Step 1

Command: configure terminal
Example: Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2

Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example: Switch(config)# access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log
Purpose: Defines an extended IPv4 access list and the access conditions.

The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.

Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched.

For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.

Note: This step includes options for most IP protocols. For additional parameters specific to TCP, UDP, ICMP, and IGMP, see the following steps.

The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.

Source, source-wildcard, destination, and destination-wildcard can be specified as:
- The 32-bit quantity in dotted-decimal format.
- The keyword any for 0.0.0.0 255.255.255.255 (any host).
- The keyword host for a single host (a wildcard of 0.0.0.0).

The other keywords are optional and have these meanings:
- precedence: Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
- fragments: Enter to check non-initial fragments.
- tos: Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
- time-range: Specify the time-range name.
- dscp: Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.

Note: If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.
Step 3

Command: access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] [flag]
Example: Switch(config)# access-list 101 permit tcp any any eq 500
Purpose: Defines an extended TCP access list and the access conditions.

The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:

(Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).

Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering TCP.

The other optional keywords have these meanings:
- established: Enter to match an established connection. This has the same function as matching on the ack or rst flag.
- flag: Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
Step 4

Command: access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example: Switch(config)# access-list 101 permit udp any any eq 100
Purpose: (Optional) Defines an extended UDP access list and the access conditions.

The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established keywords are not valid for UDP.
Step 5

Command: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example: Switch(config)# access-list 101 permit icmp any any 200
Purpose: Defines an extended ICMP access list and the access conditions.

The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
- icmp-type: Enter to filter by ICMP message type, a number from 0 to 255.
- icmp-code: Enter to filter ICMP packets by the ICMP message code, a number from 0 to 255.
- icmp-message: Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name.
Step 6

Command: access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example: Switch(config)# access-list 101 permit igmp any any 14
Purpose: (Optional) Defines an extended IGMP access list and the access conditions.

The IGMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with this optional parameter:
- igmp-type: To match the IGMP message type, enter a number from 0 to 15, or enter the message name: dvmrp, host-query, host-report, pim, or trace.
Step 7

Command: end
Purpose: Returns to privileged EXEC mode.
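As an added example (not part of the Cisco documentation above), a small Python lint that checks numbered extended ACL statements against the constraints stated in Steps 2 through 6 before they are pasted into a switch: the access-list number range, the permit/deny keyword, the protocol names, the dscp versus tos/precedence exclusion, and the restriction of port operators to tcp/udp and of established and TCP flags to tcp. The sample ACL lines are constructed from the table's own examples plus three deliberately bad lines; the function names are assumptions of this example.

```python
# Added example: pre-deployment lint for numbered extended ACL statements. It
# encodes only the rules stated in Steps 2-6 above; it is not an IOS parser.
PROTO_NAMES = {"ahp", "eigrp", "esp", "gre", "icmp", "igmp", "igrp", "ip",
               "ipinip", "nos", "ospf", "pcp", "pim", "tcp", "udp"}
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}


def lint_extended_acl(line):
    """Return the list of rule violations in one access-list statement."""
    problems, tokens = [], line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return ["not an access-list statement"]
    number = int(tokens[1]) if tokens[1].isdigit() else -1
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        problems.append("number %s is not in 100-199 or 2000-2699" % tokens[1])
    if tokens[2] not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    proto = tokens[3]
    if proto not in PROTO_NAMES and not (proto.isdigit() and int(proto) <= 255):
        problems.append("unknown protocol %r" % proto)
    rest = set(tokens[4:])  # keywords after the protocol
    if "dscp" in rest and rest & {"tos", "precedence"}:
        problems.append("dscp cannot be combined with tos or precedence")
    if proto != "tcp" and (rest & TCP_FLAGS or "established" in rest):
        problems.append("established and TCP flags are only valid for tcp")
    if proto not in ("tcp", "udp") and rest & PORT_OPERATORS:
        problems.append("port operators are only valid for tcp or udp")
    return problems


def lint_config(text):
    """Map each offending statement to its problems; clean lines are omitted."""
    results = {line: lint_extended_acl(line) for line in text.splitlines()}
    return {line: p for line, p in results.items() if p}


# Constructed sample: the table's own examples plus three deliberately bad lines.
SAMPLE_ACL = """\
access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log
access-list 101 permit tcp any any eq 500
access-list 101 permit udp any any eq 100
access-list 101 permit icmp any any 200
access-list 101 permit igmp any any 14
access-list 101 permit udp any any eq 53 established
access-list 101 permit ip any any dscp 46 tos 0
access-list 99 permit tcp any any
"""
```

Running lint_config(SAMPLE_ACL) reports only the last three statements; the five lines taken from the table pass clean.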