37-25
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Extended IP access list 106
 10 permit ip any 172.20.128.64 0.0.0.31
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 106 in
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.0 subnets. The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip access-group 2 in
Extended ACLs
In this example, the first line permits any incoming TCP connections with destination ports greater than 
1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) 
port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback. 
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 102 permit icmp any any
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip access-group 102 in
In this example, suppose that you have a network connected to the Internet, and you want any host on 
the network to be able to form TCP connections to any host on the Internet. However, you do not want 
IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port 
of a dedicated mail host. 
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Outbound packets have the port numbers reversed. Because the secure system of the network always accepts mail connections on port 25, the incoming and outgoing services are separately controlled. The ACL must be configured as an input ACL on the outbound interface and an output ACL on the inbound interface.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The established keyword is used only with TCP and matches packets that belong to an established connection. A match occurs if the TCP datagram has the ACK or RST bit set, which shows that the packet belongs to an existing connection. Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the router to the Internet.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 102 in
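The following is an added example, not code from this guide or from Cisco IOS: a small Python evaluator for the ACL syntax used in the numbered ACL example (access list 2) and in the extended examples (access list 102 with gt/eq and with established). It applies Cisco wildcard-mask matching (a 1 bit in the mask means "don't care"), first-match ordering and the implicit deny at the end of every list, and it treats established as "ACK or RST bit set", as the text above describes. The ACL lines and the test packets below are constructed from the examples on this page; the Packet class and all function names are this example's own.

```python
"""Minimal evaluator for Cisco-style IPv4 ACLs (first match wins, implicit deny).

Added example; not the switch's code. Supports the subset of syntax used on
this page: standard ACLs (source address only) and extended ACLs with
ip/tcp/udp/icmp, 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', 'eq N', 'gt N'
and 'established'.
"""
import ipaddress
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit means 'must match'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Packet:            # constructed packet summary, just the fields an ACE looks at
    src: str
    dst: str
    proto: str = "ip"    # "tcp", "udp", "icmp" or "ip"
    dport: int = 0       # destination port (tcp/udp only)
    ack: bool = False    # TCP ACK flag set
    rst: bool = False    # TCP RST flag set


def _parse_addr(tokens):
    """Consume one address spec; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda a, h=tokens[1]: a == h), tokens[2:]
    return (lambda a, b=tokens[0], w=tokens[1]: wildcard_match(a, b, w)), tokens[2:]


def parse_ace(line: str):
    """Parse one 'access-list N permit|deny ...' line into (predicate, permit?)."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    permit = tokens[2] == "permit"
    rest = tokens[3:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):          # extended ACL
        proto = rest[0]
        src_ok, rest = _parse_addr(rest[1:])
        dst_ok, rest = _parse_addr(rest)
        port_ok, established = (lambda p: True), False
        while rest:                                       # optional port / flag keywords
            if rest[0] == "eq":
                port_ok, rest = (lambda p, n=int(rest[1]): p == n), rest[2:]
            elif rest[0] == "gt":
                port_ok, rest = (lambda p, n=int(rest[1]): p > n), rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported keyword {rest[0]!r}")

        def pred(pkt, proto=proto, src_ok=src_ok, dst_ok=dst_ok, port_ok=port_ok, est=established):
            if proto != "ip" and pkt.proto != proto:
                return False
            if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
                return False
            if proto in ("tcp", "udp") and not port_ok(pkt.dport):
                return False
            if est and not (pkt.ack or pkt.rst):          # established = ACK or RST set
                return False
            return True
    else:                                                 # standard ACL: source only
        if len(rest) == 1 and rest[0] != "any":           # bare address = single host
            rest = ["host", rest[0]]
        src_ok, _ = _parse_addr(rest)
        pred = lambda pkt, src_ok=src_ok: src_ok(pkt.src)
    return pred, permit


def evaluate(acl_lines, pkt: Packet) -> bool:
    """First matching entry decides; no match at all is the implicit 'deny'."""
    for line in acl_lines:
        pred, permit = parse_ace(line)
        if pred(pkt):
            return permit
    return False


# ACLs taken from the examples on this page (without the 'Switch(config)#' prompt).
ACL_2 = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]
ACL_102_PORTS = [
    "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023",
    "access-list 102 permit tcp any host 128.88.1.2 eq 25",
    "access-list 102 permit icmp any any",
]
ACL_102_EST = [
    "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established",
    "access-list 102 permit tcp any host 128.88.1.2 eq 25",
]

if __name__ == "__main__":
    # A new inbound SYN to a web port is dropped, a reply to an outbound
    # connection (ACK set) passes, and a new SMTP connection to the mail host passes.
    for pkt in (Packet("192.0.2.1", "128.88.5.5", "tcp", 80),
                Packet("192.0.2.1", "128.88.5.5", "tcp", 40000, ack=True),
                Packet("192.0.2.1", "128.88.1.2", "tcp", 25)):
        print(pkt, "->", "permit" if evaluate(ACL_102_EST, pkt) else "deny")
```

Two points the evaluator makes visible that the prose only states: for access list 2, a host such as 36.48.7.7 is denied by the second entry even though the third entry would permit it, because the first match wins; and for the established list, an inbound packet to an arbitrary port passes only when ACK or RST is set, so a fresh SYN to anything but port 25 of 128.88.1.2 falls through to the implicit deny.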