
Cisco WS-C3560-48PS-S User Manual

Cisco WS-C3560-48PS-S
892 pages
27-14
Catalyst 3560 Switch Software Configuration Guide
78-16156-01
Chapter 27 Configuring Network Security with ACLs
Configuring IP ACLs
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IP
ACL to a Terminal Line” section on page 27-18), to interfaces (see the “Applying an IP ACL to an
Interface” section on page 27-19), or to VLANs (see the “Configuring VLAN Maps” section on
page 27-29).
Creating Named Standard and Extended ACLs
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists in a router than if you were to use numbered access lists. If you
identify your access list with a name rather than a number, the mode and command syntax are slightly
different. However, not all commands that use IP access lists accept a named access list.
Note The name you give to a standard or extended ACL can also be a number in the supported range of access
list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL
can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete
individual entries from a named list.
Consider these guidelines and limitations before configuring named ACLs:
- Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and
  route filters on interfaces can use a name. VLAN maps also accept a name.
- A standard ACL and an extended ACL cannot have the same name.
- Numbered ACLs are also available, as described in the “Creating Standard and Extended IP ACLs”
  section on page 27-7.
- You can use standard and extended ACLs (named or numbered) in VLAN maps.
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: ip access-list standard name
Purpose: Define a standard IP access list using a name, and enter access-list configuration mode.
Note: The name can be a number from 1 to 99.

Step 3
Command: deny {source [source-wildcard] | host source | any} [log]
or
permit {source [source-wildcard] | host source | any} [log]
Purpose: In access-list configuration mode, specify one or more conditions denied or permitted to determine if the packet is forwarded or dropped.
- host source—A source and source wildcard of source 0.0.0.0.
- any—A source and source wildcard of 0.0.0.0 255.255.255.255.

Step 4
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show access-lists [number | name]
Purpose: Show the access list configuration.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To remove a named standard ACL, use the no ip access-list standard name global configuration command.
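
To make the Step 3 matching rules concrete, the following Python sketch is an added example (not part of the Cisco guide and not Cisco code): it parses entries in the Step 3 syntax, expands host and any into the source/wildcard pairs defined above, and evaluates a source address against the list in order. The ACL body and addresses are constructed; first-match evaluation, the implicit final deny, and treating an omitted wildcard as 0.0.0.0 are standard IOS behaviour assumed here rather than stated on this page.

```python
import ipaddress

# Constructed sample: the body of a named standard ACL as typed in
# access-list configuration mode (addresses are made up for illustration).
SAMPLE_ACL = """\
deny host 10.1.1.5 log
permit 10.1.1.0 0.0.0.255
deny 172.16.0.0 0.0.255.255
permit any
"""

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_entry(line):
    """Parse 'deny|permit {source [source-wildcard] | host source | any} [log]'."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:                      # any = 0.0.0.0 255.255.255.255
        source, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(rest) == 2 and rest[0] == "host":
        source, wildcard = rest[1], "0.0.0.0"  # host = wildcard 0.0.0.0
    elif len(rest) == 1:
        source, wildcard = rest[0], "0.0.0.0"  # assumption: omitted wildcard is 0.0.0.0
    elif len(rest) == 2:
        source, wildcard = rest
    else:
        raise ValueError(f"bad entry: {line!r}")
    return action, _u32(source), _u32(wildcard), log

def parse_acl(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def evaluate(entries, src):
    """Return (action, log) of the first entry matching source address src."""
    addr = _u32(src)
    for action, source, wildcard, log in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
        if addr & care == source & care:
            return action, log
    return "deny", False  # assumption: implicit deny ends every IOS ACL
```

Entry order matters: moving the `deny host 10.1.1.5` line below the `permit 10.1.1.0 0.0.0.255` line would let that host through, because the broader permit would match first.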
