Port ACLs - Cisco Catalyst 4500 Series Administration Manual

Chapter 54
Configuring Network Security with ACLs
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
With port ACLs, you can filter IPv4 traffic with IPv4 access lists, IPv6 traffic with IPv6 access lists, and
non-IP traffic with MAC access lists. You can filter several types of traffic at once by applying one ACL
of each appropriate type to the same Layer 2 interface.
Note: You cannot simultaneously apply more than one access list of a given type to a Layer 2 interface. If an
IPv4, IPv6, or MAC access list is already configured on a Layer 2 interface and you apply a new IPv4,
IPv6, or MAC access list to the interface, the new ACL replaces the previously configured ACL of the
same type.
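The following Cisco IOS configuration is an added example, not taken from the guide, showing the port ACL behaviour described above: an IPv4 access list filtering IP traffic and a MAC access list filtering non-IP traffic applied together to one Layer 2 interface, followed by a second IPv4 access list whose application replaces the first one of that type. The ACL names, the MAC address, the TCP port and the interface GigabitEthernet1/1 are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Names, addresses and interface are constructed.
!
! IPv4 port ACL: controls IP traffic only. Blocks inbound Telnet, permits other IPv4.
ip access-list extended PACL-IPV4-ACCESS
 remark constructed example - deny Telnet (TCP/23), permit remaining IPv4 traffic
 deny tcp any any eq 23
 permit ip any any
!
! MAC port ACL: controls non-IP traffic only (IP frames never hit this list).
! Drops non-IP frames from one constructed source MAC, permits other non-IP frames
! (e.g. ARP), so the port keeps working for the rest of the hosts.
mac access-list extended PACL-NONIP-ACCESS
 remark constructed example - drop non-IP frames from 0000.1111.2222
 deny host 0000.1111.2222 any
 permit any any
!
! Both lists coexist on the same Layer 2 port because they are of different types.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-IPV4-ACCESS in
 mac access-group PACL-NONIP-ACCESS in
!
! A second IPv4 list applied to the same port does not stack: it replaces
! PACL-IPV4-ACCESS, while the MAC list (a different type) stays in place.
ip access-list extended PACL-IPV4-STRICT
 remark constructed example - deny Telnet and SSH, permit remaining IPv4 traffic
 deny tcp any any eq 23
 deny tcp any any eq 22
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group PACL-IPV4-STRICT in
!
! Verify which lists are bound to the port and what they contain.
end
show running-config interface GigabitEthernet1/1
show access-lists
```

After the second `ip access-group`, `show running-config interface GigabitEthernet1/1` shows only PACL-IPV4-STRICT and PACL-NONIP-ACCESS bound to the port, which is the replacement behaviour the note describes; a change intended to tighten the IP filter should therefore be made by editing or replacing the list deliberately, not by expecting a second binding to be added alongside the first.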
Dynamic ACLs
Various security features, such as 802.1X, NAC and Web Authentication, are capable of downloading
ACLs from a central server and applying them to interfaces. Prior to Cisco IOS Release 12.2(54)SG,
these features required the explicit configuration of a standard port ACL.
Starting with Cisco IOS Release 12.2(54)SG, a port ACL does not require configuration. For more
details, refer to the "Removing the Requirement for a Port ACL" section on page 54-29.
VLAN Maps
VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch
to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are not
defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. Access of all non-IP protocols
is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not
controlled by MAC ACLs in VLAN maps.) You can enforce VLAN maps only on packets heading to the
switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding packets is permitted or denied, based on the action specified in the map.
Figure 54-2 illustrates how a VLAN map is applied to prevent a specific type of traffic from Host A in
VLAN 10 from being forwarded.
Figure 54-2 Using VLAN Maps to Control Traffic
[Figure: Host A (VLAN 10) and Host B (VLAN 10) attached to a Catalyst 4500 series switch; legend: VLAN map denying a specific type of traffic from Host A; packet.]
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E, OL_28731-01 (About ACLs, page 54-5)
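The following Cisco IOS configuration is an added example, not part of the guide, that realises the situation in Figure 54-2: a VLAN map on VLAN 10 that drops one kind of traffic from Host A and forwards everything else, including Host B's traffic. It also shows the page's point that IP traffic is matched through an IP ACL while non-IP traffic is matched through a MAC ACL. Host A's address 10.1.10.11, its MAC address 0000.1111.aaaa, the choice of TCP as the "specific type" of traffic, and the map and ACL names are assumptions.

```cisco
! Added example (not from the guide). Addresses, names and traffic type are constructed.
!
! In a VLAN map the ACL only selects packets: "permit" means "this clause matches".
! The map clause's action, not the ACL, decides whether the packet is dropped or forwarded.
ip access-list extended HOSTA-TCP
 remark constructed example - IP traffic to drop: TCP sent by Host A
 permit tcp host 10.1.10.11 any
!
! Non-IP traffic cannot be matched by an IP ACL; a MAC ACL selects it instead.
mac access-list extended HOSTA-NONIP
 remark constructed example - non-IP frames sent from Host A's MAC address
 permit host 0000.1111.aaaa any
!
! Clauses are evaluated in sequence-number order; the first matching clause wins.
vlan access-map VLAN10-FILTER 10
 match ip address HOSTA-TCP
 action drop
vlan access-map VLAN10-FILTER 20
 match mac address HOSTA-NONIP
 action drop
! Final clause with no match condition: forward everything else (Host B's traffic,
! Host A's non-TCP IP traffic). Without it, packets matching no clause are dropped.
vlan access-map VLAN10-FILTER 30
 action forward
!
! VLAN maps are not directional: the map applies to traffic bridged within VLAN 10
! and routed into or out of it, as long as the packets pass through this switch.
vlan filter VLAN10-FILTER vlan-list 10
!
end
show vlan access-map VLAN10-FILTER
show vlan filter
```

As the page notes, this filter only takes effect on packets that reach the switch; if Host A and Host B share a hub or a downstream switch, their direct exchange never traverses the Catalyst 4500 and the map cannot see it, so the VLAN map should be placed on the switch that actually forwards the traffic of interest.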