ip
Creates an access control list
(ACL) and enters its configuration mode. Access lists define access permissions to the
network using a set of rules. Each rule specifies an action taken when a packet matches the
rule. If the action is deny, the packet is dropped. If the action is permit, the packet is
allowed.
Supported on the following devices:
- Access Points:
AP3000/X, AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP7602, AP7612, AP7622, AP7632,
AP7662, AP8163, AP8533.
- Service Platforms:
NX5500, NX7500, NX9500, NX9600
- Virtual Platforms: CX9000, VX9000
Syntax
ip [access-list|ex3500-ext-access-list|ex3500-std-access-list|snmp-access-list]
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ip access-list <IP-ACL-NAME>
ip snmp-access-list <IP-SNMP-ACL-NAME>
Parameters
ip access-list <IP-ACL-NAME>
access-list <IP-ACL-NAME> |
Creates an IP ACL and enters its configuration
mode
- <IP-ACL-NAME> – Specify the ACL name. If the
access list does not exist, it is created.
|
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ex3500-ext-access-list <EX3500-EXT-ACL-NAME> |
Creates an EX3500 Extended ACL and enters its configuration mode
- <EX3500-EXT-ACL-NAME> – Specify the ACL name. If an ACL with the
specified name does not exist, it is created.
|
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ex3500-std-access-list <EX3500-STD-ACL-NAME> |
Creates an EX3500 Standard ACL and enters its configuration mode
- <EX3500-EXT-ACL-NAME> – Specify the ACL name. If an ACL with the
specified name does not exist, it is created.
|
ip snmp-access-list <IP-SNMP-ACL-NAME>
snmp-access-list <IP-SNMP-ACL-NAME> |
Creates a SNMP IP ACL and enters its configuration mode. An SNMP IP ACL
is an access control mechanism that uses a combination of IP ACL and SNMP
community string. SNMP performs network management functions using a data
structure called a MIB. SNMP is widely implemented but not very secure,
since it uses only text community strings for accessing controller or
service platform configuration files.
Use SNMP ACLs (firewalls) to
help reduce SNMP‘s vulnerabilities, as SNMP traffic can be easily
exploited to produce a DoS.
- <IP-SNMP-ACL-NAME> – Specify the SNMP IP ACL name. If the
access list does not exist, it is created. After creating the SNMP
ACL, define the deny/permit rules based on the network and/or host
IP addresses. Once created and configured, link this SNMP IP ACL
with a SNMP community string.
To link the SNMP community string with the SNMP IP ACL, in
the management-policy-config-mode, use the following command:
snmp-server > community <COMMUNITY-STRING> >
[ro|rw] > ip-snmp-access-list
<IP-SNMP-ACL-NAME>.
|
Examples
nx9500-6C8809(config)#ip access-list test
nx9500-6C8809(config-ip-acl-test)#?
ACL Configuration commands:
deny Specify packets to reject
disable Disable rule if not needed
no Negate a command or set its defaults
permit Specify packets to forward
clrscr Clears the display screen
commit Commit all changes made in this session
end End current mode and change to EXEC mode
exit End current mode and down to previous mode
help Description of the interactive help system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to memory or terminal
nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config)#ip snmp-access-list SNMPAcl
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
deny Specify packets to reject
no Negate a command or set its defaults
permit Specify packets to forward
clrscr Clears the display screen
commit Commit all changes made in this session
do Run commands from Exec mode
end End current mode and change to EXEC mode
exit End current mode and down to previous mode
help Description of the interactive help system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to memory or terminal
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#
Related Commands
no
|
Removes an existing IP access control list |