Access List Number   Type                                         Supported
500–599              XNS extended access list                     No
600–699              AppleTalk access list                        No
700–799              48-bit MAC address access list               No
800–899              IPX standard access list                     No
900–999              IPX extended access list                     No
1000–1099            IPX SAP access list                          No
1100–1199            Extended 48-bit MAC address access list      No
1200–1299            IPX summary address access list              No
1300–1999            IP standard access list (expanded range)     Yes
2000–2699            IP extended access list (expanded range)     Yes
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP
ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of
an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that
you can delete individual entries from a named list.
Numbered Standard IPv4 ACLs
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement
for all packets that did not match an earlier entry. With standard access lists, if you omit
the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do
not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines, to interfaces, or to VLANs.
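The matching and ordering rules above, modelled in Python as an added example (not Cisco code or switch output): first-match evaluation with don't care masks, the implicit deny, and the host-entries-first rewrite. The function names and sample addresses are constructed for illustration, and keeping the entered order within each group is an assumption.

```python
import ipaddress

def ace(action, addr, wildcard="0.0.0.0"):
    """One standard ACE; an omitted mask defaults to 0.0.0.0 (host match)."""
    return (action,
            int(ipaddress.IPv4Address(addr)),
            int(ipaddress.IPv4Address(wildcard)))

def matches(entry, src):
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'don't care'."""
    _, addr, wild = entry
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (addr & care)

def evaluate(acl, src):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for entry in acl:
        if matches(entry, src):
            return entry[0]
    return "deny"

def rewritten_order(acl):
    """Model of the rewrite described above: 0.0.0.0-mask entries move to the top.
    Assumption: relative order inside each group stays as entered."""
    hosts = [e for e in acl if e[2] == 0]
    nets = [e for e in acl if e[2] != 0]
    return hosts + nets

def order_sensitive_hosts(acl):
    """Host entries whose verdict differs between entered and rewritten order.
    Only host addresses can differ: a host ACE matches exactly one address."""
    new = rewritten_order(acl)
    hosts = [str(ipaddress.IPv4Address(e[1])) for e in acl if e[2] == 0]
    return [h for h in hosts if evaluate(acl, h) != evaluate(new, h)]

# Constructed sample ACL, in the order an operator typed it.
ENTERED = [
    ace("deny", "10.1.0.0", "0.0.255.255"),
    ace("permit", "10.1.1.1"),                 # mask omitted -> 0.0.0.0
    ace("permit", "192.168.5.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print("entered  :", evaluate(ENTERED, "10.1.1.1"))
    print("rewritten:", evaluate(rewritten_order(ENTERED), "10.1.1.1"))
    print("review   :", order_sensitive_hosts(ENTERED))
```

A non-empty result from `order_sensitive_hosts` marks host entries to compare against the show command output on the switch before relying on the ACL.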
Numbered Extended IPv4 ACLs
Standard ACLs match only on source addresses. Extended ACLs can match on both source and destination
addresses and, optionally, on protocol type information for finer granularity of control. When you are
creating ACEs in numbered extended access lists, remember that after you create the ACL, any additions
are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a
numbered list.
The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the
type of service (ToS) minimize-monetary-cost bit.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01