HP 2530 User Manual
What traffic can you implicitly block by taking advantage of the implicit deny any, denying traffic you have not explicitly permitted? This can reduce the number of entries needed in an ACL and make more economical use of switch resources.
What traffic should you permit? Sometimes you need to explicitly identify permitted traffic; at other times, depending on your policies, you can insert a permit any (standard ACL) or permit ip any any (extended ACL) entry at the end of an ACL to permit all IP traffic not specifically matched by earlier entries in the list.
Security
ACLs can enhance security by blocking IPv6 traffic carrying an unauthorized source IPv6 address. This can include:
Blocking access to or from subnets in your network
Blocking access to or from the internet
Blocking access to sensitive data storage or restricted equipment
Preventing the use of specific TCP or UDP functions (such as Telnet, SSH, web browser) for unauthorized access
You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA).
CAUTION: ACLs can enhance network security by blocking selected IP traffic, and they can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions, do not rely on them for a complete security solution.
NOTE: ACLs do not screen non-IP traffic such as AppleTalk and IPX packets.
Guidelines for planning ACL structure
The first step in planning a specific ACL is to determine where to apply it. (See "ACL inbound application points" on page 59.) Then determine the order in which you want individual ACEs in the ACL to filter traffic. For applications that place high demand on switch resources for ACLs, order the individual ACEs in a list to avoid unnecessary resource demand. For more on this topic, see "Planning an ACL application" (page 68; "Planning an ACL Application" on page 69).
The first match dictates the action on a packet; subsequent matches are ignored.
On any ACL, the switch implicitly denies IPv6 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is no match in an ACL, add permit any as the last ACE in the ACL. This ensures that no packets reach the implicit deny any case for that ACL.
Generally, list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets), unless doing so permits traffic that you want dropped.
For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
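The three rules stated above (first match wins, unmatched packets hit the implicit deny any unless a trailing permit any is present, and specific ACEs go before general ones) can be checked before an ACL is ever applied to a port. The following Python model is an added example, not the switch's own code or the HP manual's; it reduces an ACE to a source prefix, a destination prefix and an action, ignores protocol and port matching, and uses constructed addresses from the 2001:db8::/32 documentation range. It replays the printer example from this section in both the recommended order and the reversed order, and adds a shadow check that flags any ACE an earlier, broader ACE prevents from ever matching.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample prefixes (documentation range, not real hosts).
WORKSTATIONS = "2001:db8:10::/64"   # small group allowed to use the printer
PRINTER = "2001:db8:20::1/128"      # the specialized printer
ANY = "::/0"                        # "any" in the page's sense

@dataclass(frozen=True)
class ACE:
    """One access control entry: action plus source/destination prefixes."""
    action: str            # "permit" or "deny"
    src: IPv6Network
    dst: IPv6Network
    description: str = ""

def ace(action: str, src: str, dst: str, description: str = "") -> ACE:
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return ACE(action, ip_network(src), ip_network(dst), description)

def evaluate(acl: List[ACE], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation as the section describes.

    Returns (action, index of the matching ACE). If no ACE matches, the
    packet falls through to the implicit deny any, reported as ("deny", None).
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, e in enumerate(acl):
        if s in e.src and d in e.dst:
            return e.action, i        # later matches are ignored
    return "deny", None               # implicit deny any

def find_shadowed(acl: List[ACE]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs.

    ACE j is shadowed by an earlier ACE i when everything j could match is
    already covered by i, so j can never be the first match. This is the
    ordering mistake the page warns about (general entry before specific).
    """
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                found.append((j, i))
                break
    return found

# Recommended order: specific permit, then the broad deny, then permit any.
GOOD_ACL = [
    ace("permit", WORKSTATIONS, PRINTER, "workstations may print"),
    ace("deny", ANY, PRINTER, "block widespread access to the printer"),
    ace("permit", ANY, ANY, "forward everything else"),
]

# Reversed order: the broad deny now shadows the specific permit.
BAD_ACL = [
    ace("deny", ANY, PRINTER, "block widespread access to the printer"),
    ace("permit", WORKSTATIONS, PRINTER, "never reached"),
    ace("permit", ANY, ANY, "forward everything else"),
]

# Same as GOOD_ACL but without a trailing permit any: unrelated traffic is
# silently dropped by the implicit deny.
NO_FINAL_PERMIT = GOOD_ACL[:2]

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL), ("no-final-permit", NO_FINAL_PERMIT)):
        print(name, "workstation->printer:", evaluate(acl, "2001:db8:10::25", "2001:db8:20::1"))
        print(name, "other->printer:     ", evaluate(acl, "2001:db8:30::7", "2001:db8:20::1"))
        print(name, "other->other:       ", evaluate(acl, "2001:db8:30::7", "2001:db8:40::9"))
        print(name, "shadowed ACEs:      ", find_shadowed(acl))
```

Running the model shows the workstation reaching the printer under GOOD_ACL but being denied by the first ACE under BAD_ACL, and the shadow check reports the permit at index 1 of BAD_ACL as unreachable; NO_FINAL_PERMIT denies unrelated traffic with no matching index, which is the implicit deny any case the section tells you to close with a final permit any when you want it forwarded.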
Traffic management and improved network performance 71