28-19
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 28 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL (the steps are listed in the Command/Purpose table at the end of this section):

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
Applying an IPv4 ACL to an Interface

This section describes how to apply IPv4 ACLs to network interfaces. On a Layer 3 interface you can apply an ACL in either the inbound or the outbound direction; on a Layer 2 interface you can apply an ACL only in the inbound direction. Note these guidelines:
- When controlling access to an interface, you can use a named or numbered ACL.
- If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
- If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are destined for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces.
- When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
Steps for restricting connections on a terminal line with an ACL:

Command                                            Purpose
Step 1  configure terminal                         Enter global configuration mode.
Step 2  line [console | vty] line-number           Identify a specific line to configure, and enter line configuration mode.
                                                   console: specify the console terminal line. The console port is DCE.
                                                   vty: specify a virtual terminal for remote console access.
                                                   line-number is the first line number in a contiguous group that you want
                                                   to configure when the line type is specified. The range is from 0 to 16.
Step 3  access-class access-list-number {in | out} Restrict incoming and outgoing connections between a particular virtual
                                                   terminal line (into a device) and the addresses in an access list.
Step 4  end                                        Return to privileged EXEC mode.
Step 5  show running-config                        Display the access list configuration.
Step 6  copy running-config startup-config         (Optional) Save your entries in the configuration file.
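The two procedures in this section combined into one configuration, as an added example that is not taken from the guide itself: a standard ACL limits vty access to an assumed management subnet via access-class, and an extended ACL is applied inbound on an SVI with ip access-group. All addresses, ACL numbers and interface names are assumed, and the no ip unreachables line is a standard IOS interface command added here to address the Note above, not a step the guide lists.

```cisco
! --- Terminal-line restriction (access-class) ---
! Only the assumed management subnet 10.0.100.0/24 may open vty sessions.
access-list 10 remark MGMT-HOSTS
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
! --- Interface filtering (ip access-group) ---
! Extended ACL 101 applied inbound on the Layer 3 SVI for VLAN 20.
! Routing must be enabled for this to filter transit traffic; without it
! only CPU-bound traffic (SNMP, Telnet, web) is filtered, per the guideline.
access-list 101 remark VLAN20-TO-SERVER
access-list 101 permit tcp 10.0.20.0 0.0.0.255 host 10.0.30.5 eq 443
access-list 101 permit icmp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
access-list 101 deny ip any any
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group 101 in
 ! By default, denied packets are bridged to the CPU so it can send
 ! ICMP unreachables; suppressing them keeps that traffic off the CPU path.
 no ip unreachables
```

Verify with show access-lists (hit counters per entry) and show running-config | section line vty to confirm the access-class binding.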