Access Control Lists (ACLs) for the Series 5300xl Switches 
Planning an ACL Application 
It is important to remember that this ACL (like all ACLs) includes an implicit 
“deny IP any”. That is, routed IP packets (and switched packets having the 
switch as the destination IP address) that the ACL does not explicitly permit 
or deny will be implicitly denied, and therefore dropped instead of forwarded 
on the VLAN. You can preempt the implicit deny by inserting a “permit IP any” 
at the end of an ACL, but this solution does not apply in the preceding example, 
where the intention is for the switch to forward only explicitly permitted 
packets routed on VLAN 12. 
Overriding the Implicit “deny IP any”.  If you want an ACL to permit any 
routed packets that are not explicitly denied by other entries in the ACL, you 
can do so by configuring a permit any entry as the last entry in the ACL. Doing 
so permits any packet not explicitly denied by earlier entries. 
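The following model of first-match evaluation is an added example, not code from this manual or from the switch software. It shows which packets fall through to the implicit deny and how a final permit any entry changes the result. The entry syntax (CIDR prefixes instead of switch CLI syntax), the function names, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

IMPLICIT_DENY = "implicit deny"  # models the unlisted final entry of every ACL

def parse_ace(line):
    """Parse a simplified ACE: '<permit|deny> ip <src> <dst>' ('any' or CIDR)."""
    action, proto, src, dst = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    def net(spec):
        return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)
    return action, net(src), net(dst), line

def evaluate(acl, src, dst):
    """Return (action, matching entry). The first match wins; a packet that
    matches no explicit entry is dropped by the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, text in map(parse_ace, acl):
        if s in src_net and d in dst_net:
            return action, text
    return "deny", IMPLICIT_DENY

def implicitly_denied(acl, flows):
    """Flows that no explicit ACE matched: review these before applying the ACL."""
    return [f for f in flows if evaluate(acl, *f)[1] == IMPLICIT_DENY]

# Constructed sample data (not taken from the manual).
STRICT_ACL = [
    "permit ip 10.0.12.0/24 10.0.20.5/32",  # only this destination is allowed
    "deny ip 10.0.12.77/32 any",            # explicit deny for one host
]
# Same ACL with the implicit deny overridden by a final permit any entry.
OPEN_ACL = STRICT_ACL + ["permit ip any any"]

FLOWS = [
    ("10.0.12.10", "10.0.20.5"),   # explicitly permitted
    ("10.0.12.10", "10.0.30.9"),   # matches nothing in STRICT_ACL
    ("10.0.12.77", "10.0.30.9"),   # explicitly denied
]

if __name__ == "__main__":
    for name, acl in (("STRICT_ACL", STRICT_ACL), ("OPEN_ACL", OPEN_ACL)):
        print(name)
        for src, dst in FLOWS:
            print(f"  {src} -> {dst}: {evaluate(acl, src, dst)}")
        print("  implicitly denied:", implicitly_denied(acl, FLOWS))
```

Running a list of expected flows through such a model before deployment shows which traffic depends on the implicit deny and which would be opened up by a trailing permit any.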
Planning an ACL Application 
Before creating and implementing ACLs, you need to define the policies you 
want your ACLs to enforce, and understand how your ACLs will impact your 
network users. 
Traffic Management and Improved Network Performance 
You can use ACLs to block unnecessary traffic caused by individual hosts, 
workgroups, or subnets, and to block user access to subnets, devices, and 
services. Answering the following questions can help you to design and 
properly position ACLs for optimum network usage. 
■  What are the logical points for minimizing unwanted traffic? In many 
cases it makes sense to prevent unwanted traffic from reaching the 
core of your network by configuring ACLs to drop unwanted traffic 
at or close to the edge of the network. (The earlier in the network path 
you can block unwanted traffic, the greater the benefit for network 
performance.) 
■  What traffic should you explicitly block? Depending on your network 
size and the access requirements of individual hosts, this can involve 
creating a large number of ACEs in a given ACL (or a large number of 
ACLs), which increases the complexity of your solution. 