Adding A Standard Access Control List - Cisco Catalyst 6500 Series Configuration Manual

Chapter 10
Controlling Network Access with Access Control Lists


FWSM/contexta(config)# access-list acl_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, "Assigned Numbers," at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes.
When you enter the access-list command for a given ACL name, the ACE is added to the end of the ACL.
Tip: Enter the acl_name in upper case letters so the name is easy to see in the configuration. You might want to name the ACL for the interface (for example, INSIDE), or for the purpose (for example, MPLS or IPX).
Step 2
To apply an EtherType ACL to the inbound or outbound direction of an interface, enter the following command:
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_name
You can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access Control Lists" section on page 10-10 for more information about ACL directions.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic
to pass in both directions.
For example, the following sample ACL allows common EtherTypes originating on the inside interface:
FWSM/contexta(config)# access-list ETHER ethertype permit ipx
FWSM/contexta(config)# access-list ETHER ethertype permit bpdu
FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast
FWSM/contexta(config)# access-group ETHER in interface inside
The following ACL allows some EtherTypes through the FWSM, but denies IPX:
FWSM/contexta(config)# access-list ETHER ethertype deny ipx
FWSM/contexta(config)# access-list ETHER ethertype permit 0x1234
FWSM/contexta(config)# access-list ETHER ethertype permit bpdu
FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast
FWSM/contexta(config)# access-group ETHER in interface inside
FWSM/contexta(config)# access-group ETHER in interface outside
The following ACL, named nonIP, denies traffic with EtherType 0x1256 but allows all others on both interfaces (the hex EtherType is entered with its 0x prefix, and the access-group commands apply the ACL that was just defined):
FWSM/contexta(config)# access-list nonIP ethertype deny 0x1256
FWSM/contexta(config)# access-list nonIP ethertype permit any
FWSM/contexta(config)# access-group nonIP in interface inside
FWSM/contexta(config)# access-group nonIP in interface outside
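The examples above show the rules this section states: ACEs are appended in the order entered, one EtherType ACL binds to each interface and direction, a hex EtherType must be at least 0x600, and the ACL must be applied on every interface the traffic crosses. The following simulator is an added example written for this page, not code from Cisco or the FWSM; it parses these access-list and access-group lines and evaluates frames against them. It assumes first-match evaluation and an implicit deny at the end of the ACL (the page does not state the implicit deny explicitly), and it returns None when no EtherType ACL is bound to an interface and direction, leaving the platform default for that case out of scope.

```python
"""Simulate FWSM EtherType ACL evaluation: ordered ACEs, first match wins (added example)."""
import re

MIN_HEX_ETHERTYPE = 0x600   # the manual: hex_number must be >= 0x600 (RFC 1700 EtherTypes)
KEYWORDS = {"ipx", "bpdu", "mpls-unicast", "mpls-multicast", "any"}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+ethertype\s+(permit|deny)\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")   # strips a leading "FWSM/contexta(config)# "


def parse_ethertype(token):
    """Return a keyword or an int, enforcing the >= 0x600 rule for hex EtherTypes."""
    t = token.lower()
    if t in KEYWORDS:
        return t
    if not t.startswith("0x"):
        raise ValueError(f"EtherType {token!r} must be a keyword or 0x-prefixed hex")
    value = int(t, 16)
    if not MIN_HEX_ETHERTYPE <= value <= 0xFFFF:
        raise ValueError(f"EtherType {token!r} is outside 0x600..0xFFFF")
    return value


class EtherTypeAcls:
    def __init__(self):
        self.acls = {}       # acl_name -> ordered list of (action, ethertype)
        self.bindings = {}   # (interface, direction) -> acl_name

    def configure(self, line):
        line = PROMPT_RE.sub("", line.strip())
        m = ACL_RE.match(line)
        if m:
            name, action, token = m.groups()
            # each new ACE is appended to the end of the named ACL
            self.acls.setdefault(name, []).append((action, parse_ethertype(token)))
            return
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            if name not in self.acls:
                raise ValueError(f"access-group references undefined ACL {name!r}")
            # one EtherType ACL per interface and direction; a later binding replaces it
            self.bindings[(iface, direction)] = name
            return
        raise ValueError(f"unrecognised line: {line!r}")

    def lookup(self, acl_name, ethertype):
        """First matching ACE decides; 'any' matches every EtherType."""
        for action, match in self.acls[acl_name]:
            if match == "any" or match == ethertype:
                return action
        return "deny"   # assumption: implicit deny at the end of the ACL

    def evaluate(self, iface, direction, ethertype):
        """Decision for a frame on iface/direction, or None if no EtherType ACL is bound there."""
        name = self.bindings.get((iface, direction))
        if name is None:
            return None
        if isinstance(ethertype, str):
            ethertype = parse_ethertype(ethertype)
        return self.lookup(name, ethertype)


def build(lines):
    fw = EtherTypeAcls()
    for line in lines:
        fw.configure(line)
    return fw


def config_errors(lines):
    """Return the error message for every line the parser rejects (empty list if all are valid)."""
    fw = EtherTypeAcls()
    errors = []
    for line in lines:
        try:
            fw.configure(line)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


# The manual's second example, copied with its prompts so the prompt-stripping is exercised.
EXAMPLE_ETHER = [
    "FWSM/contexta(config)# access-list ETHER ethertype deny ipx",
    "FWSM/contexta(config)# access-list ETHER ethertype permit 0x1234",
    "FWSM/contexta(config)# access-list ETHER ethertype permit bpdu",
    "FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast",
    "FWSM/contexta(config)# access-group ETHER in interface inside",
    "FWSM/contexta(config)# access-group ETHER in interface outside",
]

if __name__ == "__main__":
    fw = build(EXAMPLE_ETHER)
    for iface, ethertype in [("inside", "ipx"), ("outside", 0x1234), ("inside", "mpls-multicast")]:
        print(iface, "in", ethertype, "->", fw.evaluate(iface, "in", ethertype))
    print(config_errors(["access-list X ethertype permit 0x0100",
                         "access-group MISSING in interface inside"]))
```

Two checks in this simulator are worth carrying into a review of a real configuration: an access-group that names an ACL which was never defined (the parser rejects it), and a hex EtherType below 0x600, which the manual's syntax does not allow. The mpls-multicast frame in the second example is denied only because of the assumed implicit deny, which is the reason to end an EtherType ACL with an explicit permit or deny of any when the intent should be visible in the configuration.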
Adding a Standard Access Control List
Single context mode only
Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for
OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
10-17
OL-6392-01
