ACL on layer 2 interface?

Ehsan M.
Level 1

Hi Guys,

I've seen something interesting that I wanted to share and seek your thoughts on. We have 3850 switches in our environment which are acting as layer 2 only, with a trunk port configured to the core (6500). The VLAN interfaces are defined at the core. The interesting thing is, I see a generic access list has been configured and applied on all the "access ports" in the inbound direction (to allow TCP/UDP to/from certain subnets, DHCP, etc.).

My question is, does it even make sense to apply an access list to an "access port"? My understanding is we'd only apply an access list to a layer 3 interface (whether an SVI or a physical interface) for it to be effective. Isn't applying an ACL to an access port (layer 2 interface) going to be only troublesome, with no security advantage?

Cheers,

Ehsan

Accepted Solution

Jon Marshall
Hall of Fame

Ehsan

You can indeed use ACLs on L2 ports to filter incoming traffic, and these ACLs can filter on L3 IP addresses, ports, etc.

See this link for more details:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_01010.html#ID90

Whether or not there is an advantage depends on what you are trying to achieve.

If you only want to allow certain ports from clients to remote VLANs/IP subnets, then you may as well use an ACL on the L3 SVI, but if you want to stop clients sending traffic within the VLAN on certain ports etc., then it may be a solution.

Jon
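An added configuration example (not from the thread or the linked Cisco guide) of the contrast Jon describes: a port ACL inbound on the 3850's L2 access port sees client frames before they are bridged, so it can block client-to-client traffic inside VLAN 10, which an ACL on the core's SVI never sees because intra-VLAN traffic never reaches the SVI. The ACL names, subnets, interface numbers and port numbers are assumed placeholders.

```cisco
! --- 3850 (layer 2 only): port ACL on the access port. Port ACLs are inbound only. ---
ip access-list extended PACL-CLIENT-IN
 remark DHCP from the client (bootpc) toward any server (bootps) must always pass
 permit udp any eq bootpc any eq bootps
 remark Block client-to-client SMB/RDP inside VLAN 10 (assumed 10.10.10.0/24);
 remark an SVI ACL could not do this, the traffic never leaves the VLAN
 deny   tcp any 10.10.10.0 0.0.0.255 eq 445
 deny   tcp any 10.10.10.0 0.0.0.255 eq 3389
 remark Allow clients to reach the server VLAN (assumed 10.20.0.0/16) on web and DNS
 permit tcp any 10.20.0.0 0.0.255.255 eq 80
 permit tcp any 10.20.0.0 0.0.255.255 eq 443
 permit udp any host 10.20.0.53 eq 53
 remark Everything else from the client is dropped (implicit deny made explicit)
 deny   ip any any
!
interface GigabitEthernet1/0/1
 description user access port, VLAN 10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-CLIENT-IN in
!
! --- Core (6500), where the SVI lives: a router ACL only sees routed (inter-VLAN) traffic ---
ip access-list extended RACL-VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.20.0.53 eq 53
 deny   ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group RACL-VLAN10-IN in
```

`show ip access-lists PACL-CLIENT-IN` shows per-entry match counters, which is the quickest way to confirm the port ACL is actually matching the client traffic you expect rather than silently dropping something like DHCP.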


2 Replies

Jon,

Appreciate the quick response! I now understand more about port ACLs :)

Ehsan
