Creating and applying ACLs

Create an ACL composed of one or more access control entries (ACEs) ordered and prioritized by sequence. Then, apply the ACL on an interface.

Prerequisites

You must be in the global configuration context: switch(config)#

Determine the following for each ACL:

  • Do you want to permit or deny traffic flow?

  • What matching criteria do you want to define in the ACEs?

  • On which interface do you want to apply the ACL?

  • Do you want to specify filtering on inbound or outbound packets?

    NOTE: No ACLs (including ACLs for IPv4, IPv6, and MAC) are supported in egress on the Layer 2 interface. Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

Procedure
  1. Create an ACL using one of these commands:
    • access-list ip

    • access-list ipv6

    • access-list mac

  2. Each of these access-list commands enters the named ACL context. Within the named ACL context, create the access control entries:

    switch(config-acl-ip)# 10 permit udp any 172.16.1.0/24

  3. To apply the ACL to an interface, enter:

    apply access-list {ip | ipv6 | mac} <ACL-NAME> {in | out}

    In the command, specify the type of ACL, ACL name, and whether to apply it to inbound or outbound packets.

Configuring and applying an ACL

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 10 permit udp any 172.16.1.0/24
switch(config-acl-ip)# 20 permit tcp 172.16.2.0/16 lt 1023 any
switch(config-acl-ip)# 30 permit tcp 172.26.1.0/24 any syn ack dscp 10
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit
switch(config)# interface 1/1/2
switch(config-if)# apply access-list ip MY_IP_ACL in
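The following Python model is added here to illustrate how the ACEs in the example above are evaluated; it is not part of the vendor documentation and not switch firmware. It parses the four ACEs of MY_IP_ACL exactly as typed (protocol, source/destination prefix or any, an optional lt/gt/eq/neq port operator, the syn/ack flags, dscp and count), evaluates constructed sample packets against them in sequence order so that the lowest-numbered matching ACE wins, and refuses the egress-on-Layer-2 combination the NOTE rules out. The names Ace, Packet, parse_ace, evaluate and apply_access_list are the example's own, and the implicit deny for packets that match no ACE is an assumption of the model, not something stated on this page.

```python
"""Ordered-ACE evaluation, added as an illustration of the model described above.
Example code, not AOS-CX firmware: it parses only the ACE syntax shown on the page
and models an implicit deny at the end of the list as an assumption."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

PORT_OPS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
            "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}

@dataclass
class Ace:
    seq: int
    action: str                             # "permit" or "deny"
    proto: str                              # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network | None       # None means "any"
    src_port: tuple[str, int] | None        # (operator, port) or None
    dst: ipaddress.IPv4Network | None
    dst_port: tuple[str, int] | None
    flags: set[str] = field(default_factory=set)   # TCP flags that must be set
    dscp: int | None = None
    count: bool = False

@dataclass
class Packet:                               # constructed packet summary, not a real header
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set[str] = field(default_factory=set)
    dscp: int = 0

def _addr(tok: str) -> ipaddress.IPv4Network | None:
    # strict=False accepts a prefix with host bits set, e.g. 172.16.2.0/16 on the page
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(tok: list[str], i: int) -> tuple[tuple[str, int] | None, int]:
    if i < len(tok) and tok[i] in PORT_OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one ACE exactly as typed in the config-acl-ip context."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, i = _addr(tok[3]), 4
    src_port, i = _port(tok, i)
    dst, i = _addr(tok[i]), i + 1
    dst_port, i = _port(tok, i)
    ace = Ace(seq, action, proto, src, src_port, dst, dst_port)
    while i < len(tok):                     # trailing keywords, any order
        if tok[i] in TCP_FLAGS:
            ace.flags.add(tok[i])
            i += 1
        elif tok[i] == "dscp":
            ace.dscp, i = int(tok[i + 1]), i + 2
        elif tok[i] == "count":
            ace.count, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in ACE: {line}")
    return ace

def matches(ace: Ace, pkt: Packet) -> bool:
    def port_ok(cond, port):
        return cond is None or PORT_OPS[cond[0]](port, cond[1])
    return (ace.proto in ("any", pkt.proto)
            and (ace.src is None or ipaddress.ip_address(pkt.src) in ace.src)
            and (ace.dst is None or ipaddress.ip_address(pkt.dst) in ace.dst)
            and port_ok(ace.src_port, pkt.sport) and port_ok(ace.dst_port, pkt.dport)
            and ace.flags <= pkt.flags
            and (ace.dscp is None or ace.dscp == pkt.dscp))

def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, int | None]:
    """The lowest-sequence matching ACE decides; an unmatched packet is denied
    (implicit deny, assumed by this model rather than stated on the page)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

def apply_access_list(interface_routed: bool, direction: str) -> str:
    """Enforce the NOTE above: egress ACLs only on Layer 3 (route-only) interfaces."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if direction == "out" and not interface_routed:
        raise ValueError("egress ACLs are not supported on Layer 2 interfaces")
    return direction

# The four ACEs from the page's MY_IP_ACL example
MY_IP_ACL = [parse_ace(l) for l in (
    "10 permit udp any 172.16.1.0/24",
    "20 permit tcp 172.16.2.0/16 lt 1023 any",
    "30 permit tcp 172.26.1.0/24 any syn ack dscp 10",
    "40 deny any any any count")]
```

Running evaluate(MY_IP_ACL, Packet("tcp", "172.16.5.7", "8.8.8.8", 80, 443)) returns ("permit", 20): ACE 10 is skipped because the protocol differs, and ACE 20 matches because the source falls inside 172.16.0.0/16 (the prefix the switch derives from 172.16.2.0/16) and the source port is below 1023. The same TCP packet with source port 40000 falls through to ACE 40 and is denied, which is why ordering by sequence number, not the order of typing, is the property to check when reviewing an ACL.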