ACL Configuration Overview
24-6 Configuring Access Control Lists
2: deny ip 30.0.0.1 0.0.255.255 any
3: deny ip 40.0.0.1 0.0.255.255 any
4: permit ip any any
Inserting ACL Rules
When you enter an ACL rule, the new rule is appended to the end of the existing rules by default.
You can insert a new rule into a specified entry location using the insert option.
The following example inserts a new entry into IPv4 extended ACL 121 before entry 2.
C5(su)->router(Config)#show access-lists 121
Extended IP access list 121
1: deny ip 10.0.0.1 0.0.255.255 any
2: deny ip 30.0.0.1 0.0.255.255 any
3: deny ip 40.0.0.1 0.0.255.255 any
4: permit ip any any
C5(su)->router(Config)#access-list 121 insert 2 deny ip 20.0.0.1 0.0.255.255 any
C5(su)->router(Config)#show access-lists 121
Extended IP access list 121
1: deny ip 10.0.0.1 0.0.255.255 any
2: deny ip 20.0.0.1 0.0.255.255 any
3: deny ip 30.0.0.1 0.0.255.255 any
4: deny ip 40.0.0.1 0.0.255.255 any
5: permit ip any any
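The session above shows only the renumbering; what it does not show is why the position matters. As an added example (not from this guide and not the switch's own software), the following Python model reproduces the observable behaviour: entries are numbered from 1, insert N places the new rule ahead of the current entry N and renumbers everything after it, and the 0.0.255.255 wildcard (inverse mask) is applied bit by bit. First-match evaluation and an implicit deny when no entry matches are standard ACL semantics assumed here rather than stated on this page.

```python
"""Model of an ordered IPv4 extended ACL with insert-and-renumber and first-match lookup.

Added example; assumes first-match evaluation and an implicit trailing deny,
which are standard ACL semantics not spelled out on the page being illustrated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # only "ip" is used in this example
    src: str      # "any" or "<address> <wildcard>"
    dst: str      # "any" or "<address> <wildcard>"


def match_addr(spec: str, ip: str) -> bool:
    """Wildcard-mask match: a 0 bit in the wildcard means the address bit must
    match, a 1 bit means 'don't care'.  So '10.0.0.1 0.0.255.255' matches 10.0.x.x."""
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    p = int(ipaddress.IPv4Address(ip))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (p & care)


def parse_rule(text: str) -> Rule:
    """Parse 'deny ip 30.0.0.1 0.0.255.255 any' style text into a Rule."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take(items: List[str]) -> Tuple[str, List[str]]:
        if items[0] == "any":
            return "any", items[1:]
        return f"{items[0]} {items[1]}", items[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return Rule(action, proto, src, dst)


class ExtendedAcl:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[Rule] = []

    def append(self, text: str) -> None:
        """Default CLI behaviour: a new rule goes to the end of the list."""
        self.rules.append(parse_rule(text))

    def insert(self, entry: int, text: str) -> None:
        """Equivalent of 'access-list N insert <entry> ...': the new rule takes
        position <entry> and every later rule shifts down by one."""
        if not 1 <= entry <= len(self.rules) + 1:
            raise ValueError(f"entry {entry} out of range for {len(self.rules)} rules")
        self.rules.insert(entry - 1, parse_rule(text))

    def entries(self) -> List[str]:
        """Numbered listing in the same form as 'show access-lists'."""
        return [f"{i}: {r.action} {r.proto} {r.src} {r.dst}"
                for i, r in enumerate(self.rules, start=1)]

    def evaluate(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
        """First matching entry decides; returns (action, entry number).
        No match falls through to the implicit deny (entry None)."""
        for i, r in enumerate(self.rules, start=1):
            if r.proto == "ip" and match_addr(r.src, src_ip) and match_addr(r.dst, dst_ip):
                return r.action, i
        return "deny", None


def build_acl_121() -> ExtendedAcl:
    """Rebuild ACL 121 exactly as it stands before the insert in the session above."""
    acl = ExtendedAcl(121)
    for line in ("deny ip 10.0.0.1 0.0.255.255 any",
                 "deny ip 30.0.0.1 0.0.255.255 any",
                 "deny ip 40.0.0.1 0.0.255.255 any",
                 "permit ip any any"):
        acl.append(line)
    return acl


if __name__ == "__main__":
    acl = build_acl_121()
    print("before:", acl.evaluate("20.0.7.9", "192.0.2.10"))   # constructed sample packet
    acl.insert(2, "deny ip 20.0.0.1 0.0.255.255 any")
    print("\n".join(acl.entries()))
    print("after: ", acl.evaluate("20.0.7.9", "192.0.2.10"))
```

Running it shows the point of the insert option: a packet from 20.0.7.9 is permitted by entry 4 before the insert and denied by entry 2 afterwards; appending the same deny instead of inserting it would have placed it after permit ip any any, where it could never match.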
Applying ACLs
Once you have defined the ACL, it can be applied to both VLAN interfaces and to ports. ACLs are supported on Link Aggregation ports.
• IPv4 standard and extended access control lists are applied to VLAN interfaces by using the ip access-group command and to ports with the access-list interface command.
• IPv6 access control lists are applied to VLAN interfaces by using the ipv6 access-group command and to ports with the access-list interface command.
• MAC access control lists are applied to VLAN interfaces by using the ip access-group command and to ports with the access-list interface command.
When applying an ACL, you can specify the order in which the ACL is applied relative to other ACLs that may already be associated with the interface or port, with the sequence option.
The following example applies the IPv4 extended access list 121 in the inbound direction to VLAN 100.
C5(su)->router(Config)#interface vlan 100
C5(su)->router(Config-if(Vlan 100))#ip access-group 121 in
C5(su)->router(Config-if(Vlan 100))#exit
C5(su)->router(Config)#show access-lists vlan 100
Vlan ID Access-list
------- -----------
100 121
The following example applies the IPv4 extended ACL 121 to the port ge.1.29.
C5(su)->router(Config)#access-list interface 121 ge.1.29
C5(su)->router(Config)#show access-lists interface ge.1.29