Supported ACLs - Cisco Catalyst 3750 Software Configuration Manual

Chapter 25
Configuring Network Security with ACLs

Understanding ACLs

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The switch tests a packet
against the ACEs in order, and the first ACE that matches decides the result; a packet that matches no
ACE is dropped by the implicit deny at the end of every ACL. The meaning of permit or deny depends
on the context in which the ACL is used: in a router ACL or port ACL, permit forwards the packet and
deny drops it, whereas in a VLAN map, permit only means that the packet matches the clause, and the
action configured for that clause decides whether the packet is forwarded or dropped.

The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group
  Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IPv4 traffic.

This switch also supports quality of service (QoS) classification ACLs. For more information, see the
"Ingress Classification Based on QoS ACLs" section on page

This section includes information on these topics:
• Supported ACLs, page 25-2
• Handling Fragmented and Unfragmented Traffic, page 25-5

Supported ACLs

The switch supports three applications of ACLs to filter traffic:
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces.
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port
  ACLs in the outbound direction. You can apply only one IP access list and one MAC access list to
  a Layer 2 interface.
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN
  maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide
  access-control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled
  through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets
  (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter
  the VLAN through a switch port or through a routed port after being routed.

You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL
takes precedence over a router ACL or VLAN map:
• When both an input port ACL and a VLAN map are applied, incoming packets received on ports
  with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
• When an input router ACL and an input port ACL exist in a switch virtual interface (SVI), incoming
  packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming
  routed IP packets received on other ports are filtered by the router ACL. Other packets are not
  filtered.
• When an output router ACL and an input port ACL exist in an SVI, incoming packets received on the
  ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are
  filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, an input router ACL, and an input port ACL exist in an SVI, incoming packets
  received on the ports to which a port ACL is applied are filtered only by the port ACL. Incoming
  routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.
  Other packets are filtered only by the VLAN map.
• When a VLAN map, an output router ACL, and an input port ACL exist in an SVI, incoming packets
  received on the ports to which a port ACL is applied are filtered only by the port ACL. Outgoing
  routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered
  only by the VLAN map.

Catalyst 3750 Metro Switch Software Configuration Guide
25-2
78-15870-01
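The following configuration is an added example, not taken from the configuration guide, that puts all three ACL applications from this section on one switch so that the precedence rules above can be read against concrete commands. The ACL names, the addresses in 10.10.0.0/16 and 10.20.0.0/16, the MAC address, VLAN 10 and interface FastEthernet1/0/1 are assumptions chosen for illustration.

```cisco
! Added example (not from the configuration guide). All names, addresses,
! the MAC address, VLAN and interface numbers are assumptions.
!
! 1. Router ACL on the Layer 3 SVI. It filters IP packets that hosts in VLAN 10
!    send to be routed to other VLANs, but only for ports that have no port ACL.
!    ACEs are tested top down, the first match wins, and anything not listed
!    is dropped by the implicit deny at the end of the list.
ip access-list extended USERS-IN
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 deny   ip any 10.20.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group USERS-IN in
!
! 2. Port ACL on a Layer 2 access port: inbound only, at most one IP list and
!    one MAC list. Frames entering this port are filtered here and by nothing
!    else (no VLAN map, no router ACL), so this list has to carry its own deny.
ip access-list extended KIOSK-IP
 permit tcp host 10.10.5.7 host 10.20.0.5 eq 443
 permit udp host 10.10.5.7 host 10.20.0.53 eq 53
 deny   ip any any
!
mac access-list extended KIOSK-MAC
 permit host 0011.2233.4455 any
 deny   any any
!
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group KIOSK-IP in
 mac access-group KIOSK-MAC in
!
! 3. VLAN map: checked for bridged and routed packets entering VLAN 10,
!    including host-to-host traffic that never reaches the SVI. In this context
!    "permit" in the ACL only means "the packet matches this clause"; the
!    clause's action decides whether it is dropped or forwarded.
ip access-list extended INTRA-VLAN-TELNET
 permit tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 23
!
vlan access-map USERS-MAP 10
 match ip address INTRA-VLAN-TELNET
 action drop
! A VLAN map drops packets that match no clause, so a final clause with no
! match condition is needed to forward everything else.
vlan access-map USERS-MAP 20
 action forward
!
vlan filter USERS-MAP vlan-list 10
```

Read against the precedence rules: a frame from the kiosk on FastEthernet1/0/1 is checked only against KIOSK-IP and KIOSK-MAC. The telnet block in USERS-MAP and the USERS-IN router ACL never see it, so whatever the port ACL permits passes; that is why KIOSK-IP ends in an explicit deny rather than relying on the VLAN map to catch the rest. A frame from any other port in VLAN 10 is checked against USERS-MAP, and, if it is routed through Vlan10, against USERS-IN as well. `show vlan filter`, `show ip interface vlan 10` and `show mac access-group` confirm where each list is applied.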
