Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Overview 
Standard ACL: This type of Access Control List uses the layer-3 IP criterion 
of source IP address to determine whether there is a match with an inbound 
IP packet. You can apply a standard ACL to inbound traffic on a port or 
trunk, including any inbound traffic with a destination address (DA) 
belonging to the switch itself. Standard ACLs require an identification 
number (ID) in the range of 1 - 99 or an alphanumeric name. 
Wildcard: The part of a mask that indicates the bits in a packet’s IP addressing 
that do not need to match the corresponding bits specified in an ACL. See 
also ACL Mask on page 10-7. 
Types of IP ACLs 
Standard ACL: Use a standard ACL when you need to permit or deny traffic 
based on source IP address. Standard ACLs are also useful when you need to 
quickly control a performance problem by limiting traffic from a subnet, group 
of devices, or a single device. (This can block all inbound IP traffic from the 
configured source, but does not block traffic from other sources within the 
network.) This ACL type uses a numeric ID of 1 through 99 or an alphanumeric 
ID string. You can specify a single host, a finite group of hosts, or any host. 
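The following Python sketch is an added illustration, not code or configuration from the switch documentation. It shows how a wildcard selects a single host, a finite group of hosts, or any host when a standard ACL compares a packet's source IP address. The sample entries, the function names, and the top-down, first-match evaluation order are assumptions made for the example.

```python
import ipaddress

def to_int(addr):
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def matches(src, acl_addr, wildcard):
    """True when src equals acl_addr in every bit the wildcard does not
    mark as "does not need to match" (wildcard bit 1 = ignore this bit)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF   # bits that must match
    return (to_int(src) & care) == (to_int(acl_addr) & care)

# Constructed sample entries (action, source address, wildcard).
SAMPLE_ACL = [
    ("deny",   "10.10.10.5", "0.0.0.0"),          # single host
    ("permit", "10.10.10.0", "0.0.0.255"),        # group: 10.10.10.0-255
    ("deny",   "0.0.0.0",    "255.255.255.255"),  # any host
]

def evaluate(acl, src):
    """Return the action of the first entry whose source criterion matches,
    or None when no entry matches. First-match ordering is an assumption of
    this example; the no-match case is outside what this section covers."""
    for action, addr, wildcard in acl:
        if matches(src, addr, wildcard):
            return action
    return None

if __name__ == "__main__":
    for src in ("10.10.10.5", "10.10.10.77", "192.168.1.1"):
        print(src, "->", evaluate(SAMPLE_ACL, src))
    # A wildcard need not be contiguous: 0.0.0.254 ignores the upper seven
    # bits of the last octet, so only the lowest bit must match (odd hosts).
    print(matches("10.10.10.7", "10.10.10.1", "0.0.0.254"))
    print(matches("10.10.10.8", "10.10.10.1", "0.0.0.254"))
```

Because the host entry sits above the subnet entry, 10.10.10.5 is denied even though it also falls inside the permitted group; reversing the two entries would let it through.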
Extended ACL: Use extended ACLs whenever simple IP source address 
restrictions do not provide the breadth of traffic selection criteria you want 
for a port or trunk. Extended ACLs allow use of the following criteria: 
■  Source and destination IP addresses 
■  TCP application criteria 
■  UDP application criteria 
ACL Inbound Application Points 
You can apply ACL filtering to IP traffic inbound on a physical port or static 
trunk with a destination address (DA): 
■  On another device. (ACLs are not supported on dynamic LACP 
trunks.) 
■  On the switch itself. In figure 10-2, below, this would be any of the IP 
addresses shown in VLANs “A”, “B”, and “C” on the switch. (IP routing 
need not be enabled.) 