HP 3020 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide, - Page 500
copy running-config, show access-lists
UPC - 882658086625
View all HP 3020 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 500 highlights
Configuring IPv4 ACLs Chapter 26 Configuring Network Security with ACLs Command Purpose Step 2d access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings: • icmp-type-Enter to filter by ICMP message type, a number from 0 to 255. • icmp-code-Enter to filter ICMP packets that are filtered by the ICMP message code type, a number from 0 to 255. • icmp-message-Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the "Configuring IP Services" section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] (Optional) Define an extended IGMP access list and the access conditions. Enter igmp for Internet Group Management Protocol. The IGMP parameters are the same as those described for most IP protocols in Step 2a, with this optional parameter. igmp-type-To match IGMP message type, enter a number from 0 to 15, or enter the message name (dvmrp, host-query, host-report, pim, or trace). Step 3 end Return to privileged EXEC mode. Step 4 show access-lists [number | name] Verify the access list configuration. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists. This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and to permit any others. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.) Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet Switch(config)# access-list 102 permit tcp any any Switch(config)# end Switch# show access-lists Extended IP access list 102 10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet 20 permit tcp any any After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list entries from a numbered access list. Note When you are creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end. 26-12 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL-8915-01