Configuring ACLs
Commented IP ACL Entry Examples
In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the
workstation belonging to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the
Web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.13 any eq www
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extended named access lists.
Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.
Note
For more information about the supported non-IP protocols in the mac access-list extended command,
refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identifier (OUI) is
Note
not supported.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Command
Step 1
configure terminal
Step 2
mac access-list extended name
Catalyst 2950 Desktop Switch Software Configuration Guide
23-20
Chapter 23
Purpose
Enter global configuration mode.
Define an extended MAC access list by using a name.
Configuring Network Security with ACLs
78-11380-04