C H A P T E R
34-1
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
34
Configuring Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists
(ACLs). Unless otherwise noted, the term
switch
refers to a standalone switch and to a switch stack.
Note
Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4). For information about IPv6
ACLs, see
Chapter 35, “Configuring IPv6 ACLs.”
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, see the “Configuring IP Services” section in the “IP Addressing and Services”
chapter of the
Cisco IOS IP Configuration Guide, Release 12.2
, and the
Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
This chapter consists of these sections:
•
•
Configuring IPv4 ACLs, page 34-7
•
Creating Named MAC Extended ACLs, page 34-28
•
Configuring VLAN Maps, page 34-30
•
Using VLAN Maps with Router ACLs, page 34-36
•
Displaying IPv4 ACL Configuration, page 34-40
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a router or switch and permit or deny packets crossing specified
interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to
packets. When a packet is received on an interface, the switch compares the fields in the packet against
any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the
criteria specified in the access lists. One by one, it tests packets against the conditions in an access list.
The first match decides whether the switch accepts or rejects the packets. Because the switch stops
testing after the first match, the order of conditions in the list is critical. If no conditions match, the
switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the
switch drops the packet. The switch can use ACLs on all packets it forwards, including packets bridged
within a VLAN.