Cisco Support Community
New Member

Access-list in Cisco 3560 Series Switch

Guys,

I will be implementing access-lists in a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow the ports that the users need to access. The ports will be as follows: tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and the port used by the IP Phone.

Hope you can help me guys.

Thanks,

John

5 REPLIES
Hall of Fame Super Gold

Re: Access-list in Cisco 3560 Series Switch

ip access-list extended yabba-dabba-doo

permit tcp any any eq 80 81 8080 25 110 143

permit udp any any eq 23

Re: Access-list in Cisco 3560 Series Switch

And then don't forget to apply this access-list to the interface or VLAN you want it on.

You can use a number for the ACL > 100 or a name as indicated earlier.

If you go with just a number :

access-list 100 permit tcp any any eq 80 81 ...

access-list 100 permit udp any any eq 23

int g1/0/1

ip access-group NAME in

OR

ip access-group 100 in

As for example :

NMS-3750-A(config-if)#ip acc

NMS-3750-A(config-if)#ip access-group ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name

New Member

Re: Access-list in Cisco 3560 Series Switch

Thanks for the reply, lavramov. I have one more concern: how about my plan to block all ports, then allow the ports that users will use one by one?

Do you have any idea how to do it?

Super Bronze

Re: Access-list in Cisco 3560 Series Switch

What both Leo and Lucien showed would do that.

ACLs terminate with an implicit deny everything. So, the shown examples define the ports permitted, and block everything else. BTW, you can explicitly define an ACL to block traffic too. However, since ACLs are processed in sequence, the "default" shouldn't be the first entry or you'll block all traffic.
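The two points made in this reply (the implicit deny at the end, and first-match ordering so an explicit deny placed first blocks everything) are easy to see with a small evaluator. The following is an added example written for this thread, not code from the thread or from Cisco: it parses the subset of IOS extended-ACL syntax used in the earlier replies (`permit|deny <proto> any any [eq <port> ...]`) and walks the entries top to bottom the way the switch does. The ACL name `deny-first-mistake`, the sample packets, and the UDP port 5060 used to stand in for the unspecified IP phone port are all constructed for the demo; the evaluator is stateless and models only the inbound direction on one interface, so it says nothing about return traffic.

```python
# Added example (not from the thread): a minimal simulator of how an IOS
# extended ACL is evaluated, to show first-match ordering and the implicit
# deny at the end. Only the ACE forms used in the replies are parsed:
#   permit|deny <proto> any any [eq <port> [<port> ...]]
# Packet tuples and the ACL named "deny-first-mistake" are constructed here.

from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry, kept in the order it was typed."""
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    ports: frozenset   # destination ports; empty set means "any port"


@dataclass
class Packet:
    proto: str
    dst_port: int


def parse_acl(text):
    """Parse 'permit/deny proto any any [eq p1 p2 ...]' lines into Ace objects.
    The 'ip access-list extended NAME' header and blank lines are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        if tokens[2:4] != ["any", "any"]:
            raise ValueError("this example only handles 'any any': " + raw)
        ports = frozenset()
        if len(tokens) > 4:
            if tokens[4] != "eq":
                raise ValueError("only 'eq' port matching is modelled: " + raw)
            ports = frozenset(int(p) for p in tokens[5:])
        aces.append(Ace(action, proto, ports))
    return aces


def ace_matches(ace, pkt):
    """'ip' matches any protocol; an empty port set matches any port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return not ace.ports or pkt.dst_port in ace.ports


def evaluate(aces, pkt):
    """Walk the ACEs top to bottom; the first match wins. If nothing matches,
    the packet hits the implicit 'deny ip any any' that ends every IOS ACL."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"   # implicit deny: never shown as an entry by the switch


# The ACL from the first reply (name as posted in the thread).
ACL_OK = """
ip access-list extended yabba-dabba-doo
 permit tcp any any eq 80 81 8080 25 110 143
 permit udp any any eq 23
"""

# Same entries, but with an explicit deny typed first: nothing is ever permitted.
ACL_DENY_FIRST = """
ip access-list extended deny-first-mistake
 deny ip any any
 permit tcp any any eq 80 81 8080 25 110 143
 permit udp any any eq 23
"""

# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", 80),    # web, listed               -> permit
    Packet("tcp", 443),   # HTTPS, not listed          -> implicit deny
    Packet("udp", 23),    # listed under udp           -> permit
    Packet("tcp", 23),    # tcp/23 is not listed       -> implicit deny
    Packet("udp", 5060),  # assumed phone port, not yet in the list -> implicit deny
]


def decisions(acl_text, packets):
    """Return the permit/deny verdict for each packet under the given ACL."""
    aces = parse_acl(acl_text)
    return [evaluate(aces, p) for p in packets]


if __name__ == "__main__":
    for label, acl in (("permit-list", ACL_OK), ("deny-first", ACL_DENY_FIRST)):
        print(label, decisions(acl, SAMPLE))
```

Running it shows the permit-list ACL allowing exactly the listed ports and silently dropping the rest (including tcp/23 and the phone port until they are added), while the deny-first ACL drops all five packets: the later permits are never reached.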

Hall of Fame Super Gold

Re: Access-list in Cisco 3560 Series Switch

Hi John,

Sorry for the delayed response. At the end of the ACL, there's an "implicit deny (all)".

Which means: allow all the traffic from the ports mentioned. If any traffic arrives that is NOT in the specified list, drop 'em.

:)
