Step 1

enable

Enables privileged EXEC mode.

Step 2

configure terminal

Device# configure terminal

Enters global configuration mode.
Step 3

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]

Device(config)# access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log

Defines an extended IPv4 access list and the access conditions.

The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.

Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched.

For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.

Note
This step includes options for most IP protocols. For additional specific parameters for TCP, UDP, ICMP, and IGMP, see the following steps.

The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.

Source, source-wildcard, destination, and destination-wildcard can be specified as:
- The 32-bit quantity in dotted-decimal format.
- The keyword any for 0.0.0.0 255.255.255.255 (any host).
- The keyword host for a single host (a wildcard of 0.0.0.0).

The other keywords are optional and have these meanings:
- precedence—Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
- fragments—Enter to check non-initial fragments.
- tos—Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
- time-range—Specify the time-range name.
- dscp—Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.

Note
If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.
Step 4

access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] [flag]

Device(config)# access-list 101 permit tcp any any eq 500

Defines an extended TCP access list and the access conditions.

The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:

(Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).

Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering TCP.

The other optional keywords have these meanings:
- flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
Step 5

access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]

Device(config)# access-list 101 permit udp any any eq 100

(Optional) Defines an extended UDP access list and the access conditions.

The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a UDP port number or name, and the flag keyword is not valid for UDP.
Step 6

access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]

Device(config)# access-list 101 permit icmp any any 200

Defines an extended ICMP access list and the access conditions.

The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
- icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
- icmp-code—Enter, after an icmp-type, to filter packets of that message type further by ICMP message code, a number from 0 to 255.
- icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name.
Step 7

access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]

Device(config)# access-list 101 permit igmp any any 14

(Optional) Defines an extended IGMP access list and the access conditions.

The IGMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with this optional parameter:
- igmp-type—To match the IGMP message type, enter a number from 0 to 15, or enter the message name: dvmrp, host-query, host-report, pim, or trace.
Step 8

end

Returns to privileged EXEC mode.
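The steps above give the syntax of extended access-list entries but do not show how the fields are evaluated against traffic. The following is an added example, not Cisco code and not part of this guide: a small Python model of the matching rules the steps describe (wildcard bits, the any and host keywords, the TCP/UDP port operators eq, gt, lt, neq and range, and first-match evaluation ending in the implicit deny). The ACL lines, the Packet class and the protocol-number table are constructed for the example; the precedence, tos, dscp, fragments, time-range, flag and log qualifiers are accepted by the parser but not modeled, and ports must be given as numbers rather than names.

```python
"""Added example (not Cisco code): a model of how the extended IPv4 ACL entries
described above match packets. The precedence/tos/dscp/fragments/time-range/
flag/log qualifiers are accepted by the parser but are not modeled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# IP protocol numbers for some of the keyword names the command accepts.
PROTOCOL_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17,
                    "gre": 47, "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103}
# Port operators: eq, gt, lt, neq take one port; range takes two (inclusive).
PORT_OPS = {"eq": lambda x, p: x == p[0], "gt": lambda x, p: x > p[0],
            "lt": lambda x, p: x < p[0], "neq": lambda x, p: x != p[0],
            "range": lambda x, p: p[0] <= x <= p[1]}
PortSpec = Optional[Tuple[str, Tuple[int, ...]]]

@dataclass
class Ace:                       # one access-list entry
    number: int
    action: str                  # "permit" or "deny"
    protocol: Union[str, int]    # keyword name, or a number 0-255
    src: Tuple[int, int]         # (address, wildcard)
    src_port: PortSpec
    dst: Tuple[int, int]
    dst_port: PortSpec

@dataclass
class Packet:                    # constructed packet summary used for evaluation
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0

def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_address(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((addr, wildcard), next)."""
    if tokens[i] == "any":       # any == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":      # host X == X 0.0.0.0
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2

def parse_port_op(tokens, i):
    """Consume an optional [operator port]; 'range' takes two ports."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 2 if tokens[i] == "range" else 1
        ports = tuple(int(p) for p in tokens[i + 1:i + 1 + n])
        if len(ports) != n or not all(0 <= p <= 65535 for p in ports):
            raise ValueError("port numbers must be 0-65535")
        return (tokens[i], ports), i + 1 + n
    return None, i

def parse_ace(line: str) -> Ace:
    tokens = line.split()
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if tokens[0] != "access-list" or action not in ("permit", "deny"):
        raise ValueError("expected: access-list <number> {deny | permit} ...")
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("extended ACL numbers are 100-199 or 2000-2699")
    protocol: Union[str, int] = int(proto) if proto.isdigit() else proto
    if isinstance(protocol, int) and not 0 <= protocol <= 255:
        raise ValueError("protocol number must be 0-255")
    has_ports = protocol in ("tcp", "udp", 6, 17)   # only TCP/UDP take port operators
    src, i = parse_address(tokens, 4)
    src_port, i = parse_port_op(tokens, i) if has_ports else (None, i)
    dst, i = parse_address(tokens, i)
    dst_port, i = parse_port_op(tokens, i) if has_ports else (None, i)
    # tokens[i:] would carry precedence/tos/dscp/fragments/time-range/flag/log.
    return Ace(number, action, protocol, src, src_port, dst, dst_port)

def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard must equal the base; a 1 bit is 'don't care'."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def port_match(port: int, spec: PortSpec) -> bool:
    return spec is None or PORT_OPS[spec[0]](port, spec[1])

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol not in (pkt.protocol, PROTOCOL_NUMBERS.get(pkt.protocol)):
        return False             # the keyword ip matches any IP protocol
    return (wildcard_match(ip_int(pkt.src), *ace.src)
            and wildcard_match(ip_int(pkt.dst), *ace.dst)
            and port_match(pkt.src_port, ace.src_port)
            and port_match(pkt.dst_port, ace.dst_port))

def evaluate(acl_lines, pkt: Packet) -> str:
    """The first matching entry decides; an ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed sample ACL; the first three lines are the ones shown in the steps above.
ACL_101 = [
    "access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log",
    "access-list 101 permit tcp any any eq 500",
    "access-list 101 permit udp any any eq 100",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any range 20 21",
    "access-list 101 permit tcp any eq 443 192.168.1.0 0.0.0.255",  # operator after source: source port
]
```

Calling evaluate(ACL_101, Packet("tcp", "192.168.1.7", "10.0.0.1", 40000, 21)) returns "deny" from the fourth entry, while a TCP packet from port 443 to 192.168.1.7 is permitted by the last entry because its operator sits after the source address and therefore tests the source port; a packet matched by no entry falls through to the implicit deny.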