[c-nsp] function of access-list in switch?

Saku Ytti saku+cisco-nsp at ytti.fi
Sat Feb 28 14:33:19 EST 2009


On (2009-02-28 12:54 -0500), Deric Kwok wrote:

Hey,

>  One more question. I added one access-list line in a Cisco router (r700 CPU at
> 240MHz with 252928K/9216K bytes of memory.)
> 
> The CPU graph rises from 70% to 80%.
> 
> Is the switch also having this problem?

If the switch can do port acl it'll be done in ASIC. So as long as you
stay within ASIC limits (finite number of rules, typically port ranges
not possible or very limited amount available and no log statement) 
you're go.

> 
> Thank you
> 
> 
> 
> 
> On Sat, Feb 28, 2009 at 3:11 AM, Saku Ytti <saku+cisco-nsp at ytti.fi> wrote:
> 
> > On (2009-02-27 07:15 -0500), Deric Kwok wrote:
> >
> > > Could you explain to me what is function of access-list in switch?
> > >
> > > It looks like to do prevent access to switch only?
> > >
> > > Am I right?
> >
> > No. You can in many CSCO switches use L3 access-lists in L2, although
> > typically only in the inbound direction.
> >
> > Some usage cases:
> > a) rudimentary anti-spoofing
> > b) stopping infected machine from spreading infection, while allowing
> > machine administration to reach it and fix it
> > c) for server aggregation style, on uplink you could protect the
> > servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET,
> > providing wire-rate protection of DoS.
> >
> > As not just IP match is allowed, but also MAC and ethertype, you
> > could allow only IPv4, IPv6 and ARP frames, to avoid unwanted
> > traffic entering.
> >
> > --
> >  ++ytti
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

-- 
  ++ytti
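An added configuration example (not from the thread or from either poster) showing the two usage cases from the reply as port ACLs on a Catalyst-style IOS switch: a MAC ACL that admits only ARP, IPv4 and IPv6 ethertypes, and an IPv4 ACL that exposes only HTTP to the world and SSH to a management network. The ACL names, the management network 192.0.2.0/24, the server subnet 198.51.100.0/24 and the interface name are constructed placeholders.

```cisco
! Added example, not configuration from the post. Names, prefixes and the
! interface are assumed placeholders.
!
! Layer-2 filter: permit only ARP (0x0806), IPv4 (0x0800) and IPv6 (0x86DD).
! Anything else hits the implicit deny at the end of the list.
mac access-list extended ETHERTYPE-IN
 permit any any 0x0806 0x0000
 permit any any 0x0800 0x0000
 permit any any 0x86DD 0x0000
!
! Layer-3 filter toward a server aggregation: HTTP from anywhere,
! SSH only from the management network, everything else dropped.
! No "log" keyword: logged entries are punted to the CPU on most platforms,
! which is exactly the software path the reply says to stay out of.
ip access-list extended SERVER-IN
 permit tcp any 198.51.100.0 0.0.0.255 eq 80
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 deny   ip any any
!
! Apply both inbound on the uplink port; port ACLs are inbound-only on
! most Catalyst platforms, as the reply notes.
interface GigabitEthernet1/0/1
 switchport mode access
 mac access-group ETHERTYPE-IN in
 ip access-group SERVER-IN in
```

Two caveats a practitioner would want: the ACLs are stateless, so any flows the servers initiate themselves (DNS, NTP, package updates) need their return traffic permitted explicitly; and whether a MAC ACL is consulted for IP-ethertype frames at all is platform dependent (on some Catalyst families MAC ACLs filter only non-IP traffic, with IP frames handled solely by the IP ACL), so verify the behaviour against the configuration guide for the specific model. Once applied, checking TCAM utilisation (for example `show platform tcam utilization` on the 3560/3750 family, where that command exists) confirms the rules landed in hardware rather than being punted.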

