Configuring Network Security With Acls
Configuring Network Security With Acls
This chapter describes how to configure network security on the Catalyst 2960 switch by using access
control lists (ACLs), which in commands and tables are also referred to as access lists.
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, the “Configuring IP Services” section in the “IP Addressing and Services”
chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS documentation is
available from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >
Configuration Guides or Command References.
This chapter consists of these sections:
• Understanding ACLs, page 34-1
• Configuring IPv4 ACLs, page 34-4
• Creating Named MAC Extended ACLs, page 34-20
• Displaying IPv4 ACL Configuration, page 34-22
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces. An
ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is
received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access
lists. One by one, it tests packets against the conditions in an access list. The first match decides whether
the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order
of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no
restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use
ACLs on all packets it forwards.
You configure access lists on a switch to provide basic security for your network. If you do not configure
ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use
ACLs to control which hosts can access different parts of a network or to decide which types of traffic
are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet
traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.
This switch also supports quality of service (QoS) classification ACLs. For more information, see the
“Classification Based on QoS ACLs” section on page 35-7.
These sections contain this conceptual information:
• Port ACLs, page 34-2
• Handling Fragmented and Unfragmented Traffic, page 34-3
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on
physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the
inbound direction. These access lists are supported:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type
information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information
The switch examines ACLs associated with all inbound features configured on a given interface and
permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way,
ACLs control access to a network or to part of a network. Figure 34-1 is an example of using port ACLs
to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer
2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing
the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
Host A
Host B
101365
and permitting traffic from Host A
= Packet
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.2
Switch(config)# access-list 102 deny tcp any any
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and
Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a
complete packet because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information, because the first ACE only
checks Layer 3 information when applied to fragments. The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet
is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match
the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
Step 1 Create an ACL by specifying an access list number or name and the access conditions.
Step 2 Apply the ACL to interfaces or terminal lines.
Note In addition to numbered standard and extended ACLs, you can also create standard and extended named
IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the
name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of
numbered lists is that you can delete individual entries from a named list.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 access-list access-list-number {deny | permit} Define a standard IPv4 access list by using a source address and
source [source-wildcard] wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300
to 1999.
Enter deny or permit to specify whether to deny or permit access
if conditions are matched.
The source is the source address of the network or host from which
the packet is being sent specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source and
source-wildcard of 0.0.0.0 255.255.255.255. You do not need
to enter a source-wildcard.
• The keyword host as an abbreviation for source and
source-wildcard of source 0.0.0.0.
(Optional) The source-wildcard applies wildcard bits to the
source.
Step 3 end Return to privileged EXEC mode.
Step 4 show access-lists [number | name] Show the access list configuration.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Use the no access-list access-list-number global configuration command to delete the entire ACL. You
cannot delete individual ACEs from numbered access lists.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
10 deny 171.69.198.102
20 permit any
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines (see the “Applying an
IPv4 ACL to a Terminal Line” section on page 34-16) and to interfaces (see the “Applying an IPv4 ACL
to an Interface” section on page 34-16).
Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
For more details on the specific keywords for each protocol, see these command references:
• Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
• Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
• Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2
These documents are available from the Cisco.com page under Documentation > Cisco IOS Software
> 12.2 Mainline > Command References.
Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on
the type of service (ToS) minimize-monetary-cost bit.
Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2a access-list access-list-number Define an extended IPv4 access list and the access conditions.
{deny | permit} protocol The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
source source-wildcard
destination destination-wildcard Enter deny or permit to specify whether to deny or permit the packet if
[precedence precedence] [tos tos] conditions are matched.
[fragments] [time-range For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre,
time-range-name] [dscp dscp] icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in
Note If you enter a dscp value, the range 0 to 255 representing an IP protocol number. To match any Internet
you cannot enter tos or protocol (including ICMP, TCP, and UDP), use the keyword ip.
precedence. You can enter Note This step includes options for most IP protocols. For additional specific
both a tos and a parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e.
precedence value with no
dscp. The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified
as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.
The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified as a
number from 0 to 7 or by name: routine (0), priority (1), immediate (2),
flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from 0
to 15 or a name: normal (0), max-reliability (2), max-throughput (4),
min-delay (8).
• time-range—For an explanation of this keyword, see the “Using Time
Ranges with ACLs” section on page 34-14.
• dscp—Enter to match packets with the DSCP value specified by a number
from 0 to 63, or use the question mark (?) to see a list of available values.
or access-list access-list-number In access-list configuration mode, define an extended IP access list using an
{deny | permit} protocol any any abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and
[precedence precedence] [tos tos] an abbreviation for a destination and destination wildcard of 0.0.0.0
[fragments] [time-range 255.255.255.255.
time-range-name] [dscp dscp] You can use the any keyword in place of source and destination address and
wildcard.
Command Purpose
or access-list access-list-number Define an extended IP access list by using an abbreviation for a source and a
{deny | permit} protocol source wildcard of source 0.0.0.0 and an abbreviation for a destination and
host source host destination destination wildcard of destination 0.0.0.0.
[precedence precedence] [tos tos] You can use the host keyword in place of the source and destination wildcard
[fragments] [time-range or mask.
time-range-name] [dscp dscp]
Step 2b access-list access-list-number (Optional) Define an extended TCP access list and the access conditions.
{deny | permit} tcp source Enter tcp for Transmission Control Protocol.
source-wildcard [operator port]
destination destination-wildcard The parameters are the same as those described in Step 2a, with these
[operator port] [established] exceptions:
[precedence precedence] [tos tos] (Optional) Enter an operator and port to compare source (if positioned after
[fragments] [time-range source source-wildcard) or destination (if positioned after destination
time-range-name] [dscp dscp] destination-wildcard) port. Possible operators include eq (equal), gt (greater
[flag] than), lt (less than), neq (not equal), and range (inclusive range). Operators
require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services”
section in the “IP Addressing and Services” chapter of the Cisco IOS IP
Configuration Guide, Release 12.2. Use only TCP port numbers or names when
filtering TCP.
The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the same
function as matching on the ack or rst flag.
• flag—Enter one of these flags to match by the specified TCP header bits:
ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize),
or urg (urgent).
Step 2c access-list access-list-number (Optional) Define an extended UDP access list and the access conditions.
{deny | permit} udp Enter udp for the User Datagram Protocol.
source source-wildcard [operator
port] destination The UDP parameters are the same as those described for TCP except that the
destination-wildcard [operator [operator [port]] port number or name must be a UDP port number or name, and
port] [precedence precedence] the flag and established parameters are not valid for UDP.
[tos tos] [fragments] [time-range
time-range-name] [dscp dscp]
Command Purpose
Step 2d access-list access-list-number (Optional) Define an extended ICMP access list and the access conditions.
{deny | permit} icmp source Enter icmp for Internet Control Message Protocol.
source-wildcard destination
destination-wildcard [icmp-type | The ICMP parameters are the same as those described for most IP protocols in
[[icmp-type icmp-code] | Step 2a, with the addition of the ICMP message type and code parameters.
[icmp-message]] [precedence These optional keywords have these meanings:
precedence] [tos tos] [fragments] • icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
[time-range time-range-name]
[dscp dscp] • icmp-code—Enter to filter ICMP packets that are filtered by the ICMP
message code type, a number from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type
name or the ICMP message type and code name. To see a list of ICMP
message type names and code names, use the ?, or see the “Configuring IP
Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
{deny | permit} igmp source
Enter igmp for Internet Group Management Protocol.
source-wildcard destination
destination-wildcard [igmp-type] The IGMP parameters are the same as those described for most IP protocols in
[precedence precedence] [tos tos] Step 2a, with this optional parameter.
[fragments] [time-range igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter
time-range-name] [dscp dscp] the message name (dvmrp, host-query, host-report, pim, or trace).
Step 3 end Return to privileged EXEC mode.
Step 4 show access-lists [number | name] Verify the access list configuration.
Step 5 copy running-config (Optional) Save your entries in the configuration file.
startup-config
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any
host in network 171.69.198.0 to any host in network 172.20.52.0 and to permit any others. (The eq
keyword after the destination address means to test for the TCP destination port number equaling
Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq
telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
20 permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You cannot selectively add or remove access list entries from a numbered access list.
Note When you are creating an ACL, remember that, by default, the end of the access list contains an implicit
deny statement for all packets if it did not find a match before reaching the end.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4
ACL to a Terminal Line” section on page 34-16), to interfaces (see the “Applying an IPv4 ACL to an
Interface” section on page 34-16).
Note The name you give to a standard or extended ACL can also be a number in the supported range of access
list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL
can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete
individual entries from a named list.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip access-list standard name Define a standard IPv4 access list using a name, and enter
access-list configuration mode.
The name can be a number from 1 to 99.
Step 3 deny {source [source-wildcard] | host source | In access-list configuration mode, specify one or more conditions
any} denied or permitted to decide if the packet is forwarded or dropped.
or • host source—A source and source wildcard of source 0.0.0.0.
permit {source [source-wildcard] | host source • any—A source and source wildcard of 0.0.0.0
| any} 255.255.255.255.
Command Purpose
Step 4 end Return to privileged EXEC mode.
Step 5 show access-lists [number | name] Show the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove a named standard ACL, use the no ip access-list standard name global configuration
command.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip access-list extended name Define an extended IPv4 access list using a name, and enter
access-list configuration mode.
The name can be a number from 100 to 199.
Step 3 {deny | permit} protocol {source In access-list configuration mode, specify the conditions allowed
[source-wildcard] | host source | any} or denied.
{destination [destination-wildcard] | host
See the “Creating a Numbered Extended ACL” section on
destination | any} [precedence precedence]
page 34-8 for definitions of protocols and other keywords.
[tos tos] [established] [time-range
time-range-name] • host source—A source and source wildcard of source 0.0.0.0.
• host destination—A destination and destination wildcard of
destination 0.0.0.0.
• any—A source and source wildcard or destination and
destination wildcard of 0.0.0.0 255.255.255.255.
Step 4 end Return to privileged EXEC mode.
Step 5 show access-lists [number | name] Show the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove a named extended ACL, use the no ip access-list extended name global configuration
command.
When you are creating standard extended ACLs, remember that, by default, the end of the ACL contains
an implicit deny statement for everything if it did not find a match before reaching the end. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL. This example shows how you can delete individual
ACEs from the named access list border-list:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs
instead of numbered ACLs.
After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to an
Interface” section on page 34-16).
Note The time range relies on the switch system clock; therefore, you need a reliable clock source. We
recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more
information, see the “Managing the System Time and Date” section on page 6-1.
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 time-range time-range-name Assign a meaningful name (for example, workhours) to the time range to
be created, and enter time-range configuration mode. The name cannot
contain a space or quotation mark and must begin with a letter.
Step 3 absolute [start time date] Specify when the function it will be applied to is operational.
[end time date]
• You can use only one absolute statement in the time range. If you
or configure more than one absolute statement, only the one configured
periodic day-of-the-week hh:mm to last is executed.
[day-of-the-week] hh:mm
• You can enter multiple periodic statements. For example, you could
or configure different hours for weekdays and weekends.
periodic {weekdays | weekend | daily}
See the example configurations.
hh:mm to hh:mm
Step 4 end Return to privileged EXEC mode.
Step 5 show time-range Verify the time-range configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Repeat the steps if you have multiple items that you want in effect at different times.
To remove a configured time-range limitation, use the no time-range time-range-name global
configuration command.
This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a
company holiday and to verify your configuration.
Switch(config)# time-range workhours
Switch(config-time-range)# periodic weekdays 8:00 to 12:00
Switch(config-time-range)# periodic weekdays 13:00 to 17:00
Switch(config-time-range)# exit
To apply a time range, enter the time-range name in an extended ACL that can implement time ranges.
This example shows how to create and verify extended access list 188 that denies TCP traffic from any
source to any destination during the defined holiday times and permits all TCP traffic during work hours.
Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2006
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
Switch(config)# ip access-list extended deny_access
Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2006
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended may_access
Switch(config-ext-nacl)# permit tcp any any time-range workhours
Switch(config-ext-nacl)# end
Switch# show ip access-lists
Extended IP access list lpip_default
10 permit ip any any
Extended IP access list deny_access
10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
10 permit tcp any any time-range workhours (inactive)
For an entry in a named IP ACL, use the remark access-list configuration command. To remove the
remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 line [console | vty] line-number Identify a specific line to configure, and enter in-line configuration mode.
• console—Specify the console terminal line. The console port is DCE.
• vty—Specify a virtual terminal for remote console access.
The line-number is the first line number in a contiguous group that you want
to configure when the line type is specified. The range is from 0 to 16.
Step 3 access-class access-list-number Restrict incoming and outgoing connections between a particular virtual
{in | out} terminal line (into a device) and the addresses in an access list.
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config Display the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
Step 3 ip access-group {access-list-number | Control access to the specified interface.
name} {in}
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config Display the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove the specified access group, use the no ip access-group {access-list-number | name} {in}
interface configuration command.
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
This example uses a standard ACL to allow a port access to a specific Internet host with the address
172.20.128.64.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
10 permit 172.20.128.64 wildcard bits 0.0.0.0
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in
This example uses an extended ACL to deny to a port traffic coming from port 80 (HTTP). It permits all
other types of traffic.
Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# end
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in
Numbered ACLs
This ACL accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0
subnets. The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in
Extended ACLs
In this example, suppose that you have a network connected to the Internet, and you want any host on
the network to be able to form TCP connections to any host on the Internet. However, you do not want
IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port
of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same port numbers are used throughout the life of the connection. Mail packets coming in from the
Internet have a destination port of 25. Because the secure system of the network always accepts mail
connections on port 25, the incoming services are controlled.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in
Named ACLs
This example creates an extended ACL named marketing_group. The marketing_group ACL allows any
TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other
TCP traffic. It permits any other IP traffic.
Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the
web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.13 any eq www
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 mac access-list extended name Define an extended MAC access list using a name.
Step 3 {deny | permit} {any | host source MAC In extended MAC access-list configuration mode, specify to
address | source MAC address mask} {any | permit or deny any source MAC address, a source MAC address
host destination MAC address | destination with a mask, or a specific host source MAC address and any
MAC address mask} [type mask | lsap lsap mask destination MAC address, destination MAC address with a mask,
| aarp | amber | dec-spanning | decnet-iv | or a specific destination MAC address.
diagnostic | dsm | etype-6000 | etype-8042 | lat (Optional) You can also enter these options:
| lavc-sca | mop-console | mop-dump | msdos |
mumps | netbios | vines-echo |vines-ip | • type mask—An arbitrary EtherType number of a packet with
xns-idp | 0-65535] [cos cos] Ethernet II or SNAP encapsulation in decimal, hexadecimal,
or octal with optional mask of don’t care bits applied to the
EtherType before testing for a match.
• lsap lsap mask—An LSAP number of a packet with
IEEE 802.2 encapsulation in decimal, hexadecimal, or octal
with optional mask of don’t care bits.
• aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios | vines-echo |vines-ip
| xns-idp—A non-IP protocol.
• cos cos—An IEEE 802.1Q cost of service number from 0 to 7
used to set priority.
Step 4 end Return to privileged EXEC mode.
Step 5 show access-lists [number | name] Show the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Step 3 mac access-group {name} {in} Control access to the specified interface by using the MAC access
list.
Port ACLs are supported only in the inbound direction.
Step 4 end Return to privileged EXEC mode.
Step 5 show mac access-group [interface interface-id] Display the MAC access list applied to the interface or all Layer 2
interfaces.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove the specified access group, use the no mac access-group {name} interface configuration
command.
This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/2
Router(config-if)# mac access-group mac1 in
Note The mac access-group interface configuration command is only valid when applied to a physical
Layer 2 interface.You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
Table 34-2 Commands for Displaying Access Lists and Access Groups
Command Purpose
show access-lists [number | name] Display the contents of one or all current IP and MAC address access lists
or a specific access list (numbered or named).
show ip access-lists [number | name] Display the contents of all current IP access lists or a specific IP access list
(numbered or named).
show running-config [interface interface-id] Displays the contents of the configuration file for the switch or the
specified interface, including all configured MAC and IP access lists and
which access groups are applied to an interface.
show mac access-group [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified
Layer 2 interface.