Specifications
26-2
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 26 Configuring Network Security with ACLs
Understanding ACLs
You configure access lists on a switch to provide basic security for your network. If you do not configure
ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use
ACLs to control which hosts can access different parts of a network or to decide which types of traffic
are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet
traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The switch tests a packet
against the ACEs in the order listed and acts on the first ACE that matches; a packet that matches no ACE
is denied by the implicit deny entry at the end of every ACL. The meaning of permit or deny depends on
the context in which the ACL is used.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.
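As an added example (not configuration from the original guide), the e-mail-but-not-Telnet policy described above expressed as an extended IP access list. The ACL name, the client subnet 10.1.1.0/24 and the mail server address 10.1.2.25 are assumptions chosen for illustration. The point of the example is ACE ordering: entries are tested top-down, the first match decides, and a packet that matches nothing hits the implicit deny that ends every ACL.

```cisco
! Added example, not from the guide. Addresses and the ACL name are assumed.
! Policy: hosts on 10.1.1.0/24 may send SMTP (TCP/25) to the mail server
! 10.1.2.25, may not open Telnet (TCP/23) to anything, and may otherwise
! reach any IP host. 0.0.0.255 is a wildcard mask (the inverse of /24):
! 0 bits must match, 1 bits are ignored.
ip access-list extended MAIL-YES-TELNET-NO
 remark ACEs are evaluated top-down; the first matching ACE wins
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.25 eq smtp
 deny   tcp 10.1.1.0 0.0.0.255 any eq telnet
 permit ip 10.1.1.0 0.0.0.255 any
 remark Nothing below this point is reachable for 10.1.1.0/24 traffic.
 remark Packets from any other source match no ACE and are dropped by the
 remark implicit "deny ip any any" that ends every IP ACL.
```

Order matters: if the broad `permit ip 10.1.1.0 0.0.0.255 any` were listed first, the Telnet deny would never be reached and the policy would silently allow Telnet. `show access-lists MAIL-YES-TELNET-NO` displays the entries in evaluation order together with per-ACE match counters, which is the quickest way to confirm that a deny entry is actually being hit.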
This switch also supports quality of service (QoS) classification ACLs. For more information, see the
“Classification Based on QoS ACLs” section on page 27-7.
This section includes information on these topics:
• Supported ACLs, page 26-2
• Handling Fragmented and Unfragmented Traffic, page 26-4
Supported ACLs
The switch supports two applications of ACLs to filter traffic:
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs
in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer
2 interface.
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN
maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide
access-control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled
through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets
(routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter
the VLAN through a switch port or through a routed port after being routed.
You can use input port ACLs and VLAN maps on the same switch. However, a port ACL takes
precedence over a VLAN map. When an input port ACL is applied to an interface that belongs to a
VLAN that has a VLAN map applied, incoming packets received on the interface with the port ACL
applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only
on physical interfaces and not on EtherChannel interfaces. Port ACLs are applied only on interfaces for
inbound traffic. These access lists are supported on Layer 2 interfaces:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type
information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information
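An added example, not configuration from the original guide, showing the two places an ACL can be applied on this switch: a port ACL pair (one IP access list and one MAC access list, the maximum a Layer 2 interface accepts) applied inbound on a physical port, and a VLAN map applied to that port's VLAN. The interface, VLAN number, list names, addresses and the rogue MAC address are assumptions for illustration. The trailing comments spell out which filter a given frame meets under the precedence rule stated above.

```cisco
! Added example, not from the guide. Interface, VLAN, names and addresses are assumed.
!
! Standard IP access list: matches on source address only.
ip access-list standard TRUSTED-SOURCES
 permit 10.1.1.0 0.0.0.255
 remark every other IP source is dropped by the implicit deny
!
! MAC extended access list: filters non-IP frames; drop one known rogue station.
! The source/destination form is {any | host MAC | MAC mask}.
mac access-list extended BLOCK-ROGUE-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
! Port ACL: inbound only, physical interface only (not an EtherChannel),
! at most one IP access list and one MAC access list per Layer 2 port.
interface gigabitethernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group TRUSTED-SOURCES in
 mac access-group BLOCK-ROGUE-MAC in
!
! VLAN map for VLAN 10. Here "permit" in the referenced ACL does not mean
! forward; it means "this clause matches", and the clause's action decides.
ip access-list extended TELNET
 permit tcp any any eq telnet
!
vlan access-map VLAN10-POLICY 10
 match ip address TELNET
 action drop
! A clause with no match statement matches everything. Without it, packets
! matching no clause would be dropped by the VLAN map's own default action.
vlan access-map VLAN10-POLICY 20
 action forward
!
vlan filter VLAN10-POLICY vlan-list 10
!
! Result under the precedence rule: frames received on Gi0/1 are filtered by
! the two port ACLs and are not checked against VLAN10-POLICY. Frames entering
! VLAN 10 on any other port, or routed into it, are checked against
! VLAN10-POLICY: Telnet is dropped by clause 10, everything else is forwarded
! by clause 20.
```

`show vlan filter` confirms which VLANs a map is applied to, `show vlan access-map` lists the clauses in order, and `show ip access-lists` and `show access-lists` show the referenced lists with their match counters. A common misconfiguration is to write the VLAN map's ACL with the deny entries that would make sense in a port ACL; inside a map those entries simply fail to match and the packet falls through to the next clause.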