Specifications

ManualsBrandsCisco ManualsComputer equipment2970 - Catalyst Switch

481

482

483

484

485

486

487

488

489

490

26-18

Catalyst 2970 Switch Software Configuration Guide

78-15462-03

Chapter 26 Configuring Network Security with ACLs

Configuring IP ACLs

Switch(config)# interface gigabitethernet 0/3

Switch(config-if)# ip access-group 6 in

This example uses an extended ACL to deny traffic coming from port 80 (HTTP). It permits all other

types of traffic.

Switch(config)# access-list 106 deny tcp any any eq 80

Switch(config)# access-list 106 permit ip any any

Switch(config)# end

Switch(config)# interface gigabitethernet0/3

Switch(config-if)# ip access-group 106 in

Numbered ACLs

This ACL accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0

subnets. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.

Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255

Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group 2 in

Extended ACLs

In this example, suppose that you have a network connected to the Internet, and you want any host on

the network to be able to form TCP connections to any host on the Internet. However, you do not want

IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port

of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The

same port numbers are used throughout the life of the connection. Mail packets coming in from the

Internet have a destination port of 25. Because the secure system of the network always accepts mail

connections on port 25, the incoming services are controlled.

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group 102 in

Named ACLs

The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard

171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any other IP traffic.

Switch(config)# ip access-list extended marketing_group

Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet

Switch(config-ext-nacl)# deny tcp any any

Switch(config-ext-nacl)# permit ip any any

Switch(config-ext-nacl)# exit

The ACLs are applied to Gigabit Ethernet port 0/4with the marketing_group ACL applied to incoming

traffic.

Switch(config)# interface gigabitethernet0/4

Switch(config-if)# ip access-group marketing_group in