Chapter 62
Configuring Network Security with ACLs
Configuring Access-group Mode on Layer 2 Interface

To configure an access mode on a Layer 2 interface, perform this task:

Step    Command                                                        Purpose
1       Switch# configure terminal                                     Enters global configuration mode.
2       Switch(config)# interface interface                            Enters interface configuration mode.
3       Switch(config-if)# [no] access-group mode                      Applies numbered or named ACL to the Layer 2 interface.
        {prefer {port | vlan} | merge}                                 The no form deletes the IP or MAC ACL from the Layer 2 interface.
4       Switch(config)# show running-config                            Displays the access list configuration.

This example shows how to merge and apply features other than PACL on the interface:

Switch# configure terminal
Switch(config)# interface fast 6/1
Switch(config-if)# access-group mode prefer port

This example shows how to merge applicable ACL features before they are programmed into hardware:

Switch# configure terminal
Switch(config)# interface fast 6/1
Switch(config-if)# access-group mode merge

Applying ACLs to a Layer 2 Interface

To apply IPv4, IPv6, and MAC ACLs to a Layer 2 interface, perform one of these tasks:

Command                                                        Purpose
Switch(config-if)# ip access-group ip-acl {in | out}           Applies an IPv4 ACL to the Layer 2 interface.
Switch(config-if)# ipv6 traffic-filter ipv6-acl {in | out}     Applies an IPv6 ACL to the Layer 2 interface.
Switch(config-if)# mac access-group mac-acl {in | out}         Applies a MAC ACL to the Layer 2 interface.

This example applies the extended named IP ACL simple-ip-acl to interface FastEthernet 6/1 ingress traffic:

Switch# configure terminal
Switch(config)# interface fast 6/1
Switch(config-if)# ip access-group simple-ip-acl in

This example applies the IPv6 ACL simple-ipv6-acl to interface FastEthernet 6/1 ingress traffic:

Switch# configure terminal
Switch(config)# interface fast 6/1
Switch(config-if)# ipv6 traffic-filter simple-ipv6-acl in

prefer VLAN mode    VLAN-based ACL features take effect on the port if they have been applied on the port and no PACLs are in effect. If no VLAN-based ACL features are applicable to the Layer 2 interface, then the PACL feature already on the interface is applied.
merge mode          Merges applicable ACL features before they are programmed into the hardware.

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
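As an added audit script (not part of the Cisco guide), the following Python code parses a constructed running-config excerpt for the three PACL commands and the access-group mode described above, and flags interfaces where a configured PACL may not take effect because the port is in prefer vlan mode, or where no mode has been set explicitly. The interface and ACL names in the sample are constructed, and the script does not assume which mode applies when none is configured.

```python
import re

# Constructed running-config excerpt for illustration; not captured from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet6/1
 switchport
 ip access-group simple-ip-acl in
 ipv6 traffic-filter simple-ipv6-acl in
 access-group mode merge
!
interface FastEthernet6/2
 switchport
 mac access-group simple-mac-acl in
 access-group mode prefer vlan
!
interface FastEthernet6/3
 switchport
 ip access-group simple-ip-acl out
!
"""

# The three PACL apply commands and the mode command from the guide.
PACL_RE = re.compile(r"^\s*(ip access-group|ipv6 traffic-filter|mac access-group)\s+(\S+)\s+(in|out)\s*$")
MODE_RE = re.compile(r"^\s*access-group mode\s+(prefer port|prefer vlan|merge)\s*$")

def parse_interfaces(config):
    """Return {interface: {"pacls": [(feature, acl, direction), ...], "mode": str or None}}."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = {"pacls": [], "mode": None}
        elif current is None:
            continue  # lines before the first interface block are ignored
        elif (m := PACL_RE.match(line)):
            result[current]["pacls"].append(m.groups())
        elif (m := MODE_RE.match(line)):
            result[current]["mode"] = m.group(1)
    return result

def audit(config):
    """List (interface, reason) pairs where a configured PACL may not be the effective filter."""
    findings = []
    for name, data in parse_interfaces(config).items():
        if not data["pacls"]:
            continue  # nothing to check: no PACL on this port
        if data["mode"] == "prefer vlan":
            findings.append((name, "PACL configured, but prefer vlan mode lets VLAN-based ACL features take precedence"))
        elif data["mode"] is None:
            findings.append((name, "PACL configured, but no explicit access-group mode is set"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a real `show running-config` capture to list the ports worth reviewing.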