Chapter 31
Configuring Network Security with ACLs
Note these guidelines before applying an ACL:
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface. The port ACL always filters incoming packets received on the Layer 2 port.
• If you apply an ACL to a Layer 3 interface and routing is not enabled, the ACL filters only packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces.
• When you configure an egress ACL to permit traffic with a particular DSCP value, you must use the original DSCP value instead of a rewritten value.

Beginning in privileged EXEC mode, follow these steps to control access to an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Identify a specific interface for configuration, and enter interface configuration mode.
        On switches running the LAN Base image, the interface can be a physical interface or a VLAN interface. On switches running the LAN Lite image, the interface must be a VLAN interface.
Step 3  ip access-group {access-list-number | name} {in | out}
        Control access to the specified interface.
        The out keyword is supported only for VLAN interfaces.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Display the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out} interface configuration command. To verify a binding, use show ip interface interface-id, which lists the inbound and outbound access lists on the interface, and show ip access-lists, which shows per-entry match counters.

This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 2 in

This example shows how to apply access list 3 to filter packets going to the CPU:
Switch(config)# interface vlan 1
Switch(config-if)# ip access-group 3 in

Because every ACL ends with an implicit deny of all other traffic, an ACL applied inbound on the management SVI must explicitly permit the stations that manage the switch; otherwise their SNMP, Telnet, and web sessions are dropped along with everything else.

Note  When you apply the ip access-group interface configuration command to a Layer 3 SVI, the interface must have an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU.

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.

For outbound ACLs, after receiving a packet and forwarding it toward a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.
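The evaluation rules this section describes, as an added runnable model written for this page (it is not Cisco code): an ACL is walked in order, the first matching entry decides, anything unmatched hits the implicit deny that ends every IOS ACL, the out keyword is refused on anything but a VLAN interface, and DSCP is compared against the value the packet arrived with rather than a rewritten one. The Switch and Ace names, the addresses, ACL 103 and the DSCP values are assumptions for illustration; ACLs 2 and 3 and the interfaces follow the examples above.

```python
"""Model of IPv4 ACL evaluation on a Catalyst switch interface.
Constructed example, not Cisco code; addresses, ACL 103 and DSCP values are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DSCP_NAMES = {"default": 0, "cs1": 8, "af11": 10, "af21": 18, "af31": 26, "ef": 46}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 255.255.255.255


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def addr_match(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    return (_ip(ip) | wild) == (addr | wild)


@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    src: tuple
    dst: tuple = ANY
    proto: str = "ip"           # 'ip' matches every IP protocol
    dscp: Optional[int] = None  # None: DSCP is not matched on

    @classmethod
    def parse(cls, line):
        """Parse 'access-list N permit|deny ...'; N selects standard or extended syntax."""
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
            raise ValueError(line)
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard ACL: source only
            return cls(action, parse_addr(rest))
        proto = rest.pop(0)
        src = parse_addr(rest)
        dst = parse_addr(rest)
        dscp = None
        if rest[:1] == ["dscp"]:
            dscp = int(rest[1]) if rest[1].isdigit() else DSCP_NAMES[rest[1]]
        return cls(action, src, dst, proto, dscp)

    def matches(self, pkt):
        """pkt: dict with src, dst, proto and the DSCP the packet arrived with."""
        if self.proto not in ("ip", pkt["proto"]):
            return False
        if self.dscp is not None and self.dscp != pkt["dscp"]:
            return False
        return addr_match(self.src, pkt["src"]) and addr_match(self.dst, pkt["dst"])


def parse_acl(text):
    return [Ace.parse(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, pkt):
    """Walk the ACL in order; first match wins; no match is the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


class Switch:
    """Holds the 'ip access-group' bindings, keyed by (interface, direction)."""

    def __init__(self):
        self.groups = {}

    def access_group(self, interface, direction, acl):
        """Model of 'ip access-group ACL {in | out}' in interface configuration mode."""
        if direction not in ("in", "out"):
            raise ValueError(direction)
        if direction == "out" and not interface.lower().startswith("vlan"):
            raise ValueError(f"out is supported only on VLAN interfaces, not {interface}")
        self.groups[(interface.lower(), direction)] = acl

    def filter(self, interface, direction, pkt):
        """'permit' or 'deny' for pkt crossing interface in the given direction.
        pkt['dscp'] is the original DSCP; a value rewritten by QoS is never consulted,
        which is why an egress ACL must name the original value."""
        acl = self.groups.get((interface.lower(), direction))
        if acl is None:
            return "permit"  # no access group bound here: nothing is filtered
        return evaluate(acl, pkt)[0]


if __name__ == "__main__":
    sw = Switch()
    # ACL 2 on a user port: only 10.1.1.0/24 may send into the port.
    sw.access_group("GigabitEthernet1/0/1", "in", parse_acl("access-list 2 permit 10.1.1.0 0.0.0.255"))
    # ACL 3 on the SVI: only the management host reaches the CPU; all else hits the implicit deny.
    sw.access_group("Vlan1", "in", parse_acl("access-list 3 permit host 10.1.1.10"))
    pkt = {"src": "10.1.1.20", "dst": "10.1.2.5", "proto": "tcp", "dscp": 0}
    print(sw.filter("GigabitEthernet1/0/1", "in", pkt), sw.filter("Vlan1", "in", pkt))  # permit deny
```

The last two lines of the script are the trap the SVI note warns about: the packet passes the port ACL yet is dropped by ACL 3 on vlan 1 because only 10.1.1.10 is permitted there; a management station at any other address would lose its session the moment the access group is applied.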
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE (OL-26520-01), Configuring IPv4 ACLs, page 31-19