[c-nsp] function of access-list in switch?
Saku Ytti
saku+cisco-nsp at ytti.fi
Sat Feb 28 03:11:35 EST 2009
On (2009-02-27 07:15 -0500), Deric Kwok wrote:
> Could you explain to me what is function of access-list in switch?
>
> It looks like to do prevent access to switch only?
>
> Am I right?
No. You can in many CSCO switches use L3 access-lists in L2, although
typically only on inbound direction.
Some usage cases:
a) rudimentary anti-spoofing
b) stopping infected machine from spreading infection, while allowing
machine administration to reach it and fix it
c) for server aggregation style, on uplink you could protect the
servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET,
providing wire-rate protection against DoS.
As not just IP match is allowed, but also MAC and ethertype, you
could allow only IPv4, IPv6 and ARP frames, to avoid unwanted
traffic entering.
--
++ytti
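A worked configuration for the three use cases listed in the reply plus the ethertype filter, added here as an example for this page and not taken from the post or from any Cisco document. It uses Catalyst IOS port-ACL (PACL) syntax; addresses are RFC 5737 documentation ranges, and the ACL names, VLAN and interface numbers are assumptions.

```cisco
! Added example (not from the original post). Addresses are RFC 5737
! documentation ranges; ACL names, VLANs and interface numbers are
! assumptions. Syntax is Catalyst IOS; which platforms support port
! ACLs, and which frame types each ACL type sees, is platform-specific.

! (a) Rudimentary anti-spoofing on an access port in 192.0.2.0/24.
!     Hosts may only source addresses from their own subnet. DHCP
!     DISCOVER/REQUEST is sourced from 0.0.0.0, so it needs an explicit
!     permit or clients never obtain a lease.
ip access-list extended ACCESS-ANTISPOOF-IN
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any

! (b) Quarantine of an infected host (192.0.2.50) while management
!     (198.51.100.0/24) can still SSH in to fix it. The port ACL is
!     inbound only, so traffic toward the host is unfiltered; what is
!     blocked is everything the host sends except its SSH replies.
ip access-list extended QUARANTINE-IN
 permit tcp host 192.0.2.50 eq 22 198.51.100.0 0.0.0.255
 deny   ip any any

! (c) Server aggregation: on the uplink, allow only HTTP from anywhere
!     and SSH from the management net to the server block 203.0.113.0/24.
!     The ACL is stateless, so flows the servers initiate outbound
!     (DNS, NTP, ...) need their return traffic permitted explicitly.
ip access-list extended SERVER-UPLINK-IN
 permit tcp any 203.0.113.0 0.0.0.255 eq 80
 permit tcp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp any eq domain 203.0.113.0 0.0.0.255
 permit udp any eq ntp 203.0.113.0 0.0.0.255 eq ntp
 deny   ip any any

! Ethertype filter: only ARP, IPv4 and IPv6 frames may enter the port.
! The trailing 0x0 is the ethertype mask (exact match); anything not
! listed hits the implicit deny.
mac access-list extended ETHERTYPE-ALLOWLIST
 permit any any 0x806  0x0
 permit any any 0x800  0x0
 permit any any 0x86DD 0x0

interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ip access-group ACCESS-ANTISPOOF-IN in
 mac access-group ETHERTYPE-ALLOWLIST in

interface GigabitEthernet0/2
 description quarantined host
 switchport mode access
 switchport access vlan 10
 ip access-group QUARANTINE-IN in

interface GigabitEthernet0/24
 description uplink toward server block
 switchport mode trunk
 ip access-group SERVER-UPLINK-IN in
```

Verify with `show access-lists`, `show mac access-group interface GigabitEthernet0/1` and `show running-config interface GigabitEthernet0/1`. Two caveats worth checking against your platform's configuration guide before relying on this: on some Catalyst families a port-level MAC ACL is only consulted for non-IP frames (IP frames are handled by the IP ACL), so the 0x800 entry above may be a no-op there and IPv6 handling depends on the SDM template in use; and hardware-switched matches may not increment the ACL hit counters shown by `show access-lists`, so do not conclude an ACL is idle just because its counters read zero.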