Network Security With Acls - Cisco Catalyst 4500 Series Software Configuration Manual

Chapter 1 Product Overview

Network Security with ACLs

An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are
also known as VLAN maps in Cisco IOS.
The Catalyst 4500 series switch supports three types of ACLs:
•
•
•
The switch supports the following applications of ACLs to filter traffic:
•
•
•
•
For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see
Chapter 62, "Configuring Network Security with ACLs."
Port Security
Port security restricts traffic on a port based upon the MAC address of the workstation that accesses the
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
Sticky port security extends port security by saving the dynamically learned MAC addresses in the
running configuration to survive port link down and switch reset. It enables a network administrator to
restrict the MAC addresses allowed or the maximum number of MAC addresses on each port.
Voice VLAN sticky port security further extends the sticky port security to the voice-over-IP
deployment. Voice VLAN sticky port security locks a port and blocks access from a station with a MAC
address different from the IP phone and the workstation behind the IP phone.
For information on port security, see
PPPoE Intermediate Agent
PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and BRAS to help the service
provider BRAS distinguish between end hosts connected over Ethernet to an access switch. On the
access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging Ethernet
frames of different users. (The tag contains specific information such as which subscriber is connected
to the switch and VLAN.) PPPoE IA acts as mini-security firewall between host and BRAS by
intercepting all PPPoE Active Discovery (PAD) messages on a per-port per-VLAN basis. It provides
IP ACLs, which filter IP traffic, including TCP, the User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
IPv6 ACLs
MAC ACLs which match based on Ethernet addresses and Ether Type
MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN
interface.
Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
Router ACLs, which are applied to Layer 3 interfaces to control the access of routed traffic between
VLANs.
VLAN ACLs or VLAN maps to control the access of all packets (bridged and routed).
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 55, "Configuring Port Security."
Security Features
1-41