28-14
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 28 Configuring Network Security with ACLs
Configuring ACLs
When making the standard and extended ACL, remember that, by default, the end of the ACL contains
an implicit deny statement for everything if it did not find a match before reaching the end. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs
to a specific ACL. However, you can use no permit and no deny commands to remove ACEs from a
named ACL. This example shows how you can delete individual ACEs from a named ACL:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs
instead of numbered ACLs.
After creating an ACL, you must apply it to a line or interface, as described in the “Applying ACLs to
Terminal Lines or Physical Interfaces” section on page 28-19.
Applying Time Ranges to ACLs
You can implement extended ACLs based on the time of day and week by using the time-range global
configuration command. First, define the name and times of the day and week of the time range, and then
reference the time range by name in an ACL to apply restrictions to the access list. You can use the time
range to define when the permit or deny statements in the ACL are in effect. The time-range keyword
and argument are referenced in the named and numbered extended ACL task tables in the “Creating
Standard and Extended IP ACLs” section on page 28-7, and the “Creating Named Standard and
Extended ACLs” section on page 28-13.
These are some of the many benefits of using time ranges:
You have more control over permitting or denying a user access to resources, such as an application
(identified by an IP address mask pair and a port number).
Step 3 {deny | permit} protocol
{source source-wildcard | host source | any}
[operator port] {destination
destination-wildcard | host destination | any}
[operator port] [dscp dscp-value] [time-range
time-range-name]
In access-list configuration mode, specify the conditions allowed
or denied.
See the “Creating a Numbered Extended ACL” section on
page 28-10 for definitions of protocols and other keywords.
host source represents a source and source-wildcard of source
0.0.0.0, and host destination represents a destination and
destination-wildcard of destination 0.0.0.0.
any represents a source and source-wildcard or destination
and destination-wildcard of 0.0.0.0 255.255.255.255.
dscp—Enter to match packets with any of the supported 13 DSCP
values ( 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56), or use
the question mark (?) to see a list of available values.
The time-range keyword is optional. For an explanation of this
keyword, see the “Applying Time Ranges to ACLs” section on
page 28-14.
Step 4 end Return to privileged EXEC mode.
Step 5 show access-lists [number | name]Show the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose