29-20
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-10
Chapter 29 Configuring Network Security with ACLs
Applying ACLs to Terminal Lines or Physical Interfaces
After you create an ACL, you can apply it to one or more management interfaces or terminal lines. ACLs
can be applied on inbound interfaces. This section describes how to accomplish this task for both
terminal lines and network interfaces. Note these guidelines:
- When controlling access to a line, you must use numbered IP ACLs or MAC extended ACLs.
- When controlling access to an interface, you can use named or numbered ACLs.
- Set identical restrictions on all the virtual terminal lines because a user can attempt to connect to
  any of them.
- If you apply ACLs to a management interface, the ACL only filters packets that are intended for the
  CPU, such as SNMP, Telnet, or web traffic.
- If you apply ACLs to a management VLAN, see the Management VLAN section on page 7-16.
Applying ACLs to a Terminal Line
Beginning in privileged EXEC mode, follow these steps to restrict incoming connections between a
virtual terminal line and the addresses in an ACL:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number
        Identify a specific line for configuration, and enter in-line configuration mode.
        Enter console for the console terminal line. The console port is DCE.
        Enter vty for a virtual terminal for remote console access.
        The line-number is the first line number in a contiguous group that you want to configure
        when the line type is specified. The range is from 0 to 16.
Step 3  access-class access-list-number {in}
        Restrict incoming and outgoing connections between a particular virtual terminal line
        (into a device) and the addresses in an access list.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Display the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Applying ACLs to a Physical Interface
Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 interface:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Identify a specific interface for configuration and enter interface configuration mode.
        The interface must be a Layer 2 or management interface or a management interface VLAN ID.
Step 3  ip access-group {access-list-number | name} {in}
        Control access to the specified interface.
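The following is an added example, not part of the Cisco guide. It embeds a constructed running-config that follows both procedures above (access-class on the vty lines, ip access-group on a Layer 2 interface) and then audits it against the guidelines at the top of this section: every vty line must carry an access-class, all vty lines must carry identical restrictions, the line ACL must be numbered, and the direction must be inbound. The ACL numbers, names, addresses and interface are hypothetical; the parser is a deliberately minimal reader of IOS-style configuration text, not a Cisco tool.

```python
import re

# Constructed sample running-config (hypothetical ACLs, addresses, interface).
# It applies a numbered ACL to every vty line and a named ACL to one Layer 2 port.
SAMPLE_RUNNING_CONFIG = """\
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any
ip access-list extended MGMT-IN
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny ip any any
!
interface FastEthernet0/1
 ip access-group MGMT-IN in
!
line con 0
line vty 0 4
 access-class 10 in
line vty 5 15
 access-class 10 in
"""

# Constructed config that breaks two guidelines: vty 5-15 have no access-class,
# and the access-class on vty 0-4 uses a named ACL instead of a numbered one.
BAD_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
!
interface FastEthernet0/1
 ip access-group MGMT-HOSTS in
!
line vty 0 4
 access-class MGMT-HOSTS in
line vty 5 15
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
IFACE_RE = re.compile(r"^interface (\S+)$")
ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) (in|out)$")
ACCESS_GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)$")


def parse_access_controls(config):
    """Return ({vty_number: (acl, direction) or None}, {interface: (acl, direction)}).

    A 'line vty A B' block covers vty numbers A..B inclusive; each of them is
    recorded as None until an access-class command is seen inside that block.
    """
    vty, ifaces = {}, {}
    current_vtys, current_iface = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any top-level command (including '!') ends the previous block.
            current_vtys, current_iface = [], None
            m = VTY_RE.match(line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current_vtys = list(range(first, last + 1))
                for n in current_vtys:
                    vty.setdefault(n, None)
                continue
            m = IFACE_RE.match(line)
            if m:
                current_iface = m.group(1)
            continue
        m = ACCESS_CLASS_RE.match(line)
        if m and current_vtys:
            for n in current_vtys:
                vty[n] = (m.group(1), m.group(2))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m and current_iface:
            ifaces[current_iface] = (m.group(1), m.group(2))
    return vty, ifaces


def audit(config):
    """Check the section's guidelines; return a list of findings (empty = compliant)."""
    vty, ifaces = parse_access_controls(config)
    findings = []
    if not vty:
        findings.append("no 'line vty' sections found")
    missing = sorted(n for n, ac in vty.items() if ac is None)
    if missing:
        findings.append("vty lines without access-class: %s" % missing)
    applied = {ac for ac in vty.values() if ac is not None}
    if len(applied) > 1:
        findings.append("vty lines do not share identical restrictions: %s" % sorted(applied))
    for acl, direction in applied:
        if not acl.isdigit():
            findings.append("access-class on vty uses %r, which is not a numbered ACL" % acl)
        if direction != "in":
            findings.append("access-class direction %r; only inbound filtering applies" % direction)
    for iface, (acl, direction) in ifaces.items():
        if direction != "in":
            findings.append("%s: ip access-group direction %r; only inbound applies" % (iface, direction))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_RUNNING_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Run against a saved copy of show running-config to confirm that a change to one vty range did not leave the others unrestricted; the audit only reports what the text shows, so a missing ACL definition is outside its scope.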