Security
Blocking access from specific devices or interfaces (port or VLAN)
Blocking access to or from subnets in your network
Blocking access to or from the internet
Blocking access to sensitive data storage or restricted equipment
Preventing specific IPv4, TCP, UDP, IGMP, and ICMP traffic types, including unauthorized access using functions such as Telnet, SSH, and a web browser
You can also enhance switch management security by using ACLs to block IPv4 traffic that has the switch itself as the destination address (DA).
IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
Static ACLs for the switches covered by this guide do not filter non-IPv4 traffic such as IPv6, AppleTalk, and IPX. Dynamic port ACLs assigned by a RADIUS server can be configured on the server to filter IPv4 traffic, but do not filter non-IP traffic.
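The following is an added example, not taken from this guide: a simplified Python model (not switch CLI) of an IPv4 ACL protecting the switch's own address. It shows which sample frames the ACL decides and which it never examines because they are not IPv4. All addresses, the `Ace`/`Frame` names, first-match evaluation, and the final drop of unmatched IPv4 are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD

@dataclass(frozen=True)
class Ace:                       # one ACL entry (hypothetical model type)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IPv4 protocol
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Frame:                     # the fields of a frame the model looks at
    ethertype: int
    proto: str = ""
    src: str = ""
    dst: str = ""
    dport: Optional[int] = None

def evaluate(acl, frame):
    """Return 'permit', 'deny', or 'not-filtered' for one frame."""
    if frame.ethertype != ETHERTYPE_IPV4:
        return "not-filtered"    # a static IPv4 ACL never examines this frame
    for ace in acl:              # model assumption: first matching entry decides
        if ace.proto not in ("ip", frame.proto):
            continue
        if ipaddress.ip_address(frame.src) not in ipaddress.ip_network(ace.src):
            continue
        if ipaddress.ip_address(frame.dst) not in ipaddress.ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != frame.dport:
            continue
        return ace.action
    return "deny"                # model assumption: unmatched IPv4 is dropped

SWITCH = "192.0.2.2/32"          # constructed switch management address
ADMIN_NET = "198.51.100.0/24"    # constructed administrator subnet
MGMT_ACL = [
    Ace("permit", "tcp", ADMIN_NET, SWITCH, 22),  # SSH from administrators only
    Ace("deny", "tcp", "0.0.0.0/0", SWITCH, 22),  # SSH from anywhere else
    Ace("deny", "tcp", "0.0.0.0/0", SWITCH, 23),  # Telnet to the switch
    Ace("deny", "tcp", "0.0.0.0/0", SWITCH, 80),  # web browser management
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def unfiltered(acl, frames):
    """Frames the ACL never evaluated; these need a separate control."""
    return [f for f in frames if evaluate(acl, f) == "not-filtered"]
```

Any frame returned by `unfiltered` is outside what the IPv4 ACL can enforce, so it has to be covered by another control.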