31-38
Catalyst 3750 Switch Software Configuration Guide
78-16180-02
Chapter 31 Configuring Network Security with ACLs
Using VLAN Maps with Router ACLs
• Avoid including Layer 4 information in an ACL; adding this information complicates the merging
process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source
and destination) and not on the full flow (source IP address, destination IP address, protocol, and
protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to
the filtering of traffic based on IP addresses.
Examples of Router ACLs and VLAN Maps Applied to VLANs
This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged,
routed, and multicast packets. Although the following illustrations show packets being forwarded to their
destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also
possible that the packet might be dropped, rather than forwarded.
ACLs and Switched Packets
Figure 31-6 shows how an ACL is applied on packets that are switched within a VLAN. Packets switched
within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN
map of the input VLAN.
Figure 31-6 Applying ACLs on Switched Packets
ACLs and Bridged Packets
Figure 31-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only
Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
VLAN 10
map
Frame
Input
router
ACL
Output
router
ACL
Routing function or
fallback bridge
VLAN 10 VLAN 20
Host C
(VLAN 10)
Host A
(VLAN 10)
VLAN 20
map
Packet
101357
To Next Page
Loading...
Need help?
General