Cisco Catalyst 2950 Software Configuration Manual page 512

Chapter 28 Configuring Network Security with ACLs
Configuring ACLs

Step 2 (continued)

  Command:
    access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [dscp dscp-value] [time-range time-range-name]

  Purpose:
    Source, source-wildcard, destination, and destination-wildcard can be specified in three ways:
    • The 32-bit quantity in dotted-decimal format.
    • The keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255, that is, any source host.
    • The keyword host, followed by the 32-bit quantity in dotted-decimal format, as an abbreviation for a single host, that is, a source with a source-wildcard of 0.0.0.0.

    dscp—Enter to match packets with any of the 13 supported DSCP values (0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56), or use the question mark (?) to see a list of available values.

    The time-range keyword is optional. For an explanation of this keyword, see the "Applying Time Ranges to ACLs" section on page 28-14.

Step 3

  Command:
    show access-lists [number | name]

  Purpose:
    Verify the access list configuration.

Step 4

  Command:
    copy running-config startup-config

  Purpose:
    (Optional) Save your entries in the configuration file.

Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.

This example shows how to create and display an extended access list that denies Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permits all other TCP traffic. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.) Because the second ACE matches only TCP, any non-TCP traffic, such as UDP or ICMP, reaches the end of the list and is dropped by the implicit deny described in the note below.

Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
    deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
    permit tcp any any

After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL. Because the switch applies the first ACE that matches a packet, an ACE appended after an existing deny cannot override that deny for the packets it already matches.

Note: When creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if the access list does not find a match before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.

After creating an ACL, you must apply it to a line or interface, as described in the "Applying ACLs to Terminal Lines or Physical Interfaces" section on page 28-18.

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-12, page 28-12
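The matching rules this page describes (wildcard masks, the any and host abbreviations, first-match evaluation in configured order, and the implicit deny at the end of the list) can be checked with a small model. The following Python is an added example written for this page; it is not Cisco software and does not come from the configuration guide. The packets it evaluates are constructed, and the third ACE in ACL_102_APPENDED (permit tcp host 171.69.198.7 any) is a hypothetical addition used to show that an ACE appended after an existing deny cannot override it.

```python
"""Model of how a numbered extended IP ACL is evaluated on a Catalyst 2950.

Added example, not Cisco code.  A wildcard mask bit of 0 means the address
bit must match; a bit of 1 means it is ignored.  'any' is 0.0.0.0
255.255.255.255, 'host X' is X 0.0.0.0.  The first matching ACE decides,
and a packet that matches nothing hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp", "icmp"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None  # only the 'eq' operator is modelled


def _addr_spec(tokens: list) -> tuple:
    """Consume one address spec; return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":                     # shorthand for 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":                    # single host, wildcard 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <num> {permit|deny} <proto> <src> <dst> [eq port]' line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, protocol = tokens[2], tokens[3]
    src, src_wild, rest = _addr_spec(tokens[4:])
    dst, dst_wild, rest = _addr_spec(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, protocol, src, src_wild, dst, dst_wild, port)


def _wild_match(addr: int, pattern: int, wildcard: int) -> bool:
    """Only the bits where the wildcard is 0 have to agree."""
    return ((addr ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0


def matches(ace: Ace, pkt: dict) -> bool:
    """True if the packet satisfies every field of the ACE."""
    if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
        return False
    if not _wild_match(pkt["src"], ace.src, ace.src_wild):
        return False
    if not _wild_match(pkt["dst"], ace.dst, ace.dst_wild):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.get("dport")


def evaluate(acl: list, pkt: dict) -> str:
    """First-match evaluation; no match falls through to the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"   # implicit deny at the end of every access list


def packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> dict:
    """Build a constructed sample packet (not captured traffic)."""
    return {"proto": proto, "src": int(ipaddress.IPv4Address(src)),
            "dst": int(ipaddress.IPv4Address(dst)), "dport": dport}


# The two ACEs from the page, in configured order.
ACL_LINES = (
    "access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet",
    "access-list 102 permit tcp any any",
)
ACL_102 = [parse_ace(line) for line in ACL_LINES]

# Hypothetical third ACE appended later from the terminal: it lands at the
# end of the list, after the deny, so it cannot rescue Telnet from that host.
ACL_102_APPENDED = ACL_102 + [parse_ace("access-list 102 permit tcp host 171.69.198.7 any")]


def demo() -> dict:
    """Evaluate constructed packets against both lists and return the verdicts."""
    telnet = packet("tcp", "171.69.198.7", "172.20.52.9", 23)
    ssh = packet("tcp", "171.69.198.7", "172.20.52.9", 22)
    dns = packet("udp", "10.1.1.1", "172.20.52.9", 53)
    return {
        "telnet_from_171_69_198": evaluate(ACL_102, telnet),      # explicit deny
        "ssh_from_171_69_198": evaluate(ACL_102, ssh),            # permit tcp any any
        "udp_dns": evaluate(ACL_102, dns),                        # implicit deny: only TCP is permitted
        "telnet_after_append": evaluate(ACL_102_APPENDED, telnet),  # still denied, first match wins
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The udp_dns case is the one the page's wording ("permit any others") can hide: permit tcp any any matches only TCP, so UDP and ICMP are silently dropped by the implicit deny. The telnet_after_append case shows why the page warns that additions go to the end of a numbered list; the only way to change the order on this platform is to delete the whole ACL and re-enter it.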
