10-5
Access Control Lists (ACLs)
Overview of Options for Applying ACLs on the Switch
To apply ACL filtering, assign a configured ACL to the interface on which you
want the IP traffic filtering to occur. VLAN and routed IP traffic ACLs can be
applied statically using the switch configuration. Port traffic ACLs can be
applied either statically or dynamically (using a RADIUS server).
Static ACLs
Static ACLs are configured on the switch. To apply a static ACL, you must
assign it to an interface (VLAN or port). The switch supports three static ACL
applications:
Routed IP Traffic ACL (RACL). An RACL is an ACL configured on a VLAN
to filter routed IP traffic entering or leaving the switch on that interface, as
well as IP traffic having a destination on the switch itself. (Except for filtering
IP traffic to an IP address on the switch itself, RACLs can operate only while
IP routing is enabled. Refer to “Notes on IP Routing” on page 10-25.)
VLAN ACL (VACL). A VACL is an ACL configured on a VLAN to filter IP
traffic entering the switch on that VLAN interface and having a destination on
the same VLAN.
Static Port ACL. A static port ACL is an ACL configured on a port to filter
IP traffic entering the switch on that port, regardless of whether the IP traffic
is routed, switched, or addressed to a destination on the switch itself.
Dynamic Port ACLs
A dynamic port ACL is configured on a RADIUS server for assignment to a
given port when the server authenticates a specific client on that port. When
the client is authenticated, the ACL configured for that client on the server is
assigned to the port and applied to the IP traffic received inbound on that port
from the authenticated client. When the client session ends, the ACL is
removed from the port. The switch allows as many dynamic port ACLs on a
port as it allows authenticated clients.
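The following model is an added example, not part of the original manual or the switch software. It encodes the four ACL applications as described above and reports which of them would filter a given inbound packet. The class names, ACL names, port labels and the three destination categories are assumptions made for illustration, and the order of the returned list is not the switch's evaluation order.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:                      # constructed model of one inbound IP packet
    in_port: str
    in_vlan: int
    dest: str                      # "same_vlan", "routed" or "switch"
    out_vlan: Optional[int] = None # egress VLAN when dest == "routed"
    client: Optional[str] = None   # authenticated client that sent it, if any

@dataclass
class Switch:
    ip_routing: bool = False
    racl_in: dict = field(default_factory=dict)   # VLAN -> ACL name
    racl_out: dict = field(default_factory=dict)  # VLAN -> ACL name
    vacl: dict = field(default_factory=dict)      # VLAN -> ACL name
    port_acl: dict = field(default_factory=dict)  # port -> ACL name
    dynamic: dict = field(default_factory=dict)   # port -> {client: ACL name}

    def authenticate(self, port, client, acl):
        # The RADIUS server's ACL for this client is assigned to the port.
        self.dynamic.setdefault(port, {})[client] = acl

    def end_session(self, port, client):
        # The dynamic ACL is removed when the client session ends.
        self.dynamic.get(port, {}).pop(client, None)

    def applicable(self, p):
        hits = []
        # RACLs see routed traffic only while IP routing is enabled.
        routed = p.dest == "routed" and self.ip_routing
        if p.in_vlan in self.racl_in and (routed or p.dest == "switch"):
            hits.append(("RACL-in", self.racl_in[p.in_vlan]))
        if routed and p.out_vlan in self.racl_out:
            hits.append(("RACL-out", self.racl_out[p.out_vlan]))
        if p.dest == "same_vlan" and p.in_vlan in self.vacl:
            hits.append(("VACL", self.vacl[p.in_vlan]))
        if p.in_port in self.port_acl:      # any inbound IP traffic on the port
            hits.append(("static-port", self.port_acl[p.in_port]))
        dyn = self.dynamic.get(p.in_port, {}).get(p.client)
        if dyn:                             # only this authenticated client's traffic
            hits.append(("dynamic-port", dyn))
        return hits

if __name__ == "__main__":
    sw = Switch(racl_in={10: "R10"}, vacl={10: "V10"}, port_acl={"A1": "P1"})
    for dest in ("same_vlan", "switch", "routed"):
        print(dest, sw.applicable(Packet("A1", 10, dest, out_vlan=20)))
```

Running it with routing disabled shows the coverage gap an RACL alone leaves: traffic switched within the VLAN is seen only by the VACL and the port ACL.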