
February 19, 2008

ACLs

*The switch supports two types of ACLs:*

1) IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

2) Ethernet or MAC ACLs filter non-IP traffic.

The switch supports three applications of ACLs to filter traffic:

1) Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces. You can apply one router ACL in each direction on an interface.

2) Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access and one MAC access list to a Layer 2 interface.

3) VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses by using Ethernet ACLs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can enter the VLAN either through a switch port or through a routed port after being routed.

You can use both router ACLs and VLAN maps on the same switch. However, you cannot use port ACLs on a switch that contains input router ACLs or VLAN maps.

1) When a switch has a Layer 2 interface with an applied IP access list or MAC access list, you can create IP access lists and VLAN maps, but you cannot apply an IP access list to an input Layer 3 interface on that switch, and you cannot apply a VLAN map to any of the switch VLANs. An error message is generated if you attempt to do so. You can still apply an IP access list to an outbound Layer 3 interface on a switch with port ACLs.

2) When a switch has an input Layer 3 ACL or a VLAN map applied to it, you cannot apply an IP access list or MAC access list to a Layer 2 interface on that switch. An error message is generated if you attempt to do so. You can still apply a port ACL if the switch has an ACL applied only to an output Layer 3 interface.

3) IP ACLs, VLAN maps, and port ACLs are not supported on dot1Q ports; only MAC ACLs can be applied there, because the dot1Q packet header cannot be identified.

You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces only, not on EtherChannel interfaces, and are applied for inbound traffic only. These access lists are supported on Layer 2 interfaces:

  • Standard IP access lists using source address

  • Extended IP access lists using source and destination addresses and optional protocol type information

  • MAC extended access lists using source and destination MAC addresses and optional protocol type information

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and voice VLANs.

Note: an output ACL cannot log multicast packets, and logging is not supported for ACLs applied to Layer 2 interfaces.

ACL apply rules

After you create an IP ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied to either outbound or inbound Layer 3 interfaces, but only to inbound Layer 2 interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:

  • When controlling access to a line, you must use a number. Only numbered ACLs can be applied to lines.

  • When controlling access to an interface, you can use a name or a number.

  • Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

  • If you apply an ACL to a Layer 3 interface and routing is not enabled on your switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces.

  • Port ACLs are not supported on the same switch with input router ACLs and VLAN maps.
    - If you try to apply an ACL to a Layer 2 interface on a switch that has an input Layer 3 ACL or a VLAN map applied to it, a conflict error message is generated. You can apply an ACL to a Layer 2 interface if the switch has only output Layer 3 ACLs applied.
    - If you try to apply an ACL to an input Layer 3 interface on a switch that has a Layer 2 ACL applied to it, a conflict error message is generated. You can apply an ACL to an output Layer 3 interface if the switch has Layer 2 ACLs applied.
    - A Layer 2 interface can have one IP access list applied to the input; a Layer 3 interface can have one IP access list applied to the input and one IP access list applied to the output. If you apply an IP ACL to an interface that already has an IP ACL configured in that direction, the new ACL replaces the previously configured one.

  • You can apply a port ACL only to a physical Layer 2 interface; you cannot apply port ACLs to EtherChannel interfaces.
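The application rules above put together in one configuration, as an added example that is not part of the original post: a numbered ACL on the vty lines, a router ACL inbound on an SVI, and a VLAN map on another VLAN, which is a combination the post says is allowed. Interface names, VLAN numbers, addresses and ACL names are assumed placeholders.

```cisco
! Constructed example: a Catalyst switch combining router ACLs and a
! VLAN map. All names, VLAN numbers and addresses are placeholders.
!
! Numbered standard ACL: only numbered ACLs can be applied to lines.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Named extended IP ACL for routed traffic entering VLAN 10.
ip access-list extended VLAN10-IN
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip any any log
!
! Router ACL: applied inbound on a Layer 3 (SVI) interface.
! Logging on the deny line is fine here; it would not be on a Layer 2 port.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! VLAN map: checks every bridged and routed packet entering VLAN 20.
! IP packets are matched by an IP ACL, non-IP packets by a MAC ACL.
ip access-list extended NO-TELNET
 permit tcp any any eq 23
mac access-list extended NON-IP
 permit any any
vlan access-map VLAN20-MAP 10
 match ip address NO-TELNET
 action drop
vlan access-map VLAN20-MAP 20
 match mac address NON-IP
 action forward
vlan access-map VLAN20-MAP 30
 action forward
vlan filter VLAN20-MAP vlan-list 20
!
! Virtual terminal lines: the same restriction on every line, because a
! user can land on any of them.
line vty 0 15
 access-class 10 in
!
! Not configured on purpose: a port ACL on a Layer 2 interface, such as
!   interface FastEthernet0/1
!    ip access-group VLAN10-IN in
! would be rejected with a conflict error on this switch, because it
! already has an input router ACL and a VLAN map applied.
```

The VLAN map's last entry has no match clause and therefore forwards everything the earlier entries did not drop; without it, unmatched packets in VLAN 20 would be dropped.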
Posted by Lifeng Shen on February 19, 2008 10:45 AM
