Introduction
An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). The information below describes how to configure, apply, and edit static IPv4 ACLs in a network populated with the switches covered by this manual, and how to monitor IPv4 ACL actions.
- IPv4 and IPv6 ACEs cannot be combined in the same static ACL.
- IPv4 and IPv6 static ACLs do not filter each other’s traffic.
- The term “ACL” refers to static IPv4 ACLs.
- Descriptions of ACL operation apply only to static IPv4 ACLs.

See “IPv6 Access Control Lists (ACLs)” in the IPv6 configuration guide for your switch.
IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for:

- Switch Management Access: Permits or denies in-band management access. This includes limiting and preventing the use of designated protocols that run on top of IPv4, such as TCP, UDP, IGMP, ICMP, and others. Also included are the use of precedence and ToS criteria, and control for application transactions based on source and destination IPv4 addresses and transport layer port numbers.
- Application Access Security: Eliminates unwanted traffic in a path by filtering IPv4 packets where they enter or leave the switch on specific VLAN interfaces.

IPv4 ACLs can filter traffic to or from a host, a group of hosts, or entire subnets.
IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should not be relied upon for a complete security solution. IPv4 ACLs on the switches covered by this manual do not filter non-IPv4 traffic such as IPv6, AppleTalk, and IPX packets.
In the information provided here, unless otherwise noted, the term "ACL" refers to static IPv4 ACLs. Descriptions of ACL operation apply only to static IPv4 ACLs.

- IPv4 and IPv6 ACEs cannot be combined in the same static ACL.
- IPv4 and IPv6 static ACLs do not filter each other's traffic.

See the chapter titled "IPv6 Access Control Lists (ACLs)" in the IPv6 configuration guide for your switch.
| Interface | ACL application | Application point | Filter action |
|---|---|---|---|
| Port | Static Port ACL (switch configured) | inbound on the switch port | inbound IPv4 traffic |
| Port | RADIUS-Assigned ACL¹ | inbound on the switch port used by the authenticated client | inbound IPv4 and IPv6 traffic from the authenticated client |
| VLAN | VACL | entering the switch on the VLAN | inbound IPv4 traffic |
| VLAN | RACL² | entering the switch on the VLAN | routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself |
| VLAN | RACL² | exiting from the switch on the VLAN | routed IPv4 traffic exiting from the switch |

¹ The information provided here describes ACLs statically configured on the switch. See RADIUS services supported on switches.

² Supports one inbound and one outbound RACL. When both are used, one RACL can be assigned to filter both inbound and outbound, or different RACLs can be assigned to filter inbound and outbound.
After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. This applies only in the direction of traffic flow filtered by the ACL.
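To make the behaviour described above concrete (an ACL as an ordered list of ACEs, first-match evaluation, and the implicit deny that follows the last ACE), here is an added Python model. It is example code written for this page, not the switch's firmware or CLI syntax; the switch address, admin prefix, ACL contents and sample packets are constructed, and the `shadowed_aces` helper is an assumption of this example (a way to spot ACEs that an ordering mistake makes unreachable), not a switch feature.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed model of static IPv4 ACL evaluation (added illustration, not
# switch firmware or CLI): an ACL is an ordered list of ACEs, each pairing
# match criteria with a permit/deny action. A packet is compared against the
# ACEs in order and the first match decides; a packet that matches no ACE
# falls through to the implicit "deny any" at the end of the list.

@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any IPv4 protocol), "tcp", "udp", "icmp"
    src: IPv4Network                # source prefix; 0.0.0.0/0 means "any"
    dst: IPv4Network                # destination prefix; 0.0.0.0/0 means "any"
    dst_port: Optional[int] = None  # transport-layer port; None means "any"

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True only when every criterion of the ACE matches the packet."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if IPv4Address(pkt.src) not in ace.src:
        return False
    if IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE).
    An index of None means the packet hit the implicit deny."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None

def shadowed_aces(acl: List[ACE], sample: List[Packet]) -> List[int]:
    """1-based indexes of ACEs that no packet in `sample` ever reaches
    (hypothetical helper; flags a broad ACE placed ahead of a narrower one)."""
    hit = set()
    for pkt in sample:
        _, index = evaluate(acl, pkt)
        if index is not None:
            hit.add(index)
    return [i for i in range(1, len(acl) + 1) if i not in hit]

ANY = IPv4Network("0.0.0.0/0")
SWITCH_MGMT_IP = IPv4Network("10.0.0.1/32")   # constructed switch address
ADMIN_SUBNET = IPv4Network("10.10.10.0/24")   # constructed admin prefix

# Constructed management-access policy: only the admin subnet may reach the
# switch's SSH port; all other IPv4 traffic is permitted by the last ACE.
MGMT_ACL = [
    ACE("permit", "tcp", ADMIN_SUBNET, SWITCH_MGMT_IP, 22),
    ACE("deny",   "tcp", ANY,          SWITCH_MGMT_IP, 22),
    ACE("permit", "ip",  ANY,          ANY),
]

# Same three ACEs in the wrong order: the broad permit now comes first, so
# the two SSH-specific ACEs can never match anything.
MISORDERED_ACL = [MGMT_ACL[2], MGMT_ACL[0], MGMT_ACL[1]]

SAMPLE = [                                          # constructed packets
    Packet("tcp", "10.10.10.5",  "10.0.0.1", 22),   # SSH from the admin subnet
    Packet("tcp", "192.168.1.7", "10.0.0.1", 22),   # SSH from elsewhere
    Packet("udp", "192.168.1.7", "10.0.0.1", 53),   # unrelated traffic
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", evaluate(MGMT_ACL, pkt))
    print("ACEs never reached in MISORDERED_ACL:", shadowed_aces(MISORDERED_ACL, SAMPLE))
    # With only the first ACE applied, everything but admin SSH is implicitly denied:
    print(evaluate(MGMT_ACL[:1], SAMPLE[1]))
```

The `MGMT_ACL[:1]` case is the one the paragraph above warns about: an ACL containing nothing but a permit for one flow still drops every other packet in the filtered direction, because the implicit deny is always present after the last ACE. The `shadowed_aces` check is the review step worth running before applying an ACL: if a sample of the traffic you expect never reaches an ACE, that ACE is either redundant or, as in `MISORDERED_ACL`, placed after a broader ACE that swallows it.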