Applying An Ipv4 Acl To An Interface - Cisco ME 3400 Software Configuration Manual

Chapter 31 Configuring Network Security with ACLs
Command
Step 4
end
Step 5
show running-config
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.

Applying an IPv4 ACL to an Interface

This section describes how to apply IPv4 ACLs to network interfaces. You can apply an ACL to either
outbound or inbound Layer 3 interfaces. You can apply ACLs only to inbound Layer 2 interfaces. Note
these guidelines:
•
•
•
•
By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a
Note
packet is denied by an access group. These access-group denied packets are not dropped in hardware but
are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Command
Step 1
configure terminal
Step 2 interface interface-id
Step 3
no shutdown
Step 4
ip access-group {access-list-number |
name} {in | out}
Step 5 end
Step 6 show running-config
Step 7
copy running-config startup-config
OL-9639-07
Purpose
Return to privileged EXEC mode.
Display the access list configuration.
When controlling access to an interface, you can use a named or numbered ACL.
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only
filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have
to enable routing to apply ACLs to Layer 2 interfaces.
When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs.
The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
Purpose
Enter global configuration mode.
Identify a specific interface for configuration, and enter interface
configuration mode.
The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface
(router ACL).
Enable the port, if necessary. By default, user network interfaces (UNIs)
and enhanced network interfaces (ENIs) are disabled, and network node
interfaces (NNIs) are enabled.
Control access to the specified interface.
The out keyword is not supported for Layer 2 interfaces (port ACLs).
Return to privileged EXEC mode.
Display the access list configuration.
(Optional) Save your entries in the configuration file.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
Configuring IPv4 ACLs
31-19