10-14
IPv4 Access Control Lists (ACLs)
Overview
• Routed IPv4 traffic having a destination address (DA) on the switch itself. In figure 10-1 on page 10-15, this is any of the IP addresses shown in VLANs “A”, “B”, and “C”. (Routing need not be enabled.)
• Outbound traffic generated by the switch itself.
■ VLAN ACL (VACL): on a VLAN configured with a VACL, inbound IP traffic, regardless of whether it is switched or routed. On a multinetted VLAN, this includes inbound IPv4 traffic from any subnet.
■ Static port ACL: any inbound IPv4 traffic on that port.
■ RADIUS-assigned ACL: on a port having an ACL assigned by a RADIUS server to filter an authenticated client’s traffic, filters inbound IPv4 and IPv6 traffic from that client. (For information on RADIUS-assigned ACLs, refer to chapter 7, “Configuring RADIUS Server Support for Switch Services”.)
ACL Mirroring: Beginning with software release K.14.01, ACL mirroring per VLAN, port, and trunk interfaces is deprecated in favor of a classifier-based rate-limiting feature that does not use ACLs. If ACL mirroring is already configured in a switch running software version K.13.xx, then downloading and booting from release K.14.01 or greater automatically modifies the deprecated configuration to conform to the classifier-based rate-limiting supported in release K.14.01 or greater. For more information on this topic, refer to the chapter titled “Classifier-Based Software Configuration” in the latest Advanced Traffic Management Guide for your switch.
■ Connection-Rate ACL: An optional feature used with Connection-Rate filtering based on virus-throttling technology. Refer to chapter 3, “Virus Throttling”.
RACL Applications
RACLs filter routed IPv4 traffic entering or leaving the switch on VLANs configured with the “in” and/or “out” ACL option:
vlan < vid > ip access-group < identifier > < in | out >
For example, in figure 10-1:
■ You would assign either an inbound ACL on VLAN 1 or an outbound ACL on VLAN 2 to filter a packet routed between subnets on different VLANs; that is, from the workstation 10.28.10.5 on VLAN 1 to the server at 10.28.20.99 on VLAN 2. (An outbound ACL on VLAN 1 or an inbound ACL on VLAN 2 would not filter the packet.)
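The following is an added illustration, not part of this guide or the switch software: a small Python model of which ACL application points (inbound/outbound RACL, VACL, static port ACL) see a given packet, following the scoping rules described above. The ingress port name "A1" and the treatment of switch-addressed traffic as routed are assumptions used only to make the figure 10-1 scenario concrete.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    """One IPv4 packet as the switch sees it (constructed sample values)."""
    src_ip: str
    dst_ip: str
    in_vlan: int            # VLAN the packet arrives on
    out_vlan: int           # VLAN it leaves on (same as in_vlan when switched)
    in_port: str            # ingress port name (assumed, e.g. "A1")
    dst_on_switch: bool = False    # DA is one of the switch's own addresses
    switch_generated: bool = False # originated by the switch itself

    @property
    def routed(self) -> bool:
        # Assumption: traffic crossing VLANs, or addressed to the switch
        # itself, is handled as routed (routing need not be enabled).
        return self.in_vlan != self.out_vlan or self.dst_on_switch


@dataclass(frozen=True)
class AclApplication:
    name: str
    kind: str      # "racl-in", "racl-out", "vacl" or "port"
    target: str    # VLAN id (as a string) or port name


def applies(app: AclApplication, pkt: Packet) -> bool:
    """Return True if this application point filters the packet."""
    if app.kind == "racl-in":    # routed traffic entering on that VLAN
        return pkt.routed and not pkt.switch_generated and app.target == str(pkt.in_vlan)
    if app.kind == "racl-out":   # routed or switch-generated traffic leaving on that VLAN
        return (pkt.switch_generated or pkt.routed) and app.target == str(pkt.out_vlan)
    if app.kind == "vacl":       # all inbound IP traffic on that VLAN, switched or routed
        return not pkt.switch_generated and app.target == str(pkt.in_vlan)
    if app.kind == "port":       # any inbound IPv4 traffic on that port
        return not pkt.switch_generated and app.target == pkt.in_port
    raise ValueError(f"unknown ACL application kind {app.kind!r}")


def filtering_points(pkt: Packet, apps: List[AclApplication]) -> List[str]:
    """Names of the application points that would filter the packet."""
    return [a.name for a in apps if applies(a, pkt)]


# Figure 10-1 scenario: workstation on VLAN 1 to server on VLAN 2.
WS_TO_SERVER = Packet("10.28.10.5", "10.28.20.99", in_vlan=1, out_vlan=2, in_port="A1")
CANDIDATES = [
    AclApplication("racl-in-vlan1", "racl-in", "1"), AclApplication("racl-out-vlan2", "racl-out", "2"),
    AclApplication("racl-out-vlan1", "racl-out", "1"), AclApplication("racl-in-vlan2", "racl-in", "2"),
    AclApplication("vacl-vlan1", "vacl", "1"), AclApplication("port-acl-A1", "port", "A1"),
]
```

Running `filtering_points(WS_TO_SERVER, CANDIDATES)` confirms the statement above: only the inbound RACL on VLAN 1 and the outbound RACL on VLAN 2 (plus a VACL or port ACL at the ingress side) see the packet, while the outbound ACL on VLAN 1 and inbound ACL on VLAN 2 do not.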