Cisco Systems 3750E Manual De Usuario
34-17
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
When you are creating standard extended ACLs, remember that, by default, the end of the ACL contains
an implicit deny statement for everything if it did not find a match before reaching the end. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
an implicit deny statement for everything if it did not find a match before reaching the end. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL. This example shows how you can delete individual
ACEs from the named access list border-list:
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL. This example shows how you can delete individual
ACEs from the named access list border-list:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs
instead of numbered ACLs.
instead of numbered ACLs.
After creating a named ACL, you can apply it to interfaces (see the
) or to VLANs (see the
Using Time Ranges with ACLs
You can selectively apply extended ACLs based on the time of day and the week by using the
time-range global configuration command. First, define a time-range name and set the times and the
dates or the days of the week in the time range. Then enter the time-range name when applying an ACL
to set restrictions to the access list. You can use the time range to define when the permit or deny
statements in the ACL are in effect, for example, during a specified time period or on specified days of
the week. The time-range keyword and argument are referenced in the named and numbered extended
ACL task tables in the previous sections, the
time-range global configuration command. First, define a time-range name and set the times and the
dates or the days of the week in the time range. Then enter the time-range name when applying an ACL
to set restrictions to the access list. You can use the time range to define when the permit or deny
statements in the ACL are in effect, for example, during a specified time period or on specified days of
the week. The time-range keyword and argument are referenced in the named and numbered extended
ACL task tables in the previous sections, the
, and the
.
These are some of the many possible benefits of using time ranges:
•
You have more control over permitting or denying a user access to resources, such as an application
(identified by an IP address/mask pair and a port number).
(identified by an IP address/mask pair and a port number).
•
You can control logging messages. ACL entries can be set to log traffic only at certain times of the
day. Therefore, you can simply deny access without needing to analyze many logs generated during
peak hours.
day. Therefore, you can simply deny access without needing to analyze many logs generated during
peak hours.
Time-based access lists trigger CPU activity because the new configuration of the access list must be
merged with other features and the combined configuration loaded into the hardware memory. For this
reason, you should be careful not to have several access lists configured to take affect in close succession
(within a small number of minutes of each other.)
merged with other features and the combined configuration loaded into the hardware memory. For this
reason, you should be careful not to have several access lists configured to take affect in close succession
(within a small number of minutes of each other.)
Note
The time range relies on the switch system clock; therefore, you need a reliable clock source. We
recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more
information, see the
recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more
information, see the