Cisco Systems 2960 User Manual
31-18
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Applying an IPv4 ACL to an Interface
Note these guidelines:
•
Apply an ACL only to inbound Layer 2 ports.
•
Apply an ACL to either inbound or outbound VLAN interfaces to filter packets that are intended for
the CPU, such as SNMP, Telnet, or web traffic. IPv4 ACLs applied to VLAN interfaces provide
switch management security by limiting access to a specific host in the network or to specific
applications (SNMP, Telnet, SSH, and so on). ACLs attached to VLAN interfaces do not impact the
hardware switching of packets on the VLAN.
the CPU, such as SNMP, Telnet, or web traffic. IPv4 ACLs applied to VLAN interfaces provide
switch management security by limiting access to a specific host in the network or to specific
applications (SNMP, Telnet, SSH, and so on). ACLs attached to VLAN interfaces do not impact the
hardware switching of packets on the VLAN.
Note
On switches running the LAN Lite image, you can apply ACLs only to VLAN interfaces and
not to physical interfaces.
not to physical interfaces.
•
Apply an ACL to either outbound or inbound Layer 3 SVIs.
•
When controlling access to an interface, you can use a named or numbered ACL.
•
If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an
ACL applied to the VLAN interface.
ACL applied to the VLAN interface.
•
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface. The port ACL always
filters incoming packets received on the Layer 2 port.
takes precedence over an input Layer 3 ACL applied to the VLAN interface. The port ACL always
filters incoming packets received on the Layer 2 port.
•
If you apply an ACL to a Layer 3 interface and routing is not enabled, the ACL only filters packets
that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable
routing to apply ACLs to Layer 2 interfaces.
that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable
routing to apply ACLs to Layer 2 interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out}
interface configuration command.
interface configuration command.
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Identify a specific interface for configuration, and enter interface
configuration mode.
configuration mode.
On switches running the LAN base image, the interface can be a physical
interface or VLAN interface. On switches running the LAN Lite image, the
interface must be a VLAN interface.
interface or VLAN interface. On switches running the LAN Lite image, the
interface must be a VLAN interface.
Step 3
ip access-group {access-list-number |
name} {in | out}
name} {in | out}
Control access to the specified interface.
The out keyword is supported only for VLAN interfaces.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Display the access list configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.