How to Create and Apply ACLs on a Switch?

Steven_zhang | Created at: Dec 11, 2019 13:26:31 | Updated at: Dec 11, 2019 13:26:38

Topology:

[Figure: network topology]

Before any ACL is applied to the switch, the client can reach the WEB/FTP services and ping succeeds.

[Screenshot: WEB/FTP access and ping succeed before the ACL is applied]


1) ACL based on IP address.

Configuration:

*Create the ACL "aclip" and set its rule. (Deny the client all IP traffic to the specific host.)

Console(config)# access-list ip extended aclip
Console(config-ext-acl)# deny host 192.168.20.10 host 192.168.20.150
Console(config-ext-acl)# exit

*Apply the ACL inbound on a specific switch port (the port the client's traffic enters on).

Console(config)# interface ethernet 1/2
Console(config-if)# ip access-group aclip in


Results:

The client (192.168.20.10) can no longer ping or reach the WEB and FTP services on 192.168.20.150, but can still ping other IP addresses: only traffic matching the deny rule is dropped.


2) ACL based on IP address and TCP.

Configuration:

*Create the ACL "acltcp" and set its rule. (Deny the client TCP traffic to the specific host.)

Console(config)# access-list ip extended acltcp
Console(config-ext-acl)# deny tcp host 192.168.20.10 host 192.168.20.150
Console(config-ext-acl)# exit

*Apply the ACL inbound on a specific switch port.

Console(config)# int ethernet 1/2
Console(config-if)# ip access-group acltcp in


Results:

The client (192.168.20.10) cannot reach the WEB and FTP services, but can still ping and reach TFTP on 192.168.20.150, since TFTP runs over UDP rather than TCP.


3) ACL based on IP address and UDP.

Configuration:

*Create the ACL "acludp" and set its rule. (Deny the client UDP traffic to the specific host.)

Console(config)# access-list ip extended acludp
Console(config-ext-acl)# deny udp host 192.168.20.10 host 192.168.20.150
Console(config-ext-acl)# exit

*Apply the ACL inbound on a specific switch port.

Console(config)# int ethernet 1/2
Console(config-if)# ip access-group acludp in


Results:

The client (192.168.20.10) cannot reach TFTP, but can still ping and reach the WEB/FTP services on 192.168.20.150, since those run over TCP.


4) ACL based on IP address and port number.

Configuration:

*Create the ACL "aclport" and set its rule. (Deny the client traffic to the specific host on a specific destination port.)

Console(config)# access-list ip extended aclport
Console(config-ext-acl)# deny host 192.168.20.10 host 192.168.20.150 destination-port 21
Console(config-ext-acl)# exit

*Apply the ACL inbound on a specific switch port.

Console(config)# int ethernet 1/2
Console(config-if)# ip access-group aclport in


Results:

The client (192.168.20.10) cannot reach FTP (TCP port 21), but can still ping and reach the WEB/TFTP services on 192.168.20.150, because the rule matches only destination port 21.

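To check the four results above before touching a switch, here is an added Python model of the rule matching (not code from the article or the switch vendor). It encodes the four ACLs exactly as configured in sections 1 to 4 and runs the page's test flows (ping, WEB, FTP, TFTP, plus a ping to a constructed second host 192.168.20.200) through them; the "permit" default for unmatched traffic is an assumption taken from the observed results, not a claim about every switch.

```python
from collections import namedtuple

CLIENT = "192.168.20.10"   # client from the page
SERVER = "192.168.20.150"  # WEB/FTP/TFTP server from the page
OTHER = "192.168.20.200"   # constructed: another host on the same LAN

# proto is "tcp"/"udp"/"icmp" or None (any IP protocol); dst_port None = any port.
Rule = namedtuple("Rule", "action src dst proto dst_port", defaults=(None, None))
Packet = namedtuple("Packet", "src dst proto dst_port", defaults=(None,))

def matches(rule, pkt):
    """A rule matches only when every field it specifies equals the packet's."""
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))

def evaluate(acl, pkt, default="permit"):
    """First matching rule wins. Unmatched traffic gets the default, modelled
    as 'permit' because the page shows ping to other hosts still succeeding."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default

# The four ACLs exactly as configured on the page.
ACLS = {
    "aclip":   [Rule("deny", CLIENT, SERVER)],
    "acltcp":  [Rule("deny", CLIENT, SERVER, proto="tcp")],
    "acludp":  [Rule("deny", CLIENT, SERVER, proto="udp")],
    "aclport": [Rule("deny", CLIENT, SERVER, dst_port=21)],
}

# Constructed test flows from the client, mirroring the page's test cases.
TRAFFIC = {
    "ping":       Packet(CLIENT, SERVER, "icmp"),
    "ping_other": Packet(CLIENT, OTHER, "icmp"),
    "web":        Packet(CLIENT, SERVER, "tcp", 80),
    "ftp":        Packet(CLIENT, SERVER, "tcp", 21),
    "tftp":       Packet(CLIENT, SERVER, "udp", 69),
}

def results(acl_name):
    """Action each test flow receives under the named ACL."""
    return {name: evaluate(ACLS[acl_name], pkt) for name, pkt in TRAFFIC.items()}
```

Calling results("aclport"), for example, reproduces section 4: only the FTP flow is denied while ping, WEB and TFTP are permitted.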