Cisco Systems OL-6244-01 Switch User Manual


 
2-628
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set security acl ip
If a Layer 4 protocol is specified, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol}
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For IP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip]
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For ICMP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1]
{src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For TCP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For UDP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
Note With PFC2, the counters report if a particular ACE was hit during a 300 ms window, but the counters do
not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000
packets per second and the second flow is 10 packets per second, both flows return the same result with
a PFC2. PFC3 and later PFCs do not have this limitation.
Examples These examples show different ways to use the set security acl ip command to configure an IP security
ACL:
Console> (enable) set security acl ip IPACL1 deny 1.2.3.4 0.0.0.0
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2 before 2
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
Console> (enable) set security acl ip IPACL1 permit any any
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
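The following is an added example, not code from the Cisco manual. It assembles `set security acl ip` lines in the longer `[ip] {src_ip_spec} {dest_ip_spec}` form listed above (always writing the protocol keyword and both address specs), rejects keyword combinations the syntax forms do not allow (port operators without tcp/udp, `established` without tcp, icmp_type/icmp_code without icmp), and then evaluates a rule list in edit-buffer order to show why the `before editbuffer_index` used in the IPACL1 examples matters. Two things are assumptions of this example rather than statements from the page: masks are treated as Cisco-style wildcard masks (0 bit = must match, so `1.2.3.4 0.0.0.0` equals `host 1.2.3.4`), and a packet matching no ACE falls to an implicit deny.

```python
"""Builder and first-match evaluator for CatOS `set security acl ip` ACEs (added example)."""
import ipaddress
import re

PROTOCOLS = ("ip", "icmp", "tcp", "udp")
PORT_OPERATORS = ("eq", "neq", "gt", "lt", "range")
ACTION_RE = re.compile(r"^(permit|deny|redirect \d+/\d+)$")


def parse_ip_spec(text):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' -> (base, wildcard) as ints."""
    words = text.split()
    if words == ["any"]:
        return 0, 0xFFFFFFFF
    if len(words) == 2 and words[0] == "host":
        return int(ipaddress.IPv4Address(words[1])), 0
    if len(words) == 2:
        return int(ipaddress.IPv4Address(words[0])), int(ipaddress.IPv4Address(words[1]))
    raise ValueError(f"bad ip_spec: {text!r}")


def ip_spec_matches(spec, addr):
    """Wildcard-mask match (assumption: 0 bit = must match, 1 bit = don't care)."""
    base, wild = parse_ip_spec(spec)
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def _render_ports(ports):
    """ports: None, (op, port) or ('range', lo, hi); returns ' op p [p]' or ''."""
    if ports is None:
        return ""
    op, values = ports[0], ports[1:]
    if op not in PORT_OPERATORS or len(values) != (2 if op == "range" else 1):
        raise ValueError(f"bad port operator: {ports!r}")
    if any(not 0 <= v <= 65535 for v in values):
        raise ValueError(f"port out of range: {ports!r}")
    return " " + " ".join([op] + [str(v) for v in values])


def build_ace(acl, action, src, dst, protocol="ip", src_ports=None, dst_ports=None,
              established=False, icmp_type=None, icmp_code=None,
              precedence=None, tos=None, capture=False, position=None):
    """Return one `set security acl ip` line, or raise ValueError for invalid syntax."""
    if not ACTION_RE.match(action):
        raise ValueError(f"action must be permit, deny or 'redirect mod/port': {action!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol keyword: {protocol!r}")
    parse_ip_spec(src)  # validate both address specs before emitting anything
    parse_ip_spec(dst)
    if protocol not in ("tcp", "udp") and (src_ports or dst_ports):
        raise ValueError("port operators are only allowed with tcp or udp")
    if established and protocol != "tcp":
        raise ValueError("'established' is only allowed with tcp")
    if protocol != "icmp" and (icmp_type is not None or icmp_code is not None):
        raise ValueError("icmp_type/icmp_code are only allowed with icmp")
    if icmp_code is not None and icmp_type is None:
        raise ValueError("icmp_code requires icmp_type")
    parts = ["set security acl ip", acl, action, protocol,
             src + _render_ports(src_ports), dst + _render_ports(dst_ports)]
    if icmp_type is not None:
        parts.append(str(icmp_type))
    if icmp_code is not None:
        parts.append(str(icmp_code))
    if established:
        parts.append("established")
    if precedence is not None:
        parts += ["precedence", str(precedence)]
    if tos is not None:
        parts += ["tos", str(tos)]
    if capture:
        parts.append("capture")
    if position is not None:  # ("before", n) or ("modify", n)
        kw, idx = position
        if kw not in ("before", "modify"):
            raise ValueError(f"position keyword must be before/modify: {kw!r}")
        parts += [kw, str(idx)]
    return " ".join(parts)


def first_match(rules, src_addr, dst_addr, protocol="ip"):
    """First match over (action, protocol, src_spec, dst_spec) tuples in buffer order."""
    for action, proto, src, dst in rules:
        if proto != "ip" and proto != protocol:
            continue
        if ip_spec_matches(src, src_addr) and ip_spec_matches(dst, dst_addr):
            return action
    return "deny"  # assumption: implicit deny once the ACL is exhausted


if __name__ == "__main__":
    # Constructed sample: the manual's IPACL1 entries, then a TCP entry with a port operator.
    print(build_ace("IPACL1", "deny", "1.2.3.4 0.0.0.0", "any"))
    print(build_ace("IPACL1", "deny", "host 171.3.8.2", "any", position=("before", 2)))
    print(build_ace("IPACL1", "permit", "any", "any"))
    print(build_ace("IPACL1", "permit", "10.1.0.0 0.0.255.255", "host 192.0.2.10",
                    protocol="tcp", dst_ports=("eq", 443), established=True))
    # Ordering: a 'permit any any' ahead of the host deny shadows it; 'before 2' fixes that.
    shadowed = [("permit", "ip", "any", "any"), ("deny", "ip", "host 171.3.8.2", "any")]
    fixed = [("deny", "ip", "host 171.3.8.2", "any"), ("permit", "ip", "any", "any")]
    print(first_match(shadowed, "171.3.8.2", "10.0.0.1"), first_match(fixed, "171.3.8.2", "10.0.0.1"))
```

The evaluator is the reason to keep ACE ordering in view when editing the buffer: appending `deny host 171.3.8.2` after an existing `permit any any` leaves the deny unreachable, which is exactly what the manual's `before 2` placement avoids.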