IP Access List Configuration on a Catalyst Switch using CLI




Introduction

This document provides instructions on how to configure an IP access list on your Cisco Catalyst switch. The procedure applies to Cisco Catalyst switches that run Cisco IOS software.





Requirements

To perform the steps described in this document, you need these items:

  • You must have completed the initial configuration of the switch; if not, refer to .

  • A console cable. For more information about cables, refer to Cable Descriptions.

  • Terminal emulation software such as HyperTerminal.

  • Switch running IOS version 12.1(11)EA1 or later for SMI images or any EMI image.

  • Complete the Switch Port Assignment Worksheets as instructed in the Site Survey.





IP Access List Overview

Access lists (ACLs) are used to filter undesired IP traffic entering or leaving a network. On a Layer 2 interface, an ACL can be applied only in the inbound direction. On a Layer 3 interface, an ACL can be applied in the inbound direction, the outbound direction, or both. The interface can be a physical interface or a VLAN interface. On switches, different networks are implemented as different VLANs, so an ACL can be used to filter IP traffic entering or leaving a VLAN. When a new VLAN is created and an IP address is assigned to it, the VLAN becomes a Layer 3 VLAN. IP traffic can pass between Layer 3 VLANs through a router, or through the switch itself if the switch supports routing. When routing is enabled on a switch, every VLAN configured on the switch participates in routing, and IP traffic flows freely between them.

For security reasons, it is not desirable to permit all IP traffic to flow between the VLANs. In such a case, IP ACLs can be used to restrict the traffic that is allowed to pass between VLANs. In this document, we take the case of two VLANs, VLAN 21 and VLAN 22, which must communicate with each other but must not communicate with the Guest VLAN (VLAN 23). The network address used by VLAN 21 is 192.168.11.0, by VLAN 22 is 192.168.12.0, and by VLAN 23 is 192.168.13.0.

Note: To configure routing on Catalyst switches, refer to Configure Inter VLAN routing on Catalyst Switches.





Connect to the Switch

Follow these steps to connect your PC to the switch for configuration:

  1. Connect a PC to the switch with a console cable.

  2. Create a HyperTerminal connection to your switch. For more information, refer to Create a HyperTerminal Connection.

  3. Log into the switch with the login and password that you entered in fields B10 and B11 of the Switch Worksheet.

    Username:admin
    Password:
  4. Type enable and press Enter to access the privileged mode. Type the enable password that you entered in field S5 of the Switch Port Assignment Worksheet.

    switch>enable
    Password:




Configure ACL on a Catalyst Switch

Follow these steps to configure access lists on a Catalyst Switch:

  1. Make sure that the VLANs are already created and that appropriate IP addresses are assigned to them. If not, complete the steps in Configure a Catalyst Switch with Cisco Network Assistant.

  2. Enter global configuration mode and enter the access-list command followed by an ID and the permit keyword to permit traffic from VLAN 22 to VLAN 21. Any other traffic is denied by default by the implicit deny at the end of the access list.

    Switch#configure terminal
    Switch(config)#access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
    
  3. Use a different access list ID to configure a second access list: enter the access-list command followed by an ID and the permit keyword to permit traffic from VLAN 21 to VLAN 22. Any other traffic is denied by default by the implicit deny at the end of the access list.

    Switch(config)#access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
    
  4. Use a different access list ID to configure a third access list: enter the access-list command followed by an ID and the deny keyword to deny traffic from VLAN 21 destined for VLAN 23. Add two more access-list entries with the same ID to deny traffic from VLAN 22 destined for VLAN 23 and to permit any other traffic to VLAN 23.

    Switch(config)#access-list 103 deny ip 192.168.11.0 0.0.0.255 192.168.13.0 0.0.0.255
    Switch(config)#access-list 103 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
    Switch(config)#access-list 103 permit ip any 192.168.13.0 0.0.0.255
    
  5. Enter the VLAN 21 interface with the command interface vlan followed by the VLAN ID, 21. Apply access list 101 to VLAN 21 with the command ip access-group followed by the access list ID and the direction, as shown.

    Switch(config)#interface vlan 21
    Switch(config-if)#ip access-group 101 in
    
  6. Repeat step 5 to apply access list 102 to VLAN 22 and access list 103 to VLAN 23. Enter the command end to exit configuration mode, then enter the command copy running-config startup-config to save the configuration to NVRAM.

    Switch(config-if)#end
    Switch#copy running-config startup-config
    




Verify your configuration

A ping from a host in one VLAN to a host in another VLAN can be used to verify that the configuration is correct. A ping from VLAN 21 to VLAN 22, and vice versa, must succeed. A ping from VLAN 23 to either of the other VLANs, and vice versa, must fail if the configuration is correct.
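As an added illustration (not part of the original document, and not Cisco IOS code), the following Python script models how the access lists entered in the configuration steps decide on the ping tests listed above: it parses the page's five access-list lines, applies the inverted wildcard masks, and evaluates entries top-down with first match winning and the implicit deny at the end. The flow list and the .10 host addresses are constructed for the example.

```python
import ipaddress
# Constructed copy of the five access-list lines configured on this page (IOS numbered extended ACL syntax).
ACL_LINES = """
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 deny ip 192.168.11.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 103 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 103 permit ip any 192.168.13.0 0.0.0.255
"""

def _parse_addr(tokens):
    # Consume '<addr> <wildcard>', or the keyword 'any' (equivalent to 0.0.0.0 255.255.255.255).
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    # Group entries by ACL number, keeping the order they were entered (IOS evaluates top-down).
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()  # access-list <id> <permit|deny> ip <src> <wild> <dst> <wild>
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard masks are inverted: a 1 bit means 'ignore', so only the 0 bits are compared.
    care = ~int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def evaluate(acls, acl_id, src_ip, dst_ip):
    # The first matching entry decides; a packet matching nothing hits the implicit 'deny ip any any'.
    for action, (s, sw), (d, dw) in acls[acl_id]:
        if wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw):
            return action
    return "deny"

ACLS = parse_acls(ACL_LINES)
# The ping checks from the Verify section, expressed as flows against the ACL guarding each destination VLAN.
VERIFY_FLOWS = [
    (101, "192.168.12.10", "192.168.11.10", "permit"),  # VLAN 22 -> VLAN 21
    (102, "192.168.11.10", "192.168.12.10", "permit"),  # VLAN 21 -> VLAN 22
    (101, "192.168.13.10", "192.168.11.10", "deny"),    # Guest -> VLAN 21, caught by the implicit deny
    (103, "192.168.11.10", "192.168.13.10", "deny"),    # VLAN 21 -> Guest
    (103, "192.168.12.10", "192.168.13.10", "deny"),    # VLAN 22 -> Guest
]

def verify_all():
    # True when every expected ping outcome matches the ACL decision.
    return all(evaluate(ACLS, a, s, d) == want for a, s, d, want in VERIFY_FLOWS)
```

evaluate() judges a flow against an ACL regardless of where the ACL is bound; on a VLAN interface the in keyword checks packets arriving from that VLAN's own hosts, so if a ping that should succeed fails, confirm that the source networks in each ACL correspond to the interface and direction it is applied to.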





Next Step

You have completed configuring IP ACLs on your Cisco Catalyst Switches.

To make further changes to your switch, refer to the Switch Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: The switch boots and displays several error messages but does not display a prompt in HyperTerminal.

Cause(s) and Suggested Solution(s): Press Enter to clear the output and display the switch prompt.

For further assistance, contact the SMB Technical Assistance Center (SMB TAC).






© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.