Router Acls - Cisco 4500M Software Manual

Chapter 35
Configuring Network Security with ACLs
• You can apply only one IP access list and one MAC access list to a Layer 2 interface.
• VLAN ACLs or VLAN maps control the access of all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. You do not need the enhanced image to create or apply VLAN maps. VLAN maps are configured to control access based on Layer 3 addresses for IP. MAC addresses using Ethernet ACEs control the access of unsupported protocols. After you apply a VLAN map to a VLAN, all packets (routed or bridged) entering the VLAN are checked against that map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.

You can use both router ACLs and VLAN maps on the same switch.

Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. Router ACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one IP access list in each direction.

Multiple features can use one ACL for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times. The access list type determines the input to the matching operation:

• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.

The switch examines ACLs associated with features configured on a given interface and a direction. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.

ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For example, you can use access lists to allow one host to access a part of a network, but prevent another host from accessing the same part. In Figure 35-1, ACLs applied at the router input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.

OL-6696-01
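As an added example (not code from the Cisco guide), the following Python models how a router ACL is evaluated, entries tested top-down with the first match deciding and an implicit deny at the end, and works through the Figure 35-1 policy with both list types. The host and network addresses are constructed, and the model only illustrates the matching rules described above; it is not switch software.

```python
# Added example (not from the Cisco guide): a small model of Cisco-style ACL
# matching used to work through the Figure 35-1 policy. Entries are tested
# top-down, the first match decides, and every ACL ends with an implicit deny.
# All addresses and ACL names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One access control entry; dst and proto are consulted only by extended ACLs."""
    action: str        # "permit" or "deny"
    src: str           # CIDR network or "any"
    dst: str = "any"   # CIDR network or "any"
    proto: str = "ip"  # "ip" matches every protocol

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, kind, src, dst, proto="tcp"):
    """Return 'permit' or 'deny'; kind is 'standard' (source only) or 'extended'."""
    for ace in acl:
        if not _in_net(ace.src, src):
            continue
        if kind == "extended" and not (_in_net(ace.dst, dst)
                                       and ace.proto in ("ip", proto)):
            continue
        return ace.action  # first matching entry wins
    return "deny"          # implicit deny at the end of every ACL

# Constructed topology: Host A and Host B share a VLAN; HR is a routed network.
HOST_A, HOST_B = "10.1.1.10", "10.1.1.20"
HR_NET = "10.2.0.0/16"

# A standard ACL applied inbound matches on source only, so denying Host B
# here also cuts it off from every other routed network, not just HR.
STANDARD_IN = [Ace("deny", HOST_B + "/32"), Ace("permit", "any")]

# An extended ACL can say "Host B may not reach HR but may go anywhere else".
EXTENDED_IN = [Ace("permit", HOST_A + "/32", HR_NET),
               Ace("deny", HOST_B + "/32", HR_NET),
               Ace("permit", "any", "any")]

def figure_35_1_decisions():
    """Inbound decisions for Host A and Host B under each ACL type."""
    cases = {"A->HR": (HOST_A, "10.2.0.5"), "B->HR": (HOST_B, "10.2.0.5"),
             "B->other": (HOST_B, "10.3.0.5")}
    return {kind: {name: evaluate(acl, kind, s, d) for name, (s, d) in cases.items()}
            for kind, acl in (("standard", STANDARD_IN), ("extended", EXTENDED_IN))}
```

The "B->other" row is the point: a source-only standard list cannot express the Figure 35-1 policy without over-blocking, while the extended list limits the deny to the HR destination.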
Software Configuration Guide—Release 12.2(25)EW
Understanding ACLs
35-3