DES-7200 Configuration Guide Chapter 1 Access Control List
Configuration
1-33
SwitchB(config)#ip access-list extended yanfa
! Prohibit all hosts of the development department from using QQ, MSN and other IM
! applications during 9:00-18:00 on every working day. The time range "worktime" must
! already be defined; each deny below takes effect only while that range is active.
! Because the ACL is applied inbound on the hosts' VLAN, the host is the source and
! connects from an ephemeral source port; the port operator therefore follows the
! destination address so that it matches the IM server's listening port.
SwitchB(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 any eq 8000 time-range worktime
SwitchB(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 any eq 8001 time-range worktime
SwitchB(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 any eq 443 time-range worktime
SwitchB(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 any eq 1863 time-range worktime
SwitchB(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 any eq 4000 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 8000 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 1429 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 6000 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 6001 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 6002 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 6003 time-range worktime
SwitchB(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 any eq 6004 time-range worktime
! Note: the TCP 443 entry blocks all HTTPS from the department during work hours, not
! only IM clients that fall back to port 443. Port-based matching is also easily evaded
! by clients that use other ports, so it is a coarse control rather than a guarantee.
! Permit all other IP traffic
SwitchB(config-ext-nacl)#permit ip any any
SwitchB(config-ext-nacl)#exit
! Apply the ACL in the inbound direction of SVI 2, the interface facing the hosts
SwitchB(config)#interface vlan 2
SwitchB(config-if)#ip access-group yanfa in
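To see how entries of this kind behave before binding the ACL to an interface, here is an added example (Python, not code from the DES-7200 guide) of a first-match evaluator for the ACE syntax used on this page. It parses entries as typed at the (config-ext-nacl) prompt, without the prompt, or as printed by show access-lists (sequence numbers and the tftp port name included), skips an ACE whose time range is inactive, applies the implicit deny at the end, and reports entries that an earlier entry shadows, which is the ordering mistake the verification step looks for. The time-range table, the packet, the timestamps and the IP addresses are constructed for the example; the worktime range is assumed to be Monday to Friday 09:00-18:00. It also contrasts the port operator placed after the source address with the operator placed after the destination address: applied inbound on the hosts' VLAN, only the destination-port form catches a client connecting to an IM server from an ephemeral source port.

```python
"""First-match evaluator and ordering check for the extended ACL syntax used on this page.
Added example, not code from the DES-7200 guide.  ACE form handled:
    [SEQ] {permit|deny} {ip|tcp|udp} SRC [eq PORT] DST [eq PORT] [time-range NAME]
with SRC/DST either 'any' or 'A.B.C.D WILDCARD'.  Time ranges come from a constructed
table; 'worktime' is assumed to be Mon-Fri 09:00-18:00, as the page's comment describes.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime

NAMED_PORTS = {"tftp": 69, "www": 80, "domain": 53}   # port names that appear in show output
ANY = (0, 0xFFFFFFFF)                                   # network 0, wildcard all-ones
TIME_RANGES = {"worktime": ({0, 1, 2, 3, 4}, 9, 18)}    # constructed: (weekdays, start, end)

# src/dst are (network, wildcard) integer pairs; sport/dport are None when no 'eq' was given
Ace = namedtuple("Ace", "seq action proto src sport dst dport time_range")
Packet = namedtuple("Packet", "proto src sport dst dport")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    return (ANY, i + 1) if tok[i] == "any" else ((_ip(tok[i]), _ip(tok[i + 1])), i + 2)

def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i

def parse_ace(line, default_seq):
    tok = line.split()
    seq, i = (int(tok[0]), 1) if tok[0].isdigit() else (default_seq, 0)
    action, proto, i = tok[i], tok[i + 1], i + 2
    src, i = _addr(tok, i)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    tr = tok[i + 1] if i < len(tok) and tok[i] == "time-range" else None
    return Ace(seq, action, proto, src, sport, dst, dport, tr)

def parse_acl(text):
    """Parse config lines or 'show access-lists' output; '!' comments and the header are skipped."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith(("!", "ip access-list")):
            aces.append(parse_ace(line, 10 * (len(aces) + 1)))
    return aces

def _addr_match(spec, ip):
    net, wild = spec
    fixed = ~wild & 0xFFFFFFFF                  # a set wildcard bit means "don't care"
    return (_ip(ip) & fixed) == (net & fixed)

def time_range_active(name, when, ranges=TIME_RANGES):
    days, start, end = ranges[name]
    return when.weekday() in days and start <= when.hour < end

def evaluate(acl, pkt, when, ranges=TIME_RANGES):
    """(action, seq) of the first matching ACE; ('deny', None) is the implicit deny at the end."""
    for a in acl:
        if a.time_range and not time_range_active(a.time_range, when, ranges):
            continue                            # ACE outside its time range is not in effect
        if (a.proto in ("ip", pkt.proto) and _addr_match(a.src, pkt.src)
                and _addr_match(a.dst, pkt.dst) and a.sport in (None, pkt.sport)
                and a.dport in (None, pkt.dport)):
            return a.action, a.seq
    return "deny", None

def _covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    return (b[1] & ~a[1]) == 0 and ((a[0] ^ b[0]) & ~a[1] & 0xFFFFFFFF) == 0

def shadowed(acl):
    """Sequence numbers of ACEs that an earlier, always-active ACE matches first (never hit)."""
    out = []
    for j, b in enumerate(acl):
        for a in acl[:j]:
            if (not a.time_range and a.proto in ("ip", b.proto) and _covers(a.src, b.src)
                    and _covers(a.dst, b.dst) and a.sport in (None, b.sport)
                    and a.dport in (None, b.dport)):
                out.append(b.seq)
                break
    return out

# Port operator after the SOURCE address: matches the client's (ephemeral) source port.
SRC_PORT_ACL = parse_acl("""
deny tcp 192.168.1.0 0.0.0.255 eq 8000 any time-range worktime
permit ip any any""")
# Port operator after the DESTINATION address: matches the IM server's listening port.
DST_PORT_ACL = parse_acl("""
deny tcp 192.168.1.0 0.0.0.255 any eq 8000 time-range worktime
permit ip any any""")
# Constructed packet and timestamps: a development host logging in to a QQ server.
QQ_LOGIN = Packet("tcp", "192.168.1.20", 51234, "203.0.113.10", 8000)
WORK_HOURS = datetime(2024, 3, 5, 10, 0)        # Tuesday 10:00
AFTER_HOURS = datetime(2024, 3, 5, 20, 0)       # Tuesday 20:00
WEEKEND = datetime(2024, 3, 9, 10, 0)           # Saturday 10:00
```

Running evaluate(SRC_PORT_ACL, QQ_LOGIN, WORK_HOURS) returns the permit entry, because the client's source port is 51234 and the deny never matches; evaluate(DST_PORT_ACL, QQ_LOGIN, WORK_HOURS) returns the deny, while the same call with AFTER_HOURS or WEEKEND falls through to the permit because the time-bound ACE is not in effect. shadowed() on a list that starts with permit ip any any reports every later sequence number, and on the page's Virus_Defence output (fed to parse_acl) it reports nothing, since each entry there matches a distinct port or direction.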
1.12.2.5 Verifications
Step 1: Verify that the ACEs are correct. The key points are whether the entries are in the intended precedence order (ACEs are evaluated from the top and the first match decides, so an entry placed after a broader one never takes effect) and whether each entry is in effect (an ACE bound to a time range applies only while that range is active).
SwitchA#show access-lists
ip access-list extended Virus_Defence
10 deny tcp any any eq 135
20 deny tcp any eq 135 any
30 deny tcp any eq 4444 any
40 deny tcp any any eq 5554
50 deny tcp any eq 5554 any
60 deny tcp any any eq 9995
70 deny tcp any eq 9995 any
80 deny tcp any any eq 9996
90 deny tcp any eq 9996 any
100 deny udp any any eq tftp