34-24
Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide
OL-12247-01
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its
subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular
host. Using access list 2, the switch accepts one address on subnet 48 and reject all others on that subnet.
The last line of the list shows that the switch accepts addresses on all other network 36.0.0.0 subnets.
The ACL is applied to packets entering a port.
Switch(config)#
access-list 2 permit 36.48.0.3
Switch(config)#
access-list 2 deny 36.48.0.0 0.0.255.255
Switch(config)#
access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)#
interface gigabitethernet2/0/1
Switch(config-if)#
ip access-group 2 in
Extended ACLs
In this example, the first line permits any incoming TCP connections with destination ports greater than
1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP)
port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback.
Switch(config)#
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)#
access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)#
access-list 102 permit icmp any any
Switch(config)#
interface gigabitethernet2/0/1
Switch(config-if)#
ip access-group 102 in
For another example of using an extended ACL, suppose that you have a network connected to the
Internet, and you want any host on the network to be able to form TCP connections to any host on the
Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on your
network, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same port numbers are used throughout the life of the connection. Mail packets coming in from the
Internet have a destination port of 25. Outbound packets have the port numbers reversed. Because the
secure system of the network always accepts mail connections on port 25, the incoming and outgoing
services are separately controlled. The ACL must be configured as an input ACL on the outbound
interface and an output ACL on the inbound interface.
Switch(config)#
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)#
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)#
interface gigabitethernet0/1
Switch(config-if)#
ip access-group 102 in
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address
is 128.88.1.2. The established keyword is used only for the TCP to show an established connection. A
match occurs if the TCP datagram has the ACK or RST bits set, which show that the packet belongs to
an existing connection. Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the
router to the Internet.
Switch(config)#
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Switch(config)#
access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)#
interface gigabitethernet1/0/1
Switch(config-if)#
ip access-group 102 in