25-10
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Configuring ACLs
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.102
permit any
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use an extended ACL source
and destination addresses for matching operations and optional protocol type information for finer
granularity of control. Some protocols also have specific parameters and keywords that apply to that
protocol.
These IP protocols are supported on physical interfaces (protocol keywords are in parentheses in bold):
Internet Protocol (ip), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
• TCP
• UDP
Table 25-3 lists the possible filtering parameters for ACEs for each protocol type.
For more details about the specific keywords relative to each protocol, refer to the Cisco IP and IP
Routing Command Reference for IOS Release 12.1.
Table 25-3 Filtering Parameter ACEs Supported by Different IP Protocols
Filtering Parameter
1
1. X in a protocol column means support for the filtering parameter.
TCP UDP
Layer 3 Parameters:
IP type of service (ToS) byte
2
2. No support for type of service (ToS) minimize monetary cost bit.
––
Differentiated Services Code Point (DSCP) X X
IP source address X X
IP destination address X X
Fragments ––
TCP or UDP X X
Layer 4 Parameters
Source port operator X X
Source port X X
Destination port operator X X
Destination port X X
TCP flag ––