Supported ACLs; Router ACLs - Cisco WS-C3550-12G Software Configuration Manual

Understanding ACLs
Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route
traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer software image installed
can accelerate packet routing between VLANs by using Layer 3 switching. The switch bridges the
packet, the packet is then routed internally without going to an external router, and then the packet is
bridged again to send it to its destination. During this process, the switch can access-control all packets
it switches, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If
you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the
network. You can use ACLs to control which hosts can access different parts of a network or to decide
which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail
traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound
traffic, or both.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports two types of ACLs:

- IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
- Ethernet ACLs filter non-IP traffic.

Supported ACLs

The switch supports two applications of ACLs to filter traffic:

- Router ACLs access-control routed traffic between VLANs. All Catalyst 3550 switches can create router ACLs, but you must have the enhanced multilayer software image on your switch to filter packets routed between VLANs.
- VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. You do not need the enhanced image to create or apply VLAN maps. VLAN maps are configured to provide access control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.

This switch also supports Quality of Service (QoS) classification ACLs. For more information, see the "Classification Based on QoS ACLs" section on page 20-7.

Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. Router ACLs are applied on interfaces for specific directions (inbound or outbound).

Catalyst 3550 Multilayer Switch Software Configuration Guide
Chapter 19 Configuring Network Security with ACLs
78-11194-03
19-2
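As an added configuration example (not taken from the manual; VLAN 10, the 192.168.10.0/24 addresses, the ACL and map names and the host MAC address are all assumed), the two applications side by side: a router ACL on the SVI that forwards e-mail but not Telnet for routed traffic, and a VLAN map that applies the same policy to packets that never leave the VLAN, where a router ACL would not see them.

```cisco
! --- Router ACL: routed traffic entering the Vlan10 SVI from VLAN 10 hosts ---
! In a router ACL, permit means forward and deny means drop; entries are
! checked in order and an implicit "deny ip any any" ends the list.
ip access-list extended VLAN10-ROUTED-IN
 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
 deny   tcp 192.168.10.0 0.0.0.255 any eq telnet
 permit ip any any
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-ROUTED-IN in
!
! --- VLAN map: every packet entering VLAN 10, bridged or routed -------------
! Inside a VLAN map, a permit in the referenced ACL only means "this entry
! matches"; the entry's action decides forward or drop. A packet that matches
! no entry is dropped when the map has a match clause for its type (IP or
! MAC), so the last entry forwards everything not dropped above it.
ip access-list extended TELNET-IN-VLAN
 permit tcp any any eq telnet
!
! Ethernet ACE: non-IP frames from one (assumed) host MAC address.
mac access-list extended NONIP-FROM-HOST
 permit host 0000.0c12.3456 any
!
vlan access-map VLAN10-MAP 10
 match ip address TELNET-IN-VLAN
 action drop
vlan access-map VLAN10-MAP 20
 match mac address NONIP-FROM-HOST
 action drop
vlan access-map VLAN10-MAP 30
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
```

Check the result with `show ip access-lists`, `show vlan access-map` and `show vlan filter`; note that the Telnet entry in the VLAN map drops Telnet between two hosts inside VLAN 10 as well as Telnet that is about to be routed out of it.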
