-
Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(4)EA1
-
Index
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Getting Started with CMS
-
Assigning the Switch IP Address and Default Gateway
-
Clustering Switches
-
Administering the Switch
-
Configuring Interface Characteristics
-
Creating and Maintaining VLANs
-
Configuring STP
-
Configuring IGMP Snooping and MVR
-
Configuring Traffic Suppression and Traffic Control
-
Configuring CDP
-
Configuring UDLD
-
Configuring RMON
-
Configuring System Message Logging
-
Configuring SNMP
-
Configuring Network Security with ACLs
-
Configuring QoS
-
Configuring EtherChannel
-
Configuring IP Unicast Routing
-
Configuring HSRP
-
Configuring IP Multicast Routing
-
Configuring MSDP
-
Configuring Fallback Bridging
-
Troubleshooting
-
Supported MIBs
-
Working with the IOS File System, Configuration Files, and Software Images
-
Unsupported CLI Commands
-
Table Of Contents
Configuring Network Security with ACLs
Handling Fragmented and Unfragmented Traffic
Hardware and Software Handling of Router ACLs
Creating Standard and Extended IP ACLs
Creating a Numbered Standard Access List
Creating a Numbered Extended Access List
Creating Standard and Extended Access Lists Using Names
Applying Time Ranges to Access Lists
Including Comments About Entries in ACLs
Applying the ACL to an Interface or Terminal Line
Examples of Compiling Access Lists
VLAN Map Configuration Guidelines
Creating Named MAC Extended Access Lists
Displaying the VLAN Map Information
Using VLAN Maps in Your Network
Denying Access to a Server on Another VLAN
Using VLAN Maps with Router ACLs
Determining if the ACL Configuration Fits in Hardware
Applying Router ACLs and VLAN Maps on VLANs
Configuring Network Security with ACLs
This chapter describes how to configure network security on your switch by using access control lists (ACLs). To take advantage of some of the features described in this chapter, you must have the enhanced multilayer switch image installed on your switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the "Configuring IP Services" section of Cisco IOS IP and IP Routing Configuration Guide and Command Reference for IOS Release 12.1.
This chapter consists of these sections:
•
•
Note
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a router and permit or deny packets from crossing specified interfaces. An access list is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied access lists to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. It tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packets. If there are no restrictions, it is forwarded; otherwise, the switch drops the packet.
Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer image installed can accelerate packet routing between VLANs by using Layer 3 switching. The switch bridges the packet, the packet is then routed internally without going to an external router, and then the packet is bridged again to send it to its destination. During this process, the switch can access-control all packets it switches, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure access lists, all packets passing through the switch could be allowed onto all parts of the network. You can use access lists to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. Access control lists can be configured to block inbound traffic, outbound traffic, or both.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.
The switch supports two types of ACLs:
•
•
Supported ACLs
The switch supports two applications of ACLs to filter traffic:
•
•
When a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.
This switch also supports Quality of Service (QoS) classification ACLs. For more information, see the "Classification Based on QoS ACLs" section.
Router ACLs
You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. Router ACLs are applied on interfaces for specific directions (inbound or outbound).
One ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times.
•
•
The switch examines ACLs associated with features configured on a given interface and a direction. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded out to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For example, you can use access lists to allow one host to access a part of a network, but prevent another host from accessing the same part. In Figure 17-1, ACLs applied at the router input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.
Figure 17-1 Using ACLs to Control Traffic to a Network
VLAN Maps
VLAN maps can access-control all traffic. You can apply VLAN maps on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are not defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 17-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded.
Figure 17-2 Using VLAN Maps to Control Traffic
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, etc. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are modified as follows:
•
•
Consider ACL 102, configured with these commands, applied to three fragmented packets:
Switch (config)# access-list 102 permit tcp any host 10.1.1.1 eq smtpSwitch (config)# access-list 102 deny tcp any host 10.1.1.2 eq telnetSwitch (config)# access-list 102 permit tcp any host 10.1.1.2Switch (config)# access-list 102 deny tcp any any
Note
•
•
•
•
Configuring Router ACLs
Configuring router ACLs on Layer 3 switch-routed VLAN interfaces is the same as configuring ACLs on other Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the "Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not supported on the Catalyst 3550 switch, see the "Unsupported Features" section.
Caution
Hardware and Software Handling of Router ACLs
ACL processing is mostly accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic. When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.
These factors can cause packets to be sent to the CPU:
•
•
•
If access-control lists cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.
When you enter the show ip access-list privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
•
•
•
Unsupported Features
These IOS router ACL-related features are not supported on the switch:
•
•
•
•
•
•
•
Creating Standard and Extended IP ACLs
This section summarizes how to create router IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.
The two steps involved in using ACLs are as follows:
Step 1
Step 2
The software supports these styles of ACLs or access lists for IP:
•
•
The next sections describe access lists and the steps required to use them.
Access List Numbers
The number you use to denote your ACL shows the type of access list you are creating. Table 17-1 lists the access list number and corresponding access list type and shows whether or not they are supported in the switch. The Catalyst 3550 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Note
Creating a Numbered Standard Access List
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
Note
This example shows how to create a standard access list to deny access to IP host 171.69.198.102, permit access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102Switch (config)# access-list 2 permit anySwitch(config)# endSwitch# show access-listsStandard IP access list 2deny 171.69.198.102permit anyThe switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don't care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don't care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
The switch software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the ACL causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Note
Note
After creating an ACL, you must apply it to a line or interface, as shown in the "Applying the ACL to an Interface or Terminal Line" section.
Creating a Numbered Extended Access List
Although standard access lists use only source addresses for matching, you can use an extended access list source and destination addresses for matching operations and optional protocol type information for finer granularity of control. Additionally, some protocols have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold):
Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp), Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message Protocol (icmp), Internet Group Management Protocol (igmp), Interior Gateway Routing Protocol (igrp), any Interior Protocol (ip), IP in IP tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing (ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
•
•
•
•
•
Table 17-2 lists the possible filtering parameters for ACEs for each protocol type.
Table 17-2 Filtering Parameter ACEs Supported by Different IP Protocols
Layer 3 Parameters:
IP ToS byte3
X
X
X
X
X
Differentiated Services Code Point (DSCP)
X
X
X
X
X
IP source address
X
X
X
X
X
IP destination address
X
X
X
X
X
Fragments
X
X
X
X
X
TCP or UDP
X
X
-
-
-
ICMP
-
-
X
-
-
IGMP
-
-
-
X
-
Other IP protocol
-
-
-
-
X
Layer 4 Parameters
Source port
X
X
-
-
-
Source port operator
X
X
-
-
-
Destination port
X
X
-
-
-
Destination port operator
X
X
-
-
-
TCP flag
X
-
-
-
-
ICMP code
-
-
X
-
-
ICMP type
-
-
X
-
-
IGMP message type
-
-
-
X
-
1 X in a protocol column means support for the filtering parameter.
2 ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
3 No support for type of service (TOS) minimize monetary cost bit.
For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1.
Note
When creating ACEs in numbered extended access lists, remember that after the list is created, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
Beginning in privileged EXEC mode, follow these steps to create an extended access list:
Step 1
configure terminal
Enter global configuration mode.
Step 2 a
access-list access-list-number
{deny | permit} protocol
source source-wildcard
destination destination-wildcard [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]Note
Define an extended IP access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip.
Note
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the source.
Source, source-wildcard, destination, and destination-wildcard can be specified in three ways:
•
•
•
(Optional) Enter precedence to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
(Optional) Enter fragments to check non-initial fragments.
(Optional) Enter tos to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
(Optional) Enter log to create an informational logging message to be sent to the console about the packet that matches the entry or log-input to include the input interface in the log entry.
(Optional) For explanation of the time-range keyword, see the "Applying Time Ranges to Access Lists" section.
(Optional) Enter dscp to match packets with the differentiated services codepoint value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
or
access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
You can use the any keyword in place of source and destination address and wildcard.
or
access-list access-list-number {deny | permit} protocol
host source host destination [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]Define an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
You can use the host keyword in place of source and destination wildcard or mask.
Step 2b
access-list access-list-number
{deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] [flag](Optional) Define an extended TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol.
The parameters are the same as those described in Step 2a with these exceptions:
(Optional) Enter an operator and port to compare source (if positioned after source source-wildcard) or destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or refer to "Configuring IP Services" section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
(Optional) Enter established to match an established connection. This has the same function as matching on the ack or rst flag.
(Optional) Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
Step 2c
access-list access-list-number
{deny | permit} udp
source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp](Optional) Define an extended UDP access list and the access conditions.
Enter udp for the User Datagram Protocol.
The UDP parameters are the same as those described for TCP except that [operator [port]] port number or name must be a UDP port number or name, and the flag and established parameters are not valid for UDP.
Step 2d
access-list access-list-number
{deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp](Optional) Define an extended ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol.
The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters.
(Optional) Enter an icmp-type to filter by ICMP message type, a number from 0 to 255.
(Optional) Enter an icmp-code to filter ICMP packets that are filtered by ICMP message type by the ICMP message code, a number from 0 to 255.
(Optional) Enter an icmp-message to filter ICMP packets by ICMP message type name or ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the "Configuring IP Services" section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
Step 2e
access-list access-list-number
{deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp](Optional) Define an extended IGMP access list and the access conditions.
Enter igmp for Internet Group Management Protocol.
The IGMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the IGMP type parameter.
(Optional) To match IGMP message type, enter a number from 0 to 15, or enter the message name (dvmrp, host-query, host-report, pim, or trace).
Step 3
show access-lists [number | name]
Verify the access list configuration.
Step 4
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.)
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnetSwitch(config)# access-list 102 permit tcp any anySwitch(config)# endSwitch# show access-listsExtended IP access list 102deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnetpermit tcp any anyAfter an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list entries from a numbered access list.
Note
After creating an ACL, you must apply it to a line or interface, as described in the "Applying the ACL to an Interface or Terminal Line" section.
Creating Standard and Extended Access Lists Using Names
You can identify IP access lists with an alphanumeric string (a name) rather than a number. You can use named access lists to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named access list.
Note
Consider these guidelines and limitations before configuring named access lists:
•
•
•
•
Beginning in privileged EXEC mode, follow these steps to create a standard access list using names:
Beginning in privileged EXEC mode, follow these steps to create an extended access list using names:
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip access-list extended name
Define an extended IP access list using a name and enter access-list configuration mode.
Note
Step 3
{deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [established] [log] [time-range time-range-name]
In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.
Refer to the "Creating a Numbered Extended Access List" section for definitions of protocols and other keywords.
•
•
Step 4
end
Return to privileged EXEC mode.
Step 5
show access-lists [number | name]
Show the access list configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
When making the standard and extended access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. With standard access lists, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add access list entries to a specific access list. However, you can use no permit and no deny commands to remove entries from a named access list. This example shows how you can delete individual ACEs from a named access list:
Switch(config)# ip access-list extended border-listSwitch(config-ext-nacl)# no permit ip host 10.1.1.3 anyThis ability to selectively remove lines from a named access list is one reason you might use named access lists instead of numbered access lists.
After creating an access list, you must apply it to a line or interface, as described in the "Applying the ACL to an Interface or Terminal Line" section.
Applying Time Ranges to Access Lists
You can implement extended access lists based on the time of day and week by using the time-range command. First, define the name and times of the day and week of the time range, and then reference the time range by name in an ACL to apply restrictions to the access list. You can use the time range to define when the permit or deny statements in the access list are in effect. The time-range keyword and argument are referenced in the named and numbered extended access list task tables in the previous sections, the "Creating Standard and Extended IP ACLs" section, and the "Creating Standard and Extended Access Lists Using Names" section.
These are some of the many possible benefits of using time ranges:
•
•
Note
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an access list:
Repeat these tasks if you have multiple items that you want in effect at different times. This example shows how to configure time ranges for workhours and for company holidays and how to verify your configuration.
Switch(config)# time-range workhoursSwitch(config-time-range)# periodic weekdays 8:00 to 12:00Switch(config-time-range)# periodic weekdays 13:00 to 17:00Switch(config-time-range)# exitSwitch(config)# time-range new_year_day_2000Switch(config-time-range)# absolute start 00:00 1 Jan 2000 end 23:59 1 Jan 2000Switch(config-time-range)# exitSwitch(config)# time-range thanksgiving_2000Switch(config-time-range)# absolute start 00:00 22 Nov 2000 end 23:59 23 Nov 2000Switch(config-time-range)# exitSwitch(config)# time-range christmas_2000Switch(config-time-range)# absolute start 00:00 24 Dec 2000 end 23:50 25 Dec 2000Switch(config-time-range)# endSwitch# show time-rangetime-range entry: christmas_2000 (inactive)absolute start 00:00 24 December 2000 end 23:50 25 December 2000time-range entry: new_year_day_2000 (inactive)absolute start 00:00 01 January 2000 end 23:59 01 January 2000time-range entry: thanksgiving_2000 (inactive)absolute start 00:00 22 November 2000 end 23:59 23 November 2000time-range entry: workhours (inactive)periodic weekdays 8:00 to 12:00periodic weekdays 13:00 to 17:00For a time range to be applied, you must reference it by name in an extended access list that can implement time ranges. This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday time ranges and permits all TCP traffic during work hours.
Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2000Switch(config)# access-list 188 deny tcp any any time-range thanskgiving_2000Switch(config)# access-list 188 deny tcp any any time-range christmas_2000Switch(config)# access-list 188 permit tcp any any time-range workhoursSwitch(config)# endSwitch# show access-listExtended IP access list 188deny tcp any any time-range new_year_day_2000 (inactive)deny tcp any any time-range thanskgiving_2000 (active)deny tcp any any time-range christmas_2000 (inactive)permit tcp any any time-range workhours (inactive)This example uses named access lists to permit and deny the same traffic.
Switch(config)# ip access-list extended deny_accessSwitch(config-ext-nacl)# deny tcp any any time-range new_year_day_2000Switch(config-ext-nacl)# deny tcp any any time-range thanksgiving_2000Switch(config-ext-nacl)# deny tcp any any time-range christmas_2000Switch(config-ext-nacl)# exitSwitch(config)# ip access-list extended may_accessSwitch(config-ext-nacl)# permit tcp any any time-range workhoursSwitch(config-ext-nacl)# endSwitch# show ip access-listExtended IP access list deny_accessdeny tcp any any time-range new_year_day_2000 (inactive)deny tcp any any time-range thanksgiving_2000 (inactive)deny tcp any any time-range christmas_2000 (inactive)Extended IP access list may_accesspermit tcp any any time-range workhours (inactive)Including Comments About Entries in ACLs
You can use the remark command to include comments (remarks) about entries in any IP standard or extended access list. The remarks make the access list easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
For IP numbered standard or extended access lists, use the access-list access-list number remark remark global configuration command to include a comment about an access list. To remove the remark, use the no form of this command.
In this example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation throughSwitch(config)# access-list 1 permit 171.69.2.88Switch(config)# access-list 1 remark Do not allow Smith workstation throughSwitch(config)# access-list 1 deny 171.69.3.13For an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnettingSwitch(config-ext-nacl)# remark Do not allow Jones subnet to telnet outSwitch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnetApplying the ACL to an Interface or Terminal Line
After you create an ACL, you can apply it to one or more interfaces or terminal lines. Access lists can be applied on either outbound or inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
•
•
•
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an access list:
