Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Overview 
The switch can apply ACL filtering to traffic entering the switch on ports and/or
trunks configured to apply ACL filters. For example, in figure 10-2 you
would assign an inbound ACL on port 1 to filter a packet from the workstation 
10.28.10.5 to the server at 10.28.20.99. Note that all ACL filtering is performed 
on the inbound port or trunk. Routing may be enabled or disabled on the 
switch, and any permitted inbound traffic may have any valid destination. 
[Figure: a 3400cl switch with IP routing enabled, showing Port 1, Port 2, Port 3, and Port 4.
VLAN A: 10.28.10.1 (one subnet). VLAN B: 10.28.20.1 (one subnet).
VLAN C: 10.28.40.1 and 10.28.30.1 (multiple subnets).
Hosts shown: 10.28.10.5, 10.28.20.99, 10.28.30.33, 18.28.40.17.]
Figure note: Because of multinetting, traffic routed from 10.28.40.17 to 10.28.30.33
remains in VLAN C. To filter inbound traffic from 10.28.40.17, the ACL must be
configured on port 3. The subnet mask for this example is 255.255.255.0.
Figure 10-2. Example of Filter Applications 
Features Common to All ACLs 
■  On any port or static trunk you can apply one ACL to inbound traffic. 
■  Any ACL can have multiple entries (ACEs). 
■  You can apply any one ACL to multiple ports and trunks. 
■  A source or destination IP address and a mask, together, can define a 
single host, a range of hosts, or all hosts. 
■  Before changing the content of an ACL assigned to one or more ports 
or trunks, you must first remove the ACL from those ports or trunks. 
■  Every standard ACL includes an implied “deny any” as the last entry, 
and every extended ACL includes an implied “deny IP any any” as the 
last entry. The switch applies this action to any packets that do not 
match other criteria in the ACL. 
■  In any ACL, you can apply an ACL log function to ACEs that have a 
“deny” action. The logging occurs when there is a match on a “deny” 
ACE. (The switch sends ACL logging output to Syslog and, optionally, 
to a console session.) 
■  Standard and Extended ACL features cannot be combined in one ACL. 
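The inbound filtering behavior listed above, modeled in Python as an added example (not taken from the switch documentation). It assumes entries are checked in order with the first match deciding, and that 1 bits in an ACL mask mean "don't care"; the ACL contents and the function names are constructed for illustration.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def matches(addr, base, mask):
    # Assumed ACL-mask convention: 1 bits are "don't care", 0 bits must match.
    care = ~ip(mask) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

HOST, ANY = "0.0.0.0", "255.255.255.255"  # masks for a single host / all hosts

# Constructed extended ACL: (action, src, src_mask, dst, dst_mask, log)
ACL_PORT1 = [
    ("deny", "10.28.10.5", HOST, "10.28.20.99", HOST, True),
    ("permit", "10.28.10.0", "0.0.0.255", "0.0.0.0", ANY, False),
]

# One inbound ACL per port; a port with no ACL assigned is not filtered.
PORT_ACLS = {1: ACL_PORT1}

def filter_inbound(port, src, dst, port_acls=PORT_ACLS):
    """Return (action, logged) for a packet entering the switch on `port`."""
    acl = port_acls.get(port)
    if acl is None:
        return ("permit", False)
    for action, s, sm, d, dm, log in acl:  # assumed: first match wins
        if matches(src, s, sm) and matches(dst, d, dm):
            # Logging applies only to explicit "deny" entries that request it.
            return (action, log and action == "deny")
    # Implied "deny IP any any"; in this model it carries no log option.
    return ("deny", False)
```

Because filtering happens only on the inbound port, the ACL on port 1 never sees the multinetted traffic from 10.28.40.17; in this model that traffic is filtered only once an ACL is assigned to port 3.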