Chapter 34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:

Command                                     Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   line [console | vty] line-number
         Identify a specific line to configure, and enter in-line configuration mode.
         console—Specify the console terminal line. The console port is DCE.
         vty—Specify a virtual terminal for remote console access.
         The line-number is the first line number in a contiguous group that you want to configure when the line type is specified. The range is from 0 to 16.

Step 3   access-class access-list-number {in | out}
         Restrict incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         Display the access list configuration.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.


To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
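The following session walks through Steps 1 through 6 as a worked example; it is added here and is not a configuration from the guide. The ACL number (10), the management subnet 10.0.0.0/24, the hostname Switch and the vty range 0 to 15 are constructed for the illustration. The ACL permits only the management subnet, and an explicit deny with the log keyword makes refused session attempts visible for monitoring.

```cisco
! Added example, not from the guide. ACL number, subnet and line range are constructed.
! Define a standard IPv4 ACL listing the addresses allowed to open vty sessions.
Switch# configure terminal
Switch(config)# access-list 10 remark Management hosts permitted to reach the vty lines
Switch(config)# access-list 10 permit 10.0.0.0 0.0.0.255
! A standard ACL already ends with an implicit deny; the explicit entry with
! the log keyword records refused attempts so they can be reviewed.
Switch(config)# access-list 10 deny any log
! Step 2: line-number 0 is the first line of the contiguous vty group 0 to 15.
Switch(config)# line vty 0 15
! Step 3: restrict incoming connections on these lines to the addresses in ACL 10.
Switch(config-line)# access-class 10 in
! Step 4: return to privileged EXEC mode.
Switch(config-line)# end
! Step 5: verify that the ACL is bound to the lines (filtering the output is optional).
Switch# show running-config | include access-class
 access-class 10 in
! Step 6 (optional): save the configuration.
Switch# copy running-config startup-config
```

Applying the ACL with the in keyword controls who may connect to the switch; the out keyword would instead control which addresses a user already logged in on that line may reach. To remove the restriction, use no access-class 10 in in line configuration mode.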

Applying an IPv4 ACL to an Interface

This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:

Apply an ACL only to inbound Layer 2 interfaces. Apply an ACL to either outbound or inbound Layer 3 interfaces.

When controlling access to an interface, you can use a named or numbered ACL.

If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.

If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces.

When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.

Note By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
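The guidelines above, as an added worked example that is not part of the guide: a named extended ACL is applied inbound on a Layer 3 SVI (where in or out is allowed) and inbound on a Layer 2 access port (where only inbound is allowed). The ACL name USERS-IN, the subnets, VLAN 10 and the interface gigabitethernet1/0/1 are constructed. The ip access-group interface command and no ip unreachables are standard IOS commands assumed to be available on this platform; they do not appear on this page.

```cisco
! Added example, not from the guide. Names, addresses, VLAN and port numbers are constructed.
Switch# configure terminal
! Without ip routing, a router ACL on an SVI filters only packets destined for the
! CPU (SNMP, Telnet, web); enable routing so transit traffic is filtered as well.
Switch(config)# ip routing
Switch(config)# ip access-list extended USERS-IN
Switch(config-ext-nacl)# remark Users may reach the server subnet over HTTPS only
Switch(config-ext-nacl)# permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 443
Switch(config-ext-nacl)# deny ip any any
Switch(config-ext-nacl)# exit
! Layer 3 interface: a named router ACL applied inbound on the user VLAN's SVI.
Switch(config)# interface vlan 10
Switch(config-if)# ip access-group USERS-IN in
! Denied packets are bridged to the CPU to generate ICMP unreachables; suppressing
! them keeps a burst of denied traffic from consuming CPU on this interface.
Switch(config-if)# no ip unreachables
Switch(config-if)# exit
! Layer 2 interface: the port ACL may only be applied inbound, and it takes precedence
! over the input router ACL on the VLAN interface for packets arriving on this port.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip access-group USERS-IN in
Switch(config-if)# end
! Verify both bindings.
Switch# show running-config
```

Because the port ACL is evaluated first for packets received on gigabitethernet1/0/1, any entry permitted there is not seen by the SVI's router ACL on ingress; keep the two lists consistent so that a host on the port cannot bypass a restriction that is only present on the VLAN interface.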

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

34-20

OL-9775-02
