25-20
Catalyst 3750 Metro Switch Software Configuration Guide
78-15870-01
Chapter 25 Configuring Network Security with ACLs
Configuring IP ACLs
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.
IP ACL Configuration Examples
This section provides examples of configuring and applying IP ACLs. For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
Figure 25-3 shows a small networked office environment with the routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data. All users can access Server A, but Server B has restricted access.
Use router ACLs to do this in one of two ways:
• Create a standard ACL, and filter traffic coming to the server from Port 1.
• Create an extended ACL, and filter traffic coming from the server into Port 1.
Figure 25-3 Using Router ACLs to Control Traffic
[Figure: Server A (Benefits) is attached to routed Port 2 and Server B (Payroll) to routed Port 1. User subnets: Accounting 172.20.128.64-95 and Human Resources 172.20.128.0-31.]
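The two approaches listed above, written out as an added example for the Figure 25-3 network (this is not configuration from the guide itself). It assumes Port 1 is gigabitethernet1/0/1, that Server B has the placeholder address 172.20.200.10, and that only Accounting may reach the payroll server.

```cisco
! Added example, not from the configuration guide. Assumptions: Port 1 is
! gigabitethernet1/0/1 (routed port toward Server B), Server B is 172.20.200.10
! (placeholder), and only Accounting (172.20.128.64-95) may reach payroll.
!
! Option 1: standard ACL. It matches on source address only, so apply it
! outbound on Port 1 to filter traffic going toward Server B.
! 172.20.128.64-95 is a /27 block, so the wildcard mask is 0.0.0.31.
access-list 6 remark Accounting only to Server B (payroll)
access-list 6 permit 172.20.128.64 0.0.0.31
! Every other source falls through to the implicit deny at the end of the list
! and is dropped in hardware.
interface gigabitethernet1/0/1
 ip access-group 6 out
!
! Option 2: extended ACL applied inbound on Port 1, filtering what Server B
! sends into the switch. Source and destination are both checked.
access-list 106 remark Server B may talk to Accounting only
access-list 106 permit ip host 172.20.200.10 172.20.128.64 0.0.0.31
access-list 106 deny ip host 172.20.200.10 172.20.128.0 0.0.0.31 log
! log on the deny ACE sends a copy of each matching packet to the CPU; the
! drop itself still happens in hardware. Logging the permit ACE would copy
! every permitted packet to the CPU as well, so leave it off there.
interface gigabitethernet1/0/1
 ip access-group 106 in
```

Apply only one of the two options to the port; use show access-lists to confirm the ACEs and wildcard bits after entering them.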