Configuring ACLs
Step    Command                              Purpose
Step 5  show running-config                  Display the access list configuration.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.

This example shows how to apply access list 2 on Gigabit Ethernet interface 0/3 to filter packets entering the interface:

Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group 2 in

Note: The ip access-group interface configuration command is only valid when applied to a management interface or a Layer 2 interface. ACLs cannot be applied to interface port-channels.

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process it. If the ACL denies the packet, the switch discards it.

When you apply an undefined ACL to an interface, the switch acts as if no ACL has been applied to the interface and permits all packets. Remember this behavior if you rely on ACLs for network security: an access-group that references a list that does not exist (for example, a mistyped number or name, or a list that has not been created yet) leaves the interface unfiltered rather than blocking traffic.

Displaying ACLs

You can display existing ACLs by using show commands.

Beginning in privileged EXEC mode, follow these steps to display access lists:

Step    Command                              Purpose
Step 1  show access-lists [number | name]    Show information about all IP and MAC address access lists or about a specific access list (numbered or named).
Step 2  show ip access-list [number | name]  Show information about all IP address access lists or about a specific IP ACL (numbered or named).

This example displays all standard and extended ACLs:

Switch# show access-lists
Standard IP access list 1
    permit 172.20.10.10
Standard IP ACL 10
    permit 12.12.12.12
Standard IP access list 12
    deny   1.3.3.2
Standard IP access list 32
    permit 172.20.20.20
Standard IP access list 34
    permit 10.24.35.56
    permit 23.45.56.34
Extended IP access list 120
Extended MAC access list mac1
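The two behaviours above that matter most to a security review are the inbound decision (first matching entry wins, implicit deny at the end, and an undefined ACL that permits everything) and the show output that lets you check what is actually defined. The following Python is an added example, not code from the Catalyst 2950 guide: it parses a constructed `show access-lists` capture in the format shown above, reproduces the switch's inbound decision for a source address, and audits a constructed running-config fragment for `ip access-group` references that point at an ACL that does not exist. The ACL numbers, addresses and interface names are constructed; treating a defined-but-empty list like an undefined one is a labelled assumption, not something the page states.

```python
# Added example (not code from the Catalyst 2950 guide): model the inbound
# ACL decision described above and audit ip access-group references.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses this entry matches


# Constructed sample in the `show access-lists` format shown on the page.
SHOW_ACCESS_LISTS = """\
Standard IP access list 1
    permit 172.20.10.10
Standard IP access list 12
    deny   1.3.3.2
    permit any
Standard IP access list 32
    permit 172.20.20.0, wildcard bits 0.0.0.255
Extended IP access list 120
Extended MAC access list mac1
"""

# Constructed running-config fragment; access list 2 is never defined.
RUNNING_CONFIG = """\
interface GigabitEthernet0/3
 ip access-group 2 in
interface GigabitEthernet0/4
 ip access-group 12 in
interface GigabitEthernet0/5
 ip access-group 120 in
"""

HEADER = re.compile(r"^(Standard|Extended) (IP|MAC) (?:access list|ACL) (\S+)$")
ENTRY = re.compile(r"^(permit|deny)\s+([0-9.]+|any)(?:, wildcard bits ([0-9.]+))?$")
IFACE = re.compile(r"^interface (\S+)$")
GROUP = re.compile(r"^ip access-group (\S+) (in|out)$")


def parse_show_access_lists(text):
    """Return {acl_name: [Ace, ...]}. Standard IP entries are decoded ('any',
    host, contiguous wildcard); extended IP and MAC lists keep their name only."""
    acls, current, kind = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            kind, current = (m.group(1), m.group(2)), m.group(3)
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if not m or current is None or kind != ("Standard", "IP"):
            continue
        action, addr, wildcard = m.groups()
        if addr == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif wildcard and wildcard != "0.0.0.0":
            # An IOS wildcard is a host mask, which ipaddress accepts directly.
            net = ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)
        else:
            net = ipaddress.IPv4Network(f"{addr}/32")
        acls[current].append(Ace(action, net))
    return acls


def inbound_decision(acls, acl_name, src_ip):
    """Decide one inbound packet on a port with `ip access-group <acl_name> in`.
    Returns (action, reason)."""
    entries = acls.get(acl_name)
    if not entries:
        # Documented: an undefined ACL counts as not applied, so everything is
        # permitted. ASSUMPTION: a defined list with no entries is modelled the
        # same way; verify that on the platform you run.
        return "permit", "acl-undefined-or-empty"
    src = ipaddress.IPv4Address(src_ip)
    for idx, ace in enumerate(entries):
        if src in ace.network:      # first matching entry wins
            return ace.action, f"entry {idx}"
    return "deny", "implicit-deny"  # no entry matched


def audit_access_groups(running_config, acls):
    """List ip access-group references whose ACL is undefined or empty, i.e.
    interfaces that look filtered but pass every packet."""
    findings, iface = [], None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = GROUP.match(line)
        if not m or iface is None:
            continue
        name, direction = m.groups()
        if name not in acls:
            findings.append((iface, name, direction, "ACL not defined: all packets permitted"))
        elif not acls[name]:
            findings.append((iface, name, direction, "ACL has no entries: review"))
    return findings
```

Feed `audit_access_groups` a saved `show running-config` and the matching `show access-lists` capture: the "ACL not defined" finding is exactly the case the note above warns about, an interface that looks filtered but is passing all traffic. `inbound_decision` is useful for answering "would this source be allowed in on that port" from the captures alone, without touching the switch.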
Catalyst 2950 Desktop Switch Software Configuration Guide, 78-11380-04, Chapter 23 Configuring Network Security with ACLs, page 23-16