
Port Access-List [Applying an ACL to an L2 port (trunk, etc.) on an L3 switch]

Port ACL (PACL)
 When a PACL is applied to a trunk port, the ACL filters the traffic of every VLAN carried on that trunk port. When a PACL is applied to a port with a voice VLAN, the ACL filters both the data VLAN and the voice VLAN traffic.


ip access-group

Use the ip access-group interface configuration command on the switch stack or on a standalone switch to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface.

ip access-group {access-list-number | name} {in | out}

no ip access-group [access-list-number | name] {in | out}

Syntax Description

access-list-number

The number of the IP access control list (ACL). The range is 1 to 199 or 1300 to 2699.

name

The name of an IP ACL, specified in the ip access-list global configuration command.

in

Specify filtering on inbound packets.

out

Specify filtering on outbound packets. This keyword is valid only on Layer 3 interfaces.


Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(35)SE2

This command was introduced.


Usage Guidelines

You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access-list global configuration command. You can use numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.

You can use this command to apply an access list to a Layer 2 or Layer 3 interface. However, note these limitations for Layer 2 interfaces (port ACLs):
   : On a Layer 3 switch an ACL can be configured on both Layer 2 and Layer 3 interfaces, but on a Layer 2 interface
     the ACL configuration is restricted as described below.

You can only apply ACLs in the inbound direction; the out keyword is not supported for Layer 2 interfaces. 
    : On a Layer 2 interface an ACL can be applied in the inbound direction only.

You can only apply one IP ACL and one MAC ACL per interface. 
    : Only one IP ACL and one MAC ACL can be configured per interface (one of each, so two ACLs in total are possible).

Layer 2 interfaces Port ACLs do not support logging; if the log keyword is specified in the IP ACL, it is ignored.
     : Port ACLs on Layer 2 interfaces do not support logging.

An IP ACL applied to a Layer 2 interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs.
     : On a Layer 2 interface only IP packets can be filtered. Non-IP packets must be filtered with a MAC extended ACL applied with mac access-group.
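Putting the four limitations together, here is a complete configuration for the case in the title: a PACL on a dot1q trunk port of a Layer 3 switch, with a MAC ACL beside it for the non-IP frames the IP ACL cannot see. This is an added example, not configuration from the original page or from Cisco's reference; the interface number, VLAN numbers, addresses, MAC address and ACL names are assumed values chosen for illustration.

```cisco
! Added example (not from the original page). Interface, VLANs, addresses,
! the MAC address and the ACL names are assumed values.
!
! 1. IP ACL. On a Layer 2 port this matches IP packets only, and because a
!    PACL is inbound-only, "inbound" means frames arriving on the trunk from
!    the downstream access switch, on every VLAN the trunk carries (10 and 20).
ip access-list extended PACL-TRUNK-IN
 remark DHCP clients have no address yet, so match on the UDP ports only
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver (assumed address)
 permit udp 10.10.0.0 0.0.255.255 host 10.10.1.53 eq domain
 remark no SMB between internal subnets over this uplink (lateral movement)
 deny   tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 445
 remark everything else from the internal range may pass
 permit ip 10.10.0.0 0.0.255.255 any
 remark a "log" keyword on this line would be accepted but ignored on a Layer 2 port,
 remark and no ICMP Host Unreachable is generated for the discarded packets
 deny   ip any any
!
! 2. MAC ACL for the non-IP frames. One assumed bad source MAC is dropped,
!    all other non-IP frames are forwarded.
mac access-list extended PACL-TRUNK-MAC
 deny   host 0000.0c12.3456 any
 permit any any
!
! 3. Apply both to the trunk: one IP ACL plus one MAC ACL per port, inbound only.
interface GigabitEthernet1/0/24
 description uplink to access switch (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip access-group PACL-TRUNK-IN in
 mac access-group PACL-TRUNK-MAC in
!
! "ip access-group PACL-TRUNK-IN out" is not accepted on this port; the out
! keyword exists only for Layer 3 interfaces.
!
! 4. Verify from privileged EXEC:
!    show ip interface gigabitethernet1/0/24
!    show access-lists PACL-TRUNK-IN
!    show mac access-group interface gigabitethernet1/0/24
```

Because the PACL is evaluated before anything else on the switch, the replies to the DHCP and DNS requests are not affected by it: they arrive on other ports and leave this trunk outbound, a direction a port ACL never filters.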

You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map:

When an input port ACL is applied to an interface and a VLAN map is applied to a VLAN that the interface is a member of, incoming packets received on ports with the ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.

When an input router ACL and input port ACLs exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.

When an output router ACL and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.

When a VLAN map, input router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.

When a VLAN map, output router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
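The three filter types from the rules above, coexisting on one switch, as an added example that is not part of the original page or of Cisco's reference. The VLAN number, interface, addresses and ACL names are assumptions; the comments at the end map each kind of packet to the rule that governs it.

```cisco
! Added example (not from the original page). VLAN, interface, addresses and
! names are assumed values.
!
! Port ACL on an access port in VLAN 10.
ip access-list extended PACL-HOSTS-IN
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ip access-group PACL-HOSTS-IN in
!
! VLAN map on VLAN 10: drop Telnet, forward everything else. The permit
! entries of the referenced ACL define what the map clause matches.
ip access-list extended VMAP-10-TELNET
 permit tcp any any eq telnet
!
vlan access-map VMAP-10 10
 match ip address VMAP-10-TELNET
 action drop
vlan access-map VMAP-10 20
 action forward
vlan filter VMAP-10 vlan-list 10
!
! Input router ACL on the SVI: only HTTPS from VLAN 10 to the 10.10.20.0/24
! subnet, other destinations unrestricted.
ip access-list extended RACL-VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group RACL-VLAN10-IN in
!
! Which filter sees which packet (VLAN map + input router ACL + input port ACL):
!  - a packet entering Gi1/0/1 is checked by PACL-HOSTS-IN only; neither
!    VMAP-10 nor RACL-VLAN10-IN is consulted, even when the packet is routed;
!  - a routed IP packet entering VLAN 10 on any other port is checked by
!    VMAP-10 and then by RACL-VLAN10-IN;
!  - a bridged (same-VLAN) packet entering on any other port is checked by
!    VMAP-10 only.
```

The practical consequence is that a port ACL exempts its port from the VLAN map and the router ACL: a host behind Gi1/0/1 can still Telnet inside VLAN 10 and can still reach 10.10.20.0/24 on any port, because PACL-HOSTS-IN permits it and nothing else is consulted. Every restriction that must hold for that port has to be written into the port ACL itself.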

You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.

A Layer 3 interface can have one IP ACL applied in each direction.

You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.

For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

Examples

This example shows how to apply IP access list 101 to inbound packets on a port:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 101 in

You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.

Related Commands

Command
Description

access list

Configures a numbered ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.

ip access-list

Configures a named ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.

show access-lists

Displays ACLs configured on the switch.

show ip access-lists

Displays IP ACLs configured on the switch. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.

show ip interface

Displays information about interface status and configuration. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.



http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/command/reference/cli1.html#wp2774755