user manual
37-23
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 37 Configuring Network Security with ACLs
Configuration Examples for Network Security with ACLs
Switch# show access-lists
Standard IP access list 6
 permit 172.20.128.64, wildcard bits 0.0.0.31 
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 6 out
This example uses an extended ACL to filter traffic coming from Server B into a port, permitting traffic 
from any source address (in this case Server B) to only the Accounting destination addresses 
172.20.128.64 to 172.20.128.95. The ACL is applied to traffic going into routed Port 1, permitting it to 
go only to the specified destination addresses. Note that with extended ACLs, you must enter the 
protocol (IP) before the source and destination information.
Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
Switch(config)# end
Switch# show access-lists
Extended IP access list 106
 permit ip any 172.20.128.64 0.0.0.31 
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 106 in
Configuring Numbered ACLs: Example
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its 
subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular 
host. Using access list 2, the switch accepts one address on subnet 48 and reject all others on that subnet. 
The last line of the list shows that the switch accepts addresses on all other network 36.0.0.0 subnets. 
The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 deny 36.48.0.0 0.0.255.255 
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255 
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 2 in
Configuring Extended ACLs: Examples
In this example, the first line permits any incoming TCP connections with destination ports greater than 
1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) 
port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback. 
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 102 permit icmp any any
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 102 in
In this example, suppose that you have a network connected to the Internet, and you want any host on 
the network to be able to form TCP connections to any host on the Internet. However, you do not want 
IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port 
of a dedicated mail host. 
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The 
same port numbers are used throughout the life of the connection. Mail packets coming in from the 
Internet have a destination port of 25. Outbound packets have the port numbers reversed. Because the 
secure system of the network always accepts mail connections on port 25, the incoming and outgoing 
services are separately controlled. The ACL must be configured as an input ACL on the outbound 
interface and an output ACL on the inbound interface. 










