Product guide
10-4
Access Control Lists (ACLs)
Introduction
An Access Control List (ACL) is a list of one or more Access Control Entries
(ACEs) specifying the criteria the switch uses to either permit (forward) or
deny (drop) IP packets traversing the switch’s interfaces. This chapter
describes how to configure, apply, and edit ACLs in a network populated with
the switches covered by this guide, and how to monitor ACL actions.
IP filtering with ACLs can help improve network performance and restrict
network use by creating policies for:
■ Switch Management Access: Permits or denies in-band management
access. This includes limiting and/or preventing the use of designated
protocols that ride on top of IP, such as TCP, UDP, IGMP, ICMP, and
others. Also included are the use of precedence and ToS criteria, and
control for application transactions based on source and destination IP
addresses and transport layer port numbers.
■ Application Access Security: Eliminates unwanted IP traffic in a
path by filtering IP packets where they enter or leave the switch on
specific VLAN interfaces.
ACLs can filter IP traffic to or from a host, a group of hosts, or entire subnets.
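The following simulator is an added illustration of how a list of ACEs is evaluated against packets; it is not code from this guide or from the switch firmware. It assumes a few things the text above does not state explicitly: entries are checked in order, the first matching entry decides, and a packet that matches no entry is dropped. The ACE fields (protocol, source and destination network, destination port) correspond to the filtering criteria the introduction lists; the addresses and ACL below are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: just the fields an ACE can test."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", "igmp", ...
    dport: Optional[int] = None # transport-layer destination port, if any


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry. Defaults match any host / any IP protocol."""
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # "ip" matches any protocol carried in IP
    src: str = "0.0.0.0/0"      # source network in CIDR form
    dst: str = "0.0.0.0/0"      # destination network in CIDR form
    dport: Optional[int] = None # None means "any port"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, int]:
    """Return (action, 1-based index of the deciding ACE).

    Assumption (not stated in the guide's introduction): entries are tried
    in order, the first match wins, and no match means the packet is denied.
    Index 0 marks that implicit deny.
    """
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", 0


# Constructed example: restrict in-band management (SSH/Telnet) of the
# switch's management address 10.10.1.5 to hosts on the 10.10.20.0/24
# management subnet, while leaving other IP traffic alone.
MGMT_ACL: List[ACE] = [
    ACE("permit", "tcp", src="10.10.20.0/24", dst="10.10.1.5/32", dport=22),
    ACE("deny",   "tcp", dst="10.10.1.5/32", dport=22),
    ACE("deny",   "tcp", dst="10.10.1.5/32", dport=23),
    ACE("permit", "ip"),
]

# Constructed sample packets exercising each entry and the implicit deny.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.10.20.7",  "10.10.1.5",  "tcp", 22),  # mgmt host, SSH  -> permit (1)
    Packet("192.168.5.4", "10.10.1.5",  "tcp", 22),  # outside, SSH    -> deny   (2)
    Packet("10.10.20.7",  "10.10.1.5",  "tcp", 23),  # mgmt host, Telnet -> deny (3)
    Packet("10.10.20.7",  "10.10.30.9", "udp", 53),  # unrelated DNS   -> permit (4)
]


def run_samples(acl: List[ACE] = MGMT_ACL) -> List[Tuple[str, int]]:
    """Evaluate every sample packet against the ACL."""
    return [evaluate(acl, pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE_PACKETS, run_samples()):
        where = f"ACE {idx}" if idx else "implicit deny"
        print(f"{pkt.proto:4} {pkt.src:>12} -> {pkt.dst:<11} port {pkt.dport}: {action} ({where})")
```

Because entry order decides the outcome, the specific permit for the management subnet must precede the broader deny for port 22; swapping the first two entries would lock the management hosts out as well. The trailing `permit ip` is what keeps non-management traffic flowing; without it, the assumed implicit deny would drop everything else.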
Notes
ACLs can enhance network security by blocking selected IP traffic, and can
serve as part of your network security program. However, because ACLs do
not provide user or device authentication, or protection from malicious
manipulation of data carried in IP packet transmissions, they should not
be relied upon for a complete security solution.
ACLs on the switches covered by this manual do not screen non-IP traffic such
as AppleTalk and IPX.
Feature                                Default   CLI (page)
Standard ACLs                          None      10-51
Extended ACLs                          None      10-60
Enable or Disable an ACL               n/a       10-81
Display ACL Data                       n/a       10-96
Delete an ACL                          n/a       10-85
Configure an ACL from a TFTP Server    n/a       10-104
Enable ACL Logging                     n/a       10-111