Specifications
26-17
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 26 Configuring Network Security with ACLs
Configuring IP ACLs
To remove the specified access group, use the no ip access-group {access-list-number | name} {in}
interface configuration command.
This example shows how to apply access list 2 on Gigabit Ethernet interface 0/3 to filter packets entering
the interface:
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group 2 in
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded. ICMP
Unreachables are normally limited to no more than one every one-half second per input interface, but
this can be changed by using the ip icmp rate-limit unreachable global configuration command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
Hardware and Software Treatment of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic. If ACLs cause large numbers of packets to be sent
to the CPU, the switch performance can be negatively affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched packets.
IP ACL Configuration Examples
This section provides examples of configuring and applying IP ACLs. For detailed information about
compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco
IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
This example uses a standard ACL to allow a specific Internet host, the one with the address
172.20.128.64, access to the interface.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
permit 172.20.128.64 wildcard bits 0.0.0.0
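As an added illustration, not taken from the Catalyst guide, the following Python models the inbound standard-ACL evaluation described in this section: wildcard-mask matching (a 0 bit must match, a 1 bit is ignored), first-match-wins, the implicit deny at the end of a defined ACL (standard IOS behavior, not restated on this page), the software match counter that show ip access-lists reports, and the undefined-ACL case that permits every packet. Access list 6 is the page's example; access lists 7 and 99 and every address other than 172.20.128.64 are constructed for the demonstration.

```python
"""Simulation of inbound standard IP ACL evaluation (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class StandardAce:
    """One access-list entry: action, address, wildcard mask and a software match counter."""
    action: str                 # "permit" or "deny"
    address: str                # IPv4 address compared against the packet's source
    wildcard: str = "0.0.0.0"   # wildcard mask: 0 bit = must match, 1 bit = don't care
    matches: int = 0            # counts software matches, like show ip access-lists

    def covers(self, src_ip: str) -> bool:
        """True if src_ip equals self.address in every bit the wildcard does not ignore."""
        addr = int(ipaddress.IPv4Address(self.address))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        src = int(ipaddress.IPv4Address(src_ip))
        care = ~wild & 0xFFFFFFFF          # bits that must be equal
        return (addr & care) == (src & care)


def evaluate_inbound(acl_table: Dict[str, List[StandardAce]],
                     access_group: str, src_ip: str) -> str:
    """Decision for a packet entering an interface with `ip access-group <access_group> in`.

    Returns "permit" (switch keeps processing the packet) or "discard".
    """
    acl = acl_table.get(access_group)
    if acl is None:
        # Undefined ACL applied to an interface: treated as if no ACL were applied,
        # so every packet is permitted. This is the footgun the guide warns about.
        return "permit"
    for ace in acl:                        # entries are checked in order; first match wins
        if ace.covers(src_ip):
            ace.matches += 1
            return "permit" if ace.action == "permit" else "discard"
    # No entry matched: the implicit deny at the end of every defined ACL applies.
    return "discard"


def demo() -> Dict[str, str]:
    """Run a few constructed packets through two ACLs and one undefined access group."""
    table = {
        # The page's example: access-list 6 permit 172.20.128.64 0.0.0.0
        "6": [StandardAce("permit", "172.20.128.64")],
        # Constructed: block one host, then permit the rest of 10.1.1.0/24 via wildcard 0.0.0.255
        "7": [StandardAce("deny", "10.1.1.13"),
              StandardAce("permit", "10.1.1.0", "0.0.0.255")],
    }
    return {
        "acl6 host": evaluate_inbound(table, "6", "172.20.128.64"),   # permit
        "acl6 other": evaluate_inbound(table, "6", "172.20.128.65"),  # discard (implicit deny)
        "acl7 blocked": evaluate_inbound(table, "7", "10.1.1.13"),    # discard (explicit deny)
        "acl7 subnet": evaluate_inbound(table, "7", "10.1.1.200"),    # permit (wildcard match)
        "acl7 outside": evaluate_inbound(table, "7", "192.0.2.9"),    # discard (implicit deny)
        "undefined": evaluate_inbound(table, "99", "192.0.2.9"),      # permit (no ACL defined)
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} -> {decision}")
```

The ordering in access list 7 matters: swapping its two entries would let the /24 permit match 10.1.1.13 first and the deny would never be reached, which is why the counters per entry are worth inspecting after a change.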
        Command                                             Purpose
Step 3  ip access-group {access-list-number | name} {in}   Control access to the specified interface.
Step 4  end                                                 Return to privileged EXEC mode.
Step 5  show running-config                                 Display the access list configuration.
Step 6  copy running-config startup-config                  (Optional) Save your entries in the configuration file.