Access Control Lists (ACLs) for the Series 5300xl Switches 
Planning an ACL Application 
■  What traffic can you block implicitly by relying on the implicit deny 
ip any at the end of every ACL to drop traffic that you have not explicitly 
permitted? This can reduce the number of entries needed in an ACL. 
■  What traffic should you permit? In some cases you will need to 
explicitly identify permitted traffic. In other cases, depending on your 
policies, you can insert a permit any entry at the end of an ACL. This 
means that all IP traffic not specifically matched by earlier entries in 
the list will be permitted. 
Security 
ACLs can enhance security by blocking routed IP traffic carrying an 
unauthorized source IP address (SA). This can include: 
■  Blocking access to or from subnets in your network 
■  Blocking access to or from the internet 
■  Blocking access to sensitive data storage or restricted equipment 
■  Blocking specific TCP or UDP services (such as Telnet, SSH, or web 
access) that could otherwise be used for unauthorized access 
You can also enhance switch management security by using ACLs to block 
bridged IP traffic that has the switch itself as the destination address (DA). 
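To make the two planning styles and the security uses above concrete, the following is an added Python model of the first-match, implicit-deny evaluation the text describes. It is illustration only, not the switch's own code or CLI syntax; the VLAN 10 prefix, the switch address 10.10.10.1, the administrator host 10.10.10.50 and the "restricted storage" subnet 10.10.20.0/24 are all assumed, and the sample packets are constructed. 

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of ACL processing: entries are tested in order, the first
# match decides, and IP traffic matching no entry hits the implicit "deny ip any".

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp" are IP; anything else is non-IP
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, optional port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any IP protocol), "tcp" or "udp"
    src: str                     # "any", "host A.B.C.D", or a CIDR prefix
    dst: str
    dport: Optional[int] = None  # the "eq <port>" qualifier

IP_PROTOCOLS = ("tcp", "udp", "icmp")

def _network(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    return ipaddress.ip_network(spec, strict=False)

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in _network(ace.src)
            and ipaddress.ip_address(pkt.dst) in _network(ace.dst))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching entry).
    Non-IP traffic is not screened at all (the manual's AppleTalk/IPX note);
    IP traffic matching no entry falls to the implicit deny ip any (index None)."""
    if pkt.proto not in IP_PROTOCOLS:
        return "not screened", None
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None

SWITCH_VLAN10 = "host 10.10.10.1"   # assumed: the switch's own address on VLAN 10
ADMIN_HOST    = "host 10.10.10.50"  # assumed: administrator workstation

# Policy A: rely on the implicit deny. Permit only wanted traffic; spoofed
# source addresses and unlisted services need no explicit deny entries.
DENY_BY_DEFAULT = [
    Ace("permit", "tcp", ADMIN_HOST, SWITCH_VLAN10, 22),   # admin may SSH to the switch
    Ace("deny",   "ip",  "any", SWITCH_VLAN10),            # nobody else may address the switch itself
    Ace("permit", "ip",  "10.10.10.0/24", "any"),          # only VLAN 10's own SAs may leave it
]

# Policy B: explicit denies, then "permit ip any any". Anything not named,
# including a spoofed source address, is forwarded.
PERMIT_BY_DEFAULT = [
    Ace("deny",   "tcp", "any", "any", 23),                # no Telnet anywhere
    Ace("deny",   "ip",  "any", "10.10.20.0/24"),          # assumed restricted storage subnet
    Ace("permit", "ip",  "any", "any"),
]

if __name__ == "__main__":
    samples = {  # constructed sample packets
        "admin ssh to switch": Packet("10.10.10.50", "10.10.10.1", "tcp", 22),
        "user ssh to switch":  Packet("10.10.10.77", "10.10.10.1", "tcp", 22),
        "user telnet out":     Packet("10.10.10.77", "10.10.30.5", "tcp", 23),
        "spoofed source":      Packet("192.0.2.7",   "10.10.30.5", "tcp", 80),
        "ipx frame":           Packet("n/a", "n/a", "ipx"),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} A={evaluate(DENY_BY_DEFAULT, pkt)}  B={evaluate(PERMIT_BY_DEFAULT, pkt)}")
```

Running the block shows the trade-off the planning questions are about: policy A drops the spoofed source and the non-administrator SSH attempt on the switch's own address without any entry naming them, but it forwards outbound Telnet because nothing denies it; policy B stops Telnet and the restricted subnet but forwards the spoofed source because the trailing permit catches it. The IPX frame is never screened by either list. 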
Caution  ACLs can enhance network security by blocking selected IP traffic, and can 
serve as one aspect of maintaining network security. However, because ACLs 
do not provide user or device authentication, or protection from malicious 
manipulation of data carried in IP packet transmissions, they should not 
be relied upon for a complete security solution. 
Note  ACLs in the Series 5300XL switches do not screen non-IP traffic such as 
AppleTalk and IPX. 
9-17