Cisco Catalyst 3560-X Software Configuration Manual page 879

Chapter 1 Configuring Network Security with ACLs
Use the no access-list access-list-number global configuration command to delete the entire ACL. You
cannot delete individual ACEs from numbered access lists.
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
Note
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don't care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don't care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines (see the
IPv4 ACL to a Terminal Line" section on page
an Interface" section on page
page
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use extended ACL source and
destination addresses for matching operations and optional protocol type information for finer
granularity of control. When you are creating ACEs in numbered extended access lists, remember that
after you create the ACL, any additions are placed at the end of the list. You cannot reorder the list or
selectively add or remove ACEs from a numbered list.
Some protocols also have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold):
Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp),
Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message
Protocol (icmp), Internet Group Management Protocol (igmp), any Interior Protocol (ip), IP in IP
tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing
(ospf), Payload Compression Protocol (pcp), Protocol-Independent Multicast (pim), Transmission
Control Protocol (tcp), or User Datagram Protocol (udp).
For more details on the specific keywords for each protocol, see these command references:
•
•
•
OL-25303-03
10 deny 171.69.198.102
20 permit any
1-21), or to VLANs (see the
1-32).
Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4
Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4
Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4
1-20), to interfaces (see the
"Configuring VLAN Maps" section on
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Configuring IPv4 ACLs
"Applying an
"Applying an IPv4 ACL to
1-11