Table of Contents
Advertisement
Understanding ACLs
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a router or switch and permit or deny packets crossing specified
interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to
packets. When a packet is received on an interface, the switch compares the fields in the packet against
any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the
criteria specified in the access lists. One by one, it tests packets against the conditions in an access list.
The first match decides whether the switch accepts or rejects the packets. Because the switch stops
testing after the first match, the order of conditions in the list is critical. If no conditions match, the
switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the
switch drops the packet. The switch can use ACLs on all packets it forwards, including packets bridged
within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If
you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the
network. You can use ACLs to control which hosts can access different parts of a network or to decide
which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail
traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound
traffic, or both.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
•
•
This switch also supports quality of service (QoS) classification ACLs. For more information, see the
"Classification Based on QoS ACLs" section on page
These sections contain this conceptual information:
•
•
•
Supported ACLs
The switch supports three applications of ACLs to filter traffic:
•
•
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
35-2
IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
Ethernet ACLs filter non-IP traffic.
Supported ACLs, page 35-2
Handling Fragmented and Unfragmented Traffic, page 35-6
ACLs and Switch Stacks, page 35-7
Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs
in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer
2 interface. For more information, see the
Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in
a specific direction (inbound or outbound). For more information, see the
page
35-4.
Chapter 35
Configuring Network Security with ACLs
37-8.
"Port ACLs" section on page
35-3.
"Router ACLs" section on
OL-13270-06
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
