Cisco Systems OL-8550-09 Supported ACLs

34-2

Catalyst 3750 SwitchSoftware Configuration Guide

OL-8550-09

Chapter34 Configuring Network Security with ACLs

Understanding ACLs

any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the

criteria specified in the access lists. One by one, it tests packets against the conditions in an access list.

The first match decides whether the switch accepts or rejects the packets. Because the switch stops

testing after the first match, the order of conditions in the list is critical. If no conditions match, the

switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the

switch drops the packet. The switch can use ACLs on all packets it forwards, including packets bridged

within a VLAN.

You configure access lists on a router or Layer 3 switch to provide basic security for your network. If

you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the

network. You can use ACLs to control which hosts can access different parts of a network or to decide

which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail

traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound

traffic, or both.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny

and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny

depends on the context in which the ACL is used.

The switch supports IP ACLs and Ethernet (MAC) ACLs:

•IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group

Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

•Ethernet ACLs filter non-IP traffic.

This switch also supports quality of service (QoS) classification ACLs. For more information, see the

“Classification Based on QoS ACLs” section on page35-8.

These sections contain this conceptual information:

•Supported ACLs, page34-2

•Handling Fragmented and Unfragmented Traffic, page34-5

•ACLs and Switch Stacks, page34-6

Supported ACLs

•Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs

in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer2

interface. For more information, see the “Port ACLs” section on page34-3.

•Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in

a specific direction (inbound or outbound). For more information, see the “Router ACLs” section on

page 34-4.

•VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN

maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide

access control based on Layer3 addresses for IPv4. Unsupported protocols are access-controlled

through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets

(routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter

the VLAN through a switch port or through a routed port after being routed. For more information,

see the “VLAN Maps” section on page 34-5.

You can use input port ACLs, router ACLs, and VLAN maps on the same switch. However, a port ACL

takes precedence over a router ACL or VLAN map.

•When both an input port ACL and a VLAN map are applied, incoming packets received on ports

with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map