19-20
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 19 Configuring Network Security with ACLs
Configuring Router ACLs
Note The ip access-group interface configuration command is only valid when applied to a Layer 3
interface: an SVI, a Layer 3 EtherChannel, or a routed port. The interface must have been configured
with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3
processes on the CPU. They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the
packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects
the packet, the switch discards the packet.
If the input interface is configured to send ICMP Unreachable messages, these messages are sent
whenever a packet is discarded, regardless of whether the packet was discarded because of an ACL on
the input interface or because of an ACL on the output interface. ICMP Unreachables are normally
limited to no more than one every one-half second per input interface, but this can be changed by using
the ip icmp rate-limit unreachable global configuration command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied
to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
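Because an undefined ACL silently permits all traffic, a configuration audit should confirm that every ip access-group reference resolves to a defined list. The following Python script is an added example, not part of the guide; the running-config excerpt it parses is constructed for illustration, with the interface names, ACL names and addresses chosen arbitrarily.

```python
import re

# Constructed sample running-config excerpt (not taken from the guide). The access group
# SERVERS-OUT on Vlan20 is never defined, so the switch treats it as "permit all".
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group 101 in
 ip access-group SERVERS-OUT out
!
"""

def defined_acls(config):
    """Return the set of ACL names and numbers that the config actually defines."""
    names = set()
    for line in config.splitlines():
        named = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        if named:
            names.add(named.group(1))
        numbered = re.match(r"^access-list (\d+)\s", line)
        if numbered:
            names.add(numbered.group(1))
    return names

def access_groups(config):
    """Return (interface, acl, direction) for every ip access-group applied under an interface."""
    groups = []
    interface = None
    for line in config.splitlines():
        if_match = re.match(r"^interface (\S+)", line)
        if if_match:
            interface = if_match.group(1)
            continue
        ag_match = re.match(r"^\s+ip access-group (\S+) (in|out)\b", line)
        if ag_match and interface:
            groups.append((interface, ag_match.group(1), ag_match.group(2)))
    return groups

def undefined_access_groups(config):
    """Access groups whose ACL has no definition; on this switch these permit all packets."""
    defined = defined_acls(config)
    return [g for g in access_groups(config) if g[1] not in defined]
```

Run undefined_access_groups on a saved running-config to list the interfaces where an access group is in place but no filtering is actually happening.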
Displaying ACLs and Access Groups
You can display existing ACLs, and, when you use the ip access-group interface configuration command
to apply ACLs to a Layer 3 interface, you can display the access groups on the interface. Use the
privileged EXEC commands described in Table 19-3 to display this information.
Table 19-3 Commands for Displaying Access Lists and Access Groups

Command: show access-lists [number | name]
Purpose: Display the contents of one or all current IP and MAC address access lists or a specific
access list (numbered or named).

Command: show ip access-lists [number | name]
Purpose: Display the contents of all current IP access lists or a specific IP access list
(numbered or named).

Command: show ip interface interface-id
Purpose: Display detailed configuration and status of an interface. If IP is enabled on the interface
and ACLs have been applied by using the ip access-group interface configuration command, the access
groups are included in the display.

Command: show running-config [interface interface-id]
Purpose: Display the contents of the configuration file for the switch or the specified interface,
including all configured access groups, whether or not IP is enabled on an interface.