Creating A Numbered Extended Acl - Cisco Catalyst 2928 Software Configuration Manual

Chapter 30 Configuring Network Security with ACLs
Command
Step 3
end
Step 4
show access-lists [number | name]
Step 5 copy running-config startup-config
Use the no access-list access-list-number global configuration command to delete the entire ACL. You
cannot delete individual ACEs from numbered access lists.
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
Note
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don't care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don't care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines (see the
IPv4 ACL to a Terminal Line" section on page
IPv4 ACL to a VLAN Interface" section on page

Creating a Numbered Extended ACL

Although standard ACLs use only source addresses for matching, you can use extended ACL source and
destination addresses for matching operations and optional protocol type information for finer
granularity of control. When you are creating ACEs in numbered extended access lists, remember that
after you create the ACL, any additions are placed at the end of the list. You cannot reorder the list or
selectively add or remove ACEs from a numbered list.
Some protocols also have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold):
Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp),
Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message
Protocol (icmp), Internet Group Management Protocol (igmp), any Interior Protocol (ip), IP in IP
tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing
(ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission
Control Protocol (tcp), or User Datagram Protocol (udp).
Note
OL-23389-01
10 deny 171.69.198.102
20 permit any
ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
Purpose
Return to privileged EXEC mode.
Show the access list configuration.
(Optional) Save your entries in the configuration file.
30-16) and to VLAN interfaces (see the
30-16).
Catalyst 2928 Switch Software Configuration Guide
Configuring IPv4 ACLs
"Applying an
"Applying an
30-7