Cisco Catalyst 2960-XR Security Configuration Manual page 128
Ios release 15.0 2 ex1
Hide thumbs
Also See for Catalyst 2960-XR:
- Configuration manual (196 pages) ,
- Configuration manuals (120 pages) ,
- Reference (52 pages)
Table of Contents
Advertisement
Restrictions for Configuring Network Security with ACLs
• You cannot apply named MAC extended ACLs to Layer 3 interfaces.
• Though visible in the command-line help strings, appletalk is not supported as a matching condition
for the deny and permit MAC access-list configuration mode commands.
ACL Filtering
The following are restrictions on ACL filtering:
• If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IP packets
received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the
switch does not recognize the protocol inside the IEEE 802.1Q header. This restriction applies to router
ACLs, port ACLs, and VLAN maps.
IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs to network interfaces:
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes
precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the
VLAN.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters
packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
• You do not have to enable routing to apply ACLs to Layer 2 interfaces.
By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a
Note
packet is denied by an access group on a Layer 3 interface. These access-group denied packets are not
dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable
message. They do not generate ICMP unreachable messages. ICMP unreachable messages can be disabled
on router ACLs with the no ip unreachables interface command.
MAC ACLs on a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that
interface. When you apply the MAC ACL, consider these guidelines:
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes
precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the
VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
106
Configuring IPv4 ACLs
OL-29434-01
Hide quick links:
Advertisement
Table of Contents
