34-20
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps (listed in the command table below) to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL.
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
Applying an IPv4 ACL to an Interface
This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:
• Apply an ACL only to inbound Layer 2 interfaces. Apply an ACL to either outbound or inbound Layer 3 interfaces.
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces.
• When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
Note By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
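The following configuration is an added example, not taken from the guide, that exercises the guidelines above: one ACL is applied as an inbound-only port ACL on a Layer 2 access port, and a second ACL is applied in both directions as a router ACL on the VLAN's SVI. The interface name, VLAN number, subnets and ACL names are assumed; they are not values from the guide.

```cisco
! Added example (not from the guide). Interface, VLAN and addresses are assumed.
! Routing must be on for the SVI ACL to filter transit traffic; without it the
! router ACL only sees packets destined for the switch CPU (SNMP, Telnet, web).
ip routing
!
! Port ACL for a host-facing access port: accept only traffic sourced from the
! VLAN's own subnet, log anything else (a simple anti-spoofing check).
ip access-list extended HOST-IN
 permit ip 10.10.0.0 0.0.0.255 any
 deny ip any any log
!
! Router ACL for the SVI: allow the management subnet to reach the VLAN over
! SSH and SNMP only.
ip access-list extended VLAN10-MGMT
 permit tcp 192.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22
 permit udp 192.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255 eq snmp
 deny ip any any log
!
! Layer 2 interface: only the "in" direction is supported, and this port ACL is
! checked before any router ACL or VLAN map on VLAN 10.
interface gigabitethernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group HOST-IN in
!
! Layer 3 interface (SVI): inbound and outbound router ACLs are both allowed.
interface vlan 10
 ip address 10.10.0.1 255.255.255.0
 ip access-group VLAN10-MGMT in
 ip access-group VLAN10-MGMT out
 ! Denied packets are punted to the CPU so it can answer with ICMP unreachables;
 ! this standard IOS command stops the SVI from sending those replies.
 no ip unreachables
```

The deny-and-log entries give the operator a record of what each ACL is discarding (show access-lists shows per-entry match counts), which is the usual way to confirm that a new port ACL or router ACL is filtering what was intended before it is saved to startup-config.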
Command and Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number
        Identify a specific line to configure, and enter in-line configuration mode.
        console: Specify the console terminal line. The console port is DCE.
        vty: Specify a virtual terminal for remote console access.
        The line-number is the first line number in a contiguous group that you want to configure when the line type is specified. The range is from 0 to 16.
Step 3  access-class access-list-number {in | out}
        Restrict incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Display the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
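As an added example that is not part of the guide, the session below carries Steps 1 through 6 end to end for the vty lines and adds a verification that the restriction is in place. The ACL number, the management subnet and the vty range are assumed values.

```cisco
! Added example (not from the guide). ACL number, subnet and vty range are assumed.
! Standard numbered ACL naming the only subnet allowed to open vty sessions;
! the final deny logs any other source that attempts to connect.
configure terminal
access-list 10 remark Management hosts permitted on the vty lines
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! Step 2 and Step 3: select vty lines 0 through 4 and filter incoming
! connections against ACL 10.
line vty 0 4
 access-class 10 in
!
! Step 4 and Step 5: back to privileged EXEC and confirm the configuration.
end
show running-config | include access-class
show access-lists 10
!
! Step 6: keep the restriction across a reload.
copy running-config startup-config
```

The show access-lists output includes a match counter for each entry, so after the change a denied connection attempt shows up as a hit on the deny line (and, with the log keyword, as a syslog message), which is the check to run before trusting that the vty lines are actually restricted.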