When a PACL is applied to a trunk port, the ACL filters the traffic of every VLAN carried on that trunk. When a PACL is applied to a voice VLAN port, the ACL filters both the data VLAN and the voice VLAN traffic.
ip access-group
Use the ip access-group interface configuration command on the switch stack or on a standalone switch to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface.
ip access-group {access-list-number | name} {in | out}
no ip access-group [access-list-number | name] {in | out}
Syntax Description
Defaults
No access list is applied to the interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access-list global configuration command. You can use numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.
You can use this command to apply an access list to a Layer 2 or Layer 3 interface. However, note these limitations for Layer 2 interfaces (port ACLs):
: On a Layer 3 switch an ACL can be configured on both Layer 2 and Layer 3 interfaces, but on Layer 2 interfaces the ACL configuration is restricted as listed below.
•You can only apply ACLs in the inbound direction; the out keyword is not supported for Layer 2 interfaces.
: On a Layer 2 interface an ACL can only be applied in the inbound direction.
•You can only apply one IP ACL and one MAC ACL per interface.
: Only one IP ACL and one MAC ACL can be configured per interface (one of each, so two lists in total are possible).
•Layer 2 interfaces Port ACLs do not support logging; if the log keyword is specified in the IP ACL, it is ignored.
: Port ACLs on Layer 2 interfaces do not support logging.
•An IP ACL applied to a Layer 2 interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs.
: On a Layer 2 interface only IP packets can be filtered by an IP ACL. To filter non-IP packets, use MAC extended ACLs applied with the mac access-group command.
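The following configuration is an added example, not part of the Cisco command reference, showing the port-ACL restrictions above on a Layer 2 access port and the trunk-port behaviour described at the top of the page: one extended IP ACL plus one MAC extended ACL, both inbound, and the same port ACL reused on a trunk. The interface numbers, VLAN numbers, the resolver address 10.0.0.53 and the ACL names are assumptions.

```cisco
! Added example, not from the Cisco reference: a port ACL on a Layer 2 access port
! and on a trunk. Interface, VLAN, address and ACL names are assumptions.
!
! Extended IP ACL: allow DHCP, DNS to the assumed resolver and web traffic, drop the rest.
! The "log" keyword is accepted here but ignored once the list is applied to an L2 port.
ip access-list extended PACL-USER-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny   ip any any log
!
! MAC extended ACL: the IP ACL above never sees non-IP frames (ARP, AppleTalk, ...),
! so a second, MAC-level list is needed for them. Here AppleTalk is dropped and all
! other non-IP frames are allowed.
mac access-list extended PACL-NONIP-IN
 deny   any any appletalk
 permit any any
!
! Both lists go on the port inbound: one IP ACL plus one MAC ACL per port,
! and "ip access-group ... out" is rejected on a Layer 2 interface.
interface gigabitethernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-USER-IN in
 mac access-group PACL-NONIP-IN in
!
! On a trunk the same port ACL filters the traffic of every VLAN carried by the
! trunk; a voice-VLAN port likewise has both its data and voice VLANs filtered.
interface gigabitethernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group PACL-USER-IN in
```

Check the bindings with show ip interface gigabitethernet1/0/1, show access-lists and show mac access-group. Because logging is silently ignored on a Layer 2 port, do not rely on the deny entry's log keyword for visibility; if you need hit counts, look at the show access-lists counters or move the logging requirement to a router ACL on the SVI.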
You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map:
•When an input port ACL is applied to an interface and a VLAN map is applied to a VLAN that the interface is a member of, incoming packets received on ports with the ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
•When an input router ACL and input port ACLs exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
•When an output router ACL and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
•When a VLAN map, input router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
•When a VLAN map, output router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.
A Layer 3 interface can have one IP ACL applied in each direction.
You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
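The precedence rules above are easiest to see with all three ACL types on one VLAN. The configuration below is an added example, not part of the Cisco command reference: a router ACL pair on SVI 10, a VLAN map on VLAN 10 and a port ACL on one access port in that VLAN, with comments stating which list filters which packet. Addresses, interface numbers and list names are assumptions; no ip unreachables is standard IOS interface configuration used here to suppress the ICMP Host Unreachable that a Layer 3 discard generates by default.

```cisco
! Added example, not from the Cisco reference: a router ACL, a VLAN map and a port ACL
! on the same VLAN 10. Addresses, interface and list names are assumptions.
! Define every list before applying it: "ip access-group" accepts the name of a list
! that does not exist yet, and such a binding passes all packets.
!
! Router ACL pair for the SVI: applies only to routed IP packets, one list per direction.
ip access-list extended RACL-VLAN10-IN
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny   ip any any
ip access-list extended RACL-VLAN10-OUT
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny   ip any any
!
! VLAN map: drops Telnet inside VLAN 10 for bridged and routed packets alike.
! An access map has an implicit drop, so the last entry forwards everything else.
ip access-list extended VMAP-TELNET
 permit tcp any any eq telnet
vlan access-map VLAN10-MAP 10
 match ip address VMAP-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10
!
! Port ACL on a printer port: only packets sourced from the printer's address are
! accepted. Packets entering here are filtered by this list alone; the VLAN map
! and RACL-VLAN10-IN are not consulted for them, so the port ACL must itself carry
! any rule (such as the Telnet drop) that must also hold on this port.
ip access-list extended PACL-PRINTER-IN
 deny   tcp host 10.10.0.50 any eq telnet
 permit ip host 10.10.0.50 any
 deny   ip any any
interface gigabitethernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-PRINTER-IN in
!
! SVI: one IP ACL per direction. A packet that entered VLAN 10 on a port without a
! port ACL and is routed is filtered by both VLAN10-MAP and RACL-VLAN10-IN; a packet
! routed out to VLAN 10 is filtered by both RACL-VLAN10-OUT and VLAN10-MAP; a packet
! bridged within VLAN 10 is filtered by VLAN10-MAP only.
interface vlan 10
 ip address 10.10.0.1 255.255.0.0
 ip access-group RACL-VLAN10-IN in
 ip access-group RACL-VLAN10-OUT out
 no ip unreachables
```

Verify with show ip interface vlan 10, show ip access-lists, show vlan access-map and show vlan filter. The practical consequence of the precedence rule is the one commented on the printer port: a port ACL does not add to the VLAN map and router ACL, it replaces them for that port's inbound traffic, so a restriction enforced in a VLAN map is silently lost on any port that later gets its own port ACL unless it is repeated there.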
For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.
For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
Examples
This example shows how to apply IP access list 101 to inbound packets on a port:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 101 in
You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.
Related Commands
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/command/reference/cli1.html#wp2774755