Port ACLs - Cisco Catalyst 3550 series Software Configuration Manual

Understanding ACLs

Port ACLs

You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical
interfaces only and not on EtherChannel interfaces. Port ACLs are applied on interfaces for inbound
traffic only. These access lists are supported on Layer 2 interfaces:

• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type
  information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
  information

As with router ACLs, the switch examines ACLs associated with features configured on a given interface
and permits or denies packet forwarding based on how the packet matches the entries in the ACL.
However, ACLs can only be applied to Layer 2 interfaces in the inbound direction. In the example in
Figure 28-1, if all workstations were in the same VLAN, ACLs applied at the Layer 2 input would allow
Host A to access the Human Resources network, but prevent Host B from accessing the same network.

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and
voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.

Note    You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.

VLAN Maps

VLAN maps can access-control all traffic. You can apply VLAN maps on the switch to all packets that
are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for
security packet filtering. Unlike router ACLs, VLAN maps are not defined by direction (input or output).

You can configure VLAN maps to match Layer 3 addresses for IP traffic. All non-IP protocols are
access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not
access-controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through
the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.

With VLAN maps, forwarding of packets is permitted or denied based on the action specified in the
map. Figure 28-2 illustrates how a VLAN map is applied to prevent a specific type of traffic from Host A
in VLAN 10 from being forwarded.
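The following configuration is an added example, not from the guide, that puts the two scenarios above into IOS commands: the Figure 28-1 port ACL case (Host A allowed into the Human Resources network, Host B denied, with one IP and one MAC list on the same physical access port, inbound only) and the Figure 28-2 VLAN map case (one traffic type from Host A dropped inside VLAN 10 regardless of direction). All addresses, MAC addresses, interface numbers, list names, and the choice of TFTP as the traffic type to drop are assumptions made for the example.

```cisco
! Assumed addressing (not from the guide): Host A 10.1.1.10 on Gi0/1,
! Host B 10.1.1.11 on Gi0/2, Human Resources network 10.1.2.0/24,
! all access ports in VLAN 10.

! Extended IP access list for the port ACL: Host A may reach HR,
! Host B may not. The final permit keeps other traffic flowing;
! without it the implicit deny would drop everything else inbound.
ip access-list extended PORT-ACL-HR
 permit ip host 10.1.1.10 10.1.2.0 0.0.0.255
 deny   ip host 10.1.1.11 10.1.2.0 0.0.0.255
 permit ip any any

! MAC extended access list for the non-IP traffic on the same port.
! Assumed policy: drop IPX frames (Ethertype 0x8137) and allow the
! rest of the non-IP traffic. IP traffic is not matched here.
mac access-list extended PORT-MAC-NONIP
 deny   any any 0x8137 0x0
 permit any any

! Port ACLs are applied to physical Layer 2 interfaces, inbound only
! (not to a Port-channel). Each interface takes at most one IP list
! and one MAC list; applying another of the same kind replaces it.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-ACL-HR in
 mac access-group PORT-MAC-NONIP in
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-ACL-HR in

! Figure 28-2 scenario: a VLAN map that drops one kind of traffic from
! Host A inside VLAN 10. VLAN maps carry no direction; the map is
! checked for packets bridged within VLAN 10 and routed into or out
! of it. The ACL only selects the packets; the map supplies the action.
ip access-list extended HOSTA-TFTP
 permit udp host 10.1.1.10 any eq 69

vlan access-map VLAN10-MAP 10
 match ip address HOSTA-TFTP
 action drop
! Catch-all entry with no match clause, so every other packet is
! forwarded rather than relying on the map's default for unmatched types.
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10
```

The port ACL filters only frames entering Gi0/1 and Gi0/2; traffic between two hosts on a hub hanging off one of those ports never reaches the switch and is not filtered, which is the limitation the VLAN map paragraph calls out. The VLAN map, by contrast, catches Host A's TFTP traffic whether it is bridged to another VLAN 10 host or routed out of the VLAN.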
Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-09, Chapter 28 Configuring Network Security with ACLs, page 28-4