54-2
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
About ACLs
This section includes these topics:
• Overview, page 54-2
• Supported Features That Use ACLs, page 54-3
• Router ACLs, page 54-3
• Port ACLs, page 54-4
• Dynamic ACLs, page 54-5
• VLAN Maps, page 54-5
Overview
An ACL is a collection of sequential permit and deny conditions that applies to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the permissions required to be forwarded, based on the conditions specified in the access lists. It tests the packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch drops the packet. If no restrictions exist, the switch forwards the packet; otherwise, the switch drops the packet.
Switches traditionally operate at Layer 2, switching traffic within a VLAN. Routers route traffic between VLANs at Layer 3. The Catalyst 4500 series switch can accelerate packet routing between VLANs by using Layer 3 switching. The Layer 3 switch bridges the packet, and then routes the packet internally without going to an external router. The packet is then bridged again and sent to its destination. During this process, the switch can control all packets, including packets bridged within a VLAN.
You configure access lists on a router or switch to filter traffic and provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed on all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both. However, on Layer 2 interfaces, you can apply ACLs only in the inbound direction.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.
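As an added illustration (not code from the Cisco guide) of the first-match rule and the e-mail-but-not-Telnet example above, the following Python evaluator applies IOS-style extended IP ACEs in order, using Cisco wildcard masks and the implicit deny at the end of the list; the ACL contents, addresses and the `eq`-only port handling are constructed for this demo.

```python
import ipaddress

# Added example (not from the Cisco guide): a first-match evaluator for
# IOS-style extended IP ACEs with Cisco wildcard masks (1 bit = don't care).
# Only the keywords the demo needs are supported: any / host / <net> <wildcard>, eq.
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # None = any IP protocol

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: address bits under a 1 in the mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return ((net, wild), next_i)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """'deny tcp 10.1.1.0 0.0.0.255 any eq 23' -> dict of match fields."""
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[0], "proto": PROTO[tok[1]], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, pkt):
    """Test ACEs in order; the first match decides. No match -> implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], n          # (verdict, matching ACE number)
    return "deny", None                  # implicit deny at the end of the list

# Constructed ACLs: the same ACEs in two orders. In SHADOWED the broad permit
# matches first, so the Telnet deny is never reached.
GOOD = [parse_ace(l) for l in ("deny tcp 10.1.1.0 0.0.0.255 any eq 23",
                               "permit tcp 10.1.1.0 0.0.0.255 any eq 25")]
SHADOWED = [parse_ace(l) for l in ("permit ip 10.1.1.0 0.0.0.255 any",
                                   "deny tcp 10.1.1.0 0.0.0.255 any eq 23")]
TELNET = {"proto": 6, "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 23}
SMTP = {"proto": 6, "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 25}
OTHER = {"proto": 17, "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 53}
```

`evaluate(GOOD, TELNET)` returns `("deny", 1)` while `evaluate(SHADOWED, TELNET)` returns `("permit", 1)`, and the UDP packet is dropped by the implicit deny in both cases.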
The Catalyst 4500 series switch supports three types of ACLs:
• IP ACLs, which filter IP traffic, including TCP, the User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
• IPv6 ACLs
• MAC ACLs, which match based on Ethernet addresses and EtherType