Chapter 34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

This example uses named ACLs to permit and deny the same traffic (all TCP), with each entry qualified by a time range. The time ranges workhours and new_year_day_2006 must already be defined with the time-range global configuration command. In the show ip access-lists output, an entry is marked (inactive) while its time range is not in effect; an inactive entry is not evaluated, so traffic falls through to the next entry or to the implicit deny at the end of the list.

Switch(config)# ip access-list extended deny_access

Switch(config-ext-nacl)#deny tcp any any time-range new_year_day_2006

Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended may_access

Switch(config-ext-nacl)#permit tcp any any time-range workhours

Switch(config-ext-nacl)# end

Switch# show ip access-lists

Extended IP access list lpip_default

10 permit ip any any

Extended IP access list deny_access

10 deny tcp any any time-range new_year_day_2006 (inactive)

Extended IP access list may_access

10 permit tcp any any time-range workhours (inactive)

Including Comments in ACLs

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.

To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.

In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through

Switch(config)# access-list 1 permit 171.69.2.88

Switch(config)# access-list 1 remark Do not allow Smith through

Switch(config)# access-list 1 deny 171.69.3.13

For an entry in a named IP ACL, use the remark access-list configuration command. To remove the remark, use the no form of this command.

In this example, outbound Telnet from the Jones workstation is denied. Although the remark refers to the Jones subnet, the entry as written (host 171.69.2.88) matches only that single address; to cover a subnet, give the network address with a wildcard mask instead of the host keyword. Remember also that every ACL ends with an implicit deny, so an ACL that contains only this deny entry blocks all traffic wherever it is applied; add permit entries for the traffic you want to allow:

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)#remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)#deny tcp host 171.69.2.88 any eq telnet
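
To make the evaluation rules behind these examples concrete, here is a small Python evaluator written for this page; it is an added example, not Cisco code or anything from the configuration guide. It parses the ACL lines shown above (the time-range ACL may_access, the numbered ACL 1 with its remarks, and the telnetting ACL) and evaluates constructed packets against them with first-match semantics, the implicit deny at the end of every list, and the skipping of entries whose time range is inactive. The supported syntax subset (permit/deny, ip/tcp/udp/icmp, any/host/address-with-wildcard, eq on the destination port, time-range, remark), the PORT_NAMES table, the check helper and the 10.0.0.5 destination used in the sample packets are all assumptions of the example; whether a time range is active is supplied as a set of names rather than computed from the switch clock.

```python
"""Added example (not Cisco's code): an evaluator for the IOS-style IPv4 ACL
syntax on this page.  It models first-match evaluation, the implicit 'deny ip
any any' after the last entry, and the skipping of entries whose time-range is
not active ('(inactive)' in 'show ip access-lists').  The parsed syntax subset,
PORT_NAMES and the sample packets are assumptions of the example."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # subset of IOS port keywords
ANY = (0, 0xFFFFFFFF)                              # (address, wildcard) for 'any'
Ace = namedtuple("Ace", "seq action proto src dst dport time_range")

def covers(match: tuple, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = match
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A', 'A W', or a bare 'A' (standard ACL, wildcard 0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wild = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens and tokens[0][:1].isdigit() else 0
    return int(ipaddress.IPv4Address(tok)), wild

def _parse_ace(seq: int, tokens: list) -> Ace:
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # extended: protocol, source, destination
        proto, src, dst = tokens.pop(0), _take_addr(tokens), _take_addr(tokens)
    else:                                           # standard: source address only
        proto, src, dst = "ip", _take_addr(tokens), ANY
    dport = time_range = None
    while tokens:
        key = tokens.pop(0)
        if key == "eq":                             # destination port only, in this subset
            port = tokens.pop(0)
            dport = PORT_NAMES.get(port) or int(port)
        elif key == "time-range":
            time_range = tokens.pop(0)
        else:
            raise ValueError(f"unsupported ACE keyword: {key}")
    return Ace(seq, action, proto, src, dst, dport, time_range)

def parse_config(text: str) -> dict:
    """Parse CLI lines as typed ('Switch(...)#' prompts stripped) into {name: {'entries', 'remarks'}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        if raw.lstrip().startswith("Switch") and "#" in raw:
            raw = raw.split("#", 1)[1]
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:   # ip access-list {standard|extended} NAME
            current = acls.setdefault(tokens[3], {"entries": [], "remarks": []})
        if tokens[0] == "access-list":             # numbered: access-list N remark|permit|deny ...
            current = acls.setdefault(tokens[1], {"entries": [], "remarks": []})
            tokens = tokens[2:]
        if tokens[0] in ("exit", "end") or current is None:
            current = None
            continue
        if tokens[0] == "remark":                  # remarks never match traffic
            remark = " ".join(tokens[1:])
            if len(remark) > 100:                  # limit stated on this page
                raise ValueError("remark exceeds 100 characters")
            current["remarks"].append(remark)
        elif tokens[0] in ("permit", "deny"):      # sequence numbers 10, 20, ... as IOS shows them
            current["entries"].append(_parse_ace(10 * len(current["entries"]) + 10, tokens))
    return acls

def evaluate(acl: dict, pkt: dict, active_time_ranges=frozenset()) -> tuple:
    """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    for ace in acl["entries"]:
        active = ace.time_range is None or ace.time_range in active_time_ranges  # else (inactive)
        if (active and ace.proto in ("ip", pkt["proto"])
                and covers(ace.src, pkt["src"]) and covers(ace.dst, pkt["dst"])
                and ace.dport in (None, pkt.get("dport"))):
            return ace.action, ace.seq
    return "deny", None

# Constructed sample: the ACLs configured on this page, entered in one session.
SAMPLE_CONFIG = """
Switch(config)# ip access-list extended may_access
Switch(config-ext-nacl)#permit tcp any any time-range workhours
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith through
Switch(config)# access-list 1 deny 171.69.3.13
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)#remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)#deny tcp host 171.69.2.88 any eq telnet
"""
ACLS = parse_config(SAMPLE_CONFIG)

def check(acl_name: str, src: str, dport: int, active=()) -> tuple:
    # Constructed TCP packet from src to 10.0.0.5, evaluated against one ACL.
    pkt = {"proto": "tcp", "src": src, "dst": "10.0.0.5", "dport": dport}
    return evaluate(ACLS[acl_name], pkt, frozenset(active))
```

check("telnetting", "171.69.2.88", 23) returns ('deny', 10), while check("telnetting", "171.69.2.88", 80) returns ('deny', None): the packet is not Telnet, so it misses the only configured entry and is dropped by the implicit deny, which is why an ACL built from deny entries alone blocks everything. check("may_access", "10.1.1.1", 443) with no active ranges also returns ('deny', None), and the same call with ["workhours"] returns ('permit', 10); against ACL 1, the Jones host is permitted at sequence 10, the Smith host is denied at sequence 20, and any other host falls to the implicit deny.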

Applying an IPv4 ACL to a Terminal Line

You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them.

For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 34-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 34-29.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
34-19