31-18
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 31 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named
ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can
attempt to connect to any of them.
For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section
on page 31-18.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:

Command                                      Purpose
Step 1  configure terminal                   Enter global configuration mode.
Step 2  line [console | vty] line-number     Identify a specific line to configure, and enter line configuration mode.
                                             • console—Specify the console terminal line. The console port is DCE.
                                             • vty—Specify a virtual terminal for remote console access.
                                             The line-number is the first line number in a contiguous group that you want
                                             to configure when the line type is specified. The range is from 0 to 16.
Step 3  access-class access-list-number      Restrict incoming (in) and outgoing (out) connections between a particular
        {in | out}                           virtual terminal line (into a device) and the addresses in an access list.
Step 4  end                                  Return to privileged EXEC mode.
Step 5  show running-config                  Verify the access list and line configuration.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.
Applying an IPv4 ACL to an Interface
Note these guidelines:
• Apply an ACL only to inbound Layer 2 ports. Port ACLs are not supported in the outbound direction.
• Apply an ACL to either inbound or outbound VLAN interfaces to filter packets that are intended for
the CPU, such as SNMP, Telnet, or web traffic. IPv4 ACLs applied to VLAN interfaces provide
switch management security by limiting access to a specific host in the network or to specific
applications (SNMP, Telnet, SSH, and so on). ACLs attached to VLAN interfaces do not impact the
hardware switching of packets on the VLAN.
Note On switches running the LAN Lite image, you can apply ACLs only to VLAN interfaces and
not to physical interfaces.
• Apply an ACL to either outbound or inbound Layer 3 SVIs.
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an
ACL applied to the VLAN interface.
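The following is an added worked example that is not part of the configuration guide. It ties the two procedures above together: a numbered ACL applied to all vty lines with access-class, a named ACL applied to the management VLAN interface with ip access-group to filter CPU-bound management traffic, and a port ACL on a Layer 2 access port, which takes precedence over the VLAN ACL for traffic entering that port. The addresses are constructed from the RFC 5737 documentation ranges; ACL number 10, the ACL names MGMT-PLANE-IN and GUEST-PORT-IN, and the interface numbers are assumptions chosen for illustration.

```cisco
! Added example, not from the configuration guide. Addresses are constructed
! (RFC 5737 documentation ranges); ACL 10, MGMT-PLANE-IN, GUEST-PORT-IN and
! the interface numbers are assumptions.
configure terminal
!
! --- Terminal lines: only a numbered ACL can be applied with access-class ----
access-list 10 remark Management stations allowed to open vty sessions
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! Identical restriction on every vty line: a client can land on any of them
line vty 0 15
 access-class 10 in
 transport input ssh
!
! --- VLAN interface (SVI): filters only traffic destined for the switch CPU ---
ip access-list extended MGMT-PLANE-IN
 remark SSH and SNMP to the switch address only from the management subnet
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq snmp
 deny   tcp any host 198.51.100.10 eq 22
 deny   tcp any host 198.51.100.10 eq telnet
 deny   udp any host 198.51.100.10 eq snmp
 permit ip any any
interface Vlan1
 ip address 198.51.100.10 255.255.255.0
 ip access-group MGMT-PLANE-IN in
!
! --- Layer 2 port (port ACL): inbound only; overrides the VLAN ACL on this port
ip access-list extended GUEST-PORT-IN
 remark A guest access port never sources management-protocol traffic
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 deny   udp any any eq snmp
 permit ip any any
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 20
 ip access-group GUEST-PORT-IN in
end
!
! --- Verify from a permitted source (or the console) before saving ----------
show access-lists
show running-config | section line vty
show running-config interface Vlan1
show running-config interface GigabitEthernet0/24
copy running-config startup-config
```

The access-class ACL is matched against the source address of the connecting client: in filters sessions opened to the switch, out filters sessions the switch itself originates from that line. Because the restriction covers all sixteen vty lines at once, a wrong wildcard mask in access-list 10 locks out every remote session; confirm with show access-lists that the permit entry is matching your own session before copying the configuration to startup-config. On a LAN Lite image only the vty and VLAN-interface parts of this example apply, since port ACLs cannot be configured there.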