ACLs in Multilayer Switches

Multilayer switches, by nature of their design, allow for some security features not available on Layer-2 switches or routers.

The 3750 switch supports IP ACLs and Ethernet (MAC) ACLs. Access lists on a 3750 switch can be applied in the following ways:

Port ACLs

Port ACLs are applied to Layer-2 interfaces on the switch. They cannot be applied to EtherChannels, SVIs, or any other virtual interfaces. Port ACLs can be applied to trunk interfaces, in which case they will filter every VLAN in the trunk. Standard IP, extended IP, and MAC ACLs can be assigned as port ACLs. Port ACLs can be applied only in the inbound direction.

Router ACLs

Router ACLs are applied to Layer-3 interfaces on the switch. SVIs, Layer-3 physical interfaces (for example, a port configured with the no switchport command), and Layer-3 EtherChannels can have router ACLs applied to them. Standard IP and extended IP ACLs can be assigned as router ACLs, while MAC ACLs cannot. Router ACLs can be applied in both inbound and outbound directions.

VLAN maps

VLAN maps are similar in design to route maps. They are assigned to VLANs, and can be configured to pass or drop packets based on a number of tests. VLAN maps control all traffic routed into, out of, or within a VLAN. They have no direction.

Configuring Port ACLs

Port ACLs are ACLs attached to a specific physical interface. Port ACLs can be used to deny a host within a VLAN access to any other host within the VLAN. They can also be used to limit access outside the VLAN. ...
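The following configuration is an added example, not from the book, showing one of each ACL type described above (port ACL, router ACL, VLAN map) on a 3750. The interface names, VLAN number, addresses and ACL names are constructed for illustration.

```cisco
! --- Port ACL: Layer-2 access port, inbound only ---
! Isolate the constructed host 10.1.10.50 from its VLAN 10 neighbours while
! still letting it reach everything outside the VLAN via the default gateway.
ip access-list extended ISOLATE-HOST
 deny   ip host 10.1.10.50 10.1.10.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet1/0/5
 description constructed example: host 10.1.10.50
 switchport mode access
 switchport access vlan 10
 ip access-group ISOLATE-HOST in
!
! --- Port ACL (MAC): filters non-IP traffic on the same kind of port ---
mac access-list extended NO-APPLETALK
 deny   any any appletalk
 permit any any
!
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 mac access-group NO-APPLETALK in
!
! --- Router ACL: Layer-3 SVI, may be inbound or outbound ---
! "out" on the SVI means traffic the switch routes INTO VLAN 10. Only the
! constructed management host 10.1.99.10 may open SSH to VLAN 10 hosts from
! another subnet; all other routed traffic is still permitted.
ip access-list extended VLAN10-OUT
 permit tcp host 10.1.99.10 10.1.10.0 0.0.0.255 eq 22
 deny   tcp any 10.1.10.0 0.0.0.255 eq 22
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-OUT out
!
! --- VLAN map: attached to the VLAN itself, no direction ---
! Drops TFTP anywhere in VLAN 10, whether bridged within the VLAN or routed
! into or out of it. A "permit" in the matched ACL means "this clause
! matches"; the action decides what happens.
ip access-list extended TFTP-TRAFFIC
 permit udp any any eq tftp
!
vlan access-map VLAN10-POLICY 10
 match ip address TFTP-TRAFFIC
 action drop
vlan access-map VLAN10-POLICY 20
 action forward
!
vlan filter VLAN10-POLICY vlan-list 10
```

Two points worth checking when applying these. The router ACL on the SVI never sees traffic bridged between two ports in VLAN 10 (that traffic is not routed), so host-to-host filtering within the VLAN needs a port ACL or a VLAN map. In the VLAN map, clause 20 with no match statement is the catch-all that forwards everything else; without it, packets matching no clause are dropped. Verify the result with show ip access-lists, show vlan access-map and show vlan filter.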