Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide (OL-6392-01), page 10-17
Chapter 10 Controlling Network Access with Access Control Lists
FWSM/contexta(config)# access-list acl_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes.
When you enter the access-list command for a given ACL name, the ACE is added to the end of the ACL.
Tip: Enter the acl_name in uppercase letters so the name is easy to see in the configuration. You might want to name the ACL for the interface (for example, INSIDE) or for the purpose (for example, MPLS or IPX).
Step 2 To apply an EtherType ACL to the inbound or outbound direction of an interface, enter the following command:
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_name
You can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the “Inbound and Outbound Access Control Lists” section on page 10-10 for more information about ACL directions.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic to pass in both directions.
For example, the following sample ACL allows common EtherTypes originating on the inside interface:
FWSM/contexta(config)# access-list ETHER ethertype permit ipx
FWSM/contexta(config)# access-list ETHER ethertype permit bpdu
FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast
FWSM/contexta(config)# access-group ETHER in interface inside
The following ACL allows some EtherTypes through the FWSM, but denies IPX:
FWSM/contexta(config)# access-list ETHER ethertype deny ipx
FWSM/contexta(config)# access-list ETHER ethertype permit 0x1234
FWSM/contexta(config)# access-list ETHER ethertype permit bpdu
FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast
FWSM/contexta(config)# access-group ETHER in interface inside
FWSM/contexta(config)# access-group ETHER in interface outside
The following ACL denies traffic with EtherType 0x1256 but allows all others on both interfaces (the hex value takes the 0x prefix, as in the previous example, and the access-group commands bind the ACL that was just defined, nonIP):
FWSM/contexta(config)# access-list nonIP ethertype deny 0x1256
FWSM/contexta(config)# access-list nonIP ethertype permit any
FWSM/contexta(config)# access-group nonIP in interface inside
FWSM/contexta(config)# access-group nonIP in interface outside
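The following is an added example, not code from the guide or from Cisco: a small Python model of the two-step procedure above (define EtherType ACEs, then bind the ACL with access-group) that parses the page's own command lines, validates the hex_number rule (0x-prefixed, greater than or equal to 0x600) and evaluates a frame against the ACL bound to a given interface and direction. It lets you check a proposed EtherType ACL offline before entering it on the FWSM, and flags an access-group line that names an ACL which was never defined, the mistake that leaves an interface without the filtering you think it has. Assumptions that are not stated on the page: ACEs are evaluated first-match in the order entered, an ACL with no match ends in an implicit deny, an interface/direction with no ACL bound is reported as "unbound" rather than as permit or deny, BPDUs are represented by a sentinel because they carry no EtherType, and the keyword-to-EtherType mapping (IPX 0x8137, MPLS unicast 0x8847, MPLS multicast 0x8848) is taken from the IEEE/IANA assignments rather than from the page.

```python
import re

# Sentinel for frames that carry no EtherType (spanning-tree BPDUs use 802.3/LLC
# encapsulation); representing them this way is an assumption of this example.
BPDU = "bpdu"

# Keywords accepted by the access-list ethertype command (from the syntax on the page).
KEYWORDS = {"ipx", "bpdu", "mpls-unicast", "mpls-multicast", "any"}

# EtherType values behind the keywords (IEEE/IANA assignments, not taken from the page).
KEYWORD_TYPES = {
    "ipx": {0x8137},
    "mpls-unicast": {0x8847},
    "mpls-multicast": {0x8848},
}

PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+ethertype\s+(permit|deny)\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_target(token):
    """Validate the match field of an EtherType ACE: a keyword, or 0x-prefixed hex >= 0x600."""
    if token in KEYWORDS:
        return token
    if not re.fullmatch(r"0x[0-9a-fA-F]{1,4}", token):
        raise ValueError(f"EtherType must be a keyword or 0x-prefixed hex, got {token!r}")
    value = int(token, 16)
    if value < 0x600:
        raise ValueError(f"EtherType {token} is below 0x600 (that range is an 802.3 length field)")
    return value


def ace_matches(target, frame):
    """True if one ACE target matches a frame given as an EtherType int or the BPDU sentinel."""
    if target == "any":
        return True
    if target == "bpdu":
        return frame == BPDU
    if isinstance(target, str):
        return frame in KEYWORD_TYPES[target]
    return frame == target


class EtherTypeAcls:
    """EtherType ACLs plus their access-group bindings, in the order they were entered."""

    def __init__(self):
        self.acls = {}       # name -> list of (action, target); each new ACE appends at the end
        self.bindings = {}   # (interface, direction) -> ACL name
        self.warnings = []   # configuration problems found while loading

    def add_line(self, line):
        line = PROMPT_RE.sub("", line.strip())   # drop a leading FWSM/context(config)# prompt
        m = ACL_RE.match(line)
        if m:
            name, action, token = m.groups()
            self.acls.setdefault(name, []).append((action, parse_target(token)))
            return
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            if name not in self.acls:
                self.warnings.append(f"access-group references undefined ACL {name}")
            self.bindings[(iface, direction)] = name
            return
        raise ValueError(f"unrecognised line: {line!r}")

    def load(self, text):
        for raw in text.splitlines():
            if raw.strip():
                self.add_line(raw)
        return self

    def evaluate(self, iface, direction, frame):
        """First-match evaluation (assumed); 'unbound' when no defined ACL is applied there.
        The trailing implicit deny is an assumption of this model, not stated on the page."""
        name = self.bindings.get((iface, direction))
        if name is None or name not in self.acls:
            return "unbound"
        for action, target in self.acls[name]:
            if ace_matches(target, frame):
                return action
        return "deny"


# Constructed sample: the page's second example, bound inbound on both interfaces.
SAMPLE_CONFIG = """
FWSM/contexta(config)# access-list ETHER ethertype deny ipx
FWSM/contexta(config)# access-list ETHER ethertype permit 0x1234
FWSM/contexta(config)# access-list ETHER ethertype permit bpdu
FWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicast
FWSM/contexta(config)# access-group ETHER in interface inside
FWSM/contexta(config)# access-group ETHER in interface outside
"""

if __name__ == "__main__":
    cfg = EtherTypeAcls().load(SAMPLE_CONFIG)
    for iface, frame in [("inside", 0x8137), ("inside", 0x1234), ("outside", BPDU), ("inside", 0x1256)]:
        label = hex(frame) if isinstance(frame, int) else frame
        print(f"{iface} in {label} -> {cfg.evaluate(iface, 'in', frame)}")
```

Running the block with the sample shows IPX denied, 0x1234 and BPDUs permitted, and 0x1256 falling through to the assumed implicit deny; the same `evaluate` call for the `out` direction returns "unbound", which is the page's point that a connectionless EtherType ACL must be applied to each interface and direction where the traffic should pass.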
Adding a Standard Access Control List
Single context mode only
Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for
OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.