ccie.nyquist.eu
Switch ACLs

Port ACLs

Port ACLs can only be applied on physical L2 interfaces of a switch (not on EtherChannels), and only in the inbound direction. A port ACL can be a Standard ACL, an Extended ACL or an Extended MAC ACL; only one standard or extended IP ACL and one Extended MAC ACL can be applied on a port. The port ACL filters packets regardless of the VLAN they arrive on. To configure a MAC Extended ACL, use:

Sw(config)# mac access-list extended MAC-ACL-NAME
Sw(config-ext-macl)# {deny|permit} SRC-MAC SRC-MASK DST-MAC DST-MASK [ETHERTYPE ETHERTYPE-MASK]
! You can replace a "MAC MASK" pair with any, or with host MAC
! The MAC mask is a wildcard mask: 0000.0000.0000 is an exact match
! ETHERTYPE identifies the type of Layer 2 frame
! No IP traffic is matched by MAC ACLs

To apply a MAC ACL to a port, use:

Sw(config-if)# mac access-group {MAC-ACL-NAME} in

To apply an IP ACL to a port, use:

Sw(config-if)# ip access-group {ACL-NUMBER|ACL-NAME} {in|out}
! Port ACLs are only supported inbound, so use "in" on an L2 port

Router ACLs

A router ACL can be applied on L3 SVIs, in both the inbound and outbound directions. Only one Standard ACL or Extended ACL is allowed in each direction. To set a router ACL, use:

Sw(config-if)# ip access-group {ACL-NUMBER|ACL-NAME} {in|out}

VLAN Maps

A VLAN Map can filter all traffic inside a VLAN, regardless of direction. But then, things get complicated. VLAN maps can filter IP traffic (based on L3/L4 information) and non-IP traffic (based on L2 information, i.e. MAC addresses). A VLAN Map can have several entries (identified by SEQ-NUMBER); when a packet is checked, it is compared against the match commands of the entries in SEQ-NUMBER order until the first match occurs. On a match, the packet is dropped or forwarded according to that entry's action. If there is no match, but the map has entries for that kind of traffic (IP or non-IP), the packet is dropped. If there is no match and the map has no entries for that kind of traffic, the packet is forwarded. To be more precise:

  • An IP packet enters a VLAN
    • Are there any entries that match ip?
      • No. The packet is forwarded
      • Yes. Are there any entries that match the packet?
        • Yes. Do what the entry says (drop or forward)
        • No. Drop the packet
  • A non-IP packet enters a VLAN
    • Are there any entries that match mac?
      • No. The packet is forwarded
      • Yes. Are there any entries that match the packet?
        • Yes. Do what the entry says (drop or forward)
        • No. Drop the packet

To configure a VLAN Map, follow these steps:

Sw(config)# vlan access-map VLAN-MAP-NAME [SEQ-NUMBER]
Sw(config-access-map)# action {drop|forward}
Sw(config-access-map)# match {ip address IP-ACL | mac address MAC-ACL-NAME}
Sw(config-access-map)# exit
Sw(config)# vlan filter VLAN-MAP-NAME vlan-list VLAN-LIST
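To make the two behaviours above concrete, here is an added Python model (not code from the original page or from Cisco) of a VLAN map: it implements the wildcard-mask matching that MAC ACL entries use (the "MAC MASK", host and any forms from the Port ACLs section) and the decision procedure from the VLAN Maps section, including the two no-match cases (entries of that traffic type exist but none match: drop; no entries of that type at all: forward). All ACL names, the sample map and the sample frames are constructed for illustration.

```python
# Added example, not from the original page: a small model of a Catalyst VLAN map,
# including the wildcard-mask matching used by MAC ACL entries. All ACLs, the
# sample map and the frames below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_to_int(mac: str) -> int:
    """'0000.0c9f.f001' or '00:00:0c:9f:f0:01' -> 48-bit integer."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def mac_matches(spec: str, mac: str) -> bool:
    """Match one MAC ACL address field: 'any', 'host MAC', or 'MAC MASK'.
    The mask is a wildcard mask: a 1 bit is ignored, so 0000.0000.0000 is an
    exact match and ffff.ffff.ffff matches anything."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return mac_to_int(parts[1]) == mac_to_int(mac)
    addr, mask = mac_to_int(parts[0]), mac_to_int(parts[1])
    care = 0xFFFF_FFFF_FFFF ^ mask          # bits the ACE actually compares
    return (addr & care) == (mac_to_int(mac) & care)


@dataclass
class MacAce:
    action: str                           # "permit" | "deny"
    src: str                              # "any" | "host MAC" | "MAC MASK"
    dst: str
    ethertype: Optional[int] = None       # optional EtherType plus wildcard mask
    ethertype_mask: int = 0


@dataclass
class IpAce:
    action: str                           # "permit" | "deny"
    src: str                              # CIDR prefix; "0.0.0.0/0" stands for 'any'
    dst: str


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def mac_acl_permits(acl: List[MacAce], frame: Frame) -> bool:
    """First matching ACE decides; no match is an implicit deny."""
    for ace in acl:
        if not (mac_matches(ace.src, frame.src_mac) and mac_matches(ace.dst, frame.dst_mac)):
            continue
        if ace.ethertype is not None:
            care = 0xFFFF ^ ace.ethertype_mask
            if (ace.ethertype & care) != (frame.ethertype & care):
                continue
        return ace.action == "permit"
    return False


def ip_acl_permits(acl: List[IpAce], frame: Frame) -> bool:
    """First matching ACE decides; no match is an implicit deny."""
    src, dst = ip_address(frame.src_ip), ip_address(frame.dst_ip)
    for ace in acl:
        if src in ip_network(ace.src) and dst in ip_network(ace.dst):
            return ace.action == "permit"
    return False


@dataclass
class MapEntry:
    """One 'vlan access-map NAME SEQ' entry: its action and its match clause."""
    seq: int
    action: str                               # "drop" | "forward"
    ip_acl: Optional[List[IpAce]] = None      # 'match ip address IP-ACL'
    mac_acl: Optional[List[MacAce]] = None    # 'match mac address MAC-ACL-NAME'


def vlan_map_decision(entries: List[MapEntry], frame: Frame) -> str:
    """Decision procedure from the page: only entries of the frame's kind (ip or
    mac) are consulted, in SEQ order. No entries of that kind -> forward; entries
    of that kind but none matching -> drop; otherwise the matching entry's action."""
    is_ip = frame.ethertype == ETHERTYPE_IP
    permits = ip_acl_permits if is_ip else mac_acl_permits
    relevant = [(e, e.ip_acl if is_ip else e.mac_acl) for e in sorted(entries, key=lambda e: e.seq)]
    relevant = [(e, acl) for e, acl in relevant if acl is not None]
    if not relevant:
        return "forward"
    for entry, acl in relevant:
        if permits(acl, frame):
            return entry.action
    return "drop"


# Constructed sample map: drop IP traffic sourced from 10.0.0.0/24, forward all
# other IP traffic, and allow ARP only when it is sent by the gateway MAC.
BLOCKED_SUBNET = [IpAce("permit", "10.0.0.0/24", "0.0.0.0/0")]
ANY_IP = [IpAce("permit", "0.0.0.0/0", "0.0.0.0/0")]
ARP_FROM_GATEWAY = [MacAce("permit", "host 0000.0c9f.f001", "any", ETHERTYPE_ARP)]
SAMPLE_MAP = [
    MapEntry(10, "drop", ip_acl=BLOCKED_SUBNET),
    MapEntry(20, "forward", ip_acl=ANY_IP),
    MapEntry(30, "forward", mac_acl=ARP_FROM_GATEWAY),
]

if __name__ == "__main__":
    blocked = Frame("0000.1111.2222", "0000.0c9f.f001", ETHERTYPE_IP, "10.0.0.5", "192.168.1.1")
    other_arp = Frame("0000.1111.2222", "ffff.ffff.ffff", ETHERTYPE_ARP)
    print(vlan_map_decision(SAMPLE_MAP, blocked))    # drop
    print(vlan_map_decision(SAMPLE_MAP, other_arp))  # drop: MAC entries exist, none match
```

Note the asymmetry the model makes visible: the same ARP frame that is dropped by SAMPLE_MAP is forwarded if entry 30 is removed, because a map with no mac entries does not filter non-IP traffic at all. When adding a MAC entry to a map that previously only filtered IP, every non-IP frame that the new MAC ACL does not permit starts being dropped, which is the usual way ARP or STP gets cut off by accident.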

Last updated 3 years ago
