CHAPT ER
34-1
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
34
Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 3750 switch by using access
control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a
standalone switch and a switch stack.
In this chapter, references to IP ACLs are specific to IP Version 4 (IPv4) ACLs. For information about
IPv6 ACLs, see Chapter41 , “Configuring IPv6 ACLs.”
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, the “Configuring IP Services” section in the “IP Addressing and Services”
chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS documentation is
available from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >
Configuration Guides or Command References.
The switch also supports Cisco TrustSec Security Group Tag (SCT) Exchange Protocol (SXP). This
feature supports security group access control lists (SGACLs), which define ACL policies for a group of
devices instead of an IP address. The SXP control protocol allows tagging packets with SCTs without a
hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and
distribution layer devices within the Cisco TrustSec domain. Catalyst 3750 switches operate as access
layer switches in the Cisco TrustSec network.
For more information about Cisco TrustSec, see the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
The sections on SXP define the capabilities supported on the Catalyst 3750 switch.
Understanding ACLs, page34-1
Configuring IPv4 ACLs, page34-7
Creating Named MAC Extended ACLs, page34-28
Configuring VLAN Maps, page34-30
Using VLAN Maps with Router ACLs, page34-37
Displaying IPv4 ACL Configuration, page34-42

Understanding ACLs

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a router or switch and permit or deny packets crossing specified
interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to
packets. When a packet is received on an interface, the switch compares the fields in the packet against