Assigning ACLs to Ports; Assigning Numbered IP ACLs to a Port; Table 118. Assigning Numbered IP ACLs - Allied Telesis AT-9028 User Manual

AT-9000 Series Layer 2-4 Gigabit Ethernet EcoSwitches

Chapter 67: Advanced Access Control Lists (ACLs)

Assigning ACLs to Ports

Assigning Numbered IP ACLs to a Port

Command
awplus> enable
awplus# configure terminal
awplus(config)# access-list 3097 deny ip any 149.107.22.0/24
awplus(config)# interface port1.0.12,port1.0.13
awplus(config_if)# access-group 3002
Before you can assign an ACL to a port, you must first create an ACL. The
command that you use to assign an ACL to a port depends on which type
of ACL you have created. See the following sections:
"Assigning Numbered IP ACLs to a Port" on page 1042
"Assigning MAC Address ACLs to a Port" on page 1043
Note
In situations where ports have both permit and deny ACLs, you must
assign the permit ACLs to a port first because ingress packets are
compared against the ACLs in the order in which they are added to
the ports. If you add the deny ACLs first, the ports may block
packets you want them to forward.
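The ordering rule in the note above, modeled as an added example (not from the manual): it evaluates a port's ACLs in the order they were added and flags permit ACLs that an earlier deny ACL makes unreachable. Assumptions: the first matching ACL decides, packets that match no ACL are forwarded, and the permit ACL 3001 and the host addresses are constructed for illustration.

```python
import ipaddress
import re

# Same shape as the page's command: access-list <id> <action> ip <src> <dst>
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+)$")

def _net(token):
    # "any" matches every IPv4 address
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_acl(line):
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    acl_id, action, src, dst = m.groups()
    return {"id": int(acl_id), "action": action, "src": _net(src), "dst": _net(dst)}

def evaluate(port_acls, src, dst):
    """Return (action, acl_id) of the first ACL on the port that matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in port_acls:  # list order = order the ACLs were added to the port
        if s in acl["src"] and d in acl["dst"]:
            return acl["action"], acl["id"]
    return "permit", None  # assumption: unmatched packets are forwarded

def shadowed_permits(port_acls):
    """Permit ACLs that can never match because an earlier deny ACL covers them."""
    hits = []
    for i, acl in enumerate(port_acls):
        if acl["action"] != "permit":
            continue
        for earlier in port_acls[:i]:
            if (earlier["action"] == "deny"
                    and acl["src"].subnet_of(earlier["src"])
                    and acl["dst"].subnet_of(earlier["dst"])):
                hits.append((acl["id"], earlier["id"]))
                break
    return hits

# Constructed sample: the page's deny rule under the ID the example assigns
# to the ports (3002), plus a hypothetical permit ACL for a single host.
DENY = parse_acl("access-list 3002 deny ip any 149.107.22.0/24")
PERMIT = parse_acl("access-list 3001 permit ip any 149.107.22.5/32")

if __name__ == "__main__":
    for order in ([PERMIT, DENY], [DENY, PERMIT]):
        print([a["id"] for a in order],
              evaluate(order, "10.0.0.8", "149.107.22.5"),
              shadowed_permits(order))
```

Running `shadowed_permits` over the ACL order recorded for each port is a quick audit for the misordering the note describes.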
To assign a Numbered IPv4 ACL to a port on the switch, use the
ACCESS-GROUP command in the Port Interface mode. Using this
command, you can add one Numbered IP ACL to a port or several ports.
The ACL must exist on the switch. Here is the format of the command:
access-group id_number
For more information about this command, see "ACCESS-GROUP" on
page 1057.
In this example, ports 12 and 13 are assigned an ACL, ID number 3002,
that blocks all untagged ingress packets with a destination address in the
149.107.22.0 subnet. This example adds two Numbered IP ACLs with ID
numbers 3002 and 3075 to ports 12 and 13. See Table 118.

Table 118. Assigning Numbered IP ACLs

Description
Enter the Privileged Executive mode from the User Executive mode.
Enter the Global Configuration mode.
Create the deny ACL.
Enter the Port Interface mode for ports 12 and 13.
Apply the ACL to the ports with the ACCESS-GROUP command.
Section X: Network Management