IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Caution IPv4 ACLs can enhance network security by blocking selected traffic, and can
serve as one aspect of maintaining network security. However, because ACLs
do not provide user or device authentication, or protection from malicious
manipulation of data carried in IP packet transmissions, they should not
be relied upon for a complete security solution.
Note Static ACLs for the switches covered by this guide do not filter non-IPv4 traffic
such as IPv6, AppleTalk, and IPX. Dynamic port ACLs assigned by a RADIUS
server can be configured on the server to filter IPv4 traffic, but do not filter
non-IP traffic.
Guidelines for Planning the Structure of a Static ACL
After determining the filtering type (standard or extended) to use at a partic-
ular point in your network, determine the order in which to apply individual
ACEs to filter IPv4 traffic (For information on ACL applications, refer to “ACL
Applications” on page 9-14.).
■ The sequence of ACEs is significant. When the switch uses an ACL to
determine whether to permit or deny an ip packet, it compares the
packet to the criteria specified in the individual Access Control
Entries (ACEs) in the ACL, beginning with the first ACE in the list and
proceeding sequentially until a match is found. When a match is
found, the switch applies the indicated action (permit or deny) to the
packet.
■ The first match in an ACL dictates the action on a packet. Subsequent
matches in the same ACL are ignored. However, if a packet is
permitted by one ACL assigned to an interface, but denied by another
ACL assigned to the same interface, the packet will be denied on the
interface.
■ On any ACL, the switch implicitly denies IPv4 packets that are not
explicitly permitted or denied by the ACEs configured in the ACL. If
you want the switch to forward a packet for which there is not a match
in an ACL, append an ACE that enables Permit Any forwarding as the
last ACE in the ACL. This ensures that no packets reach the Implicit
Deny case for that ACL.
9-26
To Next Page
Loading...
Need help?
General
