37-21
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 37 Configuring Network Security with ACLs
Configuration Examples for Network Security with ACLs
Including Comments in ACLs: Examples
In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs
to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith through
Switch(config)# access-list 1 deny 171.69.3.13
For an entry in a named IP ACL, use the remark access-list configuration command. To remove the
remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Applying ACL to a Port: Example
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 2 in
Applying an ACL to an Interface: Example
For example, if you apply this ACL to an interface:
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
permit tcp source source-wildcard destination destination-wildcard
and this message appears when the ACL is applied:
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
then the flag-related operators are not available. To avoid this issue, do one of the following:
- Move the fourth ACE (the one with no range operator) before the first ACE by using the ip access-list resequence global configuration command, so that the ACL reads:
permit tcp source source-wildcard destination destination-wildcard
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
- Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for example, rename ACL 79 to ACL 1).
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available
mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the
TCAM.
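The following is an added worked example, not configuration from the Cisco guide: it shows the reordering described above carried out on a named extended ACL with sequence numbers, first for a fresh ACL and then for one that was already entered in the problem order, before applying the ACL to the port. The ACL name WEB-RANGES, the 10.1.1.0/24 and 10.2.2.0/24 networks, and the interface are assumed values chosen for illustration.

```cisco
! Added example (not from the Cisco guide). Name, networks and interface are assumed.
! Fresh ACL: enter the ACE without a range operator first so the switch can
! allocate the flag-related operators and program the ACL into TCAM.
Switch(config)# ip access-list extended WEB-RANGES
Switch(config-ext-nacl)# remark Plain ACE first: avoids ACLMGR-2-NOVMR on this platform
Switch(config-ext-nacl)# 10 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Switch(config-ext-nacl)# 20 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 range 5 60
Switch(config-ext-nacl)# 30 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 range 15 160
Switch(config-ext-nacl)# 40 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 range 115 1660
Switch(config-ext-nacl)# exit
!
! Existing ACL entered in the problem order (range ACEs at 10, 20, 30 and the
! plain ACE at 40): renumber to open a gap below the first entry, remove the
! plain ACE from the end, and re-add it ahead of the range ACEs. This avoids
! deleting and retyping the whole list.
Switch(config)# ip access-list resequence WEB-RANGES 100 10
Switch(config)# ip access-list extended WEB-RANGES
Switch(config-ext-nacl)# no 130
Switch(config-ext-nacl)# 10 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Switch(config-ext-nacl)# exit
!
! Apply the ACL to filter packets entering the port. Anything not matched by
! an ACE is dropped by the implicit deny at the end of every ACL.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group WEB-RANGES in
Switch(config-if)# end
!
! Verify the final ACE order and sequence numbers.
Switch# show access-lists WEB-RANGES
```

After the change, the plain ACE should be listed first in the show access-lists output and the ACLMGR-2-NOVMR message should no longer appear when the ACL is applied.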