Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Overview 
You can configure ACLs using either the CLI or a text editor. The text-editor 
method is recommended when you plan to create or modify an ACL that has 
more entries than you can easily enter or edit using the CLI alone. Refer to 
“Editing ACLs and Creating an ACL Offline” on page 10-65. 
General Steps for Planning and Configuring ACLs 
1.  Identify the traffic type to filter. Options include: 
•  Any inbound IP traffic 
•  Inbound TCP traffic only 
•  Inbound UDP traffic only 
2.  Identify the source address (SA) and/or the destination address (DA) 
of inbound traffic you want to permit or deny. 
3.  Determine the best points at which to apply specific ACL controls. For 
example, you can improve network performance by filtering unwanted 
traffic at the edge of the network instead of in the core. 
4.  Design the ACLs for the selected control points. Where you are using 
explicit “deny” ACEs, you can optionally use the ACL logging feature to 
help verify that the switch is denying unwanted packets where intended. 
Remember that excessive ACL logging activity can degrade the switch's 
performance. (Refer to “Enable ACL “Deny” Logging” on page 10-71.) 
5.  Create the ACLs in the selected switches. 
6.  Assign the ACLs to filter the inbound traffic on ports and/or static trunk 
interfaces configured on the switch. 
7.  Test for desired results. 
For more details on ACL planning considerations, refer to “Planning an ACL 
Application on a Series 3400cl or Series 6400cl Switch” on page 10-16. 
Caution Regarding the Use of Source Routing 
Source routing is enabled by default on the switch and can be used to override 
ACLs. For this reason, if you are using ACLs to enhance network security, the 
recommended action is to use the no ip source-route command to disable 
source routing on the switch. (If source routing is disabled in the 
running-config file, the show running command includes “no ip source-route” 
in the running-config file listing.) 
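The check described in the caution above can be run against saved copies of the show running listing. The following script is an added example, not part of the original manual; the function name audit_source_route, the access-list / access-group keyword match, and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# audit_source_route FILE
#   FILE is a saved copy of "show running" output.
#   Returns 0 if "no ip source-route" is present, 1 if it is absent
#   (source routing is on by default), 2 if FILE cannot be read.
audit_source_route() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "$cfg: ERROR cannot read file"
        return 2
    fi
    # Terminal captures often carry CR line endings and indentation.
    clean=$(tr -d '\r' < "$cfg" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # Assumed keywords for lines that define or apply an ACL.
    acl_lines=$(printf '%s\n' "$clean" | grep -Ec '(^| )access-(list|group) ' || true)
    # Whole-line match, so a commented-out or partial line does not count.
    if printf '%s\n' "$clean" | grep -qx 'no ip source-route'; then
        echo "$cfg: OK source routing disabled ($acl_lines ACL lines)"
        return 0
    fi
    if [ "$acl_lines" -gt 0 ]; then
        echo "$cfg: FAIL $acl_lines ACL lines but source routing not disabled"
    else
        echo "$cfg: WARN source routing not disabled (no ACL lines found)"
    fi
    return 1
}

# Constructed sample listing (not taken from a real switch).
demo=$(mktemp)
cat > "$demo" <<'EOF'
hostname "edge-sw1"
access-list 101 deny tcp any any log
access-list 101 permit ip any any
EOF
audit_source_route "$demo" || true   # prints a FAIL line for this sample
rm -f "$demo"
```
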