Creating a Numbered Extended ACL - Cisco Catalyst 3750 Metro Switch Software Configuration Manual
Chapter 25
Configuring Network Security with ACLs
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don't care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don't care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
The switch software can provide logging messages about packets permitted or denied by a standard IP
access list. That is, any packet that matches an ACE carrying the log keyword causes an informational
logging message about the packet to be sent to the console. The severity level of messages that reach the
console is controlled by the logging console command that governs syslog messages.
Note
Because routing is done in hardware and logging is done in software, if a large number of packets match
a permit or deny ACE containing a log keyword, the software might not be able to keep up with the hardware
processing rate, and not all packets will be logged.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are
collected over 5-minute intervals before they are displayed or logged. The logging message includes the
access list number, whether the packet was permitted or denied, the source IP address of the packet, and
the number of packets from that source permitted or denied in the prior 5-minute interval.
After creating a numbered standard IP ACL, you can apply it to terminal lines (see the "Applying an IP
ACL to a Terminal Line" section on page 25-17), to interfaces (see the "Applying an IP ACL to an
Interface" section on page 25-18), or to VLANs (see the "Configuring VLAN Maps" section on
page 25-27).

Creating a Numbered Extended ACL

Although standard ACLs match only on source addresses, extended ACLs can match on both source and
destination addresses and, optionally, on protocol type information, for finer-grained control. When
you are creating ACEs in numbered extended access lists, remember that after you create the ACL, any
additions are placed at the end of the list. You cannot reorder the list or selectively add or remove
ACEs from a numbered list; to change an entry in the middle of a numbered list, you must delete the
whole list (no access-list number) and re-enter it.
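The ordering rules in the two passages above (the switch moving host entries to the top of a standard list, and additions to a numbered extended list always appending) decide which ACE a packet hits, so they are worth seeing in code. The following is an added example, not Cisco code and not part of the manual: a small Python model that parses the access-list syntax shown on this page, evaluates a packet first-match with the implicit deny, and reproduces the standard-list rewrite. The list numbers, addresses and packets are constructed for the example.

```python
"""Model of numbered IP ACL evaluation (added example, not Cisco code). Parses the
'access-list N permit|deny ...' syntax for standard lists (1-99) and a subset of extended
lists (100-199): protocol, source, destination, optional 'eq PORT' and trailing 'log'.
Evaluation is first match wins with the implicit deny at the end; all input is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL = 0xFFFFFFFF          # wildcard meaning "any address"

@dataclass
class Ace:
    action: str           # 'permit' or 'deny'
    proto: str            # 'ip' matches every IP packet; otherwise must equal the packet protocol
    src: int
    src_wild: int         # wildcard ("don't care") mask; 0 means a host match
    dst: int = 0
    dst_wild: int = ALL   # standard lists ignore the destination
    dst_port: Optional[int] = None
    log: bool = False

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i, wild_required):
    """Address spec at tok[i]: 'any' | 'host A' | 'A W' | bare 'A' (standard lists only)."""
    if tok[i] == 'any':
        return 0, ALL, i + 1
    if tok[i] == 'host':
        return _ip(tok[i + 1]), 0, i + 2
    addr = _ip(tok[i])
    if wild_required or (i + 1 < len(tok) and tok[i + 1][0].isdigit()):
        return addr, _ip(tok[i + 1]), i + 2
    return addr, 0, i + 1  # bare address in a standard list means wildcard 0.0.0.0

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Return (list number, Ace) for one 'access-list ...' configuration line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != 'access-list' or tok[2] not in ('permit', 'deny'):
        raise ValueError(f'unsupported line: {line!r}')
    num, action, log = int(tok[1]), tok[2], tok[-1] == 'log'
    if log:
        tok = tok[:-1]
    if 1 <= num <= 99:                 # standard list: source address only
        src, wild, _ = _parse_addr(tok, 3, False)
        return num, Ace(action, 'ip', src, wild, log=log)
    if 100 <= num <= 199:              # extended list: protocol, source, destination[, eq port]
        src, swild, i = _parse_addr(tok, 4, True)
        dst, dwild, i = _parse_addr(tok, i, True)
        port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == 'eq' else None
        return num, Ace(action, tok[3], src, swild, dst, dwild, port, log)
    raise ValueError(f'unsupported list number: {num}')

def parse_acl(lines: List[str]) -> List[Ace]:
    """ACEs of one list in the order entered; a new ACE can only be appended."""
    return [parse_ace(line)[1] for line in lines]

def switch_order(aces: List[Ace]) -> List[Ace]:
    """The switch's rewrite of a *standard* list: ACEs with wildcard 0.0.0.0 (host matches)
    are moved above ACEs with non-zero wildcards; order within each group is kept."""
    return sorted(aces, key=lambda a: a.src_wild != 0)

def packet(src, dst, proto='ip', dport=None):
    return {'src': _ip(src), 'dst': _ip(dst), 'proto': proto, 'dport': dport}

def _match(addr, ace_addr, wild):
    return (addr & ~wild & ALL) == (ace_addr & ~wild & ALL)

def evaluate(aces: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; index None means the implicit deny at the end."""
    for idx, a in enumerate(aces):
        if a.proto != 'ip' and a.proto != pkt['proto']:
            continue
        if not _match(pkt['src'], a.src, a.src_wild) or not _match(pkt['dst'], a.dst, a.dst_wild):
            continue
        if a.dst_port is not None and a.dst_port != pkt['dport']:
            continue
        return a.action, idx
    return 'deny', None

# Constructed lists: a standard list whose host permit was typed after a broad deny, and an
# extended list with a port-specific permit ahead of a broad, logged deny.
STANDARD_ACL = ['access-list 10 deny 10.0.0.0 0.255.255.255',
                'access-list 10 permit host 10.1.1.1']
EXTENDED_ACL = ['access-list 101 permit tcp any host 192.168.1.10 eq 22',
                'access-list 101 deny ip 10.0.0.0 0.255.255.255 any log',
                'access-list 101 permit ip any any']

def demo() -> dict:
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    host = packet('10.1.1.1', '192.168.1.10')
    ssh = packet('10.5.5.5', '192.168.1.10', 'tcp', 22)
    # A deny for the same SSH traffic added later lands after the permit and is never reached.
    ext_later = ext + parse_acl(['access-list 101 deny tcp any host 192.168.1.10 eq 22'])
    return {'standard_as_entered': evaluate(std, host),                 # ('deny', 0)
            'standard_on_switch': evaluate(switch_order(std), host),    # ('permit', 0)
            'ssh_from_10_net': evaluate(ext, ssh),                      # ('permit', 0)
            'ssh_after_appended_deny': evaluate(ext_later, ssh)}        # ('permit', 0)
```

The two results to take away: read literally in the order typed, list 10 denies 10.1.1.1, but after the switch moves the host entry to the top it is permitted, so the policy you get is the one in show access-lists output, not the one in your notes. And the late-added deny in list 101 is shadowed by the earlier port-specific permit, which is why a numbered extended list that needs a new deny ahead of an existing permit has to be rebuilt rather than appended to.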
Some protocols also have specific parameters and keywords that apply only to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold):
Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp),
Encapsulating Security Payload (esp), generic routing encapsulation (gre), Internet Control Message
Protocol (icmp), Internet Group Management Protocol (igmp), Interior Gateway Routing Protocol
(igrp), any Internet Protocol (ip), IP in IP tunneling (ipinip), KA9Q NOS-compatible IP over IP
tunneling (nos), Open Shortest Path First routing (ospf), Payload Compression Protocol (pcp), Protocol
Independent Multicast (pim), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Note
ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing
Command Reference for IOS Release 12.1.
Note
The switch does not support dynamic or reflexive access lists. It also does not support filtering based on
the type of service (ToS) minimize-monetary-cost bit.
Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.
Catalyst 3750 Metro Switch Software Configuration Guide, 78-15870-01, page 25-9