
SG 300 series ACL

Vision100
Level 1

Hello,

Where can I find more information about ACLs on the SG 300? I have read some articles about Cisco ACLs. Maybe there are examples or .....

The manual is very short on it.

thnx

7 Replies

KGBA1001FM
Level 1

I would also like more information regarding ACLs. Especially when using the web-based UI.

Hey guys,

Here is a screen shot of the GUI and setting up the ACL. It is quite easy: if you're blocking an IP address you can do that, and if you're blocking a protocol you can do that by selecting the protocol tab.

There is also an option to do MAC-based ACLs or IPv6 ones.

Ivor Diedricks
Cisco Employee

A document focusing on QoS in SG300 and IP phone deployment scenarios is posted in the documents section of this community site. It also shows how an ACL can be set up. The document can be downloaded here:

https://supportforums.cisco.com/docs/DOC-16271

Hi Ivor

I had a look at the document referenced in your post above.

It seems a bit ambiguous to me. If the information is confusing to me, I guess others may be confused as well.

See page 7 of 10 of the document referenced above.

I am concerned with the usage of 255.255.255.255 for masking a specific IP host, or maybe I don't understand the context the 255.255.255.255 mask is being used within QoS?

The 300 series switches incorporate a great built-in help manual. The help text within the switch for the section on ACEs mentions the following:

Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value.

I think this masking is just about identical to the inverse mask I use on, say, a Catalyst 2960, where a 0 indicates that the address bits must be considered (exact match) and a 1 in the mask is a "don't care".

So, using that information, suppose I wish my PC to be excluded from accessing another specific IP host.

My source host IP=192.168.20.102, and I use a mask of 0.0.0.0 to specify this is a host-specific address.

My destination host IP=10.1.1.11, and I use a mask of 0.0.0.0 to specify this is a host-specific address.

So, to put this into action:

Step 1. Create an ACL name.

Step 2. I have a few entries in my ACE list attached to the ACL.

I have them in a specific order, as I know the switch runs through the ACE entries from top to bottom and exits at the point where it finds a pattern match.

Deny access from MY PC to IP host at 10.1.1.14

Permit access from MY PC to IP host 4.2.2.1

Deny access to any other host in the 4.2.2.2-254 range (circled in red below)

Deny access from MY PC to an IP host at 192.168.20.61

Permit all other traffic (otherwise the implicit (hidden) rule is to deny all at the end of an ACE list..)

Step 3. Attach the ACL to my Gi3 interface, as MY PC is connected to that switch port.

The ACL will filter or pattern match on ingress of packets coming into the switch.

Ivor, am I way off here? Is the usage of ACLs in QoS treated differently?

regards Dave

Dave,

You are correct. The wildcard mask in the doc is a typo - it should say 0.0.0.0 instead. I have asked for a correction to be made and will post an updated document to the forum when it is done.

Ivor

Is it possible to post some examples?

Firstly, please note that I did upload an updated document. Here's the link:

https://supportforums.cisco.com/docs/DOC-16271

Here's an example of an ACL which accomplishes the following:

Defining an IP ACL with 4 ACEs:

Permit IP protocol flow with source IP of 176.176.100.100 and destination IP of 176.176.1.1 and DSCP of 34

Permit TCP flow with any IP (source and destination) with destination port 23 (Telnet)

Deny any UDP flow from network 175.175.x.x (use mask) to any destination and port

Deny and disable port for UDP flow to destination 176.176.1.1

ip access-list IPACL
permit ip 176.176.100.100 0.0.0.0 176.176.1.1 0.0.0.0 dscp 34
permit-tcp any any any 23
deny-udp 175.175.1.1 0.0.255.255 any any any
deny-udp disable-port any any 176.176.1.1 0.0.0.0 any

Defining a MAC ACL with 3 ACEs:

Permit MAC source 00:11:22:33:44:55 to MAC destination 00:99:88:77:66:55 with VLAN tag of 5 and cos 4 and 5

Deny any traffic (any MAC) with VLAN tag of 10

Deny and disable port for source MAC 00:aa:bb:00:00:00 where only the first 3 bytes are checked

mac access-list MACACL
permit 00:11:22:33:44:55 00:00:00:00:00:00 00:99:88:77:66:55 00:00:00:00:00:00 vlan 5 cos 4 1
deny any any vlan 10
deny disable-port 00:aa:bb:00:00:00 00:00:00:ff:ff:ff any
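To make the wildcard-mask semantics discussed in this thread concrete (bit 1 = don't care, bit 0 = must match; ACEs checked top-down, first match wins, implicit deny at the end), here is a small Python model of the IPACL above. It is an added illustration, not anything from the SG300 or the posted document; it models only protocol, source/destination address, destination port and DSCP, treating the source-port field of the `permit-tcp`/`deny-udp` lines as "any".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every address bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard compare as on the SG300: mask bit 1 = don't care, 0 = must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class ACE:
    action: str                  # "permit", "deny" or "deny disable-port"
    proto: str                   # "ip" matches every IP protocol; else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port
    dscp: Optional[int] = None   # None = any DSCP value


# The IPACL from the post above, transcribed in the same order.
IPACL = [
    ACE("permit", "ip", "176.176.100.100", "0.0.0.0", "176.176.1.1", "0.0.0.0", dscp=34),
    ACE("permit", "tcp", *ANY, *ANY, dport=23),
    ACE("deny", "udp", "175.175.1.1", "0.0.255.255", *ANY),
    ACE("deny disable-port", "udp", *ANY, "176.176.1.1", "0.0.0.0"),
]


def evaluate(acl, proto, src, dst, dport=0, dscp=0) -> str:
    """Walk the ACE list top-down; the first match decides, else the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.dscp is not None and ace.dscp != dscp:
            continue
        return ace.action
    return "deny (implicit)"
```

Running `wildcard_match("10.9.9.9", "192.168.20.102", "255.255.255.255")` returns True, which is why the typo Dave spotted matters: a 255.255.255.255 wildcard matches every host, while 0.0.0.0 pins the ACE to exactly one.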