2-631
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set security acl ipx
If you use the capture keyword, the ports that capture the traffic and transmit it out are specified by
entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore
character (_), and the period character (.)
Must start with an alpha character and must be unique across all ACLs of all types
Case sensitive
Cannot be a number
Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
Valid protocol keywords include ncp (17), netbios (20), rip (1), sap (4), and spx (5).
The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network
cable segments. When you specify the src_net or dest_net, use the following guidelines:
It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all
networks.
You do not need to specify leading zeros in the network number. For example, for the network
number 000000AA, you can enter AA.
The dest_node is a 48-bit value represented by a dotted triplet of 4-digit hexadecimal numbers
(xxxx.xxxx.xxxx).
The dest_net_mask. is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask.
The mask must be immediately followed by a period, which must in turn be immediately followed by
the destination-node-mask. You can enter this value only when dest_node is specified.
The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers
(xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when
dest_node is specified.
The dest_net_mask. is an eight-digit hexadecimal number that uniquely identifies the network cable
segment. It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all
networks. You do not need to specify leading zeros in the network number. For example, for the network
number 000000AA, you can enter AA. Following are dest_net_mask. examples:
123A
123A.1.2.3
123A.1.2.3 ffff.ffff.ffff
1.2.3.4 ffff.ffff.ffff.ffff
Use the show security acl command to display the list.
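As an added illustration of the destination syntax and mask semantics described above (example code written for this page, not Cisco code from the reference), the following Python parses the dest_net[.dest_node] [dest_net_mask.dest_node_mask] form and checks a packet's destination against it. It assumes node groups may drop leading zeros, as the page's own examples do, and that a one bit in a mask means "ignore this bit".

```python
import re

HEX = r"[0-9A-Fa-f]"


def parse_hex(text, max_digits, what):
    """Hex field of 1..max_digits digits; leading zeros are optional."""
    if not re.fullmatch(HEX + "{1,%d}" % max_digits, text):
        raise ValueError("bad %s: %r" % (what, text))
    return int(text, 16)


def parse_net(text):
    """IPX network number (up to 8 hex digits); -1 or any matches every network."""
    if text in ("-1", "any"):
        return None  # wildcard network
    return parse_hex(text, 8, "IPX network")


def parse_node(text):
    """48-bit node as a dotted triplet (xxxx.xxxx.xxxx); 1-4 digit groups accepted (assumption)."""
    groups = text.split(".")
    if len(groups) != 3:
        raise ValueError("bad IPX node: %r" % text)
    return int("".join("%04x" % parse_hex(g, 4, "node group") for g in groups), 16)


def parse_dest(spec):
    """Parse 'dest_net[.dest_node] [dest_net_mask.dest_node_mask]' into integer fields.
    Masks default to 0 (exact match); a mask is only legal when dest_node is given."""
    parts = spec.split()
    if len(parts) not in (1, 2):
        raise ValueError("expected 'dest [mask]'")
    net, _, node = parts[0].partition(".")
    dest = {"net": parse_net(net), "node": parse_node(node) if node else None,
            "net_mask": 0, "node_mask": 0}
    if len(parts) == 2:
        if dest["node"] is None:
            raise ValueError("mask allowed only when dest_node is specified")
        net_mask, _, node_mask = parts[1].partition(".")
        dest["net_mask"] = parse_hex(net_mask, 8, "network mask")
        dest["node_mask"] = parse_node(node_mask)
    return dest


def matches(dest, pkt_net, pkt_node):
    """True when the packet destination falls under the ACE; masked (one) bits are ignored."""
    if dest["net"] is not None and (dest["net"] ^ pkt_net) & ~dest["net_mask"] & 0xFFFFFFFF:
        return False
    if dest["node"] is not None and (dest["node"] ^ pkt_node) & ~dest["node_mask"] & 0xFFFFFFFFFFFF:
        return False
    return True
```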
Examples
This example shows how to block traffic from a specified source IPX address:
Console> (enable) set security acl ipx IPXACL1 deny 1.a
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to deny traffic from hosts in a specific subnet (10.1.2.0/8):
Console> (enable) set security acl ipx SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)