Configuring Network Security with ACLs
Configuration Examples for Network Security with ACLs
To include a comment for an entry in a named IP ACL, use the remark access-list configuration command. A remark is informational only and does not affect matching. To remove the remark, use the no
form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Note that the ACE as written matches only the single host 171.69.2.88; to cover a whole subnet, specify a network address and wildcard mask (for example, 171.69.2.0 0.0.0.255). Note also that every named ACL ends with an implicit deny, so this ACL as shown blocks all other traffic on the interface it is applied to unless permit statements follow the deny.
Applying ACL to a Port: Example
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# ip access-group 2 in
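The two fragments above (the remark and deny in a named ACL, and applying an ACL to a port) combined into one complete, applied configuration. This is an added example and not from the original guide: the ACL name no-telnet-out, the subnet 171.69.2.0/24, and interface GigabitEthernet1/17 as the port the Jones subnet attaches to are assumed. Because the Jones subnet's traffic enters the switch on that port, the ACL is applied in the inbound direction there. No command output is shown; the show commands at the end are the verification step.

```ios
! Added example, not from the original guide. ACL name, subnet and
! interface are assumed values.
Switch(config)# ip access-list extended no-telnet-out
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.2.0 0.0.0.255 any eq telnet
Switch(config-ext-nacl)# remark Explicit permit: a named ACL ends with an implicit deny
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
! Traffic from the Jones subnet enters on this port, so filter it inbound here.
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# ip access-group no-telnet-out in
Switch(config-if)# end
! Verify the ACE order, the remark, and that the ACL is bound to the port.
Switch# show ip access-lists no-telnet-out
Switch# show ip interface GigabitEthernet1/17 | include access list
```

The order of the two ACEs matters: ACLs are evaluated top down and the first match wins, so the deny must precede the permit ip any any. Without the explicit permit, the implicit deny at the end of the list would drop all other traffic from the port.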
Applying an ACL to an Interface: Example
For example, if you apply this ACL to an interface:
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
permit tcp source source-wildcard destination destination-wildcard
and this message appears:
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
then the switch could not allocate the flag-related operators (the port-range operators used by the first three ACEs) in hardware, and the ACL cannot be programmed into the TCAM. To avoid this issue, do one of the following:
Move the fourth ACE (the one without a range operator) before the first ACE. Use the ip access-list resequence global configuration command to renumber the entries, then remove the fourth ACE and re-add it with a sequence number lower than the first (resequencing only renumbers the entries; it does not change their order by itself). The result is:
permit tcp source source-wildcard destination destination-wildcard
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
or
Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for example, rename ACL
79 to ACL 1), so that it is programmed into hardware before the ACLs that consume the operator bits.
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available mapping bits in
the Opselect index and then allocates flag-related operators to use the same bits in the TCAM.
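The first workaround carried out step by step. This is an added example and not from the original guide: the ACL name tcpranges, the source and destination networks, and the sequence numbers are assumed. The starting state is the four-ACE list shown above, numbered 10, 20, 30 and 40 after resequencing; the fourth ACE (the one with no port-range operator) is deleted by sequence number and re-added at sequence 5 so it becomes the first entry.

```ios
! Added example, not from the original guide. ACL name, networks and
! sequence numbers are assumed values.
! 1. Give the entries a predictable numbering: start at 10, step by 10.
Switch(config)# ip access-list resequence tcpranges 10 10
Switch(config)# ip access-list extended tcpranges
! 2. Remove the fourth ACE (now sequence 40), the one without a range operator.
Switch(config-ext-nacl)# no 40
! 3. Re-add it with a sequence number lower than the first ACE (10).
Switch(config-ext-nacl)# 5 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Switch(config-ext-nacl)# exit
! 4. Confirm the order is now: no-range ACE first, then the three range ACEs.
Switch(config)# do show ip access-lists tcpranges
! 5. Re-apply (or leave applied) and confirm the NOVMR message does not recur.
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# ip access-group tcpranges in
Switch(config-if)# end
Switch# show logging | include NOVMR
```

Step 2 removes an entry by sequence number rather than by retyping the full ACE, which avoids a typo recreating a subtly different entry. Resequencing first is what makes a gap (sequence 5) available below the original first entry.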
Router ACLs function as follows:
The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security
access control.
If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware
if ip unreachables is disabled. If ip unreachables is enabled on the interface, denied packets are instead sent to the CPU so that ICMP unreachable messages can be generated, which turns a flood of denied traffic into CPU load; disable ip unreachables on interfaces that carry router ACLs unless the unreachable messages are required. The flows matching a permit statement are switched in hardware.
Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging
only. If the ACE is a permit statement, the packet is still switched and routed in hardware. Because each logged copy is handled by the CPU, put log only on ACEs that are not expected to match high-rate traffic.
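The weak and the hardened setting for the behaviour just described, side by side. This is an added example and not from the original guide: the ACL name edge-in, the SVI Vlan10, and the decision to log only Telnet denials are assumed. With ip unreachables enabled (the first interface block), every packet hitting the deny ACEs is punted to the CPU to generate an ICMP unreachable; with no ip unreachables (the second block), denied flows without log are dropped entirely in hardware and only the logged Telnet denials reach the CPU.

```ios
! Added example, not from the original guide. ACL name, interface and
! addresses are assumed values.
Switch(config)# ip access-list extended edge-in
! Logged deny: a copy of each matching packet goes to the CPU for logging.
Switch(config-ext-nacl)# deny tcp any any eq telnet log
! Unlogged deny: with ip unreachables disabled this is dropped purely in hardware.
Switch(config-ext-nacl)# deny tcp any any eq 135
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
!
! Weak setting: ip unreachables is on, so every denied packet is punted to the CPU.
Switch(config)# interface Vlan10
Switch(config-if)# ip unreachables
Switch(config-if)# ip access-group edge-in in
Switch(config-if)# exit
!
! Hardened setting: denied flows are dropped in hardware; only the log ACE punts.
Switch(config)# interface Vlan10
Switch(config-if)# no ip unreachables
Switch(config-if)# ip access-group edge-in in
Switch(config-if)# end
! Verify the ACL binding and the per-ACE match counters.
Switch# show ip interface Vlan10 | include unreachables|access list
Switch# show ip access-lists edge-in
```

The match counters shown by show ip access-lists increment for hardware-dropped flows as well, so disabling unreachables does not cost visibility into which ACE is matching; what is lost is only the ICMP feedback to the sender.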