Cisco Systems 3560 Port ACLs

33-3

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 33 Configuring Network Security with ACLs

Understanding ACLs

• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the

ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are

filtered by the router ACL. Other packets are not filtered.

• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming

routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.

Other packets are filtered only by the VLAN map.

• When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing

routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered

only by the VLAN map.

If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IP packets

received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the switch

does not recognize the protocol inside the IEEE 802.1Q header. This restriction applies to router ACLs,

port ACLs, and VLAN maps. For more information about IEEE 802.1Q tunneling, see Chapter 16,

“Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling.”

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only

on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the

inbound direction. These access lists are supported:

• Standard IP access lists using source addresses

• Extended IP access lists using source and destination addresses and optional protocol type

information

• MAC extended access lists using source and destination MAC addresses and optional protocol type

information

The switch examines ACLs associated with all inbound features configured on a given interface and

permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this

way, ACLs control access to a network or to part of a network. Figure 33-1 is an example of using port

ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the

Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from

accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound

direction.