Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch 
You can also enhance switch management security by using ACLs to block 
inbound IP traffic that has the switch itself as the destination address (DA). 
Caution  ACLs can enhance network security by blocking selected IP traffic, and can 
serve as one aspect of maintaining network security. However, because ACLs 
do not provide user or device authentication, or protection from malicious 
manipulation of data carried in IP packet transmissions, they should not 
be relied upon for a complete security solution. 
Note  ACLs in the 3400cl/6400cl switches do not screen non-IP traffic such as 
AppleTalk and IPX. 
Guidelines for Planning the Structure of an ACL 
The first step in planning a specific ACL is to determine where you will apply it. (Refer to “ACL Inbound Application Points” on page 10-9.) You must then determine the order in which you want the individual ACEs in the ACL to filter traffic. Some applications require high usage of the per-port resources the switch uses to support ACLs (as well as the rules used by QoS and Rate-Limiting applications). In these cases it is important to order the individual ACEs in a list to avoid unnecessarily using resources. For more on this topic, refer to “Planning an ACL Application on a Series 3400cl or Series 6400cl Switch” on page 10-16. 
■  The first match dictates the action on a packet; any subsequent possible matches are ignored. 
■  On any ACL, the switch implicitly denies packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, add permit any as the last ACE in an ACL. This ensures that no packets reach the implicit deny any case. 
■  Generally, you should list ACEs from the most specific (individual 
hosts) to the most general (subnets or groups of subnets) unless doing 
so permits traffic that you want dropped. For example, an ACE 
allowing a small group of workstations to use a specialized printer 
should occur earlier in an ACL than an entry used to block widespread 
access to the same printer. 
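The three rules above (first match wins, implicit deny at the end, specific entries before general ones) can be checked before an ACL is ever applied to a port. The following is an added example, not code from the manual or from the switch firmware: a small first-match evaluator that models those semantics in Python, plus a shadowing check that flags ACEs an earlier, broader entry makes unreachable. The addresses (a /28 of workstations and a single printer host) are constructed for the printer scenario described in the last bullet; the switch's real matching also considers protocol and port fields that this model only sketches with an optional protocol name.

```python
# Added example (not from the manual): a tiny first-match ACL evaluator
# that reproduces the ordering rules above. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry: action plus source/destination prefixes."""
    action: str                      # "permit" or "deny"
    src: IPv4Network                 # 0.0.0.0/0 stands for "any"
    dst: IPv4Network
    proto: Optional[str] = None      # None matches every protocol

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto))


def evaluate(acl: List[ACE], src: str, dst: str,
             proto: str = "ip") -> Tuple[str, Optional[int]]:
    """Return (action, index of the ACE that matched).

    Evaluation stops at the first matching ACE, as on the switch. A packet
    that matches nothing falls through to the implicit deny, reported here
    with index None.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for index, ace in enumerate(acl):
        if ace.matches(s, d, proto):
            return ace.action, index
    return "deny", None


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every packet they describe: the usual symptom of listing a
    general entry before a specific one."""
    result = []
    for j, ace in enumerate(acl):
        for earlier in acl[:j]:
            covers_proto = earlier.proto is None or earlier.proto == ace.proto
            if (ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst) and covers_proto):
                result.append(j)
                break
    return result


# Constructed sample addresses for the printer scenario.
ANY = IPv4Network("0.0.0.0/0")
WORKSTATIONS = IPv4Network("10.1.1.16/28")   # the small group allowed to print
PRINTER = IPv4Network("10.1.1.200/32")

# Specific before general: the workstation permit precedes the broad deny,
# and an explicit "permit any" keeps other traffic out of the implicit deny.
GOOD_ACL = [
    ACE("permit", WORKSTATIONS, PRINTER),
    ACE("deny", ANY, PRINTER),
    ACE("permit", ANY, ANY),
]

# Same entries, general before specific: the deny now shadows the permit.
BAD_ACL = [
    ACE("deny", ANY, PRINTER),
    ACE("permit", WORKSTATIONS, PRINTER),
    ACE("permit", ANY, ANY),
]

# No trailing "permit any": anything not about the printer is dropped.
NO_FINAL_PERMIT = GOOD_ACL[:2]


if __name__ == "__main__":
    ws, other, printer, server = "10.1.1.20", "10.1.2.7", "10.1.1.200", "10.5.5.5"
    print("good, ws->printer        ", evaluate(GOOD_ACL, ws, printer))
    print("good, other->printer     ", evaluate(GOOD_ACL, other, printer))
    print("bad,  ws->printer        ", evaluate(BAD_ACL, ws, printer))
    print("bad,  shadowed ACEs      ", shadowed_aces(BAD_ACL))
    print("no permit any, ws->server", evaluate(NO_FINAL_PERMIT, ws, server))
```

Running the script shows the two failure modes the bullets warn about: in BAD_ACL the workstation's print traffic hits the broad deny first and the permit it was meant to use is reported as shadowed, and in NO_FINAL_PERMIT ordinary traffic to an unrelated server is dropped by the implicit deny because no permit any closes the list.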
10-27