Support User Manuals

Cisco Systems ME 3400 Switch User Manual

Open as PDF

of 1086

31-3

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

OL-9639-06

Chapter 31 Configuring Network Security with ACLs

Understanding ACLs

• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming

routed IPv4 packets received on other ports are filtered by both the VLAN map and the router ACL.

Other packets are filtered only by the VLAN map.

• When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing

routed IPv4 packets are filtered by both the VLAN map and the router ACL. Other packets are

filtered only by the VLAN map.

If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IPv4 packets

received on the tunnel port can be filtered by MAC ACLs, but not by IP v4 ACLs. This is because the

switch does not recognize the protocol inside the IEEE 802.1Q header. This restriction applies to router

ACLs, port ACLs, and VLAN maps. For more information about IEEE 802.1Q tunneling, refer to

Chapter 13, “Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling.”

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on

physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the

inbound direction. These access lists are supported on Layer 2 interfaces:

• Standard IP access lists using source addresses

• Extended IP access lists using source and destination addresses and optional protocol type

information

• MAC extended access lists using source and destination MAC addresses and optional protocol type

information

The switch examines ACLs associated with all inbound features configured on a given interface and

permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way,

ACLs are used to control access to a network or to part of a network.

Figure 31-1 is an example of using

port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at

the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from

accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound

direction.

previous next