34-3
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 34 Configuring Network Security with ACLs
Understanding ACLs
•
When an output router ACL and input port ACL exist in an SVI, incoming packets received on the
ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are
filtered by the router ACL. Other packets are not filtered.
•
When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets
received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming
routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.
Other packets are filtered only by the VLAN map.
•
When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets
received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing
routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered
only by the VLAN map.
If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IP packets
received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the switch
does not recognize the protocol inside the IEEE 802.1Q header. This restriction applies to router ACLs,
port ACLs, and VLAN maps. For more information about IEEE 802.1Q tunneling, see
“Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling”
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only
on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the
inbound direction. These access lists are supported:
•
Standard IP access lists using source addresses
•
Extended IP access lists using source and destination addresses and optional protocol type
information
•
MAC extended access lists using source and destination MAC addresses and optional protocol type
information
The switch examines ACLs associated with all inbound features configured on a given interface and
permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this
way, ACLs control access to a network or to part of a network.
is an example of using port
ACLs to control access to a network when all servers are in the same VLAN. ACLs applied at the Layer 2
input would allow Blade Server A to access the Human Resources network, but prevent Blade Server B
from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound
direction.