Use these steps to use ACLs:
Step 1 Create an ACL by specifying an access list number or name and access conditions.
Step 2 Apply the ACL to interfaces or terminal lines.
The software supports these styles of ACLs or IP access lists:
Standard IP access lists use source addresses for matching operations. Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control. MAC extended access list use source and destination MAC addresses and optional protocol type information for matching operations. The next sections describe access lists and the steps for using them.
The number you use to denote your ACL shows the type of access list that you are creating. Table 12-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 12-2 Access List Numbers
Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP Cisco CCNA Training ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the ask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
This example shows how to create a standard ACL to deny access to IP host 188.8.131.52, permit access to any others, and display the results.
Switch (config)# access-list 2 deny host 184.108.40.206 Switch (config)# access-list 2 permit any Switch(config)# end Switch# show access-lists Standard IP access list 2 deny 220.127.116.11 permit any
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use an extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of control. Some protocols also have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold): Internet Protocol (ip), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
TCP UDP Table 12-3 lists the possible filtering parameters for ACEs for each protocol type.
Table 12-3 Filtering Parameter ACEs Supported by Different IP Protocols
For more details on the specific keywords relative to each protocol, refer to the Cisco IP and IP Routing Command Reference for IOS Release 12.1.
Note The Catalyst 2950 switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (TOS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list Cisco CCNA Certification.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any host in network 18.104.22.168 to any host in network 172.20.52.0 and permit any others. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.)
Switch(config)# accesslist 102 deny tcp 22.214.171.124 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet Switch(config)# access-list 102 permit tcp any any Switch(config)# end Switch# show access-lists Extended IP access list 102 deny tcp 126.96.36.199 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.
Note When creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end.
After creating an ACL, you must apply it to a line or interface.
Creating Named Standard and Extended ACLs
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL.
Note The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
Consider these guidelines and limitations before configuring named ACLs: