Configuration Examples for ACL Support for Filtering IP Options - Cisco Catalyst 2960 Series Configuration Manual

Consolidated Platform Configuration Guide, IOS Release 15.2(4)E

Command or Action
Example:
Device# show ip access-lists kmd1
Configuration Examples for ACL Support for Filtering IP Options
Example: Filtering Packets That Contain IP Options

The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:

ip access-list extended mylist2
 10 permit ip any any option eool
 20 permit ip any any option record-route
 30 permit ip any any option zsu
 40 permit ip any any option mtup

The show access-list command has been entered to show how many packets were matched and therefore permitted:

Device# show ip access-list mylist2
Extended IP access list test
    10 permit ip any any option eool (1 match)
    20 permit ip any any option record-route (1 match)
    30 permit ip any any option zsu (1 match)
    40 permit ip any any option mtup (1 match)
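
An added example, not part of the Cisco guide: a Python model of how mylist2 is evaluated, walking the options area of an IPv4 header and returning the sequence number of the first ACE whose option is present. It assumes an ACE matches when the packet carries the named option anywhere in its option list; the function names and sample headers are constructed for illustration, and the option type numbers (0, 7, 10, 11) are the IANA-assigned values.

```python
import struct

# IANA IPv4 option type values for the keywords used in mylist2.
OPTION_TYPES = {"eool": 0, "record-route": 7, "zsu": 10, "mtup": 11}
# (sequence number, option keyword) for each ACE in mylist2, in order.
MYLIST2 = [(10, "eool"), (20, "record-route"), (30, "zsu"), (40, "mtup")]

def ip_option_types(header: bytes) -> list:
    """Return the option type bytes present in a raw IPv4 header, in order."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    opts, found, i = header[20:ihl], [], 0
    while i < len(opts):
        otype = opts[i]
        found.append(otype)
        if otype == 0:            # EOOL: single byte, ends the option list
            break
        if otype == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]          # skip type, length and data of this option
    return found

def first_match(header: bytes):
    """Sequence number of the first mylist2 ACE the packet matches, else None
    (None stands for the implicit deny at the end of the list)."""
    present = set(ip_option_types(header))
    for seq, keyword in MYLIST2:
        if OPTION_TYPES[keyword] in present:
            return seq
    return None

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad to 32 bits with EOOL bytes
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1])) + options
```

In this model a 7-byte record-route option is padded to a 32-bit boundary with an EOOL byte, so `first_match(build_header(bytes([7, 7, 4, 0, 0, 0, 0])))` returns 10 rather than 20, while a header without options returns None and falls through to the implicit deny.
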
Example: Filtering Packets That Contain TCP Flags

The following access list allows TCP packets only if the TCP flags ACK and SYN are set and the FIN flag is not set:

ip access-list extended aaa
 permit tcp any any match-all +ack +syn -fin
 end

The show access-list command has been entered to display the ACL:

Device# show access-list aaa
Extended IP access list aaa
    10 permit tcp any any match-all +ack +syn -fin
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Purpose
• Review the output to confirm that the access list includes the new entry.
