Applying Cisco IOS ACLs and VACLs on VLANs; Bridged Packets - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 15
Configuring Access Control
In this ACL example, the deny tcp any host 10.1.1.2 fragment entry stops the fragmented traffic going to all TCP ports on host 10.1.1.2. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows the clients to connect to the TFTP server 10.1.1.2. The system automatically installs an ACE that permits all fragments of UDP traffic to host 10.1.1.2; otherwise, the fragments would be denied by the entry deny ip any host 10.1.1.2.

1. deny tcp any host 10.1.1.2 fragment
2. permit tcp any host 10.1.1.2 eq www
3. permit udp any host 10.1.1.2 eq 69
4. permit udp any gt 1023 10.1.1.2 gt 1023
5. deny ip any host 10.1.1.2
6. permit ip any any

If you explicitly want to stop the fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2 fragment before entry number 3 as shown in this example:

[...]
3. deny udp any host 10.1.1.2 fragment
4. permit udp any host 10.1.1.2 eq 69
5. permit udp any gt 1023 10.1.1.2 gt 1023
[...]

Applying Cisco IOS ACLs and VACLs on VLANs

This section describes how to apply the Cisco IOS ACLs and VACLs to the VLAN for the bridged, routed, and multicast packets.

These sections show how the ACLs and the VACLs are applied:

Bridged Packets, page 15-7
Routed Packets, page 15-8
Multicast Packets, page 15-8

Bridged Packets

Figure 15-1 shows how an ACL is applied on the bridged packets. For the bridged packets, only the Layer 2 ACLs are applied to the input VLAN.
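As an added worked model, not code from the Cisco guide, the following Python evaluator walks the fragment example above through both ACLs. It assumes that non-initial fragments carry no Layer 4 port to inspect, that an ACE with the fragment keyword matches only such fragments, and that the switch's automatically installed fragment permit can be represented by letting a permit ACE with Layer 4 qualifiers permit fragments of the same protocol and destination; the source-port qualifier of entry 4 is omitted.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Ace:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip", "tcp" or "udp"
    dst: str                                  # destination host, or "any"
    dport: Optional[Tuple[str, int]] = None   # ("eq", 69) / ("gt", 1023); None = no L4 qualifier
    fragment: bool = False                    # ACE carries the 'fragment' keyword

@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None               # None = non-initial fragment (no L4 header to inspect)

def evaluate(acl, pkt: Packet) -> Tuple[str, int]:
    # Returns (action, ACE number) of the first matching ACE, or ("deny", 0) for the implicit deny.
    frag = pkt.dport is None
    for n, ace in enumerate(acl, 1):
        if (ace.proto != "ip" and ace.proto != pkt.proto) or (ace.dst != "any" and ace.dst != pkt.dst):
            continue
        if ace.fragment:                      # 'fragment' ACEs match only non-initial fragments
            if frag:
                return ace.action, n
            continue
        if ace.dport is not None:
            if frag:
                # Modelled switch-installed "permit all fragments" companion of a permit ACE with
                # L4 qualifiers (assumption); a deny ACE with L4 qualifiers is skipped for fragments
                if ace.action == "permit":
                    return "permit", n
                continue
            op, value = ace.dport
            if not (pkt.dport == value if op == "eq" else pkt.dport > value):
                continue
        return ace.action, n
    return "deny", 0

HOST = "10.1.1.2"
# The two ACLs from the guide's example (the source-port 'gt 1023' qualifier of entry 4 is omitted)
ACL_ORIGINAL = [
    Ace("deny", "tcp", HOST, fragment=True),
    Ace("permit", "tcp", HOST, dport=("eq", 80)),
    Ace("permit", "udp", HOST, dport=("eq", 69)),
    Ace("permit", "udp", HOST, dport=("gt", 1023)),
    Ace("deny", "ip", HOST),
    Ace("permit", "ip", "any"),
]
ACL_DENY_UDP_FRAG = ACL_ORIGINAL[:2] + [Ace("deny", "udp", HOST, fragment=True)] + ACL_ORIGINAL[2:]
```

A UDP non-initial fragment to 10.1.1.2 is permitted by entry 3 of the original ACL and denied by entry 3 of the modified one, while a TCP fragment is denied by entry 1 in both.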
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
15-7
