31-2
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-07
Chapter 31 Configuring Network Security with ACLs
Understanding ACLs
which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail
traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound
traffic, or both.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports IPv4 ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.
This switch also supports quality of service (QoS) classification ACLs. For more information, see the
“Understanding QoS” section on page 33-1.
These sections contain this conceptual information:
• Supported ACLs, page 31-2
• Handling Fragmented and Unfragmented Traffic, page 31-5
Supported ACLs
The switch supports three applications of ACLs to filter traffic:
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs
in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer
2 interface.
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in
a specific direction (inbound or outbound). The switch must be running the metro IP access image
to support router ACLs.
• VLAN ACLs or VLAN maps access-control all packets (forwarded and routed). You can use VLAN
maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide
access control based on Layer
3 addresses for IPv4. Unsupported protocols are access-controlled
through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets
entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through
a switch port or through a routed port after being routed.
You can use input port ACLs, router ACLs, and VLAN maps on the same switch. However, a port ACL
takes precedence over a router ACL or VLAN map.
• When both an input port ACL and a VLAN map are applied, incoming packets received on ports
with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map
• When an input router ACL and input port ACL exist in an switch virtual interface (SVI), incoming
packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming
routed IPv4 packets received on other ports are filtered by the router ACL. Other packets are not
filtered.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the
ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv4 packets are
filtered by the router ACL. Other packets are not filtered.
To Next Page
Loading...
Need help?
General
