Access-list in Cisco 3560 Series Switch

Unanswered Question
Jul 13th, 2009

Guys,


I will be implementing access-lists in a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow the ports that the users need to access. The ports will be as follows: tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and the port used by the IP Phone.


Hope you can help me guys.


Thanks,


John

Leo Laohoo Mon, 07/13/2009 - 20:34

ip access-list extended yabba-dabba-doo

permit tcp any any eq 80 81 8080 25 110 143

permit udp any any eq 23



Lucien Avramov Mon, 07/13/2009 - 20:55

And then don't forget to call this access-list on the interface or VLAN you want to apply it to.


You can use a number for the ACL > 100 or a name as indicated earlier.


If you go with just a number:

access-list 100 permit tcp any any eq 80 81 ...

access-list 100 permit udp any any eq 23


int g1/0/1

ip access-group NAME in

OR

ip access-group 100 in


For example:


NMS-3750-A(config-if)#ip acc

NMS-3750-A(config-if)#ip access-group ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name


helios999 Mon, 07/13/2009 - 22:20

Thanks for the reply, lavramov. I have one more concern: how about my plan to block all ports and then allow the ports that users will use, one by one?


Do you have any idea how to do it?

Joseph W. Doherty Tue, 07/14/2009 - 03:22

What both Leo and Lucien showed would do that.


ACLs terminate with an implicit deny everything. So, the examples shown define the ports permitted and block everything else. BTW, you can explicitly define an ACL entry to block traffic too. However, since ACLs are processed in sequence, the "default" shouldn't be the first entry or you'll block all traffic.

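To make the two points in this thread concrete (the implicit deny at the end of every ACL, and the first-match ordering that makes a leading "deny ip any any" block everything), here is an added example that is not part of the thread or of Cisco's software: a small Python simulator of how IOS evaluates an extended ACL. It parses only the ACE shape used above, "permit|deny <proto> any any [eq <port>...]", treating the ports after the destination address as destination ports as IOS does, and runs the posted ACL plus two constructed variations against a handful of constructed packets.

```python
# Added example (not from the thread): a small simulator of how Cisco IOS evaluates an
# extended ACL -- entries are checked in order, the first match decides, and a packet
# that matches nothing hits the implicit "deny ip any any" at the end. The parser
# accepts only the ACE shape used in the thread: "permit|deny <proto> any any [eq <port>...]",
# where the port list after the destination address is the destination port, as in IOS.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    dst_ports: List[int]  # empty means "any destination port"


@dataclass
class Packet:
    proto: str                     # "tcp" or "udp"
    dst_port: Optional[int] = None


def parse_ace(line: str) -> AclEntry:
    """Parse one ACE such as 'permit tcp any any eq 80 81 8080 25 110 143'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, src, dst = tokens[:4]
    if proto not in ("ip", "tcp", "udp") or src != "any" or dst != "any":
        raise ValueError("simulator handles only ip/tcp/udp with 'any any' addresses")
    ports: List[int] = []
    rest = tokens[4:]
    if rest:
        if rest[0] != "eq" or len(rest) < 2:
            raise ValueError("only 'eq <port> [<port>...]' is supported")
        ports = [int(p) for p in rest[1:]]
    return AclEntry(action, proto, ports)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    return [parse_ace(line) for line in lines if line.strip()]


def matches(ace: AclEntry, pkt: Packet) -> bool:
    # "ip" matches any protocol; otherwise the protocol must agree exactly.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    # An ACE without "eq" matches every destination port.
    return not ace.dst_ports or pkt.dst_port in ace.dst_ports


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE). Index None means the packet fell
    through every entry and was dropped by the implicit deny."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# Constructed inputs: the ACL posted in the thread, and two variations with an explicit deny.
THREAD_LINES = [
    "permit tcp any any eq 80 81 8080 25 110 143",
    "permit udp any any eq 23",
]
THREAD_ACL = parse_acl(THREAD_LINES)
DENY_FIRST_ACL = parse_acl(["deny ip any any"] + THREAD_LINES)  # the ordering mistake
DENY_LAST_ACL = parse_acl(THREAD_LINES + ["deny ip any any"])   # explicit deny, same effect as implicit


if __name__ == "__main__":
    samples = [Packet("tcp", 80), Packet("tcp", 443), Packet("udp", 23), Packet("udp", 53)]
    for name, acl in (("thread", THREAD_ACL), ("deny-first", DENY_FIRST_ACL), ("deny-last", DENY_LAST_ACL)):
        for pkt in samples:
            action, idx = evaluate(acl, pkt)
            where = "implicit deny" if idx is None else f"entry {idx}"
            print(f"{name:10} {pkt.proto}/{pkt.dst_port}: {action} ({where})")
```

Running it shows tcp/80 and udp/23 permitted by entries 0 and 1 of the posted ACL, tcp/443 and udp/53 dropped by the implicit deny (so anything not listed, DNS included, needs its own permit), and the deny-first variant denying even tcp/80 at entry 0, which is exactly the ordering problem described above.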
Leo Laohoo Tue, 07/14/2009 - 18:45

Hi John,


Sorry for the delayed response. At the end of the ACL, there's an "implicit deny (all)".


Which means: allow all the traffic from the ports mentioned. If any traffic arrives that is NOT in the specified list, drop 'em.


:)
