31-3
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Understanding ACLs
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on
physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the
inbound direction. These access lists are supported:
Standard IP access lists using source addresses
Extended IP access lists using source and destination addre sses and optional protocol type
information
MAC extended access lists using source and destination MAC addresses and optional protocol type
information
Note MAC ACLs are supported only when the switch is running the LAN base image.
The switch examines ACLs associated with all inbound features co nfigured on a given interface and
permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way,
ACLs control access to a network or to part of a network. Figure 31-1 is an example of using port ACLs
to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer
2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing
the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
Figure 31-1 Using ACLs to Control Traffic to a Network
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both da ta and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
Host A
Host B
101365
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Human
Resources
network