Filter
Top Products
28-10
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 28 Configuring Network Security with ACLs
Configuring ACLs
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use an extended ACL source
and destination addresses for matching operations and optional protocol type information for finer
granularity of control. Some protocols also have specific parameters and keywords that apply to that
protocol.
These IP protocols are supported on physical interfaces (protocol keywords are in parentheses in bold):
Internet Protocol (ip), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
• TCP
• UDP
Table 28-3 lists the possible filtering parameters for ACEs for each protocol type.
For more details about the specific keywords relative to each protocol, see the Cisco IP and IP Routing
Command Reference, Cisco IOS Release 12.1.
Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on
the minimize-monetary-cost type of service (ToS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any
additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs
from a numbered list.
Ta b l e 28-3 Filtering Parameter ACEs Supported by Different IP Protocols
Filtering Parameter
1
1. X in a protocol column means support for the filtering parameter.
TCP UDP
Layer 3 Parameters:
IP type of service (ToS) byte
2
2. No support for type of service (ToS) minimize monetary cost bit.
– –
Differentiated Services Code Point (DSCP) X X
IP source address X X
IP destination address X X
Fragments – –
TCP or UDP X X
Layer 4 Parameters
Source port operator X X
Source port X X
Destination port operator X X
Destination port X X
TCP flag – –