30-17
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 30 Configuring Network Security with ACLs
Configuring IPv4 ACLs
• If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an ACL applied to the VLAN interface.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:

        Command                                        Purpose
Step 1  configure terminal                             Enter global configuration mode.
Step 2  interface interface-id                         Identify a specific interface for configuration, and enter interface
                                                       configuration mode. The interface must be a VLAN interface.
Step 3  ip access-group {access-list-number | name}    Control access to the specified interface.
        {in | out}
Step 4  end                                            Return to privileged EXEC mode.
Step 5  show running-config                            Display the access list configuration.
Step 6  copy running-config startup-config             (Optional) Save your entries in the configuration file.

To remove the specified access group, use the no ip access-group {access-list-number | name} {in | out} interface configuration command.

This example shows how to apply access list 3 to filter packets going to the CPU:

Switch(config)# interface vlan 1
Switch(config-if)# ip access-group 3 in

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process it. If the ACL denies the packet, the switch discards it.

For outbound ACLs, after the CPU generates a packet and routes it to the VLAN, the switch checks the packet against the ACL before transmitting it. If the ACL permits the packet, the switch sends it. If the ACL denies the packet, the switch discards it.

When you apply an undefined ACL to an interface (an access-list number or name for which no entries have been configured), the switch acts as if no ACL had been applied and permits all packets. Remember this behavior if you rely on ACLs for network security: a mistyped or not-yet-defined ACL name results in no filtering at all rather than in traffic being denied.

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but some traffic flows must be forwarded to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially lower than for hardware-forwarded traffic. If ACLs cause large numbers of packets to be sent to the CPU, switch performance can be negatively affected.

When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched packets.