and source-wildcard, it must match the source port. If the
operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen,
daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp,
pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.
UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.
The number listed with the protocol type is the layer protocol number (for example, udp | 17).
If no layer protocol number is entered, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index | modify editbuffer_index]
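The usage notes above impose several rules that are easy to get wrong when VACL entries are generated or reviewed in bulk: any and host X are shorthand for explicit address/wildcard pairs, the destination mask is required, range takes two ports while the other operators take one, TCP and UDP port names are valid only for their own protocol, and log is an option of deny only. The following Python checker is an added example, not code from the Cisco command reference; it normalizes an entry and rejects ones that break those rules. It assumes (the page only prints the no-protocol form) that an entry is laid out as protocol keyword, source spec, optional port operator, destination spec, optional port operator, optional log, and that eq, neq, gt and lt are the one-port operators; precedence and tos are not handled and are reported as unexpected tokens.

```python
"""Added example: normalize and sanity-check `set security acl ip` VACL entries.

Assumptions (not taken from the command reference): entry layout is
  set security acl ip <name> <permit|deny> [protocol] <src> [op port..] [<dst> [op port..]] [log]
and the one-port operators are eq, neq, gt and lt. precedence/tos are not handled.
"""
import re
from typing import Optional, Tuple

PROTOCOLS = {"icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17, "igrp": 9, "eigrp": 88,
             "gre": 47, "nos": 94, "ospf": 89, "ahp": 51, "esp": 50, "pcp": 108,
             "pim": 103, "ip": None}
TCP_PORTS = {"bgp", "chargen", "daytime", "discard", "domain", "echo", "finger", "ftp",
             "ftp-data", "gopher", "hostname", "irc", "klogin", "kshell", "lpd", "nntp",
             "pop2", "pop3", "smtp", "sunrpc", "syslog", "tacacs-ds", "talk", "telnet",
             "time", "uucp", "whois", "www"}
UDP_PORTS = {"biff", "bootpc", "bootps", "discard", "dns", "dnsix", "echo", "mobile-ip",
             "nameserver", "netbios-dgm", "netbios-ns", "ntp", "rip", "snmp", "snmptrap",
             "sunrpc", "syslog", "tacacs-ds", "talk", "tftp", "time", "who", "xdmcp"}
ONE_PORT_OPS = {"eq", "neq", "gt", "lt"}          # assumption, see module docstring
PORT_OPS = ONE_PORT_OPS | {"range"}
IPV4 = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

Addr = Tuple[str, str]                            # (address, wildcard)
PortSpec = Optional[Tuple[str, Tuple[str, ...]]]  # (operator, ports)


def check_ipv4(s: str) -> str:
    """Accept only a 32-bit quantity in four-part dotted-decimal format."""
    if not IPV4.match(s) or any(int(o) > 255 for o in s.split(".")):
        raise ValueError(f"bad dotted-decimal quantity: {s!r}")
    return s


def expand_addr(tokens, i) -> Tuple[Addr, int]:
    """Expand `any` / `host X` / `X WILDCARD` at tokens[i] into an explicit pair."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"address {tokens[i]!r} needs a wildcard mask (the mask is required)")
    if tokens[i] == "host":
        return (check_ipv4(tokens[i + 1]), "0.0.0.0"), i + 2
    return (check_ipv4(tokens[i]), check_ipv4(tokens[i + 1])), i + 2


def parse_ports(tokens, i, proto) -> Tuple[PortSpec, int]:
    """Consume an optional port operator at tokens[i]; `range` needs two ports, others one."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    n = 2 if op == "range" else 1
    ports = tuple(tokens[i + 1:i + 1 + n])
    if len(ports) != n:
        raise ValueError(f"operator {op} requires {n} port number(s)")
    names = {"tcp": TCP_PORTS, "udp": UDP_PORTS}.get(proto, set())
    for p in ports:                               # port names only with their own protocol
        if not p.isdigit() and p not in names:
            raise ValueError(f"port name {p!r} cannot be used when filtering {proto}")
    return (op, ports), i + 1 + n


def parse_vacl_entry(line: str) -> dict:
    """Return the normalized entry, or raise ValueError naming the violated rule."""
    tokens = line.split()
    if tokens[:4] != ["set", "security", "acl", "ip"] or len(tokens) < 7:
        raise ValueError("not a set security acl ip entry")
    name, action = tokens[4], tokens[5]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    i, proto = 6, "ip"
    if tokens[i] in PROTOCOLS:
        proto, i = tokens[i], i + 1
    src, i = expand_addr(tokens, i)
    src_ports, i = parse_ports(tokens, i, proto)
    dst, dst_ports = None, None
    if i < len(tokens) and tokens[i] != "log":
        dst, i = expand_addr(tokens, i)
        dst_ports, i = parse_ports(tokens, i, proto)
    log = False
    if i < len(tokens) and tokens[i] == "log":
        if action != "deny":
            raise ValueError("log is an option of deny only")
        log, i = True, i + 1
    if i != len(tokens):
        raise ValueError(f"unexpected tokens: {tokens[i:]}")
    return {"name": name, "action": action, "protocol": proto, "ip_number": PROTOCOLS[proto],
            "src": src, "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports, "log": log}


def entry_is_valid(line: str) -> bool:
    """Convenience wrapper: True if the entry passes every check above."""
    try:
        parse_vacl_entry(line)
        return True
    except ValueError:
        return False
```

The normalized dictionary is what you would diff against an intended policy: two entries written as `any` and as `0.0.0.0 255.255.255.255` compare equal after expansion, and an entry that quietly uses a TCP port name under udp, or log on a permit, is rejected before it is ever pasted into a switch.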