Configuring ACLs
Commented IP ACL Entry Examples
In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the
workstation belonging to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
Every IP ACL ends with an implicit deny, so the explicit deny entry for the Smith workstation only documents intent: any source other than the Jones workstation is dropped by this list whether or not that entry is present.
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the
Web (an extended ACL entry must name the protocol, so each entry specifies tcp before the source address):
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www
Because this list contains only deny entries, applying it as shown blocks all traffic through the implicit deny at the end of the list; a permit entry for the traffic that should pass must follow the deny entries.
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
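The evaluator below is an added example, not code from the Catalyst 2950 guide or from Cisco IOS. It parses the lists shown above (with the tcp keyword supplied in the numbered extended entries) plus one constructed list, telnetting-fixed, that ends with permit ip any any, and reproduces the three rules that decide an IP ACL verdict: the wildcard mask (a 1 bit means do not care), first match wins, and the implicit deny at the end of every list. The packets it evaluates and the destination address 192.0.2.1 are constructed for the demonstration; only the www and telnet port keywords from the page are recognised.

```python
"""IOS IP ACL evaluator (added example, not Cisco code): wildcard masks, first match, implicit deny."""
import ipaddress
from dataclasses import dataclass

PORT_KEYWORDS = {"www": 80, "telnet": 23}   # keywords used on the page; IOS knows many more

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _matches(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match exactly."""
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol (always used for standard lists)
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: "int | None"
    line: str                     # original text, reported with the verdict

def _address(tokens, i):
    """Consume any | host A.B.C.D | A.B.C.D W.W.W.W | A.B.C.D (one host) at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    base = _ip(tokens[i])
    try:                          # an explicit wildcard mask may follow the address
        return base, _ip(tokens[i + 1]), i + 2
    except (IndexError, ValueError):
        return base, 0, i + 1

def _parse_entry(kind, tokens, line):
    if kind == "standard":        # source-only entry: read it as '<action> ip <source> any'
        tokens = [tokens[0], "ip", *tokens[1:], "any"]
    src, src_wild, i = _address(tokens, 2)
    dst, dst_wild, i = _address(tokens, i)
    port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        port = PORT_KEYWORDS.get(tokens[i + 1]) or int(tokens[i + 1])
    return Entry(tokens[0], tokens[1], src, src_wild, dst, dst_wild, port, line)

def parse_config(text):
    """Return {number_or_name: [Entry, ...]} for the numbered and named lists in text."""
    acls, kinds, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":                   # numbered form
            name, body = tokens[1], tokens[2:]
            kinds[name] = "standard" if int(name) <= 99 or 1300 <= int(name) <= 1999 else "extended"
        elif tokens[:2] == ["ip", "access-list"]:        # named form header
            current, kinds[tokens[3]] = tokens[3], tokens[2]
            acls.setdefault(current, [])
            continue
        elif current is None:
            raise ValueError(f"entry outside any ACL: {raw!r}")
        else:                                            # entry inside a named list
            name, body = current, tokens
        if body[0] != "remark":                          # remarks document, never match
            acls.setdefault(name, []).append(_parse_entry(kinds[name], body, raw.strip()))
    return acls

def evaluate(entries, src, dst, proto="ip", dst_port=None):
    """First matching entry decides; if nothing matches, the implicit deny does."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_matches(s, e.src, e.src_wild) and _matches(d, e.dst, e.dst_wild)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.line
    return "deny", "implicit deny at end of list"

# The page's lists (tcp keyword supplied in ACL 100) plus one constructed list,
# telnetting-fixed, that ends with the explicit permit the page's lists lack.
PAGE_CONFIG = """
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 deny 171.69.3.13
access-list 100 deny tcp host 171.69.3.85 any eq www
access-list 100 deny tcp host 171.69.3.13 any eq www
ip access-list standard prevention
 deny 171.69.0.0 0.0.255.255
ip access-list extended telnetting
 deny tcp 171.69.0.0 0.0.255.255 any eq telnet
ip access-list extended telnetting-fixed
 deny tcp 171.69.0.0 0.0.255.255 any eq telnet
 permit ip any any
"""

if __name__ == "__main__":       # constructed packet: a Jones-subnet host browsing the web
    print(evaluate(parse_config(PAGE_CONFIG)["telnetting"], "171.69.1.1", "192.0.2.1", "tcp", 80))
```

Run as written, the script shows that the telnetting list as given on the page denies a Jones-subnet host's web traffic through the implicit deny, not through the telnet entry; the same packet is permitted by telnetting-fixed because an explicit permit follows the deny.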
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extended named access lists.
A named MAC extended ACL filters nothing until it is applied to an interface with the mac access-group interface configuration command.
Note
For more information about the supported non-IP protocols in the mac access-list extended command,
refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
Note
Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands, nor is matching on any
SNAP-encapsulated packet with a non-zero Organizational Unique Identifier (OUI).
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Step    Command                          Purpose
Step 1  configure terminal               Enter global configuration mode.
Step 2  mac access-list extended name    Define an extended MAC access list by using a name.
Catalyst 2950 Desktop Switch Software Configuration Guide, 78-11380-03, Chapter 12 Configuring Network Security with ACLs, page 12-20