54-5
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
About ACLs
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
With port ACLs, you can filter IPv4 traffic with IPv4 access lists, IPv6 traffic with IPv6 access lists, and
non-IP traffic with MAC access lists. You can filter multiple types of traffic simultaneously by applying
ACLs of the appropriate type to the Layer 2 interface simultaneously.
Note You cannot simultaneously apply more than one access list of a given type to a Layer 2 interface. If an
IPv4, IPv6, or MAC access list is already configured on a Layer 2 interface, and you apply a new IPv4,
IPv6 or MAC access list to the interface, the new ACL replaces the previously configured ACL of the
same type.
Dynamic ACLs
Various security features, such as 802.1X, NAC and Web Authentication, are capable of downloading
ACLs from a central server and applying them to interfaces. Prior to Cisco IOS Release 12.2(54)SG,
these features required the explicit configuration of a standard port ACL
Starting with Cisco IOS Release 12.2(54)SG, a port ACL does not require configuration. For more
details refer to the “Removing the Requirement for a Port ACL” section on page 54-29.
VLAN Maps
VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch
to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are not
defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. Access of all non-IP protocols
is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not
controlled by MAC ACLs in VLAN maps.) You can enforce VLAN maps only on packets heading to the
switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding packets is permitted or denied, based on the action specified in the map.
Figure 54-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in
VLAN 10 from being forwarded.
Figure 54-2 Using VLAN Maps to Control Traffic
Si
Host B
(VLAN 10)
Host A
(VLAN 10)
94153
= VLAN map denying specific type
of traffic from Host A
= Packet
Catalyst 4500 series switch
To Next Page
Loading...
Need help?
General
