Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure ACL Support for Filtering IP Options

Each step lists the command or action, an example, and its purpose.

Step 2
  Command: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command: ip access-list extended access-list-name
  Example: Device(config)# ip access-list extended kmd1
  Purpose: Specifies the IP access list by name and enters named access list configuration mode.

Step 4
  Command: [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  Example: Device(config-ext-nacl)# permit tcp any any match-any +rst
  Purpose: Specifies a permit statement in named IP access list mode.
    • This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
    • Use the TCP command syntax of the permit command.
    • Any packet with the RST TCP header flag set will be matched and allowed to pass the named access list kmd1 in Step 3.

Step 5
  Command: [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  Example: Device(config-ext-nacl)# deny tcp any any match-all -ack -fin
  Purpose: (Optional) Specifies a deny statement in named IP access list mode.
    • This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
    • Use the TCP command syntax of the deny command.
    • Any packet that does not have the ACK flag set, and also does not have the FIN flag set, will not be allowed to pass the named access list kmd1 in Step 3.
    • See the deny (IP) command for additional command syntax to permit upper-layer protocols (ICMP, IGMP, TCP, and UDP).

Step 6
  Action: Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
  Purpose: Allows you to revise the access list.

Step 7
  Command: end
  Example: Device(config-ext-nacl)# end
  Purpose: (Optional) Exits the configuration mode and returns to privileged EXEC mode.

Step 8
  Command: show ip access-lists access-list-name
  Purpose: (Optional) Displays the contents of the IP access list.
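As an added illustration that is not part of the Cisco guide, the following Python model shows how the match-any and match-all flag conditions from Steps 4 and 5 are evaluated against a packet's TCP flags byte, applying the two kmd1 entries in sequence with the implicit deny that ends every IOS ACL. The flag bit values are the standard TCP header bits; the function and constant names are assumptions made for this example.

```python
# Added example (not Cisco code): a model of IOS ACL TCP-flag matching
# for the entries configured in Steps 4 and 5 of the procedure above.

# Standard TCP header flag bits (RFC 793), lowest byte of the flags field.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flag_condition(spec):
    """Parse a '+flag' or '-flag' token into (bit_mask, must_be_set)."""
    sign, name = spec[:1], spec[1:]
    if sign not in ("+", "-") or name not in TCP_FLAGS:
        raise ValueError(f"bad flag spec: {spec!r}")
    return TCP_FLAGS[name], sign == "+"


def flags_match(mode, specs, tcp_flags):
    """Evaluate a match-any / match-all clause against a packet's flags byte.

    A '+flag' condition holds when the bit is set, '-flag' when it is clear.
    match-any needs one condition to hold; match-all needs every one."""
    results = []
    for spec in specs:
        mask, want_set = flag_condition(spec)
        results.append(bool(tcp_flags & mask) == want_set)
    if mode == "match-any":
        return any(results)
    if mode == "match-all":
        return all(results)
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed model of access list kmd1 in sequence order (Steps 4 and 5).
ACL_KMD1 = [
    ("permit", "match-any", ["+rst"]),          # permit tcp any any match-any +rst
    ("deny",   "match-all", ["-ack", "-fin"]),  # deny tcp any any match-all -ack -fin
]


def evaluate_acl(acl, tcp_flags):
    """Return (action, entry_index) for a TCP packet with the given flags byte.

    The first matching entry decides; an IOS ACL ends with an implicit deny,
    reported here as entry_index None so it can be told apart from Step 5."""
    for index, (action, mode, specs) in enumerate(acl):
        if flags_match(mode, specs, tcp_flags):
            return action, index
    return "deny", None


if __name__ == "__main__":
    for name, flags in [("RST", 0x04), ("SYN", 0x02), ("ACK", 0x10), ("RST+ACK", 0x14)]:
        print(f"{name:8s} -> {evaluate_acl(ACL_KMD1, flags)}")
```

A packet carrying only ACK reaches neither entry and falls to the implicit deny, which is why a real list built with these two statements would still need explicit permits for the traffic it is meant to carry.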