Archive for June, 2011

June 27, 2011

ACLs Supported on 3560 & 3750 Switches – Part II (VLAN Maps)

by costiser

This is the second part of a long post about ACL types that are supported on 3560 & 3750 series switches. If you missed the first part, take a look here:

ACLs Supported on 3560 & 3750 Switches – Part I (Port ACL and Router ACL)

In this post we will discuss VLAN ACLs, also known as VACLs or VLAN Maps.

June 26, 2011

ACLs Supported on 3560 & 3750 Switches – Part I (Port ACL & Router ACL)

by costiser

After a nice vacation, here I come again with a new post, this time about several ACL types that are supported on 3560 and 3750 series switches.

As you can see in the above chart, there are 3 types of ACLs supported on these switches:

  • Port ACLs
  • Router ACLs
  • VLAN ACLs (VLAN Maps)

Let’s take them one by one.


1. Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch.
Port ACLs are supported only on physical interfaces (not on EtherChannel interfaces) and can be applied only in the inbound direction.
Because the ACL sits on the physical port, it filters every VLAN carried by that port: if you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
If you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and the voice VLAN.

Keep in mind that several access-list types can be used as a Port ACL. Here is how you configure each of them:

Numbered Standard IP ACL (ACL numbers 1-99, 1300-1999)

(config)# access-list 5 deny host 192.168.1.1
(config)# access-list 5 permit any

Numbered Extended IP ACL (ACL numbers 100-199, 2000-2699)

(config)# access-list 105 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
(config)# access-list 105 deny udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
(config)# access-list 105 permit ip any any

Named Standard and Extended ACLs

(config)# ip access-list standard Stnd_ACL
(config-std-nacl)# permit 192.168.1.1
(config)# ip access-list extended Extd_ACL
(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
(config-ext-nacl)# deny udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
(config-ext-nacl)# permit ip any any
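To make the matching rules behind the entries above concrete, here is an added Python model of how IOS evaluates a standard or extended IP ACL. It is example code written for this post, not Cisco's implementation: it parses the post's own entries (ACL 5, ACL 105 and Stnd_ACL), applies wildcard masks (a 1 bit means "don't care"), stops at the first matching entry and falls through to the implicit deny at the end. The port-name table and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small subset of the port keywords IOS accepts after "eq" (added for this example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "domain": 53, "www": 80}

AddrSpec = Tuple[str, str]          # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: only the fields an IP ACL looks at."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-ACL shorthand)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_ace(line: str, standard: bool = False) -> Ace:
    """Parse one entry in the post's syntax, with the 'access-list N' prefix stripped."""
    t = line.split()
    action = t[0]
    if standard:                    # standard ACLs filter on the source address only
        src, _ = parse_addr(t, 1)
        return Ace(action, "ip", src, ANY, None)
    proto = t[1]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def build_acl(lines: List[str], standard: bool = False) -> List[Ace]:
    return [parse_ace(line, standard) for line in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The post's own entries (without the 'access-list 5' / 'access-list 105' prefix).
ACL_5 = build_acl(["deny host 192.168.1.1", "permit any"], standard=True)
ACL_105 = build_acl([
    "deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet",
    "deny udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "permit ip any any",
])
STND_ACL = build_acl(["permit 192.168.1.1"], standard=True)

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for pkt in [Packet("192.168.1.10", "172.16.1.20", "tcp", 23),
                Packet("192.168.1.10", "172.16.1.20", "tcp", 80),
                Packet("192.168.1.10", "172.16.1.20", "udp", 53),
                Packet("10.0.0.7", "172.16.1.20", "udp", 53)]:
        print("ACL 105:", pkt, "->", evaluate(ACL_105, pkt))
    print("Stnd_ACL, src 192.168.1.2 ->", evaluate(STND_ACL, Packet("192.168.1.2", "8.8.8.8", "tcp")))
```

Two things the model makes visible that the CLI lines alone do not: telnet from 192.168.1.0/24 to 172.16.1.0/24 is dropped while HTTP between the same hosts passes (first match, then fall-through to `permit ip any any`), and the named standard ACL Stnd_ACL, which contains only a single permit, blocks every other source address because of the implicit deny.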

Named MAC Extended ACLs
You can filter non-IPv4 traffic on a VLAN (VLAN Maps) or on a Layer 2 interface (Port ACL) by using MAC addresses and named MAC extended ACLs.
The procedure is similar to that of configuring other extended named ACLs.
– You cannot apply named MAC extended ACLs to Layer 3 interfaces.
– You cannot use the mac access-group command on EtherChannel ports.

(config)# mac access-list extended ACL_MAC
(config-ext-macl)# permit any host 00c0.00a0.03fa netbios
(config-ext-macl)# deny any any 0x4321 0

(config)# interface gigabitethernet1/0/2
(config-if)# mac access-group ACL_MAC in

2. Router ACLs

There is not much to be said about Router ACLs. Take a look at the section above and you’ll see how to create standard and extended, numbered and named ACLs.

The important differences that you need to remember are: Router ACLs control traffic that is routed between VLANs (SVIs) or Layer 3 interfaces, and they may be applied in both directions (inbound and outbound).


The last type, VLAN ACLs, will be discussed in the next post:

ACLs Supported on 3560 & 3750 Switches – Part II (VLAN Maps)