General steps for planning and configuring ACLs
Procedure
- Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.
| Traffic source | ACL application |
| --- | --- |
| IPv4 traffic entering the switch on a specific port | static port ACL (static-port assigned) for any inbound IPv4 traffic on a port from any source |
| switched or routed IPv4 traffic entering the switch on a specific VLAN | VACL (VLAN ACL) |
- Identify the traffic types to filter:
  - The SA and/or the DA of traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.
  - Traffic of a specific IPv4 protocol type (0-255)
  - Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed
  - All UDP traffic or UDP traffic for a specific UDP port
  - All ICMP traffic or ICMP traffic of a specific type and code
  - All IGMP traffic or IGMP traffic of a specific type
- Design the ACLs for the control points (interfaces) selected. When using explicit "deny" ACEs, optionally use the VACL logging feature for notification that the switch is denying unwanted packets.
- Configure the ACLs on the selected switches.
- Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL) appropriate for each assignment.
- Test for desired results.
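The following is an added example and not part of the original procedure or the switch's own software: a small Python model of how an ordered list of ACEs of the types listed above (SA/DA, IPv4 protocol number, TCP ports with an "established" check, UDP port, ICMP type and code, IGMP type) is evaluated first-match with the implicit deny that ends every ACL, and how a logging deny ACE produces a notification. The `Packet` and `ACE` classes, the `client_vlan_acl()` ACL, the addresses 10.10.0.0/24 and 10.20.0.0/24 and the notification text are all constructed for the example; the switch's real ACE syntax and log format are not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IPv4 protocol numbers used below
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17


@dataclass
class Packet:
    """Fields of an inbound IPv4 packet that the ACE types above inspect (constructed model)."""
    src: str
    dst: str
    proto: int
    dport: int = 0
    ack: bool = False              # TCP ACK bit set: part of an already open connection
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    igmp_type: Optional[int] = None


@dataclass
class ACE:
    """One access control entry (hypothetical model). Unset fields match anything."""
    action: str                                 # "permit" or "deny"
    src: str = "0.0.0.0/0"                      # SA: host, subnet or all hosts
    dst: str = "0.0.0.0/0"                      # DA
    proto: Optional[int] = None                 # IPv4 protocol number 0-255
    dport: Optional[Tuple[int, int]] = None     # inclusive TCP/UDP destination port range
    established: bool = False                   # TCP only: match replies, not connection requests
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    igmp_type: Optional[int] = None
    log: bool = False                           # notify when this (deny) ACE fires

    def matches(self, p: Packet) -> bool:
        return all([
            ip_address(p.src) in ip_network(self.src),
            ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or p.proto == self.proto,
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            not self.established or p.ack,
            self.icmp_type is None or p.icmp_type == self.icmp_type,
            self.icmp_code is None or p.icmp_code == self.icmp_code,
            self.igmp_type is None or p.igmp_type == self.igmp_type,
        ])


def evaluate(acl: List[ACE], p: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation followed by the implicit deny that ends every ACL.

    Returns the action and, when a logging deny ACE fired, a notification line
    (constructed format). A packet that matches nothing is dropped silently,
    which is why the text suggests explicit, logged deny ACEs where notification matters.
    """
    for n, ace in enumerate(acl, start=1):
        if ace.matches(p):
            note = None
            if ace.action == "deny" and ace.log:
                note = f"ACE {n}: denied {p.src} -> {p.dst} proto {p.proto} dport {p.dport}"
            return ace.action, note
    return "deny", None


def client_vlan_acl() -> List[ACE]:
    """Hypothetical VACL applied inbound on a client VLAN (10.10.0.0/24, constructed),
    controlling what clients may send toward a server subnet (10.20.0.0/24, constructed).

    The logged deny sits first so that no broader permit below it can match first.
    """
    clients, servers = "10.10.0.0/24", "10.20.0.0/24"
    return [
        # explicit, logged deny: cleartext management (telnet) toward servers
        ACE("deny", dst=servers, proto=TCP, dport=(23, 23), log=True),
        # services clients may reach: DNS on one host, HTTPS on the subnet
        ACE("permit", dst="10.20.0.53/32", proto=UDP, dport=(53, 53)),
        ACE("permit", dst=servers, proto=TCP, dport=(443, 443)),
        # clients may answer TCP connections the servers opened, but not open new ones
        ACE("permit", src=clients, dst=servers, proto=TCP, established=True),
        # ICMP echo request only (type 8, code 0); other ICMP falls to the implicit deny
        ACE("permit", dst=servers, proto=ICMP, icmp_type=8, icmp_code=0),
        # IGMPv2 membership reports (type 0x16) from clients
        ACE("permit", src=clients, proto=IGMP, igmp_type=0x16),
    ]


if __name__ == "__main__":
    acl = client_vlan_acl()
    for pkt in [
        Packet("10.10.0.5", "10.20.0.53", UDP, dport=53),
        Packet("10.10.0.5", "10.20.0.10", TCP, dport=23),
        Packet("10.10.0.5", "10.20.0.10", TCP, dport=22),
        Packet("10.10.0.5", "10.20.0.10", ICMP, icmp_type=5, icmp_code=0),
    ]:
        print(pkt, "->", evaluate(acl, pkt))
```

Running the block shows the "Test for desired results" step in miniature: the DNS and HTTPS requests are permitted, telnet is denied with a notification line, SSH to an unlisted port and an ICMP redirect are dropped by the implicit deny without any notification.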