EasyManuals Logo

Cisco IE 3000 User Manual

Cisco IE 3000
760 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #543 background imageLoading...
Page #543 background image
30-3
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-01
Chapter 30 Configuring Network Security with ACLs
Understanding ACLs
Figure 30-1 Using ACLs to Control Traffic to a Network
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer
4 information, the matching rules are modified:
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Host A
Host B
101365
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
=Packet
Human
Resources
network

Table of Contents

Other manuals for Cisco IE 3000

Preview: Getting Started Guide
Getting Started Guide32 pages
Preview: Hardware Installation Guide
Hardware Installation Guide186 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco IE 3000 and is the answer not in the manual?

Cisco IE 3000 Specifications

General IconGeneral
Operating Temperature-40 to 75°C (-40 to 167°F)
DRAM128 MB
Flash Memory32 MB
Uplink Ports2 x 10/100/1000Base-T or SFP
MAC Address Table Size8000
MountingDIN rail, Wall

Related product manuals