26-19
Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
Chapter 26 Configuring Network Security with ACLs
Configuring IPv4 ACLs
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.
Applying an IPv4 ACL to an Interface
This section describes how to apply IPv4 ACLs to network interfaces. You can apply an ACL to either
outbound or inbound Layer 3 interfaces. You can apply ACLs only to inbound Layer 2 interfaces. Note
these guidelines:
• You cannot apply an ACL to a port configured with a service instance. Layer 2 ACLs are not
supported on these ports.
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only
filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have
to enable routing to apply ACLs to Layer 2 interfaces.
Note By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a
packet is denied by an access group. These access-group denied packets are not dropped in hardware but
are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface
(router ACL).
Step 3
ip access-group {access-list-number |
name} {in | out}
Control access to the specified interface.
The out keyword is not supported for Layer 2 interfaces (port ACLs).
Although you can enter this command on a Layer 2 port that has a service
instance, the command is rejected with a warning message when you apply
it.
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
To Next Page
Loading...
Need help?
General