31-19
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 31 Configuring Network Security with ACLs
Configuring IPv4 ACLs
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface. The port ACL always
filters incoming packets received on the Layer 2 port.
• If you apply an ACL to a Layer 3 interface and routing is not enabled, the ACL only filters packets
that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable
routing to apply ACLs to Layer 2 interfaces.
• When you configure an egress ACL to permit traffic with a particular DSCP value, you must use
the original DSCP value instead of a rewritten value.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out}
interface configuration command.
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 2 in
This example shows how to apply access list 3 to filter packets going to the CPU:
Switch(config)# interface vlan 1
Switch(config-if)# ip access-group 3 in
Note When you apply the ip access-group interface configuration command to a Layer 3 SVI, the interface
must have an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3
processes on the CPU.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
For outbound ACLs, after receiving and sending a packet to a controlled interface, the switch checks the
packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects
the packet, the switch discards the packet.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
On switches running the LAN base image, the interface can be a physical
interface or VLAN interface. On switches running the LAN Lite image, the
interface must be a VLAN interface.
Step 3
ip access-group {access-list-number |
name} {in | out}
Control access to the specified interface.
The out keyword is supported only for VLAN interfaces.
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
To Next Page
Loading...
