Applying an IPv4 OG ACL to an Interface - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 62: Configuring Network Security with ACLs
(Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex)

Configuring Object Group ACLs

Step 3
Command or Action:
  remark remark
Example:
  Switch(config-ext-nacl)# remark my-ogacl-policy is to provide the marketing network access to the server
Purpose:
  (Optional) Adds a comment about the configured access list entry. A remark can precede or follow an access list entry. In this example, the remark reminds the network administrator that the subsequent entry permits the Marketing network access to the server.

Step 4
Command or Action:
  permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Example:
  Switch(config-ext-nacl)# permit object-group my-service-object-group object-group my-network-object-group any
Purpose:
  Permits any packet that matches all conditions specified in the statement. Every access list needs at least one permit statement.
  Optionally use the object-group service-object-group-name keyword and argument as a substitute for protocol.
  Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for source source-wildcard.
  Optionally use the object-group destination-network-object-group-name keyword and argument as a substitute for destination destination-wildcard.
  If source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, which requires all bits of the source or destination address, respectively, to match.
  Optionally use the any keyword as a substitute for source source-wildcard or destination destination-wildcard; it specifies an address and wildcard of 0.0.0.0 255.255.255.255.
  Use the log-input keyword to include the input interface, source MAC address, or virtual circuit in the logging output.
  Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.

Step 5
Command or Action:
  Repeat the steps to specify the fields and values on which you want to base your access list.

Step 6
Command or Action:
  end
Example:
  Switch(config-ext-nacl)# end
Purpose:
  Exits extended access-list configuration mode and returns to privileged EXEC mode.

Applying an IPv4 OG ACL to an Interface

An object group ACL controls traffic on the interface to which it is applied. To apply an object group ACL to an interface, perform the following task:
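The whole procedure in one place, as an added example that is not from the Cisco guide: it defines the two object groups that the Step 4 example refers to (their contents, the server address 10.20.20.10, the marketing addresses, the ports and the interface Vlan10 are all assumptions chosen for illustration), builds the ACL with Steps 3 through 6, applies it to an interface with ip access-group, and then verifies the result. Two deliberate departures from the page's own permit line: the destination is narrowed from any to the single server host, and an explicit deny with log-input is appended so the traffic that would otherwise fall to the implicit deny shows up in hit counters and in the log with its input interface and source MAC.

```cisco
! Added example, not from the Cisco guide. Names, addresses, ports and the
! interface are assumptions for illustration.
Switch# configure terminal
! Network object group: the marketing hosts (entries use a subnet mask, not a wildcard)
Switch(config)# object-group network my-network-object-group
Switch(config-network-group)# description Marketing workstations
Switch(config-network-group)# 10.10.10.0 255.255.255.0
Switch(config-network-group)# host 10.10.11.5
Switch(config-network-group)# exit
! Service object group: the protocol/port combinations the permit entry will match
Switch(config)# object-group service my-service-object-group
Switch(config-service-group)# description Web and DNS to the server
Switch(config-service-group)# tcp eq www
Switch(config-service-group)# tcp eq 443
Switch(config-service-group)# udp eq domain
Switch(config-service-group)# exit
! Steps 3 to 6 of the procedure: the extended named ACL
Switch(config)# ip access-list extended my-ogacl-policy
Switch(config-ext-nacl)# remark my-ogacl-policy is to provide the marketing network access to the server
! object-group substitutes for protocol and for source/source-wildcard;
! the destination is the single server rather than any
Switch(config-ext-nacl)# permit object-group my-service-object-group object-group my-network-object-group host 10.20.20.10
! Explicit final deny: same effect as the implicit deny, but with hit counters
! and a log line carrying the input interface and source MAC
Switch(config-ext-nacl)# deny ip any any log-input
Switch(config-ext-nacl)# exit
! Apply the ACL inbound on the Layer 3 interface that faces the marketing network
Switch(config)# interface Vlan10
Switch(config-if)# ip access-group my-ogacl-policy in
Switch(config-if)# end
! Verify: group contents, the expanded ACL with its hit counters, and the binding
Switch# show object-group
Switch# show ip access-lists my-ogacl-policy
Switch# show running-config interface Vlan10
```

After applying it, generate a permitted and a non-permitted flow and re-run show ip access-lists my-ogacl-policy; the counter on the deny line is the quickest confirmation that the ACL sits on the right interface in the right direction. Keep the logged deny for troubleshooting rather than as a permanent setting on a busy interface: ACL logging is handled in software on most Catalyst platforms, so it is rate-limited and costs CPU.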
