Foundry Networks Switch and Router Installation And Configuration Manual page 393

To store this many ACLs, you need a Management IV module with a PCMCIA flash card. The flash card contains
enough space to store a startup-config file with 4096 ACLs. You can boot the device from the PCMCIA flash card
and load a configuration file containing ACLs and VLANs from the PCMCIA flash card. For information, see
"Loading the Startup-Config File from a PCMCIA Flash Card During System Load" on page 5-30.
You can also load ACLs dynamically by saving them in an external configuration file, then loading them using one
of the following commands:
copy slot1 | slot2 running <from-name>
ncopy slot1 | slot2 <from-name> running
copy tftp running-config <ip-addr> <filename>
ncopy tftp <ip-addr> <from-name> running-config
Disabling or Re-Enabling Access Control Lists (ACLs)
A Layer 3 Switch cannot actively use both IP access policies and ACLs for filtering IP traffic. When you boot a
Layer 3 Switch with software release 06.5.00 or higher, the software checks the device's startup-config file for ip
access-policy-group commands, which associate IP access policies with ports. If the software finds an ip
access-policy-group command in the file, the software disables all packet-forwarding ACLs (those associated
with specific ports) and also prevents you from applying an ACL to a port.
The next time you save the startup-config file, the software adds the following command near the top of the file,
underneath the ver (software version) statement:
ip dont-use-acl
This command disables all packet-forwarding ACLs (those associated with specific ports) and also prevents you
from associating an ACL with a port. However, the command does not remove existing ACLs from the startup-
config file. In addition, the command does not affect ACLs used for controlling management access to the device.
Enabling ACL Mode
If you try to apply an ACL to a port when the ACL mode is disabled (when the ip dont-use-acl command is in
effect), a message is displayed, as shown in the following CLI example:
BigIron(config-if-e1000-1/1)# ip access-group 1 out
Must enable ACL mode first by using no ip dont-use-acl command and removing all ip
access-policy-group commands from interfaces, write memory and reload
As the message states, if you want to use ACLs, you must first enable the ACL mode. To do so, use either of the
following methods.
USING THE CLI
To enable the ACL mode, enter the following commands:
BigIron(config-if-e1000-1/1)# exit
BigIron(config)# no ip dont-use-acl
BigIron(config)# write memory
BigIron(config)# end
BigIron# reload
The write memory command removes the ip dont-use-acl command from the startup-config file. The reload
command reloads the software. When the software finishes loading, you can apply ACLs to ports.
The commands that configure the IP access policies and apply them to ports remain in the startup-config file in
case you want to use them again, but they are disabled. If you later decide you want to use the IP access policies
again instead of ACLs, you must disable the ACL mode again. See the following section.
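The boot-time check described above (an ip access-policy-group command on any port disables packet-forwarding ACLs, and ip dont-use-acl then records that state) and the enable procedure (remove ip dont-use-acl, remove all ip access-policy-group commands from interfaces, write memory, reload) can be audited offline against a saved startup-config. The following Python script is an added example, not part of the Foundry manual or product; the sample configuration it parses is constructed, and the exact layout of a startup-config file (one-space indentation under interface stanzas, the argument form of ip access-policy-group) is assumed. It reports whether ACL mode is in effect, which ports carry ip access-group commands that the software will ignore while the mode is disabled, and which of the steps in the CLI message still apply.

```python
import re
from dataclasses import dataclass, field

# Constructed sample startup-config (not taken from the manual). The file layout
# and the argument form of "ip access-policy-group" are assumptions.
SAMPLE_STARTUP_CONFIG = """\
ver 06.5.00
ip dont-use-acl
!
access-list 1 deny host 10.0.0.5
access-list 1 permit any
!
ip access-policy 10 deny 10.0.0.0 255.0.0.0 any
!
interface ethernet 1/1
 ip access-group 1 out
!
interface ethernet 1/2
 ip access-policy-group in 10
!
"""


@dataclass
class AclModeReport:
    dont_use_acl: bool
    policy_group_ports: list = field(default_factory=list)   # ports with ip access-policy-group
    access_group_ports: list = field(default_factory=list)   # ports with ip access-group

    @property
    def acl_mode_enabled(self) -> bool:
        # ACL mode is usable only when neither condition from the manual holds.
        return not self.dont_use_acl and not self.policy_group_ports

    @property
    def ignored_acl_ports(self) -> list:
        # While ACL mode is disabled, per-port ACL bindings are present but inactive.
        return [] if self.acl_mode_enabled else list(self.access_group_ports)


def audit_acl_mode(config_text: str) -> AclModeReport:
    """Walk a startup-config and collect the facts the software checks at boot."""
    report = AclModeReport(dont_use_acl=False)
    current_port = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current_port = line[len("interface "):]
            continue
        if not raw.startswith((" ", "\t")):
            current_port = None  # unindented line: back at global config level
        if line == "ip dont-use-acl":
            report.dont_use_acl = True
        elif line.startswith("ip access-policy-group") and current_port:
            report.policy_group_ports.append(current_port)
        elif re.match(r"ip access-group\s", line) and current_port:
            report.access_group_ports.append(current_port)
    return report


def required_steps(report: AclModeReport) -> list:
    """The steps from the CLI message, in order, that still apply to this config."""
    steps = []
    if report.dont_use_acl:
        steps.append("no ip dont-use-acl")
    for port in report.policy_group_ports:
        steps.append(f"remove ip access-policy-group from interface {port}")
    if steps:
        steps += ["write memory", "reload"]
    return steps


if __name__ == "__main__":
    rep = audit_acl_mode(SAMPLE_STARTUP_CONFIG)
    print("ACL mode enabled:", rep.acl_mode_enabled)
    print("ACL bindings currently ignored on:", rep.ignored_acl_ports)
    for step in required_steps(rep):
        print(" -", step)
```

Running it against the sample shows the situation the manual warns about: the ACL bound to ethernet 1/1 is present in the file but not enforced, because ethernet 1/2 still carries an IP access policy and ip dont-use-acl is set. Once both are removed from the config, the audit reports ACL mode as enabled and no remaining steps.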
USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.
December 2000
Using Access Control Lists (ACLs)
13 - 5