Dynamic Acls - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 62
Configuring Network Security with ACLs
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
With port ACLs, you can filter IPv4 traffic with IPv4 access lists, IPv6 traffic with IPv6 access lists, and
non-IP traffic with MAC access lists. You can filter several types of traffic at once by applying one ACL
of each appropriate type to the same Layer 2 interface.
Note You cannot simultaneously apply more than one access list of a given type to a Layer 2 interface. If an
IPv4, IPv6, or MAC access list is already configured on a Layer 2 interface, and you apply a new IPv4,
IPv6 or MAC access list to the interface, the new ACL replaces the previously configured ACL of the
same type.

Dynamic ACLs

Various security features, such as 802.1X, NAC and Web Authentication, are capable of downloading
ACLs from a central server and applying them to interfaces. Prior to Cisco IOS Release 12.2(54)SG,
these features required the explicit configuration of a standard port ACL.
Starting with Cisco IOS Release 12.2(54)SG, a port ACL does not require configuration. For more
details, refer to the "Removing the Requirement for a Port ACL" section on page 62-32.

VLAN Maps

VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch
to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are not
defined by direction (input or output).
Note Negative TCP flags such as -syn, -psh or -fin in ACEs are not considered when you apply VLAN ACLs.
We recommend that you use positive TCP flags in ACEs.
You can configure VLAN maps to match Layer 3 addresses for IP traffic. Access of all non-IP protocols
is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not
controlled by MAC ACLs in VLAN maps.) You can enforce VLAN maps only on packets heading to the
switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding packets is permitted or denied, based on the action specified in the map.
Figure 62-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in
VLAN 10 from being forwarded.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About ACLs
62-5
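The VLAN map and port ACL behaviour described above, as an added configuration example that is not taken from the Cisco guide. Host A's address and MAC, the server subnet, the ACL and map names, and the interface are all assumptions.

```cisco
! Constructed example: Host A is assumed to be 10.10.10.5 (0011.2233.4455) in VLAN 10.
! Goal: stop Host A's TCP sessions to the server subnet and its non-IP frames,
! while every other packet bridged or routed in VLAN 10 is still forwarded.
!
! IP ACL used as a VLAN map match clause. Only IP traffic is evaluated here.
! A positive flag (syn) is used, as the guide recommends; -syn would be ignored.
ip access-list extended HOSTA-TO-SERVERS
 permit tcp host 10.10.10.5 192.168.50.0 0.0.0.255 syn
!
! MAC ACL for non-IP traffic from Host A. IP packets are never matched by a
! MAC ACL inside a VLAN map, so this clause cannot catch the TCP traffic above.
mac access-list extended NONIP-FROM-HOSTA
 permit 0011.2233.4455 0000.0000.0000 any
!
! VLAN map: clauses are evaluated in sequence order; the first match decides.
! A VLAN map has no direction, so it applies to traffic entering or leaving VLAN 10.
vlan access-map BLOCK-HOSTA 10
 match ip address HOSTA-TO-SERVERS
 action drop
vlan access-map BLOCK-HOSTA 20
 match mac address NONIP-FROM-HOSTA
 action drop
! Catch-all clause. Without it, packets matching no clause are dropped.
vlan access-map BLOCK-HOSTA 30
 action forward
!
vlan filter BLOCK-HOSTA vlan-list 10
!
! Port ACLs on a Layer 2 port: one IPv4 list and one MAC list may be applied at the
! same time. Applying a second ip access-group later replaces PORT-IPV4-IN rather
! than adding to it, because only one ACL of each type is allowed per port.
ip access-list extended PORT-IPV4-IN
 permit ip 10.10.10.0 0.0.0.255 any
mac access-list extended PORT-MAC-IN
 permit any any
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-IPV4-IN in
 mac access-group PORT-MAC-IN in
!
! Verification: confirm the map, the VLANs it filters, and the ACE hit counts.
show vlan access-map BLOCK-HOSTA
show vlan filter
show access-lists HOSTA-TO-SERVERS
```

If the port is a trunk or carries a voice VLAN, the port ACL on GigabitEthernet1/1 filters every VLAN on that port, not only VLAN 10.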