Chapter 51 Configuring Network Security with ACLs - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
About ACLs

This section includes these topics:

Overview, page 51-2
Supported Features That Use ACLs, page 51-3
Router ACLs, page 51-3
Port ACLs, page 51-4
Dynamic ACLs, page 51-5
VLAN Maps, page 51-5

Overview

An ACL is a collection of sequential permit and deny conditions that applies to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the permissions required to be forwarded, based on the conditions specified in the access lists. It tests the packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch drops the packet. If no restrictions exist, the switch forwards the packet; otherwise, the switch drops the packet.

Switches traditionally operate at Layer 2, switching traffic within a VLAN. Routers route traffic between VLANs at Layer 3. The Catalyst 4500 series switch can accelerate packet routing between VLANs by using Layer 3 switching. The Layer 3 switch bridges the packet, and then routes the packet internally without going to an external router. The packet is then bridged again and sent to its destination. During this process, the switch can control all packets, including packets bridged within a VLAN.

You configure access lists on a router or switch to filter traffic and provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed on all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both. However, on Layer 2 interfaces, you can apply ACLs only in the inbound direction.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

The Catalyst 4500 series switch supports three types of ACLs:

IP ACLs, which filter IP traffic, including TCP, the User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
IPv6 ACLs
MAC ACLs, which match based on Ethernet addresses and EtherType

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 51 Configuring Network Security with ACLs
OL-25340-01
51-2
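The first-match and implicit-deny semantics described in the Overview, as an added worked example that is not part of the Cisco guide: a small Python evaluator that parses a simplified IOS-style ACE syntax (action, protocol, source and destination given as any, host, or address plus wildcard mask, optional eq port), reports which entry decided a packet, and flags entries that an earlier, broader entry fully shadows. The syntax subset, the Packet and Ace classes, and the sample addresses (10.1.1.0/24, 203.0.113.10) are assumptions of this example, not the guide's.

```python
"""Added illustration of first-match ACL evaluation (not Cisco code).

ACEs use a simplified IOS-style syntax (an assumption of this example):
    <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard
mask: a set bit means "don't care", as in IOS).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
AddrMatch = Tuple[int, int]          # (network as int, wildcard mask as int)
ANY: AddrMatch = (0, ALL_ONES)       # 'any': every address bit is "don't care"


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]             # None means "any port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Consume one address spec starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def _addr_matches(spec: AddrMatch, addr: str) -> bool:
    """Wildcard-mask compare: bits that are 0 in the mask must equal the network."""
    network, wildcard = spec
    return (int(IPv4Address(addr)) ^ network) & (~wildcard & ALL_ONES) == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_matches(ace.src, pkt.src)
            and _addr_matches(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching ACE.

    Testing stops at the first match, so order decides the result. A packet
    that matches nothing hits the implicit deny, reported here as index None.
    """
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def _covers(broad: AddrMatch, narrow: AddrMatch) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    fixed = ~broad[1] & ALL_ONES              # bits the broad spec actually checks
    return (broad[0] ^ narrow[0]) & fixed == 0 and narrow[1] & fixed == 0


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never fire because an earlier ACE matches a superset.

    This is the ordering mistake the Overview warns about: a more specific
    entry placed after a broader one is dead, whatever its action.
    """
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead


# Constructed sample ACLs for the guide's "e-mail yes, Telnet no" scenario.
MAIL_NOT_TELNET = [parse_ace(line) for line in (
    "permit tcp 10.1.1.0 0.0.0.255 any eq 25",   # SMTP from the user subnet
    "deny   tcp any any eq 23",                  # Telnet blocked for everyone
    "permit ip 10.1.1.0 0.0.0.255 any",          # other traffic from that subnet
)]

MISORDERED = [parse_ace(line) for line in (
    "permit ip 10.1.1.0 0.0.0.255 any",          # broad permit first ...
    "deny   tcp 10.1.1.0 0.0.0.255 any eq 23",   # ... so this deny never matches
)]

if __name__ == "__main__":
    telnet = Packet("tcp", "10.1.1.7", "203.0.113.10", 23)
    for name, acl in (("MAIL_NOT_TELNET", MAIL_NOT_TELNET), ("MISORDERED", MISORDERED)):
        print(name, "Telnet decision:", evaluate(acl, telnet),
              "shadowed entries:", shadowed_entries(acl))
```

Running the block shows the two consequences of the Overview's rules: in MAIL_NOT_TELNET a Telnet packet from the user subnet is stopped by entry 1 while a packet from an address no entry names falls through to the implicit deny, and in MISORDERED the same Telnet packet is permitted by entry 0 because the broader permit placed first shadows the deny that follows it.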
