Cisco Systems OL-7396-01 Manual De Usuario
12-11
ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 12
Using Access Control
Filtering IP Packets at the IP Interfaces
Applying an IP Access List to an Interface or Terminal Line
After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on
either outbound or inbound interfaces. The following two tables show how this task is accomplished for
both terminal lines and network interfaces.
either outbound or inbound interfaces. The following two tables show how this task is accomplished for
both terminal lines and network interfaces.
To apply an access list to a terminal line, perform the following tasks, beginning in global configuration
mode:
mode:
To apply an access list to a network interface, perform the following tasks, beginning in global
configuration mode:
configuration mode:
For inbound access lists, after receiving a packet, the ATM switch router software checks the source
address of the packet against the access list. If the access list permits the address, the software continues
to process the packet. If the access list rejects the address, the software discards the packet and returns
an Internet Control Message Protocol (ICMP) host unreachable message.
address of the packet against the access list. If the access list permits the address, the software continues
to process the packet. If the access list rejects the address, the software discards the packet and returns
an Internet Control Message Protocol (ICMP) host unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software
checks the source address of the packet against the access list. If the access list permits the address, the
software transmits the packet. If the access list rejects the address, the software discards the packet and
returns an ICMP host unreachable message.
checks the source address of the packet against the access list. If the access list permits the address, the
software transmits the packet. If the access list rejects the address, the software discards the packet and
returns an ICMP host unreachable message.
If you apply an access list (standard or extended) that has not yet been defined to an interface, the
software acts as if the access list has not been applied to the interface and accepts all packets. You must
define the access list to the interface if you use it as a means of security in your network.
software acts as if the access list has not been applied to the interface and accepts all packets. You must
define the access list to the interface if you use it as a means of security in your network.
Note
Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of
them.
them.
Command
Purpose
Step 1
Switch(config)# line [aux | console | vty]
line-number
line-number
Switch(config-line)#
Selects the line to be configured.
Step 2
Switch(config-line)# access-class
access-list-number {in | out}
access-list-number {in | out}
Restricts incoming and outgoing connections
between a particular virtual terminal line (into
a device) and the addresses in an access list.
between a particular virtual terminal line (into
a device) and the addresses in an access list.
Command
Purpose
Step 1
Switch(config)# interface atm card/subcard/port
Switch(config-if)#
Selects the interface or subinterface to be
configured.
configured.
Step 2
Switch(config-if)# ip access-group
access-list-number {in | out}
access-list-number {in | out}
Controls access to an interface.