Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
Traffic Management and Improved Network
Performance
You can use ACLs to block unnecessary traffic caused by individual hosts,
workgroups, or subnets, and to block user access to subnets, devices, and
services. Answering the following questions can help you to design and
properly position ACLs for optimum network usage.
■ What are the logical points for minimizing unwanted traffic? In many
cases it makes sense to block unwanted traffic from the core of your
network by configuring ACLs to drop such traffic at or close to the
edge of the network. (The earlier in the network path you block
unwanted traffic, the greater the benefit for network performance.)
■ What traffic should you explicitly block? Depending on your network
size and the access requirements of individual hosts, this can involve
creating a large number of ACEs in a given ACL (or a large number of
ACLs), which increases the complexity of your solution and rapidly
consumes the per-port rule and mask resources.
■ What traffic can you implicitly block by taking advantage of the
implicit deny any to deny traffic that you have not explicitly permitted?
This can reduce the number of entries needed in an ACL and make
more economical use of switch resources.
■ What traffic should you permit? In some cases you will need to
explicitly identify permitted traffic. In other cases, depending on your
policies, you can insert a permit any (standard ACL) or permit ip any
any (extended ACL) entry at the end of an ACL. This means that all IP
traffic not specifically matched by earlier entries in the list will be
permitted.
Security
ACLs can enhance security by blocking inbound IP traffic carrying an unau-
thorized source IP address (SA). This can include:
■ Blocking access to or from subnets in your network
■ Blocking access to or from the internet
■ Blocking access to sensitive data storage or restricted equipment
■ Preventing the use of specific TCP or UDP functions (such as Telnet,
SSH, web browser) for unauthorized access
10-26
To Next Page
Loading...
