Cisco 3845 - Security Bundle Router Software Manual page 459

Chapter 26 Configuring Network Security with ACLs
•
•
Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command
Step 1 configure terminal
Step 2a access-list access-list-number
{deny | permit} protocol
source source-wildcard
destination destination-wildcard
[precedence precedence] [tos tos]
[fragments] [log] [log-input]
[time-range time-range-name]
[dscp dscp]
Note If you enter a dscp value,
you cannot enter tos or
precedence. You can enter
both a tos and a
precedence value with no
dscp.
OL-23400-01
For source and destination address, the supported entries are ip-address, any, or host.
See the "Using ACLs to Classify Traffic" section on page
Purpose
Enter global configuration mode.
Define an extended IPv4 access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched.
For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre,
icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in
the range 0 to 255 representing an IP protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP) use the keyword ip.
Note
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified
as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
precedence—Enter to match packets with a precedence level specified as a
•
number from 0 to 7 or by name: routine (0), priority (1), immediate (2),
flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from 0
to 15 or a name: normal (0), max-reliability (2), max-throughput (4),
min-delay (8).
log—Enter to create an informational logging message to be sent to the
•
console about the packet that matches the entry or log-input to include the
input interface in the log entry.
time-range—For an explanation of this keyword, see the
•
Ranges with ACLs" section on page
dscp—Enter to match packets with the DSCP value specified by a number
•
from 0 to 63, or use the question mark (?) to see a list of available values.
This step includes options for most IP protocols. For additional specific
parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e.
Cisco ME 3800X and 3600X Switch Software Configuration Guide
Configuring IPv4 ACLs
27-28.
"Using Time
26-16.
26-11