Router Acls; Port Acls - Cisco Catalyst 3750 Software Configuration Manual

Metro switch

Hide thumbs Also See for Catalyst 3750:

Table of Contents

Configuring Network Security with ACLs

Router ACLs

You can apply router ACLs on SVIs, which are Layer 3 interfaces to VLANs; on physical Layer 3

interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific

directions (inbound or outbound). You can apply one router ACL in each direction on an interface.

One ACL can be used with multiple features for a given interface, and one feature can use multiple

ACLs. When a single router ACL is used by multiple features, it is examined multiple times.

The switch examines ACLs associated with features configured on a given interface and a direction. As

packets enter the switch on an interface, ACLs associated with all inbound features configured on that

interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs

associated with outbound features configured on the egress interface are examined.

ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and

can be used to control access to a network or to part of a network. In

switch input allow Host A to access the Human Resources network, but prevent Host B from accessing

the same network.

Figure 25-1 Using ACLs to Control Traffic to a Network

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on

physical interfaces and not on EtherChannel interfaces. Port ACLs are applied only on interfaces for

inbound traffic.

Standard IP access lists use source addresses for matching operations.

Extended IP access lists use source and destination addresses and optional protocol type information

for matching operations.

= ACL denying traffic from Host B

and permitting traffic from Host A

Catalyst 3750 Metro Switch Software Configuration Guide

Understanding ACLs

25-1, ACLs applied at the