37-21
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out}
interface configuration command.
This example shows how to apply access list 2 to a
port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/0/1
Router(config-if)# ip access-group
2 in
Note When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a
Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address.
Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU.
They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
For outbound ACLs, after receiving and routing a packe
t to a controlled interface, the switch checks the
packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects
the packet, the switch discards the packet.
By default, the input interface sends ICMP Unreachable
messages whenever a packet is discarded,
regardless of whether the packet was discarded because of an ACL on the input interface or because of
an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every
one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable
global configuration command.
When you apply an undefined ACL to an interface, the sw
itch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface
(router A
CL).
Step 3
ip access-group {access-list-number |
name} {in | out}
Control access to the specified interface.
The out k
eyword is not supported for Layer 2 interfaces (port ACLs).
Step 4
end Return to privileged EXEC mode.
Step 5
show running-config Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
To Next Page
Loading...
Need help?
General
