Router Acls - Cisco Catalyst 3550 series Software Configuration Manual
Chapter 28
Configuring Network Security with ACLs
If 802.1Q tunneling is configured on an interface, any 802.1Q encapsulated IP packets received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the switch does not recognize the protocol inside the 802.1Q header. This restriction applies to router ACLs, port ACLs, and VLAN maps. For more information about 802.1Q tunneling, refer to Chapter 15, "Configuring 802.1Q and Layer 2 Protocol Tunneling."

This switch also supports Quality of Service (QoS) classification ACLs. For more information, see the "Classification Based on QoS ACLs" section on page 29-7.

Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs;
on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. Router ACLs are applied on
interfaces for specific directions (inbound or outbound). You can apply one IP access list in each
direction.
One ACL can be used with multiple features for a given interface, and one feature can use multiple
ACLs. When a single router ACL is used by multiple features, it is examined multiple times.
The switch examines ACLs associated with features configured on a given interface and a direction. As
packets enter the switch on an interface, ACLs associated with all inbound features configured on that
interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs
associated with outbound features configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For example, you can use access lists to allow one host to access a part of a network, but prevent another host from accessing the same part. In Figure 28-1, ACLs applied at the router input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.
Figure 28-1 Using ACLs to Control Traffic to a Network

[Figure 28-1: Host A and Host B on the Research & Development network reach the Human Resources network through a Catalyst 3550 switch; an ACL on the switch denies traffic from Host B and permits traffic from Host A.]

Standard IP access lists use source addresses for matching operations.

Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
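As an added example (not configuration from the manual), the Figure 28-1 policy written as a named extended IP ACL and applied inbound on the SVI where the hosts enter; the ACL name, VLAN numbers and all addresses are assumed for illustration:

```ios
! Assumed addressing (not from the manual):
!   Host A = 10.10.10.11 and Host B = 10.10.10.12, both in VLAN 10
!   Human Resources network = 10.20.20.0/24 (wildcard 0.0.0.255)
ip access-list extended HR-NET-IN
 remark Figure 28-1: Host A may reach HR, Host B may not
 permit ip host 10.10.10.11 10.20.20.0 0.0.0.255
 deny   ip host 10.10.10.12 10.20.20.0 0.0.0.255
 ! Entries are checked top to bottom and the first match wins. Without the
 ! line below, every other packet would hit the implicit "deny ip any any"
 ! at the end of the list and all other routed traffic from VLAN 10 would stop.
 permit ip any any
!
! Bind the ACL inbound on the Layer 3 SVI (the "router input" of the figure).
! One IP access list is allowed per direction on the interface.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group HR-NET-IN in
!
! Checks after applying:
!   show ip access-lists HR-NET-IN          - entries and per-entry match counters
!   show ip interface vlan 10 | include access list   - confirms "Inbound access list is HR-NET-IN"
```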
Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-09, page 28-3