Cisco Catalyst 6500 Series Configuration Manual page 194

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Adding an Extended Access Control List
To add an extended ACL and apply it to an interface, follow these steps:
Step 1 Add one or more ACEs of the following types using the same ACL name. When you enter the access-list command for a given ACL name, the ACE is added to the end of the ACL.
Tip
Enter the acl_name in upper case letters so the name is easy to see in the configuration. You might want to name the ACL for the interface (for example, INSIDE), or for the purpose (for example, NO_NAT or VPN).
Note
You specify a network mask in the access-list command (for example, 255.255.255.0 for a class C mask). This method is different from the Cisco IOS software access-list command, which uses wildcard bits (for example, 0.0.0.255).
Add an ACE for a specific protocol by entering the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} protocol source_address mask dest_address mask
This type of ACE lets you specify any protocol for the source and destination addresses, but not ports. Typically, you identify ip for the protocol, but other protocols are accepted.
Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
For a list of protocol names, see the "Protocols and Applications" section on page D-5.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section on page 10-26.
See the following examples:
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the FWSM:
FWSM/contexta(config)# access-list ACL_IN extended permit ip any any
The following sample ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted:
FWSM/contexta(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
FWSM/contexta(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.
FWSM/contexta(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
Add an ACE for TCP or UDP ports by entering the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} {tcp | udp} source_address mask [operator port] dest_address mask [operator port]
Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
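The ordering, implicit-deny and network-mask semantics described above, as an added Python example that is not part of the Cisco guide: it parses the ACL_IN lines shown on this page (extended ACEs without port operators or logging keywords) and evaluates sample flows against them. The wildcard_to_mask helper is an assumption of this example, a convenience for converting IOS-style wildcard bits to the mask form the FWSM expects, not a device command.

```python
import ipaddress

# The two-line ACL_IN from this page, in the order the ACEs were entered
# (each access-list command appends to the end of the named ACL).
ACL_IN = [
    "access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
    "access-list ACL_IN extended permit ip any any",
]

def wildcard_to_mask(wildcard):
    """Convert IOS wildcard bits (0.0.0.255) to the FWSM network mask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))

def _take_addr(tok):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME [extended] {deny|permit} PROTO SRC DST' (no port operators)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an access-list command: " + line)
    tok = tok[2:]                      # drop 'access-list' and the ACL name
    if tok[0] == "extended":
        tok = tok[1:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    dst, tok = _take_addr(tok)
    if tok:
        raise ValueError("unsupported trailing tokens: " + " ".join(tok))
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First matching ACE decides; protocol 'ip' in an ACE matches any protocol.
    If nothing matches, the FWSM's implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return "deny"

if __name__ == "__main__":
    print(evaluate(ACL_IN, "tcp", "192.168.1.10", "209.165.201.5"))  # deny (first ACE matches)
    print(evaluate(ACL_IN, "udp", "192.168.1.10", "209.165.201.5"))  # permit: the deny ACE is tcp only
    print(wildcard_to_mask("0.0.0.255"))                             # 255.255.255.0
```

Note that the sample deny ACE names tcp, so a UDP flow between the same networks falls through to the permit ip any any ACE; a deny written with protocol ip would block both.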
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists, page 10-14
