28-18
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter28 Configuring Network Security with ACLs
Configuring IPv4 ACLs
IPv4 ACL Configuration Examples
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about
compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring
IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration
Guide, Release 12.2.
This example uses a standard ACL to allow a port acce ss to a specific Internet host with the addres s
172.20.128.64.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
10 permit 172.20.128.64 wildcard bits 0.0.0.0
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in
This example uses an extended ACL to deny to a port traffic coming from por t 80 (HTTP). It permits all
other types of traffic.
Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# end
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in

Numbered ACLs

This ACL accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0
subnets. The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

Extended ACLs

In this example, suppose that you have a network connected to the In ternet, and you want any host on
the network to be able to form TCP connections to any host on t he Internet. However, you do not want
IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port
of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same port numbers are used throughout the life of the conn ection. Mail packets coming in from the
Internet have a destination port of 25. Because the secure system of the network always accepts mail
connections on port 25, the incoming services are controlled.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in