Cisco Systems 3130 Manuale Utente
34-21
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out}
interface configuration command.
interface configuration command.
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/0/1
Router(config-if)# ip access-group 2 in
Note
When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a
Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address.
Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU.
They do not affect packets bridged within a VLAN.
Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address.
Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU.
They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the
packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects
the packet, the switch discards the packet.
packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects
the packet, the switch discards the packet.
By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded,
regardless of whether the packet was discarded because of an ACL on the input interface or because of
an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every
one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable
global configuration command.
regardless of whether the packet was discarded because of an ACL on the input interface or because of
an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every
one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable
global configuration command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Identify a specific interface for configuration, and enter interface
configuration mode.
configuration mode.
The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface
(router ACL).
(router ACL).
Step 3
ip access-group {access-list-number |
name} {in | out}
name} {in | out}
Control access to the specified interface.
The out keyword is not supported for Layer 2 interfaces (port ACLs).
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Display the access list configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.