Access Control Lists (ACLs); MAC ACLs - NETGEAR FSM726E-100NAS Administration Manual

7000 series managed switch administration guide for software version 7.3

This chapter describes the Access Control Lists (ACLs) feature. The following examples are provided:
"Set up an IP ACL with Two Rules" on page 12-3
"Configure a One-Way Access Using a TCP Flag in an ACL" on page 12-8
"Configure Isolated VLANs on a Layer 3 Switch by Using ACLs" on page 12-25
"Set up a MAC ACL with Two Rules" on page 12-38
Access Control Lists (ACLs) can control the traffic entering a network. Normally ACLs reside in a firewall
router or in a router connecting two internal networks. When you configure ACLs, you can selectively admit
or reject inbound traffic, thereby controlling access to your network or to specific resources on your
network.
You can set up ACLs to control traffic at Layer 2 or Layer 3. MAC ACLs are used for Layer 2. IP ACLs are
used for Layer 3. Each ACL contains a set of rules that apply to inbound traffic. Each rule specifies whether
the contents of a given field should be used to permit or deny access to the network, and may apply to one or
more of the fields within a packet.
The following limitations apply to ACLs. These limitations are platform dependent.
Maximum of 100 ACLs
Maximum rules per ACL is 8-10
Stacking systems do not support redirection
The system does not support MAC ACLs and IP ACLs on the same interface.
The system supports ACLs set up for inbound traffic only.
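As an added example (not taken from the NETGEAR guide), the following Python function checks a planned ACL layout against the limitations listed above before the plan is configured on a switch. The data model, the interface names, and the "redirect" action label are assumptions made for illustration, and the rule limit defaults to the lower bound of the 8-10 range.

```python
from collections import defaultdict

MAX_ACLS = 100         # "Maximum of 100 ACLs"
MAX_RULES_PER_ACL = 8  # page says 8-10 by platform; lower bound assumed here

def lint_acl_plan(acls, bindings, stacked=False, max_rules=MAX_RULES_PER_ACL):
    """Return the listed limitations that a planned ACL layout violates.

    acls:     {name: {"type": "mac" or "ip", "rules": [{"action": str}, ...]}}
    bindings: [(interface, acl_name, direction), ...]
    The data model and the "redirect" action label are hypothetical.
    """
    problems = []
    if len(acls) > MAX_ACLS:
        problems.append(f"{len(acls)} ACLs defined, limit is {MAX_ACLS}")
    for name, acl in acls.items():
        count = len(acl["rules"])
        if count > max_rules:
            problems.append(f"{name}: {count} rules, limit is {max_rules}")
        if stacked and any(r["action"] == "redirect" for r in acl["rules"]):
            problems.append(f"{name}: redirect rule on a stacking system")
    types_on_port = defaultdict(set)
    for iface, name, direction in bindings:
        if name not in acls:
            problems.append(f"{iface}: binds undefined ACL {name}")
            continue
        if direction != "in":
            problems.append(f"{iface}: {name} bound '{direction}', inbound only")
        types_on_port[iface].add(acls[name]["type"])
    for iface, types in sorted(types_on_port.items()):
        if {"mac", "ip"} <= types:
            problems.append(f"{iface}: MAC and IP ACLs on the same interface")
    return problems

# Constructed sample plan (names and ports are made up for the example).
SAMPLE_ACLS = {
    "mac_guest": {"type": "mac", "rules": [{"action": "deny"}, {"action": "permit"}]},
    "ip_servers": {"type": "ip", "rules": [{"action": "permit"}] * 11},
    "ip_mirror": {"type": "ip", "rules": [{"action": "redirect"}]},
}
SAMPLE_BINDINGS = [
    ("1/0/1", "mac_guest", "in"),
    ("1/0/1", "ip_servers", "in"),
    ("1/0/2", "ip_mirror", "out"),
]

if __name__ == "__main__":
    for problem in lint_acl_plan(SAMPLE_ACLS, SAMPLE_BINDINGS, stacked=True):
        print(problem)
```

Pass `max_rules=10` on platforms that allow the upper end of the range.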

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet
(limited by platform):
Source MAC address with mask
Destination MAC address with mask
VLAN ID (or range of IDs)
Class of Service (CoS) (802.1p)
Ethertype
Secondary CoS (802.1p)
Secondary VLAN (or range of IDs)

Access Control Lists (ACLs)

v1.0, November 2008
Chapter 12