Motorola RFS7000 Series System Reference Guide

Motorola RFS7000 Series
466 pages
Switch Security
6-20
For more information, see:
• Router ACLs
• Port ACLs
• Wireless LAN ACLs
• ACL Actions
6.5.1.1 Router ACLs
Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on
an interface, applying a new one replaces the existing ACL. Router ACLs apply only when the switch
acts as a gateway, and only to inbound traffic.
The switch supports two types of Router ACLs:
• Standard IP ACL—Uses the source IP address as matching criteria.
• Extended IP ACL—Uses the source IP address, destination IP address and IP protocol type as basic
matching criteria. It can also include other parameters specific to a protocol type (like source and
destination port for TCP/UDP protocols).
Router ACLs are stateful and are not applied on every packet routed through the switch. Whenever a packet
is received from a Layer 3 interface, it is examined against existing sessions to determine if it belongs to an
established session. ACLs are applied on the packet in the following manner.
1. If the packet matches an existing session, it is not matched against ACL rules and the session decides
where to send the packet.
2. If no existing sessions match the packet, it is matched against ACL rules to determine whether to accept
or reject it. If ACL rules accept the packet, a new session is created and all further packets belonging to
that session are allowed. If ACL rules reject the packet, no session is established.
A session is computed based on:
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• ICMP identifier
• Incoming interface index
• IP Protocol
Each session has a default idle time-out interval. If no packets are received within this interval, the session is
terminated and a new session must be initiated. These intervals are fixed and cannot be configured by the user.
The default idle time-out intervals for different sessions are:
• ICMP and UDP sessions—30 seconds
• TCP sessions—2 hours
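
The session-first evaluation described above can be modelled in a few lines of Python; this is an added example, not code from the guide or from the switch firmware. The rule format (ordered predicates, first match wins), the reject-when-no-rule-matches default, and the fact that editing the rule list leaves existing sessions in place are assumptions of the model, as are the constructed sample packets.

```python
from collections import namedtuple

# Session key: the seven fields the guide lists.
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port icmp_id in_ifindex proto")

# Fixed idle time-outs from the guide, in seconds.
IDLE_TIMEOUT = {"icmp": 30, "udp": 30, "tcp": 2 * 60 * 60}


class StatefulRouterAcl:
    def __init__(self, rules):
        # rules: ordered list of (predicate, "permit" | "deny"); first match wins (assumption).
        self.rules = rules
        self.sessions = {}       # session key -> time of last packet
        self.acl_lookups = 0     # how often the rule list was actually consulted

    def _acl_permits(self, pkt):
        self.acl_lookups += 1
        for predicate, action in self.rules:
            if predicate(pkt):
                return action == "permit"
        return False             # assumption: no matching rule means reject

    def handle(self, pkt, now):
        """Return (accepted, reason) for a packet arriving at time `now` (seconds)."""
        last_seen = self.sessions.get(pkt)
        if last_seen is not None and now - last_seen > IDLE_TIMEOUT[pkt.proto]:
            del self.sessions[pkt]           # idle too long: session terminated
            last_seen = None
        if last_seen is not None:            # step 1: session hit, ACL rules skipped
            self.sessions[pkt] = now         # any packet restarts the idle timer
            return True, "session"
        if self._acl_permits(pkt):           # step 2: session miss, ACL rules decide
            self.sessions[pkt] = now
            return True, "acl-permit"
        return False, "acl-deny"             # rejected: no session is established


def demo():
    permit_dns = (lambda p: p.proto == "udp" and p.dst_port == 53, "permit")
    acl = StatefulRouterAcl([permit_dns])
    dns = Packet("192.0.2.10", "198.51.100.53", 40000, 53, None, 1, "udp")  # constructed
    ssh = dns._replace(dst_port=22, proto="tcp")                            # constructed
    results = [acl.handle(dns, 0), acl.handle(ssh, 1), acl.handle(dns, 20)]
    acl.rules = []               # permit rule removed while the UDP session is live
    results += [acl.handle(dns, 45), acl.handle(dns, 76)]
    return results, acl.acl_lookups
```

In the model, the packets at t=20 and t=45 are forwarded on the session alone, and the rule list is consulted again only at t=76, after 31 idle seconds.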

Motorola RFS7000 Series Specifications

Brand: Motorola
Model: RFS7000 Series
Category: Switch
Language: English