Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Named ACLs
This example creates a standard ACL named Internet_filter and an extended ACL named
marketing_group. ACL names are case sensitive, so the name used later in ip access-group must match the name given here exactly. The Internet_filter ACL allows all traffic from the source address
Switch(config)# ip access-list standard Internet_filter
Switch(config-std-nacl)# permit 1
Switch(config-std-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic
from any source to the destination address range through with a destination
port less than 1024, and denies any other IP traffic while logging each packet matched by that final entry. Entries are evaluated in order and the first match wins, so the Telnet permit must precede the deny tcp any any entry or it is never reached.
Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit icmp any any
Switch(config-ext-nacl)# deny udp any lt 1024
Switch(config-ext-nacl)# deny ip any any log
Switch(config-ext-nacl)# exit
The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to
incoming traffic on a Layer 3 port.
Switch(config)# interface gigabitethernet3/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 2.0
Switch(config-if)# ip access-group Internet_filter out
Switch(config-if)# ip access-group marketing_group in
Time Range Applied to an IP ACL
This example denies HTTP traffic (TCP port 80) on Monday through Friday between the hours of 8:00 a.m. and
6:00 p.m. (18:00) and allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. (20:00). Because every ACL ends with an implicit deny, the ACL as written passes nothing except weekend UDP; add a final permit ip any any entry if HTTP is to be blocked only during the named hours and everything else allowed. Time-based ACLs depend on the switch clock, so synchronize it with NTP before relying on them.
Switch(config)# time-range no-http
Switch(config-time-range)# periodic weekdays 8:00 to 18:00
Switch(config)# time-range udp-yes
Switch(config-time-range)# periodic weekend 12:00 to 20:00
Switch(config)# ip access-list extended strict
Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http
Switch(config-ext-nacl)# permit udp any any time-range udp-yes
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabit
Switch(config-if)# ip access-group strict in
Commented IP ACL Entries
In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the
workstation that belongs to Smith is not allowed access. A remark is a comment of up to 100 characters that documents the entry following it; it has no effect on matching:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny