Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
About ACLs
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.
With port ACLs, you can filter IPv4 traffic with IPv4 access lists, IPv6 traffic with IPv6 access lists, and
non-IP traffic with MAC access lists. You can filter multiple types of traffic simultaneously by applying
ACLs of the appropriate type to the Layer 2 interface simultaneously.
Note
You cannot simultaneously apply more than one access list of a given type to a Layer 2 interface. If an
IPv4, IPv6, or MAC access list is already configured on a Layer 2 interface, and you apply a new IPv4,
IPv6 or MAC access list to the interface, the new ACL replaces the previously configured ACL of the
same type.
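The following configuration is an added example, not taken from the Cisco guide, showing the three access-list types the text describes (IPv4, IPv6 and MAC) applied together to one Layer 2 interface. All names, addresses and the interface number are assumptions chosen for illustration; the IPv4 and MAC lists together filter both IP and non-IP traffic on the same port, and re-applying a second list of the same type with `ip access-group` would replace, not add to, the one shown.

```cisco
! Added example (not from the guide): port ACLs of each type on one access port.
! IPv4 access list: allow the data VLAN's hosts to reach one server on HTTPS only.
ip access-list extended PORT-IPV4-IN
 remark constructed addresses for illustration
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 443
 deny   ip any any log
!
! IPv6 access list: allow ICMPv6 (neighbor discovery) and one web server, drop the rest.
ipv6 access-list PORT-IPV6-IN
 permit icmp any any
 permit tcp 2001:db8:10::/64 host 2001:db8:20::5 eq 443
 deny   ipv6 any any
!
! MAC access list: non-IP traffic is only accepted from one known source MAC.
! (IP traffic is never matched by a MAC ACL; the lists above handle it.)
mac access-list extended PORT-MAC-IN
 permit 0000.1111.2222 0000.0000.0000 any
 deny   any any
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! One list of each type may be attached; a later "ip access-group X in"
 ! would replace PORT-IPV4-IN rather than stack with it.
 ip access-group PORT-IPV4-IN in
 ipv6 traffic-filter PORT-IPV6-IN in
 mac access-group PORT-MAC-IN in
```

Because the port carries a voice VLAN, all three lists filter frames on both VLAN 10 and VLAN 110, as the text states; verify the attachment with `show access-lists` and `show running-config interface GigabitEthernet1/1` after applying it.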
Dynamic ACLs
Various security features, such as 802.1X, NAC and Web Authentication, are capable of downloading
ACLs from a central server and applying them to interfaces. Prior to Cisco IOS Release 12.2(54)SG,
these features required the explicit configuration of a standard port ACL.
Starting with Cisco IOS Release 12.2(54)SG, a port ACL does not require configuration. For more
details, refer to the “Removing the Requirement for a Port ACL” section on page 62-32.
VLAN Maps
VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch
to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are not
defined by direction (input or output).
Note
Negative TCP flags such as -syn, -psh or -fin in ACEs are not considered when you apply VLAN ACLs;
we recommend that you use positive TCP flags in ACEs.
You can configure VLAN maps to match Layer 3 addresses for IP traffic. Access of all non-IP protocols
is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not
controlled by MAC ACLs in VLAN maps.) You can enforce VLAN maps only on packets heading to the
switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding packets is permitted or denied, based on the action specified in the map.
illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in
VLAN 10 from being forwarded.
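The configuration below is an added example, not the guide's own, of the scenario just described: a VLAN map that drops one type of traffic from Host A in VLAN 10 and forwards everything else. Host A's address, the map and ACL names, and the choice of TCP as the denied traffic are assumptions for illustration. Note that inside a VLAN map the ACL's `permit` only selects the packets the clause matches; the `action` decides what happens to them, and a map ends with an implicit drop, so an explicit forward clause is needed for the remaining traffic.

```cisco
! Added example (not from the guide): deny Host A's TCP traffic within VLAN 10.
! ACL used as a match condition: "permit" here means "this clause matches".
ip access-list extended HOST-A-TCP
 remark Host A address is constructed for illustration
 permit tcp host 10.1.10.10 any
!
! Sequence 10: packets matching HOST-A-TCP are dropped.
vlan access-map VLAN10-MAP 10
 match ip address HOST-A-TCP
 action drop
!
! Sequence 20: no match statement, so every other packet is forwarded.
! Without this clause the map's implicit drop would discard all other traffic.
vlan access-map VLAN10-MAP 20
 action forward
!
! Apply the map to VLAN 10; it is direction-less and affects bridged and routed traffic alike.
vlan filter VLAN10-MAP vlan-list 10
```

Check the result with `show vlan access-map VLAN10-MAP` and `show vlan filter`. As the note above states, keep any TCP flag conditions in the ACEs positive (for example `syn` or `established`) rather than negated, since negated flags are not evaluated in VLAN ACLs.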