Chapter 28 Configuring Network Security with ACLs - Cisco Catalyst 3550 Series Software Configuration Manual

Understanding ACLs
the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match,
the order of conditions in the list is critical. If no conditions match, the switch rejects the packets. If there
are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet.
Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route
traffic between VLANs. The Catalyst 3550 switch can accelerate packet routing between VLANs by
using Layer 3 switching. The switch bridges the packet, the packet is then routed internally without
going to an external router, and then the packet is bridged again to send it to its destination. During this
process, the switch can access-control all packets it switches, including packets bridged within a VLAN.
You configure access lists on a router or switch to provide basic security for your network. If you do not
configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types
of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be
forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or
both. However, on Layer 2 interfaces, you can only apply ACLs in the inbound direction.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
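The first-match evaluation, the importance of ACE order and the implicit deny described above, modelled in a small Python ACL simulator. This is an added example, not code from the Cisco guide; the ACE fields, the two sample ACLs (the chapter's "forward e-mail but not Telnet" intent, written correctly and then with a broad permit placed first) and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")  # wildcard "any" source or destination

@dataclass(frozen=True)
class ACE:  # one access control entry: an action plus the conditions a packet must satisfy
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP protocol; otherwise "tcp", "udp" or "icmp"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dst_port: Optional[int] = None  # None means any destination port

@dataclass(frozen=True)
class Packet:  # the packet fields this model tests against an ACE
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    proto_ok = ace.protocol == "ip" or ace.protocol == pkt.protocol
    addr_ok = pkt.src in ace.src and pkt.dst in ace.dst
    port_ok = ace.dst_port is None or ace.dst_port == pkt.dst_port
    return proto_ok and addr_ok and port_ok

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Test ACEs in order; the first match decides. No match at all is the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None

def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never fire because an earlier ACE already matches every packet they would."""
    def covers(earlier: ACE, later: ACE) -> bool:
        return (earlier.protocol in ("ip", later.protocol)
                and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                and (earlier.dst_port is None or earlier.dst_port == later.dst_port))
    return [j for j, later in enumerate(acl) if any(covers(e, later) for e in acl[:j])]

# Constructed samples: the chapter's "forward e-mail but not Telnet" intent, written in two orders.
MAIL_NOT_TELNET = [ACE("permit", "tcp", dst_port=25), ACE("deny", "tcp", dst_port=23)]
MISORDERED = [ACE("permit", "ip"), ACE("deny", "tcp", dst_port=23)]  # the broad permit hides the deny
def sample(proto: str, port: int) -> Packet:  # constructed packet between two example hosts
    return Packet(proto, IPv4Address("10.1.1.5"), IPv4Address("10.2.2.7"), port)
SMTP, TELNET, DNS = sample("tcp", 25), sample("tcp", 23), sample("udp", 53)
```

With MISORDERED, Telnet is permitted by the first ACE and the deny entry is reported as shadowed; with MAIL_NOT_TELNET, SMTP is permitted, Telnet is explicitly denied and unrelated traffic such as DNS falls through to the implicit deny.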
The switch supports two types of ACLs:
• IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet or MAC ACLs filter non-IP traffic.

Supported ACLs

The switch supports three applications of ACLs to filter traffic:
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces. You can apply one router ACL in each direction on an interface.
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2 interface.
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses by using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can enter the VLAN either through a switch port or through a routed port after being routed.

You can use both router ACLs and VLAN maps on the same switch. However, you cannot use port ACLs on a switch that contains input router ACLs or VLAN maps.

When a switch has a Layer 2 interface with an applied IP access list or MAC access list, you can create IP access lists and VLAN maps, but you cannot apply an IP access list to an input Layer 3 interface on that switch, and you cannot apply a VLAN map to any of the switch VLANs. An error message is generated if you attempt to do so. You can still apply an IP access list to an output Layer 3 interface on a switch with port ACLs.

When a switch has an input Layer 3 ACL or a VLAN map applied to it, you cannot apply an IP access list or MAC access list to a Layer 2 interface on that switch. An error message is generated if you attempt to do so. You can apply a port ACL if the switch has an ACL applied to an output Layer 3 interface.

Catalyst 3550 Multilayer Switch Software Configuration Guide
28-2
Chapter 28
Configuring Network Security with ACLs
78-11194-09
