34-19
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
This example uses an extended ACL to deny TCP traffic destined to port 80 (HTTP) as it enters a port. It permits all other types of traffic. Because the eq 80 operator follows the destination address, it matches the destination port: connection attempts to web servers are dropped, while packets that merely come from port 80 (a web server's replies to a client) are not matched by the deny entry and are permitted by the second entry.
Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in
Switch(config-if)# end
Numbered ACLs
This standard ACL permits packets whose source address is in network 36.0.0.0 (wildcard 0.255.255.255) and denies packets whose source address is in network 56.0.0.0. Because every ACL ends with an implicit deny-all entry, packets from any other source are denied as well; the explicit deny entry documents the intent but is not required. The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 2 in
Extended ACLs
In this example, suppose that you have a network connected to the Internet, and you want any host on the network to be able to form TCP connections to any host on the Internet. However, you do not want Internet hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on the server end of the connection and a random (ephemeral) port number on the client end; both port numbers stay the same for the life of the connection. Mail connections coming in from the Internet therefore have a destination port of 25. Because the mail host on your network accepts mail connections only on port 25, permitting that destination port is what controls the incoming service.
The ACL below permits TCP traffic to port 23 (Telnet) and to port 25 (SMTP) for any destination in 128.88.0.0 with wildcard 0.0.255.255. Everything else entering the port falls to the implicit deny at the end of the ACL, including the replies to connections that hosts on your network opened toward the Internet, because those replies carry a random destination port rather than 23 or 25; this ACL on its own controls incoming connection attempts only. To restrict mail to the dedicated mail host, replace the destination network and wildcard with the mail host address and a wildcard of 0.0.0.0, and omit the Telnet entry if Telnet access from the Internet is not required.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 102 in
Named ACLs
This example creates an extended ACL named marketing_group. The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any other IP traffic. Entries are evaluated in the order they are entered, so the permit for Telnet must come before the deny tcp any any entry; reversing them would deny Telnet as well.
Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
The marketing_group ACL is applied to incoming traffic on a port.
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# ip access-group marketing_group in
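The following is an added example, not code from the Cisco guide: a small Python evaluator for the IPv4 ACL semantics that all four examples on this page (ACLs 106, 2, 102 and marketing_group) rely on, namely top-down first match, wildcard masks, the fact that a trailing eq operator names the destination port, and the implicit deny at the end of every ACL. It parses the access-list lines exactly as printed above and runs constructed packets through them; the packet addresses and every function and variable name are assumptions made for illustration, and the parser covers only the ACE syntax used on this page.

```python
# Added example, not code from the Cisco guide: evaluator for the IPv4 ACL
# semantics the four examples above rely on (top-down first match, wildcard masks,
# implicit deny). Packets and all names here are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}   # port names used in IOS ACEs
ANY = ("0.0.0.0", "255.255.255.255")                 # 'any' as address + wildcard

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None  # a trailing 'eq <port>' is a destination port

def _addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0].count(".") == 3:    # a dotted quad follows: wildcard
        return t, tokens.pop(0)
    return t, "0.0.0.0"                         # bare address = exact host match

def parse_ace(line: str) -> Ace:
    """Parse the ACE subset used on this page (only a destination 'eq' operator)."""
    tokens = line.split()
    standard = tokens[0] == "access-list" and int(tokens[1]) <= 99   # 1-99: standard
    if tokens[0] == "access-list":              # numbered form: drop 'access-list <n>'
        tokens = tokens[2:]
    action = tokens.pop(0)
    if standard:                                # standard ACLs match the source only
        return Ace(action, "ip", *_addr(tokens))
    proto = tokens.pop(0)
    src, src_wc = _addr(tokens)
    dst, dst_wc = _addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: int = 0) -> str:
    """Action of the first matching entry; no match at all is the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny-implicit"

def acl(*lines: str) -> List[Ace]:
    return [parse_ace(line) for line in lines]

ACL_106 = acl("access-list 106 deny tcp any any eq 80",
              "access-list 106 permit ip any any")
ACL_2 = acl("access-list 2 permit 36.0.0.0 0.255.255.255",
            "access-list 2 deny 56.0.0.0 0.255.255.255")
ACL_102 = acl("access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23",
              "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25")
MARKETING = acl("permit tcp any 171.69.0.0 0.0.255.255 eq telnet",
                "deny tcp any any", "permit ip any any")

def check_examples() -> dict:
    """Constructed packets (inbound on the port) run through the page's four ACLs."""
    return {
        # 106: 'eq 80' is a destination port, so the reply from a web server passes
        "106 syn to web server": evaluate(ACL_106, "10.1.1.5", "203.0.113.9", "tcp", 80),
        "106 reply from web": evaluate(ACL_106, "203.0.113.9", "10.1.1.5", "tcp", 51000),
        # 2: the explicit deny of 56/8 is redundant; any other source is implicitly denied
        "2 from 36.1.2.3": evaluate(ACL_2, "36.1.2.3", "10.0.0.1", "icmp"),
        "2 from 56.1.2.3": evaluate(ACL_2, "56.1.2.3", "10.0.0.1", "icmp"),
        "2 from 10.9.9.9": evaluate(ACL_2, "10.9.9.9", "10.0.0.1", "icmp"),
        # 102: SMTP and Telnet to 128.88/16 pass; a reply to an outbound connection does not
        "102 smtp to mail host": evaluate(ACL_102, "198.51.100.7", "128.88.1.2", "tcp", 25),
        "102 telnet to any host": evaluate(ACL_102, "198.51.100.7", "128.88.5.5", "tcp", 23),
        "102 reply to outbound": evaluate(ACL_102, "198.51.100.7", "128.88.5.5", "tcp", 52000),
        # marketing_group: Telnet into 171.69/16 only; other TCP denied; non-TCP passes
        "mkt telnet": evaluate(MARKETING, "10.2.2.2", "171.69.3.4", "tcp", 23),
        "mkt http": evaluate(MARKETING, "10.2.2.2", "171.69.3.4", "tcp", 80),
        "mkt dns udp": evaluate(MARKETING, "10.2.2.2", "171.69.3.4", "udp", 53),
    }
```

Running check_examples() returns the verdict for each constructed packet. The deny-implicit results are the ones to read closely: they mark where the entries as written differ from the intent described in the prose, such as ACL 102 dropping the replies to connections opened from inside the network, and ACL 2 dropping every source that is not 36.0.0.0/8 regardless of its explicit deny entry. Nothing in the block models the switch itself; it is only the matching logic, useful for reasoning about an ACL before it is applied to a port.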