IPv4 Access Control Lists (ACLs)
Overview
General Steps for Planning and Configuring ACLs
1. Identify the traffic type to filter. Options include:
2. The SA and/or the DA of inbound traffic you want to permit or deny.
3. Determine the best points at which to apply specific ACL controls. For
4. Design the ACLs for the selected control points. Where you are using
5. Create the ACLs in the selected switches.
6. Assign the ACLs to filter the inbound traffic on ports and/or static trunk
7. Test for desired results.
For more details on ACL planning considerations, refer to "Planning an ACL
Application" on page 9-17.
Caution Regarding
Source routing is enabled by default on the switch and can be used to override
the Use of Source
ACLs. For this reason, if you are using ACLs to enhance network security, the
Routing
recommended action is to use the no ip source-route command to disable
source routing on the switch. (If source routing is disabled in the running
config file, the show running command includes "no ip source-route" in the
running-config file listing.)
9-12
•
Any inbound IP traffic
•
Inbound TCP traffic only
•
Inbound UDP traffic only
example, you can improve network performance by filtering unwanted
traffic at the edge of the network instead of in the core.
explicit "deny" ACEs, you can optionally use the ACL logging feature to
help verify that the switch is denying unwanted packets where intended.
Remember that excessive ACL logging activity can degrade the switch's
performance. (Refer to "Enable ACL "Deny" Logging" on page 9-68.)
interfaces configured on the switch.