Ehsan M.
Beginner

ACL on layer 2 interface?

Hi Guys,

I've seen something interesting that I wanted to share and seek your thoughts on. We have 3850 switches in our environment which are acting as layer 2 only, with a trunk port configured to the core (6500). The VLAN interfaces are defined at the core. The interesting thing is, I see a generic access list has been configured and applied on all the "access ports" in the inbound direction (to allow TCP/UDP to/from certain subnets, DHCP, etc.).

My question is: does it even make sense to apply an access list to an "access port"? My understanding is we'd only apply an access list to a layer 3 interface (whether SVI or a physical interface) to be effective. Isn't applying an ACL to an access port (layer 2 interface) only going to be troublesome, with no security advantage?


Cheers,

Ehsan

Accepted Solution
Jon Marshall
Hall of Fame Guru

Ehsan

You can indeed use ACLs on L2 ports to filter incoming traffic, and these ACLs can filter on L3 IP addresses, ports, etc.

See this link for more details -

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_01010.html#ID90

Whether or not there is an advantage depends on what you are trying to achieve.

If you only want to allow certain ports from clients to remote VLANs/IP subnets, then you may as well use an ACL on the L3 SVI; but if you want to stop clients sending traffic within the VLAN on certain ports, etc., then it may be a solution.

Jon

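The two placements Jon contrasts, as an added example that is not part of the thread (all addresses and interface names are constructed: client VLAN 10 at 10.10.10.0/24, a server subnet at 10.20.0.0/16, access port Gi1/0/5 on the L2-only 3850, SVI on the core):

```cisco
! Constructed example, not configuration from the thread.
!
! 1) Port ACL (PACL) applied inbound on the L2 access port. It is evaluated
!    before the frame is switched, so it also sees client-to-client traffic
!    that stays inside VLAN 10 and never reaches the core SVI.
ip access-list extended CLIENT-PORT-IN
 remark DHCP client -> server (bootpc/bootps) must stay open or clients never get a lease
 permit udp any eq bootpc any eq bootps
 remark block client-to-client SMB and RDP inside the access VLAN
 deny   tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 445
 deny   tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 3389
 remark allow the rest of the intra-VLAN IP traffic (ARP is not IP and is unaffected)
 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark allow HTTPS and DNS to the server subnet, then drop everything else
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 53
 deny   ip any any
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip access-group CLIENT-PORT-IN in
!
! 2) The same inter-VLAN policy on the core SVI (6500). Traffic between two
!    hosts in VLAN 10 is bridged on the 3850 and never hits this ACL, which is
!    why the SVI alone cannot enforce the intra-VLAN denies above.
ip access-list extended VLAN10-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 53
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-IN in
```

The port ACL is applied inbound only, matching the "incoming traffic" direction Jon describes; if the goal is purely to control what clients can reach in other subnets, the SVI ACL alone is the simpler place to keep the policy.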


Jon,

Appreciate the quick response! I now understand more about port ACLs :)


Ehsan