Creating A Numbered Extended Acl - Cisco Catalyst 2950 Software Configuration Manual

Configuring ACLs

Creating a Numbered Extended ACL

Although standard ACLs use only source addresses for matching, you can use an extended ACL source
and destination addresses for matching operations and optional protocol type information for finer
granularity of control. Some protocols also have specific parameters and keywords that apply to that
protocol.
These IP protocols are supported on physical interfaces (protocol keywords are in parentheses in bold):
Internet Protocol (ip), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
•
•
Table 28-3
Table 28-3
Filtering Parameter
Layer 3 Parameters:
Layer 4 Parameters
1. X in a protocol column means support for the filtering parameter.
2. No support for type of service (ToS) minimize monetary cost bit.
For more details about the specific keywords relative to each protocol, see the Cisco IP and IP Routing
Command Reference, Cisco IOS Release 12.1.
The switch does not support dynamic or reflexive access lists. It also does not support filtering based on
Note
the minimize-monetary-cost type of service (ToS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any
additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs
from a numbered list.
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
28-10
TCP
UDP
lists the possible filtering parameters for ACEs for each protocol type.
Filtering Parameter ACEs Supported by Different IP Protocols
1
IP type of service (ToS) byte
Differentiated Services Code Point (DSCP)
IP source address
IP destination address
Fragments
TCP or UDP
Source port operator
Source port
Destination port operator
Destination port
TCP flag
Chapter 28
TCP
2
–
X
X
X
–
X
X
X
X
X
–
Configuring Network Security with ACLs
UDP
–
X
X
X
–
X
X
X
X
X
–
78-11380-12