54-4
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
About ACLs
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For
example, you can use access lists to allow one host to access a part of a network, but prevent another
host from accessing the same part. In Figure 54-1, ACLs applied at the router input allow Host A to
access the Human Resources network, but prevent Host B from accessing the same network.
Figure 54-1 Using ACLs to Control Traffic to a Network
Port ACLs
You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical
interfaces and EtherChannel interfaces.
The following access lists are supported on Layer 2 interfaces:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type
information
• IPv6 access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information
As with router ACLs, the switch examines ACLs associated with features configured on a given interface
and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In the
example in Figure 54-1, if all workstations were in the same VLAN, ACLs applied at the Layer 2 input
would allow Host A to access the Human Resources network, but prevent Host B from accessing the
same network.
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
Si
Host A
Host B
94152
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Catalyst 4500 series switch
Human
Resources
network
To Next Page
Loading...
Need help?
General
