34-20
Catalyst 3750 Switch Software Configuration Guide
OL-8550-09
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named
ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can
attempt to connect to any of them.
For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section
on page 34-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on
page 34-30.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:

Command                                  Purpose

Step 1  configure terminal               Enter global configuration mode.

Step 2  line [console | vty] line-number Identify a specific line to configure, and enter line configuration mode.
                                         console: Specify the console terminal line. The console port is DCE.
                                         vty: Specify a virtual terminal for remote console access.
                                         The line-number is the first line number in a contiguous group that you want
                                         to configure when the line type is specified. The range is from 0 to 16.

Step 3  access-class access-list-number  Restrict incoming and outgoing connections between a particular virtual
        {in | out}                       terminal line (into a device) and the addresses in an access list.

Step 4  end                              Return to privileged EXEC mode.

Step 5  show running-config              Display the access list configuration.

Step 6  copy running-config startup-config (Optional) Save your entries in the configuration file.

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.

Applying an IPv4 ACL to an Interface
Note these guidelines:
• Apply an ACL only to inbound Layer 2 ports.
• Apply an ACL to either outbound or inbound Layer 3 interfaces.
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an
  ACL applied to the VLAN interface.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
  takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
  to the VLAN. The port ACL always filters incoming packets received on the Layer 2 port.
• If you apply an ACL to a Layer 3 interface and routing is not enabled, the ACL only filters packets
  that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable
  routing to apply ACLs to Layer 2 interfaces.
• When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs.
  The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
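The terminal-line procedure and the interface guidelines above, worked through in one IOS session as an added example. This is constructed for this page and is not configuration from the guide. Assumed values: the hostname Switch, a management subnet of 10.1.1.0/24, the port gigabitethernet1/0/1, the SVI vlan 10, the numbered ACL 10 and the named ACL MGMT-FILTER; none of these come from the guide. The session shows the numbered-ACL restriction on the vty lines (named ACLs are not accepted there), a port ACL on a Layer 2 interface (inbound only), a router ACL on an SVI (in or out, and only meaningful for transit traffic once routing is enabled), the verification step, and the no form used for removal.

```cisco
! Added example, not from the guide. Assumed values: hostname "Switch",
! management subnet 10.1.1.0/24, port gigabitethernet1/0/1, SVI vlan 10,
! ACL number 10 and ACL name MGMT-FILTER.

! --- Terminal lines: access-class accepts only a numbered ACL ---
Switch# configure terminal
Switch(config)# access-list 10 remark Management hosts allowed to reach the vty lines
Switch(config)# access-list 10 permit 10.1.1.0 0.0.0.255
! Any other source address falls through to the implicit deny at the end of the ACL.
! Apply the same restriction to the whole contiguous vty range: a remote user
! can land on any of these lines, so one unrestricted line defeats the rest.
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in
Switch(config-line)# exit

! --- Layer 2 port: inbound direction only; named or numbered ACL both allowed ---
Switch(config)# ip access-list extended MGMT-FILTER
Switch(config-ext-nacl)# remark Drop Telnet toward the switch, allow everything else
Switch(config-ext-nacl)# deny tcp any any eq 23
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group MGMT-FILTER in
Switch(config-if)# exit

! --- Layer 3 SVI: in or out. Without "ip routing" this ACL only filters
! --- packets destined to the switch CPU (SNMP, Telnet, web), not transit traffic.
Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)# ip access-group MGMT-FILTER out
Switch(config-if)# end

! --- Verify what is applied, then save (Steps 5 and 6 of the procedure) ---
Switch# show running-config | include access-class|access-group|access-list
Switch# show ip interface gigabitethernet1/0/1 | include access list
Switch# copy running-config startup-config

! --- Removal, per the guide: the no form of the line configuration command ---
Switch# configure terminal
Switch(config)# line vty 0 15
Switch(config-line)# no access-class 10 in
Switch(config-line)# end
```

When auditing a switch, the show running-config filter above is the quick check that every vty line carries the same access-class entry; a line vty block that was split (for example, line vty 0 4 and line vty 5 15 with different settings) is the usual way the "identical restrictions on all virtual terminal lines" rule gets broken.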