28-20
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-09
Chapter 28 Configuring Network Security with ACLs
Configuring IP ACLs
• A Layer 2 interface can have one IP access list applied to the input; a Layer 3 interface can have one
IP access list applied to the input and one IP access list applied to the output. If you apply an IP ACL
to an interface that already has an IP ACL configured (in that direction), the new ACL replaces the
previously configured one.
• You can apply a port ACL only to a physical Layer 2 interface; you cannot apply port ACLs to
EtherChannel interfaces.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:
To remove access restrictions on a terminal line, use the no access-class access-list-number {in | out}
line configuration command.
Beginning in privileged EXEC mode, follow these steps to apply an IP access list to control access to a
Layer 2 or Layer 3 interface:
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
line [console | vty] line-number Identify a specific line for configuration, and enter in-line configuration
mode.
• console—Enter to specify the console terminal line. The console port
is DCE.
• vty—Enter to specify a virtual terminal for remote console access.
The line-number is the first line number in a contiguous group that you want
to configure when the line type is specified. The range is from 0 to 16.
Step 3
access-class access-list-number
{in | out}
Restrict incoming or outgoing connections between a virtual terminal line
(into a device) by using the conditions in the specified access list.
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
The interface can be a Layer 2 interface (port ACL) or a Layer 3 interface
(router ACL).
Step 3
ip access-group {access-list-number |
name} {in | out}
Control access to the specified interface by using the IP access list. You can
enter a standard or extended IP access number or name.
Note The out keyword is not valid for Layer 2 interfaces. Port ACLs are
supported only in the inbound direction.
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
To Next Page
Loading...
Need help?
General
