IP ACL Configuration Examples - Cisco Catalyst 3550 Series Software Configuration Manual

Chapter 28
Configuring Network Security with ACLs
To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out}
interface configuration command.
This example shows how to apply access list 2 on Gigabit Ethernet interface 0/3 to filter packets entering
the interface:
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group 2 in
Note
When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a
Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address.
Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU.
They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
For outbound ACLs (Layer 3 interfaces only), after receiving and routing a packet to a controlled
interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends
the packet. If the ACL rejects the packet, the switch discards the packet.
If the input interface is configured to send ICMP Unreachable messages, these messages are sent
whenever a packet is discarded, regardless of whether the packet was discarded because of an ACL on
the input interface or because of an ACL on the output interface. ICMP Unreachables are normally
limited to no more than one every one-half second per input interface, but this can be changed by using
the ip icmp rate-limit unreachable global configuration command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.

IP ACL Configuration Examples

This section provides examples of configuring IP ACLs. For detailed information about compiling
ACLs, refer to the Security Configuration Guide and the "IP Services" chapter of the Cisco IOS IP and
IP Routing Configuration Guide for IOS Release 12.1.
Figure 28-3 shows a small networked office environment with the routed port 0/2 connected to Server
A, containing benefits and other information that all employees can access, and routed port 0/3
connected to Server B, containing confidential payroll data. All users can access Server A, but Server B
has restricted access.
Use router ACLs to do this in one of these ways:
Create a standard IP ACL, and filter traffic coming to the server from port 0/3.
Create an extended IP ACL, and filter traffic coming from the server into port 0/3.
Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-09, page 28-21
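As an added worked example (not the guide's own configuration), both approaches above are carried through for Server B, followed by the checks that confirm the group is actually applied. The addresses, list number 6 and the name TO-SERVER-B are assumptions, and the log keyword is assumed to be supported for router ACLs on the running software.

```cisco
! Added example, not from the Cisco guide. Constructed addressing:
! Server B (payroll) = 172.20.128.65 behind routed port gi0/3,
! payroll workstations = 172.20.128.64/27, everyone else elsewhere in 172.20.0.0/16.
! Define the list before applying it: a group that names an undefined ACL permits everything.
Switch# configure terminal
! Option 1: standard ACL (source address only), applied outbound on the routed
! port in front of Server B. Any source not listed hits the implicit deny at the end.
Switch(config)# access-list 6 remark payroll subnet only toward Server B
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.31
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group 6 out
Switch(config-if)# exit
! Option 2: extended ACL (source, destination, protocol, port), same placement but
! narrowed to the services Server B offers. The explicit deny with log produces a
! syslog entry for blocked flows, so attempts against the server become visible.
Switch(config)# ip access-list extended TO-SERVER-B
Switch(config-ext-nacl)# permit tcp 172.20.128.64 0.0.0.31 host 172.20.128.65 eq 443
Switch(config-ext-nacl)# permit icmp 172.20.128.64 0.0.0.31 host 172.20.128.65 echo
Switch(config-ext-nacl)# deny ip any host 172.20.128.65 log
Switch(config-ext-nacl)# exit
! One IP access group per direction per interface: applying TO-SERVER-B outbound
! here replaces access list 6 on gi0/3.
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group TO-SERVER-B out
Switch(config-if)# end
! Verify the entries and that the interface reports the outgoing access list.
Switch# show access-lists
Switch# show ip interface gigabitethernet0/3
```

Logged denies are processed by the CPU, so keep the log keyword on the final deny only rather than on every entry.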