545
Cisco Systems, Inc. www.cisco.com
Configuring Network Security with ACLs
Information About Network Security with ACLs
ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it
passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a
sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the
switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions
to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions
in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops
testing after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the
packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch
can use ACLs on all packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure
ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control
which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router
interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to
block inbound traffic, outbound traffic, or both.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of
conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in
which the ACL is used.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol
(IGMP), and Internet Control Message Protocol (ICMP).
Ethernet ACLs filter non-IP traffic.
This switch also supports quality of service (QoS) classification ACLs. For more information, see Classification Based on
QoS ACLs, page 580.
These sections contain this conceptual information:
Supported ACLs, page 545
Handling Fragmented and Unfragmented Traffic, page 547
Supported ACLs
Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound
direction. You can apply only one IP access list and one MAC access list to a Layer 2 interface. For more information, see
Port ACLs, page 546.
To Next Page
Loading...
Need help?
General
