Cisco Catalyst 3560-X Software Configuration Manual page 890

Configuring IPv4 ACLs
Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. Port ACLs are an exception. They do not generate ICMP unreachable messages.

ICMP unreachable messages can be disabled on router ACLs with the no ip unreachables interface command.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
        Command                                     Purpose
Step 1  configure terminal                          Enter global configuration mode.
Step 2  interface interface-id                      Identify a specific interface for configuration, and enter interface
                                                    configuration mode.
                                                    The interface can be a Layer 2 interface (port ACL), or a Layer 3
                                                    interface (router ACL).
Step 3  ip access-group {access-list-number |       Control access to the specified interface.
        name} {in | out}                            The out keyword is not supported for Layer 2 interfaces (port ACLs).
Step 4  end                                         Return to privileged EXEC mode.
Step 5  show running-config                         Display the access list configuration.
Step 6  copy running-config startup-config          (Optional) Save your entries in the configuration file.

To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out} interface configuration command.

This example shows how to apply access list 2 to a port to filter packets entering the port:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 2 in

Note: When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect packets bridged within a VLAN.

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.

For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.

By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable global configuration command.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1, Configuring Network Security with ACLs, page 1-22
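The procedure in the table and the ACL decision and ICMP unreachable behaviour described above, modelled as an added Python example that is not part of the Cisco guide and not Cisco code. It shows the two configuration constraints being enforced (no out keyword on a Layer 2 port, an IP address required on a Layer 3 interface), the inbound check on receipt and the outbound check after routing, the input interface generating the ICMP unreachable for either denial, port ACLs never generating one, no ip unreachables suppressing it, and the default one-per-half-second limit per input interface. The class and method names, the interface names, access lists 2 and 3, the packet sources and the timestamps are constructed; ACL matching is simplified to a first-match source-network lookup with the implicit deny, and only routed packets are modelled (the bridged-within-a-VLAN case the note mentions is left out).

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Interface:
    name: str
    layer3: bool                        # True: SVI/routed port (router ACL); False: L2 port (port ACL)
    ip: Optional[str] = None
    acl_in: Optional[str] = None
    acl_out: Optional[str] = None
    ip_unreachables: bool = True        # cleared by "no ip unreachables"
    last_unreachable_ms: Optional[int] = None


class Switch:
    def __init__(self, unreachable_interval_ms: int = 500) -> None:
        self.unreachable_interval_ms = unreachable_interval_ms   # default: one per half second per input interface
        self.acls: dict[str, list[tuple[str, ipaddress.IPv4Network]]] = {}   # name -> [(action, source net)]
        self.interfaces: dict[str, Interface] = {}

    def ip_access_group(self, ifname: str, acl: str, direction: str) -> None:
        """Step 3 of the procedure, enforcing the constraints the table and the note state."""
        intf = self.interfaces[ifname]
        if direction == "out" and not intf.layer3:
            raise ValueError("the out keyword is not supported for Layer 2 interfaces (port ACLs)")
        if intf.layer3 and intf.ip is None:
            raise ValueError("a Layer 3 interface must have an IP address before an access group is applied")
        setattr(intf, "acl_" + direction, acl)

    def _permits(self, acl: Optional[str], src: ipaddress.IPv4Address) -> bool:
        if acl is None:
            return True                 # no access group applied: nothing is filtered
        for action, net in self.acls[acl]:   # first matching entry decides
            if src in net:
                return action == "permit"
        return False                    # implicit deny at the end of every ACL

    def _unreachable_sent(self, in_if, denying_if, now_ms) -> bool:
        """The input interface decides whether an ICMP unreachable is generated for a discard."""
        if not denying_if.layer3 or not in_if.ip_unreachables:
            return False                # port ACLs never generate one; "no ip unreachables" suppresses it
        last = in_if.last_unreachable_ms
        if last is not None and now_ms - last < self.unreachable_interval_ms:
            return False                # rate-limited: discarded without a message
        in_if.last_unreachable_ms = now_ms
        return True

    def forward(self, in_name: str, out_name: str, src_ip: str, now_ms: int = 0) -> str:
        """Route one packet; returns 'forwarded', 'discarded' or 'discarded+unreachable'."""
        in_if, out_if = self.interfaces[in_name], self.interfaces[out_name]
        src = ipaddress.IPv4Address(src_ip)
        # the inbound ACL is checked on receipt, the outbound ACL after routing to the controlled interface
        for acl, denying_if in ((in_if.acl_in, in_if), (out_if.acl_out, out_if)):
            if not self._permits(acl, src):
                sent = self._unreachable_sent(in_if, denying_if, now_ms)
                return "discarded+unreachable" if sent else "discarded"
        return "forwarded"


def demo() -> dict[str, str]:
    """Constructed topology: an access port with a port ACL and two SVIs with router ACLs."""
    sw = Switch()
    sw.interfaces["GigabitEthernet1/0/1"] = Interface("GigabitEthernet1/0/1", layer3=False)
    sw.interfaces["Vlan10"] = Interface("Vlan10", layer3=True, ip="10.0.10.1/24")
    sw.interfaces["Vlan20"] = Interface("Vlan20", layer3=True, ip="10.0.20.1/24")
    any_net = ipaddress.IPv4Network("0.0.0.0/0")
    sw.acls["2"] = [("deny", ipaddress.IPv4Network("192.168.0.0/16")), ("permit", any_net)]
    sw.acls["3"] = [("deny", ipaddress.IPv4Network("10.0.10.0/24")), ("permit", any_net)]
    sw.ip_access_group("GigabitEthernet1/0/1", "2", "in")   # port ACL, as in the page's example
    sw.ip_access_group("Vlan10", "2", "in")                  # router ACL, inbound
    sw.ip_access_group("Vlan20", "3", "out")                 # router ACL, outbound
    results = {
        "port_acl_deny": sw.forward("GigabitEthernet1/0/1", "Vlan20", "192.168.1.5", now_ms=0),
        "router_acl_in_deny": sw.forward("Vlan10", "Vlan20", "192.168.1.5", now_ms=0),
        "rate_limited": sw.forward("Vlan10", "Vlan20", "192.168.1.5", now_ms=100),
        "router_acl_out_deny": sw.forward("Vlan10", "Vlan20", "10.0.10.7", now_ms=600),
        "forwarded": sw.forward("Vlan10", "Vlan20", "10.0.30.7", now_ms=700),
    }
    sw.interfaces["Vlan10"].ip_unreachables = False          # "no ip unreachables" on the input interface
    results["unreachables_disabled"] = sw.forward("Vlan10", "Vlan20", "192.168.1.5", now_ms=2000)
    return results


def constraint_checks() -> dict[str, bool]:
    """The two constraints the table notes; True means the misconfiguration was rejected."""
    sw = Switch()
    sw.interfaces["GigabitEthernet1/0/2"] = Interface("GigabitEthernet1/0/2", layer3=False)
    sw.interfaces["Vlan30"] = Interface("Vlan30", layer3=True)   # no IP address configured yet
    checks = {}
    for key, args in (("out_on_l2_rejected", ("GigabitEthernet1/0/2", "2", "out")),
                      ("l3_without_ip_rejected", ("Vlan30", "2", "in"))):
        try:
            sw.ip_access_group(*args)
            checks[key] = False
        except ValueError:
            checks[key] = True
    return checks
```

Running demo() shows the point the guide makes about unreachables: the port-ACL denial on GigabitEthernet1/0/1 is a silent discard, the router-ACL denials on Vlan10 (inbound) and Vlan20 (outbound) both produce the message from the input interface Vlan10, a second denial 100 ms after the first is rate-limited, and once ip_unreachables is cleared on Vlan10 nothing is sent. constraint_checks() confirms that applying out on a Layer 2 port and applying an access group to an address-less SVI are both rejected before any state changes.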
