Applying an IPv4 ACL to an Interface - Cisco Catalyst 3560-X Software Configuration Manual

Chapter 1
Configuring Network Security with ACLs
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: line [console | vty] line-number
  Purpose: Identify a specific line to configure, and enter in-line configuration mode.
    - console—Specify the console terminal line. The console port is DCE.
    - vty—Specify a virtual terminal for remote console access.
    The line-number is the first line number in a contiguous group that you want
    to configure when the line type is specified. The range is from 0 to 16.

Step 3
  Command: access-class access-list-number {in | out}
  Purpose: Restrict incoming and outgoing connections between a particular virtual
    terminal line (into a device) and the addresses in an access list.

Step 4
  Command: end
  Purpose: Return to privileged EXEC mode.

Step 5
  Command: show running-config
  Purpose: Display the access list configuration.

Step 6
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.

Applying an IPv4 ACL to an Interface

This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:

- Apply an ACL only to inbound Layer 2 interfaces. Apply an ACL to either outbound or inbound
  Layer 3 interfaces.

  Note: On switches running the LAN base feature set, router (Layer 3) ACLs are supported only
  on SVIs and not on physical interfaces or Layer 3 EtherChannels.

- When controlling access to an interface, you can use a named or numbered ACL.
- If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
  takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
  to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
- If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only
  filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have
  to enable routing to apply ACLs to Layer 2 interfaces.
- When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs.
  The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
- When you configure an egress ACL to permit traffic with a particular DSCP value, you must use
  the original DSCP value instead of a rewritten value.

OL-25303-03
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Configuring IPv4 ACLs
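
An added example, not part of the Cisco manual: a Python check for the terminal-line procedure above that reads saved show running-config output and reports vty line groups with no inbound access-class, or with an access-class naming an ACL that is not defined in that configuration. The sample configuration, its addresses, and the function name audit_vty_access_class are constructed for illustration.

```python
import re

# Constructed sample of "show running-config" output (not taken from the manual).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 login local
line vty 5 9
 login local
line vty 10 15
 access-class 20 in
!
end
"""

def audit_vty_access_class(config):
    """Return (line_range, problem) for each vty block lacking a usable inbound ACL."""
    defined = set(re.findall(r"^access-list (\d+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    findings, current, inbound = [], None, None

    def close_block():
        if current is None:
            return
        if inbound is None:
            findings.append((current, "no inbound access-class"))
        elif inbound not in defined:
            findings.append((current, "access-class %s references an undefined ACL" % inbound))

    for raw in config.splitlines():
        if not raw.startswith(" "):          # a top-level line ends the previous block
            close_block()
            m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
            current, inbound = (m.group(1) if m else None), None
        elif current is not None:            # indented line inside a vty block
            m = re.match(r"\s+access-class (\S+) in\b", raw)
            if m:
                inbound = m.group(1)
    close_block()
    return findings

if __name__ == "__main__":
    for vty, problem in audit_vty_access_class(SAMPLE_CONFIG):
        print("line vty %s: %s" % (vty, problem))
```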