For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet
against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet,
the switch discards the packet.
By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless
of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the
output interface. ICMP Unreachables are normally limited to no more than one every one-half second per
input interface, but this can be changed by using the ip icmp rate-limit unreachable global configuration
command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the
interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
Related Topics
Applying an IPv4 ACL to an Interface, on page 130
Restrictions for Configuring Network Security with ACLs, on page 105
How to Configure ACLs
Configuring IPv4 ACLs
These are the steps to use IP ACLs on the switch:
SUMMARY STEPS
1.
Create an ACL by specifying an access list number or name and the access conditions.
2.
Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to
VLAN maps.
DETAILED STEPS
PurposeCommand or Action
Create an ACL by specifying an access list number or name and the access conditions.
Step 1
Apply the ACL to interfaces or terminal lines. You can also apply standard and extended
IP ACLs to VLAN maps.
Step 2
Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
120 OL-29434-01
Configuring IPv4 ACLs
How to Configure ACLs
To Next Page
Loading...
Need help?
General