Leaflet

8
OL-11615-01
Router ACL
Router ACLs, also known as Cisco IOS ACLs, are the standard and extended IP ACLs available on Cisco
IOS Software. These ACLs are applied to Layer 3 interfaces and to VLAN interfaces, and affect only
routed traffic. In addition, router ACLs can be applied in a specific inbound or outbound direction. As
with IOS routers, standard IP access lists are based on source addresses, while extended IP ACLs can be
based on source and destination addresses, and optionally on protocol type information.
Catalyst 6500 Series switches require the following hardware in order to run Router ACLs:
Supervisor Engine 1 with a Policy Feature Card (PFC) and MSFC or MSFC2
Supervisor Engine 2 with a PFC2 and MSFC2
Supervisor Engine 720 with a PFC3A/PFC3B/PFC3BXL and MSFC3
Supervisor Engine 32 with a PFC3B and MSFC2A
Catalyst 4500 Series switches require Cisco IOS Software in order to run Router ACLs.
The following example shows a router ACL configured to filter IP packets with source IP addresses
falling within the private address space (as defined in RFC 1918):
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!
access-list 110 permit ip any any
!
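The following is an added example, not part of the Cisco document: a small Python evaluator for the extended IP access-list entries shown above. It implements the two things a reviewer of such a filter needs to get right, Cisco wildcard-mask semantics (a 1 bit in the wildcard means "don't care", a 0 bit must match) and ordered first-match evaluation with the implicit "deny ip any any" at the end. Only the "ip" form of the entry with "any", "host ADDR" or "ADDR WILDCARD" targets is parsed; direction (inbound/outbound) and the logging keyword are not modelled. The function names and the sample packets are constructed for this example.

```python
"""
Added example: evaluate Cisco IOS extended IP ACL entries against sample packets.
Handles only 'access-list N {permit|deny} ip SRC DST' where SRC/DST is
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Names here are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One access control entry (ACE) in parsed, numeric form."""
    action: str        # "permit" or "deny"
    src: int
    src_wild: int      # Cisco wildcard: 1 bits are "don't care"
    dst: int
    dst_wild: int
    text: str          # the original configuration line


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_target(tokens):
    """Consume one address target; return (address, wildcard, tokens_used)."""
    if tokens[0] == "any":
        return 0, MASK32, 1
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, 2
    return _addr(tokens[0]), _addr(tokens[1]), 2


def parse_acl(config, number):
    """Return the ACEs of access-list <number> in configuration order."""
    pattern = re.compile(rf"^access-list\s+{number}\s+(permit|deny)\s+ip\s+(.+)$")
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank line or IOS comment
            continue
        m = pattern.match(line)
        if not m:
            continue
        action, rest = m.group(1), m.group(2).split()
        src, src_wild, used = _parse_target(rest)
        dst, dst_wild, _ = _parse_target(rest[used:])
        aces.append(Ace(action, src, src_wild, dst, dst_wild, line))
    return aces


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask."""
    care = ~wildcard & MASK32                    # bits that must match exactly
    return (addr & care) == (base & care)


def evaluate(aces, src, dst):
    """First-match evaluation; falls through to the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if wildcard_match(s, ace.src, ace.src_wild) and wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The RFC 1918 filter from the document, as a constructed configuration string.
RFC1918_FILTER = """
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!
access-list 110 permit ip any any
!
"""

ACL_110 = parse_acl(RFC1918_FILTER, 110)


def classify(src, dst="203.0.113.5"):
    """Convenience wrapper: action taken for a packet from src to dst."""
    return evaluate(ACL_110, src, dst)[0]


if __name__ == "__main__":
    # Constructed sample sources, including the 172.16/12 boundary cases.
    for src in ("10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.5.5", "198.51.100.9"):
        print(src, "->", evaluate(ACL_110, src, "203.0.113.5"))
```

The 172.16.0.0 0.15.255.255 entry is the one most often written wrong by hand; the sample run shows that 172.31.255.1 is denied while 172.32.0.1 is permitted, which is exactly the 172.16.0.0/12 boundary RFC 1918 defines. Removing the final "permit ip any any" line from the configuration string shows the implicit deny dropping every packet, which is the usual cause of an outage when such a filter is applied to an interface.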
Note: Catalyst 6500 Series switches equipped with PFC3 support Optimized ACL Logging (OAL), a feature
that provides hardware support for ACL logging. Unless you configure OAL, packets that require
logging are processed entirely in software on the MSFC. OAL permits or drops packets in hardware on
the PFC3 and uses an optimized routine to send information to the MSFC3 to generate the logging
messages. For more information on OAL, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/acl.htm
For more information about configuring Cisco IOS ACLs, refer to “Traffic Filtering and Firewalls” in
the Cisco IOS Security Configuration Guide, Release 12.2, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/index.htm
More information on ACLs on the Catalyst 6500 is available at the following URL:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/65acl_wp.pdf
For more information on ACLs on the Catalyst 4500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/secure.htm
VLAN ACL (VACL)
VLAN ACLs (VACLs), also known as VLAN maps, are access lists that are applied to VLANs. Unlike
router ACLs that are configured on Layer 3 interfaces and that affect routed packets only, VACLs affect
all packets, bridged and routed, and can be applied to any VLAN. In addition, VACLs are not defined by
direction (input or output) as router ACLs are. After a VACL is configured on a switch, the filtering rules
apply to all packets that are routed in to or out of the associated VLAN or are bridged within the VLAN.