37-19
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
This example uses named ACLs to permit and deny the same traffic.
Switch(config)# ip access-list extended deny_access
Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2006
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended may_access
Switch(config-ext-nacl)# permit tcp any any time-range workhours
Switch(config-ext-nacl)# end
Switch# show ip access-lists
Extended IP access list lpip_default
    10 permit ip any any
Extended IP access list deny_access
    10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
    10 permit tcp any any time-range workhours (inactive)
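The "(inactive)" marker in the show output above is what tells you whether a time-based entry is being enforced at the moment you look; an inactive deny blocks nothing, and only the implicit deny at the end of the list still applies. The following parser, added here as an example and not part of the guide or of Cisco software, reads "show ip access-lists" output and reports the entries that are currently dormant. The sample output is constructed to mirror the example in the text (the seq-20 line and the "(12 matches)" hit counter are added to exercise the parser); the match-counter format is assumed from the usual IOS output style.

```python
import re

# Constructed sample of "show ip access-lists" output, modelled on the
# example in the text; the seq-20 line and the "(12 matches)" counter are
# added here to exercise the parser (not captured from a real switch).
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list lpip_default
    10 permit ip any any
Extended IP access list deny_access
    10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
    10 permit tcp any any time-range workhours (inactive)
    20 permit tcp any any eq 22 (12 matches)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# seq, action, match criteria, optional time-range with its state, and the
# optional hit counter IOS appends once an entry has matched traffic (assumed format)
ACE_RE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)"
    r"(?:\s+time-range\s+(\S+)\s+\((active|inactive)\))?"
    r"(?:\s+\(\d+ matches?\))?\s*$"
)


def parse_show_ip_access_lists(text):
    """Return {acl_name: [entry, ...]} parsed from 'show ip access-lists' output."""
    acls = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, criteria, time_range, state = m.groups()
            acls[current].append({
                "seq": int(seq),
                "action": action,
                "criteria": criteria.strip(),
                "time_range": time_range,
                # An entry with no time-range is always in effect.
                "active": state != "inactive",
            })
    return acls


def inactive_entries(acls):
    """Entries the switch is not enforcing right now, as (acl, seq, action, time-range)."""
    return [(name, e["seq"], e["action"], e["time_range"])
            for name, entries in acls.items()
            for e in entries if not e["active"]]


def dormant_denies(acls):
    """ACLs whose deny entries are all inactive: nothing explicit is being
    blocked, so only the implicit deny at the end of the list applies."""
    return [name for name, entries in acls.items()
            if any(e["action"] == "deny" for e in entries)
            and all(not e["active"] for e in entries if e["action"] == "deny")]


if __name__ == "__main__":
    parsed = parse_show_ip_access_lists(SAMPLE_SHOW_OUTPUT)
    for item in inactive_entries(parsed):
        print("inactive:", item)
    print("ACLs with no deny in effect:", dormant_denies(parsed))
```

Run against captured output from several switches, the "dormant denies" list is the quick way to spot a time-range whose clock or definition has drifted so that a deny you believe is in force is not.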
Including Comments in ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.
In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith through
Switch(config)# access-list 1 deny 171.69.3.13
For an entry in a named IP ACL, use the remark access-list configuration command. To remove the remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
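The two remark rules stated above (a 100-character limit per remark, and consistent placement before or after the permit or deny statement it describes) are easy to check mechanically in a running-config. The linter below is an added example, not part of the guide or of Cisco software; it parses both numbered and named ACL statements from constructed configuration text that reuses the two examples on this page, plus one deliberately over-long remark and one ACL that mixes before- and after-placement. It assumes the usual IOS layout in which entries under a named ACL are indented by one space.

```python
import re

MAX_REMARK_LEN = 100  # per-remark limit stated in the guide

NUMBERED_RE = re.compile(r"^access-list\s+(\d+)\s+(remark|permit|deny)\b\s*(.*)$")
NAMED_HDR_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)\s*$")
# entries under a named ACL are indented; an optional sequence number may precede them
NAMED_ENTRY_RE = re.compile(r"^\s+(?:\d+\s+)?(remark|permit|deny)\b\s*(.*)$")

# Constructed running-config fragment: the guide's two examples plus a
# deliberately over-long remark (ACL 2) and a trailing remark (telnetting).
LONG_REMARK = "x" * 101
SAMPLE_CONFIG = f"""\
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith through
access-list 1 deny 171.69.3.13
access-list 2 remark {LONG_REMARK}
access-list 2 deny 171.69.3.0 0.0.0.255
!
ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp host 171.69.2.88 any eq telnet
 permit ip any any
 remark Everything else may leave
!
"""


def parse_acl_statements(config):
    """Return {acl_id: [(kind, text), ...]} in configuration order, where
    kind is 'remark' (text is the remark) or 'ace' (text is the full entry)."""
    acls = {}
    current_named = None
    for line in config.splitlines():
        line = line.rstrip()
        m = NAMED_HDR_RE.match(line)
        if m:
            current_named = m.group(1)
            acls.setdefault(current_named, [])
            continue
        m = NUMBERED_RE.match(line)
        if m:
            current_named = None
            acl_id, keyword, rest = m.groups()
            stmt = ("remark", rest) if keyword == "remark" else ("ace", f"{keyword} {rest}")
            acls.setdefault(acl_id, []).append(stmt)
            continue
        m = NAMED_ENTRY_RE.match(line)
        if m and current_named is not None:
            keyword, rest = m.groups()
            stmt = ("remark", rest) if keyword == "remark" else ("ace", f"{keyword} {rest}")
            acls[current_named].append(stmt)
            continue
        if not line.startswith(" "):
            current_named = None  # any other top-level line ends the named ACL block
    return acls


def lint_remarks(acls):
    """Apply the guide's two remark rules (length limit, consistent placement)."""
    findings = []
    for acl_id, stmts in acls.items():
        placements = set()
        for i, (kind, text) in enumerate(stmts):
            if kind != "remark":
                continue
            if len(text) > MAX_REMARK_LEN:
                findings.append(f"{acl_id}: remark exceeds {MAX_REMARK_LEN} characters ({len(text)})")
            followed_by_ace = i + 1 < len(stmts) and stmts[i + 1][0] == "ace"
            preceded_by_ace = i > 0 and stmts[i - 1][0] == "ace"
            if followed_by_ace:
                placements.add("before")
            elif preceded_by_ace:
                placements.add("after")
            else:
                findings.append(f"{acl_id}: remark is not adjacent to any permit or deny statement")
        if len(placements) > 1:
            findings.append(f"{acl_id}: remarks appear both before and after their statements")
    return findings


if __name__ == "__main__":
    for finding in lint_remarks(parse_acl_statements(SAMPLE_CONFIG)):
        print(finding)
```

A remark that sits between two entries is counted as describing the entry that follows it, which matches the convention in the examples on this page; a site that documents entries after the fact would flip the rule.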
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them.
For procedures for applying ACLs to interfaces, see the "Applying an IPv4 ACL to an Interface" section on page 37-20. For applying ACLs to VLANs, see the "Configuring VLAN Maps" section on page 37-31.
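The two constraints in this section (lines accept numbered ACLs only, and every vty line must carry the same restriction) are worth verifying in a configuration audit, because a vty range left with a weaker or missing ACL is reachable by any user who happens to land on it. The checker below is an added example and is not part of the guide or of Cisco software. It assumes the standard IOS line-configuration command access-class access-list-number in, which this page does not show, and it runs over constructed configuration fragments rather than output from a real switch.

```python
import re

LINE_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) in\b")

# Constructed running-config fragments (not from a real switch). BAD_CONFIG
# violates both rules: the second vty range uses a named ACL, and the two
# ranges do not apply the same ACL. GOOD_CONFIG applies ACL 10 everywhere.
BAD_CONFIG = """\
line con 0
 logging synchronous
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class mgmt_hosts in
 transport input ssh
!
"""

GOOD_CONFIG = """\
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 10 in
 transport input ssh
!
"""


def vty_access_classes(config):
    """Return {(first, last): acl_id_or_None} for every 'line vty' range."""
    ranges = {}
    current = None
    for line in config.splitlines():
        m = LINE_VTY_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or m.group(1))
            current = (first, last)
            ranges[current] = None
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the vty block
            continue
        m = ACCESS_CLASS_RE.match(line)
        if m and current is not None:
            ranges[current] = m.group(1)
    return ranges


def check_vty_access_class(config):
    """Findings against the guide's rules: lines take numbered ACLs only, and
    every vty range must carry the same inbound restriction."""
    ranges = vty_access_classes(config)
    if not ranges:
        return ["no line vty configuration found"]
    findings = []
    for (first, last), acl in ranges.items():
        label = f"line vty {first} {last}"
        if acl is None:
            findings.append(f"{label}: no inbound access-class applied")
        elif not acl.isdigit():
            findings.append(f"{label}: access-class {acl} is a named ACL; lines accept numbered ACLs only")
    distinct = {acl for acl in ranges.values() if acl is not None}
    if len(distinct) > 1:
        findings.append("vty ranges apply different ACLs: " + ", ".join(sorted(distinct)))
    return findings


if __name__ == "__main__":
    for finding in check_vty_access_class(BAD_CONFIG):
        print(finding)
    print("good config findings:", check_vty_access_class(GOOD_CONFIG))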