ACLs in Multilayer Switches
Multilayer switches, by nature of their design, allow for some security features not available on Layer-2 switches or routers.
The 3750 switch supports IP ACLs and Ethernet (MAC) ACLs. Access lists on a 3750 switch can be applied in the following ways:
- Port ACLs
Port ACLs are applied to Layer-2 interfaces on the switch. They cannot be applied to EtherChannels, SVIs, or any other virtual interfaces. Port ACLs can be applied to trunk interfaces, in which case they will filter every VLAN in the trunk. Standard IP, extended IP, and MAC ACLs can be assigned as port ACLs. Port ACLs can be applied only in the inbound direction.
- Router ACLs
Router ACLs are applied to Layer-3 interfaces on the switch. SVIs, Layer-3 physical interfaces (configured with no switchport, for example), and Layer-3 EtherChannels can have router ACLs applied to them. Standard IP and extended IP ACLs can be assigned as router ACLs, while MAC ACLs cannot. Router ACLs can be applied in both inbound and outbound directions.
- VLAN maps
VLAN maps are similar in design to route maps. They are assigned to VLANs, and can be configured to forward or drop packets based on a number of tests (match clauses referencing IP or MAC ACLs). VLAN maps filter all traffic bridged within a VLAN as well as traffic routed into or out of it. They have no direction. Note that if a VLAN map contains at least one match clause for a packet type (IP or MAC) and a packet of that type matches none of them, the packet is dropped, so a map intended to block only specific traffic needs a final entry with no match clause and an action of forward.
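The following configuration is an added illustration of the router ACL and VLAN map application points described above; it is not taken from the original page or from Cisco documentation. The interface names, VLAN numbers, ACL names and addresses (VLAN 20 on 10.1.20.0/24, a server subnet 10.1.1.0/24) are assumed for the example. The VLAN map drops Telnet inside VLAN 20 regardless of whether the traffic is bridged or routed, while the router ACL on the SVI restricts what VLAN 20 hosts may reach once their traffic is routed.

```text
! --- Router ACL on the VLAN 20 SVI (has direction; IP ACLs only) ---
ip access-list extended RACL-VLAN20-IN
 remark Allow VLAN 20 hosts to reach the web tier only on HTTPS
 permit tcp 10.1.20.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443
 deny   ip  10.1.20.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip  any any
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group RACL-VLAN20-IN in
!
! --- VLAN map on VLAN 20 (no direction; also filters intra-VLAN traffic) ---
ip access-list extended VMAP-TELNET
 permit tcp any any eq 23
!
vlan access-map VLAN20-MAP 10
 match ip address VMAP-TELNET
 action drop
!
! Entry 20 has no match clause, so everything else is forwarded.
! Without it, IP packets not matching entry 10 would be dropped.
vlan access-map VLAN20-MAP 20
 action forward
!
vlan filter VLAN20-MAP vlan-list 20
!
! --- Verification ---
! show ip interface Vlan20        (confirms the inbound router ACL is attached)
! show vlan access-map VLAN20-MAP  (lists the map entries and actions)
! show vlan filter                 (shows which VLANs the map is applied to)
```

In the ACL referenced by the VLAN map, permit means "this packet matches the entry", and the action is supplied by the map (drop here), not by the ACL itself; a deny line inside VMAP-TELNET would simply fail to match and fall through to the next map entry.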
Configuring Port ACLs
Port ACLs are ACLs attached to a specific physical Layer-2 interface. Because they are evaluated on the ingress port before the frame is bridged, port ACLs can be used to deny a host within a VLAN access to any other host within the same VLAN, something a router ACL on the SVI cannot do. They can also be used to limit access outside the VLAN. ...
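As an added example (not configuration from the original page), the fragment below applies a port ACL to a single access port so that the host on it cannot reach one specific neighbour in its own VLAN and cannot reach the server subnet, while everything else is permitted. The interface GigabitEthernet1/0/10, VLAN 10, the host addresses 10.1.10.10 and 10.1.10.20, the server subnet 10.1.1.0/24 and the MAC address are all assumed for the example. A MAC ACL is applied to the same port to show that both ACL types can be attached to one Layer-2 interface; on the 3750 family the MAC ACL only sees non-IP frames, the IP ACL handles the IP traffic.

```text
! Extended IP ACL used as a port ACL. The switch evaluates it on ingress,
! before the frame is bridged, so the intra-VLAN deny on the first line works.
ip access-list extended PACL-HOST10
 remark Block this host from its neighbour 10.1.10.20 in the same VLAN
 deny   ip host 10.1.10.10 host 10.1.10.20
 remark Block this host from the server subnet outside the VLAN
 deny   ip host 10.1.10.10 10.1.1.0 0.0.0.255
 permit ip any any
!
! MAC ACL for the non-IP traffic on the same port (assumed address).
mac access-list extended PACL-NONIP
 deny   host 0000.1111.2222 any
 permit any any
!
interface GigabitEthernet1/0/10
 description Host 10.1.10.10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-HOST10 in
 mac access-group PACL-NONIP in
!
! --- Verification ---
! show ip interface GigabitEthernet1/0/10   (lists the inbound IP access list)
! show access-lists PACL-HOST10             (match counters increment as traffic hits the entries)
! show running-config interface GigabitEthernet1/0/10
```

Only the inbound direction is available here, so the ACL is written from the point of view of frames arriving from the attached host. If the port were a trunk, the same ACL would be evaluated for every VLAN carried on the trunk, so per-VLAN filtering on a trunk is better done with a VLAN map or a router ACL on the SVI.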