Vlan Maps - Cisco WS-CBS3032-DEL Software Configuration Manual

Chapter 35
Configuring Network Security with ACLs
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide, OL-13270-06, page 35-5

Understanding ACLs

ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be used to control access to a network or to part of a network. In Figure 35-1, ACLs applied at the router input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.

The switch supports these access lists for IPv4 traffic:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.

One ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times.

VLAN Maps

Use VLAN ACLs or VLAN maps to access-control all traffic. You can apply VLAN maps to all packets that are routed into or out of a VLAN or are bridged within a VLAN in the switch or switch stack. Use VLAN maps for security packet filtering. VLAN maps are not defined by direction (input or output).

You can configure VLAN maps to match Layer 3 addresses for IPv4 traffic.

All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 35-2 shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.

Figure 35-2 Using VLAN Maps to Control Traffic
[Figure: Host A (VLAN 10) and Host B (VLAN 10) attached to the blade switch. Legend: a VLAN map denying a specific type of traffic from Host A; a packet.]
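The two scenarios described above (the router ACL of Figure 35-1 and the VLAN map of Figure 35-2), carried through as one IOS configuration. This is an added example, not a configuration taken from the Cisco guide; the IP and MAC addresses, the VLAN and interface numbers, the choice of Telnet and AppleTalk as the "specific type of traffic", and the ACL and access-map names are all assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. All addresses, names and numbers are assumed.
!
! --- Part 1: router ACL (Figure 35-1) -----------------------------------------
! Host A (10.1.10.11) may reach the Human Resources network (10.1.50.0/24);
! Host B (10.1.10.12) may not. The extended ACL matches source AND destination,
! which a standard ACL (source only) could not express. It is applied inbound on
! the routed interface the hosts' traffic enters, so it is checked before routing.
ip routing
!
ip access-list extended HR-INBOUND
 remark Host A -> HR network: permitted
 permit ip host 10.1.10.11 10.1.50.0 0.0.0.255
 remark Host B -> HR network: denied explicitly so the hit counter is visible
 deny   ip host 10.1.10.12 10.1.50.0 0.0.0.255
 remark Every IOS ACL ends with an implicit deny; without this line all other
 remark routed traffic from VLAN 10 would be dropped as well
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group HR-INBOUND in
!
interface Vlan50
 description Human Resources network
 ip address 10.1.50.1 255.255.255.0
!
! --- Part 2: VLAN map (Figure 35-2) -------------------------------------------
! A router ACL on Vlan10 never sees Host A -> Host B traffic: it is bridged inside
! VLAN 10, not routed. A VLAN map filters bridged and routed packets alike and has
! no direction. Here it stops Host A's Telnet (IPv4, matched by an IP ACL) and
! Host A's AppleTalk frames (non-IP, matched by MAC address plus Ethertype).
ip access-list extended HOSTA-TELNET
 permit tcp host 10.1.10.11 any eq 23
!
mac access-list extended HOSTA-APPLETALK
 remark 0011.2233.4455 is Host A's assumed MAC; IP frames are never matched here
 permit host 0011.2233.4455 any appletalk
!
! In a VLAN map, an ACL "permit" means "this entry matches"; the action then applies.
vlan access-map VLAN10-FILTER 10
 match ip address HOSTA-TELNET
 action drop
vlan access-map VLAN10-FILTER 20
 match mac address HOSTA-APPLETALK
 action drop
! An entry with no match clause matches everything left over. A map that contains
! match clauses ends with an implicit drop, so without this entry all other
! traffic in VLAN 10 would be black-holed.
vlan access-map VLAN10-FILTER 30
 action forward
!
! Only one VLAN map can be applied to a VLAN.
vlan filter VLAN10-FILTER vlan-list 10
```

To verify on the switch, `show access-lists HR-INBOUND` shows per-entry match counts for the router ACL, and `show vlan access-map` and `show vlan filter` show the map entries and the VLAN it is applied to. Note the limit the guide states: the VLAN map only acts on frames that pass through this switch, so Host A talking to a host on the same hub, or on a downstream switch, is not filtered.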
