27-4
Catalyst 3560 Switch Software Configuration Guide
78-16156-01
Chapter 27 Configuring Network Security with ACLs
Understanding ACLs
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
Note
You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.
Router ACLs
You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs;
on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on
interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction
on an interface.
One ACL can be used with multiple features for a given interface, and one feature can use multiple
ACLs. When a single router ACL is used by multiple features, it is examined multiple times.
•
Standard IP access lists use source addresses for matching operations.
•
Extended IP access lists use source and destination addresses and optional protocol type information
for matching operations.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface.
However, router ACLs are supported in both directions. As packets enter the switch on an interface,
ACLs associated with all inbound features configured on that interface are examined. After packets are
routed and before they are forwarded to the next hop, all ACLs associated with outbound features
configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and
can be used to control access to a network or to part of a network. In
Figure 27-1
, ACLs applied at the
router input allow Host A to access the Human Resources network, but prevent Host B from accessing
the same network.
VLAN Maps
VLAN ACLs or VLAN maps can access-control all traffic. You can apply VLAN maps to all packets
that are routed into or out of a VLAN or are bridged within a VLAN in the switch. VLAN maps are used
for security packet filtering. VLAN maps are not defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. All non-IP protocols are
access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not
access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through
the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the
map.
Figure 27-2
illustrates how a VLAN map is applied to deny a specific type of traffic from Host A
in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.