31-24
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Displaying IPv4 ACL Configuration
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:
To remove the specified access group, use the no mac access-group {name} interface configuration
command.
This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mac access-group mac1 in
Note The mac access-group interface configuration command is only valid when applied to a physical
Layer 2 interface.You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When yo u apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
Displaying IPv4 ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have
been applied to interfaces.
When you use the ip access-group interface configuration command to apply ACLs to a Layer 2
interface, you can display the access groups on the interface. You can also display the MAC ACLs
applied to a Layer 2 interface. You can use the privileged EXEC commands as described in Table 31-2
to display this information.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Step 3 mac access-group {name} {in} Control access to the specified interface by using the MAC access
list.
Port ACLs are supported only in the inbound direction.
Step 4 end Return to privileged EXEC mode.
Step 5 show mac access-group [interface interface-id] Display the MAC access list applied to the interface or all Layer 2
interfaces.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.