Permit | Deny(Standard); Acl Example - Accton Technology ES4710BD User Manual

Accton 10 slots l2/l3/l4 chassis switch

Switch(Config)#ip access list extended udpFlow
Switch(Config-Ext-Nacl-udpFlow)#deny igmp any-source any-destination
Switch(Config-Ext-Nacl-udpFlow)#permit udp any-source host-destination 192.168.0.1 d-port 32
12.2.2.9 permit | deny(standard)

Command: {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
no {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
Function: Creates a standard name-based IP access rule; the "no" form of the command deletes the
name-based standard IP access rule.
Parameters: <sIpAddr> is the source IP address in decimal format; <sMask> is the mask
complement for the source IP in decimal format.
Command Mode: name-based standard IP ACL configuration mode
Default: No IP address is configured by default.
Example: Allowing packets from 10.1.1.0/24 and denying packets from 10.1.1.0/16.
Switch(Config)# ip access list standard ipFlow
Switch(Config-Std-Nacl-ipFlow)# permit 10.1.1.0 0.0.0.255
Switch(Config-Std-Nacl-ipFlow)# deny 10.1.1.0 0.0.255.255
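
How the two ipFlow rules above interact, as an added example that is not part of the manual: a small Python evaluator for standard rules that applies the mask complement bit by bit. It assumes rules are checked in the order entered with the first match deciding, and that unmatched packets get a default action of permit (as `firewall default permit` would set); the function names are hypothetical.

```python
import ipaddress

def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, base: str, smask: str) -> bool:
    """Compare addr with base on every bit where the mask complement is 0."""
    care = ~_u32(smask) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def parse_rule(line: str):
    """Parse one standard rule into (action, sIpAddr, sMask)."""
    tok = line.split()
    if not tok or tok[0] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny rule: {line!r}")
    if tok[1:] == ["any-source"]:
        return tok[0], "0.0.0.0", "255.255.255.255"   # every bit ignored
    if len(tok) == 3 and tok[1] == "host-source":
        return tok[0], tok[2], "0.0.0.0"               # every bit compared
    if len(tok) == 3:
        _u32(tok[1]); _u32(tok[2])                      # reject malformed addresses
        return tok[0], tok[1], tok[2]
    raise ValueError(f"unsupported rule syntax: {line!r}")

def evaluate(rules, src: str, default: str = "permit"):
    """Return (action, deciding rule). First match wins (assumed ordering)."""
    for line in rules:
        action, base, smask = parse_rule(line)
        if wildcard_match(src, base, smask):
            return action, line
    return default, "default"  # assumed fall-through, cf. 'firewall default permit'

# The ipFlow rules from the example above, in the order they were entered.
IPFLOW = ["permit 10.1.1.0 0.0.0.255", "deny 10.1.1.0 0.0.255.255"]

if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("10.1.1.7", "10.1.200.9", "10.2.0.1"):
        print(src, evaluate(IPFLOW, src))
    # Same rules in reverse order: the broader deny now shadows the permit.
    print("10.1.1.7", evaluate(IPFLOW[::-1], "10.1.1.7"))
```

Under the first-match assumption, entering the broader deny before the narrower permit would block 10.1.1.0/24 as well, which is why the permit is listed first.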
12.3 ACL Example

Scenario 1:
The user has the following configuration requirement: port 1/10 of the switch connects to
the 10.0.0.0/24 segment, and FTP is not desired for the user.
Configuration description:
1. Create a proper ACL
2. Configure the packet filtering function
3. Bind the ACL to the port
The configuration steps are listed below:
Switch(Config)#access list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(Config)#firewall enable
Switch(Config)#firewall default permit
Switch(Config)#interface ethernet 1/10