Catalyst 3750 Switch Software Configuration Guide
OL-8550-09
CHAPTER 34
Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 3750 switch by using access
control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a
standalone switch and a switch stack.
In this chapter, references to IP ACLs are specific to IP Version 4 (IPv4) ACLs. For information about
IPv6 ACLs, see Chapter 41, “Configuring IPv6 ACLs.”
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, the “Configuring IP Services” section in the “IP Addressing and Services”
chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS documentation is
available from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >
Configuration Guides or Command References.
The switch also supports Cisco TrustSec Security Group Tag (SCT) Exchange Protocol (SXP). This
feature supports security group access control lists (SGACLs), which define ACL policies for a group of
devices instead of an IP address. The SXP control protocol allows tagging packets with SCTs without a
hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and
distribution layer devices within the Cisco TrustSec domain. Catalyst 3750 switches operate as access
layer switches in the Cisco TrustSec network.
For more information about Cisco TrustSec, see the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
The sections on SXP define the capabilities supported on the Catalyst 3750 switch.
Understanding ACLs, page 34-1
Configuring IPv4 ACLs, page 34-7
Creating Named MAC Extended ACLs, page 34-28
Configuring VLAN Maps, page 34-30
Using VLAN Maps with Router ACLs, page 34-37
Displaying IPv4 ACL Configuration, page 34-42
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a router or switch and permit or deny packets crossing specified
interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to
packets. When a packet is received on an interface, the switch compares the fields in the packet against
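The sequential first-match evaluation described above, as an added example (not code from the Cisco guide): a small Python model of an IPv4 ACL that parses IOS-style entries using wildcard masks, walks the entries in order, and applies the implicit deny at the end that IOS ACLs carry. The sample ACL and packets are constructed for illustration; ports and TCP flags are left out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' from the front of tokens.
    An IOS wildcard mask is the bitwise inverse of a netmask (0 bits must match)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False)

def parse_acl(text):
    """Parse one ACE per line: <permit|deny> <proto> <src> <dst>."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        aces.append(Ace(action, proto, _parse_addr(tokens), _parse_addr(tokens)))
    return aces

def evaluate(aces, proto, src_ip, dst_ip):
    """Return (action, 1-based ACE number). The first ACE whose fields match the packet
    decides; a packet matching no ACE hits the implicit deny (reported as entry None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for number, ace in enumerate(aces, start=1):
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action, number
    return "deny", None

# Constructed sample ACL: the specific deny is placed before the broader permit,
# because a later deny would never be reached for hosts the permit already covers.
SAMPLE_ACL = parse_acl("""
deny   ip   10.1.1.0 0.0.0.255 host 192.168.10.5
permit tcp  10.1.0.0 0.0.255.255 any
permit icmp any any
""")

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.1.7", "192.168.10.5"), ("tcp", "10.1.2.7", "192.168.10.5"),
                ("udp", "10.1.2.7", "192.168.10.5"), ("icmp", "172.16.0.1", "10.1.1.1")]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```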