ACLs in Multilayer Switches

Because multilayer switches forward traffic at both layer 2 and layer 3, they support filtering features that neither a pure layer-2 switch nor a router can offer on its own: traffic can be filtered as it is bridged within a VLAN, as it is routed between VLANs, or both.

The 3750 switch supports IP ACLs and Ethernet (MAC) ACLs. Access lists on a 3750 switch can be applied in the following ways:

Port ACLs

Port ACLs are applied to layer-2 interfaces on the switch. They cannot be applied to EtherChannels, SVIs, or any other virtual interfaces. Port ACLs can be applied to trunk interfaces, in which case they filter traffic on every VLAN carried by the trunk; there is no way to make a port ACL apply to only some of a trunk's VLANs. Standard IP, extended IP, or MAC ACLs can be assigned as port ACLs, with at most one IP ACL and one MAC ACL per interface. Port ACLs can be applied only in the inbound direction; the switch rejects an attempt to apply one outbound.

Router ACLs

Router ACLs are applied to layer-3 interfaces on the switch: SVIs, layer-3 physical interfaces (configured with no switchport, for example), and layer-3 EtherChannels. Standard IP and extended IP ACLs can be assigned as router ACLs; MAC ACLs cannot, because by the time a packet is routed it is being filtered on its IP header rather than its frame header. Router ACLs can be applied in both the inbound and outbound directions. Note that a router ACL sees only traffic that is actually routed through the interface; traffic bridged between two hosts in the same VLAN never touches the SVI and is invisible to it.

VLAN maps

VLAN maps are similar in design to route maps. A VLAN map is assigned to one or more VLANs and consists of numbered clauses, each of which matches packets against an IP or MAC ACL and then forwards or drops them. VLAN maps control all traffic routed into, out of, or bridged within a VLAN, regardless of which port the traffic arrived on. VLAN maps have no direction; a single map filters everything that passes through the VLAN.

Configuring Port ACLs

Port ACLs are ACLs attached to a specific physical interface. Port ACLs can be used to deny a host within a VLAN access to any other host within the VLAN. They can also be used to limit access outside ...
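To make the three attachment points concrete, and to show the intra-VLAN host isolation that port ACLs provide, here is an added configuration example. It is not taken from Network Warrior; the topology, IP addresses, interface names and ACL names are all constructed for illustration.

```cisco
! --- Constructed topology (assumption, not from the book) ---
! VLAN 10 = 10.1.10.0/24, SVI Vlan10 = 10.1.10.1 (user VLAN)
! VLAN 20 = 10.1.20.0/24 (server VLAN, DNS server at 10.1.20.53)
! Gi1/0/5 = access port in VLAN 10 with host 10.1.10.50 attached
!
! 1. Port ACL: stop 10.1.10.50 from reaching 10.1.10.60 in the SAME VLAN.
!    That traffic is bridged and never reaches the SVI, so a router ACL
!    could not see it; a port ACL (or a VLAN map) is the only option.
!    Port ACLs are inbound only, so it is attached with "in".
ip access-list extended PACL-GI5
 deny   ip host 10.1.10.50 host 10.1.10.60
 permit ip any any
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-GI5 in
!
! 2. Router ACLs: filter ROUTED traffic at the SVI, in both directions.
!    Only IP ACLs are accepted here; a MAC ACL would be rejected.
!    ACLs are stateless, so the return path must be permitted explicitly
!    in the outbound list. The trailing "deny ip any any" restates the
!    implicit deny so the intent is visible in the running config.
ip access-list extended RACL-VLAN10-IN
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip any any
!
ip access-list extended RACL-VLAN10-OUT
 permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group RACL-VLAN10-IN in
 ip access-group RACL-VLAN10-OUT out
!
! 3. VLAN map: drop Telnet anywhere in VLAN 10, bridged or routed,
!    regardless of ingress port. The ACL referenced by "match" only
!    selects traffic (its permit entries mean "this matches"); the
!    map clause decides the action. A VLAN map ends in an implicit
!    drop, so the final clause with no match forwards everything else.
ip access-list extended MATCH-TELNET
 permit tcp any any eq 23
!
vlan access-map VLAN10-MAP 10
 match ip address MATCH-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
!
! 4. Verify what is actually attached where.
! show ip interface Vlan10               -> "Inbound access list is ..."
!                                          "Outgoing access list is ..."
! show running-config interface GigabitEthernet1/0/5
! show vlan access-map VLAN10-MAP
! show vlan filter
! show ip access-lists
```

The design point worth noticing is which filter sees which traffic. The port ACL is the only one of the three that can separate two hosts in VLAN 10 from each other on a per-port basis; the router ACL pair only governs what crosses the SVI into and out of VLAN 20; and the VLAN map applies to the whole VLAN at once, which is why it needs no direction and no interface. Forgetting the final "action forward" clause in the map silently drops all other VLAN 10 traffic, so check `show vlan access-map` before applying the filter to a production VLAN.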
