Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 62      Configuring Network Security with ACLs
About ACLs
Supported Features That Use ACLs
The switch supports three applications of ACLs to filter traffic:
• Router ACLs are applied to Layer 3 interfaces. They control the access of routed traffic between VLANs. All Cisco Catalyst 4500 Series Switches can create router ACLs, but you must have a Cisco IOS software image on your switch to apply an ACL to a Layer 3 interface and filter packets routed between VLANs.
• Port ACLs perform access control on traffic entering a Layer 2 interface. If insufficient hardware CAM entries exist, the output port ACL is not applied to the port and a warning message is given to the user. (This restriction applies to all access group modes for output port ACLs.) When sufficient CAM entries become available, the output port ACL can be reapplied.
If any output port ACL is configured on a Layer 2 port, no VACL or router ACL can be configured on the VLANs that the Layer 2 port belongs to. The reverse is also true: port ACLs and VLAN-based ACLs (VACLs and router ACLs) are mutually exclusive on a Layer 2 port. This restriction applies to all access group modes. In the input direction, port ACLs, VLAN-based ACLs, and router ACLs can coexist.
You can apply one IPv4 access list, one IPv6 access list, and one MAC access list to a Layer 2 interface.
• VLAN maps filter traffic between devices in the same VLAN. You do not need the enhanced image to create or apply VLAN maps. VLAN maps control access based on Layer 3 addresses for IP traffic; for protocols that are not supported as IP, Ethernet ACEs matching MAC addresses control access. After you apply a VLAN map to a VLAN, all packets (routed or bridged) entering the VLAN are checked against that map. Packets can enter the VLAN either through a switch port or through a routed port after being routed.
You can use both router ACLs and VLAN maps on the same switch.
Router ACLs
You can apply one access list of each supported type to an interface.
Note Cisco Catalyst 4500 Series Switches running Cisco IOS Release 12.2(40)SG do not support IPv6 port ACLs (PACLs).
Multiple features can use one ACL for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times. The access list type determines the input to the matching operation:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
The switch examines the ACLs associated with the features configured on a given interface in a given direction. As packets enter the switch on an interface, the ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.
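The following configuration is an added example, not taken from this Cisco guide, that ties together the two passages above: it defines one standard and one extended IP access list (to show what each type matches on) and then applies a router ACL to a Layer 3 SVI, a port ACL to a Layer 2 access port, and a VLAN map to the same VLAN. The VLAN numbers, addresses, interface names and ACL names are assumed values chosen for illustration. The port ACL is applied inbound only, because the coexistence rule in the text forbids a VACL or router ACL on VLAN 10 once an outbound port ACL exists on one of its ports.

```cisco
! Added example (not from the Cisco configuration guide). Names, VLAN
! numbers and addresses are assumed values.
!
! Standard IP ACL: the match uses the source address only. The wildcard
! mask 0.0.0.255 makes the entry match all of 10.1.10.0/24.
ip access-list standard SRC-VLAN10
 permit 10.1.10.0 0.0.0.255
 ! every IP ACL ends with an implicit "deny any"
!
! Extended IP ACL: source, destination, protocol and port all take part
! in the match. Entries are evaluated top to bottom, first match wins.
ip access-list extended VLAN10-TO-SERVERS
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 443
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip  any any
!
! Router ACL: bound to a Layer 3 interface (the VLAN 10 SVI), so it only
! sees traffic that is routed between VLANs. "in" is checked as packets
! enter; an "out" ACL would be checked after routing, on the egress SVI.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-TO-SERVERS in
!
! Port ACL: bound to a Layer 2 port, checked on everything entering the
! port, bridged or routed. Applied inbound only, so that the VACL and
! router ACL on VLAN 10 remain allowed (they can coexist on input).
ip access-list extended NO-INBOUND-TELNET
 deny   tcp any any eq 23
 permit ip any any
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group NO-INBOUND-TELNET in
!
! VLAN map: the only one of the three that can filter traffic between
! two hosts inside VLAN 10, since that traffic is bridged, never routed.
! Sequence 10 drops host-to-host SMB within the VLAN, sequence 20 forwards
! everything else (a VLAN map with no matching entry drops the packet).
ip access-list extended BLOCK-PEER-SMB
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 445
!
vlan access-map VLAN10-MAP 10
 match ip address BLOCK-PEER-SMB
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
```

To confirm what the switch actually programmed, check `show ip access-lists`, `show ip interface vlan 10` (which reports the inbound and outbound access lists on the SVI), `show vlan access-map` and `show vlan filter`. If the port ACL were changed to `out`, the configuration of `VLAN10-MAP` and the router ACL on `Vlan10` would be rejected for VLAN 10, which is the restriction the text describes; the CAM-exhaustion warning mentioned for output port ACLs is another reason to prefer inbound port ACLs where the policy allows it.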