Access Control Lists (ACLs) for the Series 5300xl Switches
Overview
Overview
Types of IP ACLs
Standard ACL: Use a standard ACL when you need to permit or deny traffic
based on source IP address only. Standard ACLs are also useful when you need
to quickly control a performance problem by limiting traffic from a subnet,
group of devices, or a single device. (This can block all IP traffic from the
configured source, but does not hamper traffic from other sources within the
network.) This ACL type uses a numeric ID of 1 through 99 or an alphanumeric
ID string. You can specify a single host, a finite group of hosts, or any host.
Extended ACL: Extended ACLs are useful whenever simple IP source
address restrictions do not provide the breadth of traffic selection criteria you
want to exercise on a VLAN interface. Extended ACLs allow use of the
following criteria:
■ Source and destination IP addresses
■ TCP application criteria
■ UDP application criteria
Connection-Rate ACL. An optional feature used with Connection-Rate fil-
tering based on virus-throttling technology, and available in 5300xl switches
running software release E.09.xx or greater. For more information, refer to
the chapter titled “Virus Throttling” in the Access Security Guide for your
5300xl switch.
ACL Inbound and Outbound Application Points
You can apply ACL filtering to the following types of traffic:
■ IP traffic routed between different subnets. (IP routing must be
enabled.)
■ IP traffic carrying a destination address (DA) on the switch itself. In
figure
9-1, below, this is any of the IP addresses shown in VLANs “A”,
“B”, and “C” on the switch. (IP routing need not be enabled.)
The switch can apply ACL filtering to traffic entering or leaving the switch
on VLANs configured to apply ACL filters. (When you assign an ACL to a VLAN,
you must specify whether the ACL will filter inbound or outbound traffic. For
example, in figure
9-1:
9-8
To Next Page
Loading...
Need help?
General