[c-nsp] ACL does not work??
Bruce Pinsky
bep at whack.org
Fri Jul 14 15:49:48 EDT 2006
Joe Zubkavich wrote:
> Actually, if you review the examples from the document you posted, say
> here:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225sed/scg/swacl.htm#wp1285654
>
>
> you will note that the examples list the ACLs being applied to the
> physical interface only (in this case gi0/1), not to the Virtual
> Interface in the VLAN.
>
So they're poor examples. It quite clearly states:
"You can apply router ACLs on switch virtual interfaces (SVIs), which are
Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3
EtherChannel interfaces. You apply router ACLs on interfaces for specific
directions (inbound or outbound). You can apply one router ACL in each
direction on an interface.
One ACL can be used with multiple features for a given interface, and one
feature can use multiple ACLs. When a single router ACL is used by multiple
features, it is examined multiple times.
The switch supports these access lists for IPv4 traffic:
- Standard IP access lists use source addresses for matching operations.
- Extended IP access lists use source and destination addresses and optional
protocol type information for matching operations.
As with port ACLs, the switch examines ACLs associated with features
configured on a given interface. However, router ACLs are supported in both
directions. As packets enter the switch on an interface, ACLs associated
with all inbound features configured on that interface are examined. After
packets are routed and before they are forwarded to the next hop, all ACLs
associated with outbound features configured on the egress interface are
examined.
ACLs permit or deny packet forwarding based on how the packet matches the
entries in the ACL, and can be used to control access to a network or to
part of a network. In Figure 31-1, ACLs applied at the router input allow
Host A to access the Human Resources network, but prevent Host B from
accessing the same network."
--
=========
bep
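An added example, not from the original post or the Cisco document, of the Figure 31-1 scenario expressed as a router ACL applied inbound on an SVI; the addresses, VLAN number and ACL name are assumptions:

```cisco
! Assumed addressing: Host A 10.1.1.10, Host B 10.1.1.20, both in user VLAN 10
! (SVI 10.1.1.1/24); Human Resources network 10.1.50.0/24 behind the switch.
ip access-list extended HR-ACCESS
 remark Host A is the only user-VLAN host allowed into Human Resources
 permit ip host 10.1.1.10 10.1.50.0 0.0.0.255
 remark Everyone else in the VLAN, Host B included, is kept out of HR
 deny   ip any 10.1.50.0 0.0.0.255
 remark Non-HR destinations stay reachable; without this line the implicit
 remark deny at the end of every IOS ACL would drop all other traffic
 permit ip any any
!
interface Vlan10
 description User VLAN - router ACL applied to the SVI, not the access ports
 ip address 10.1.1.1 255.255.255.0
 ip access-group HR-ACCESS in
!
```

The ACL is evaluated on the SVI as packets enter routing, which is why it belongs on `interface Vlan10` rather than on each gi0/x access port; `show ip access-lists HR-ACCESS` shows per-entry match counters for confirming that Host A hits the permit line and Host B the deny.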