08-10-2015 10:18 AM - edited 03-08-2019 01:18 AM
Hi Guys,
I've seen something interesting that I wanted to share and seek your thoughts on. We have 3850 switches in our environment which are acting as layer 2 only, with a trunk port configured to the core (6500). The VLAN interfaces are defined at the core. The interesting thing is, I see a generic access list has been configured and applied on all the "access ports" in the inbound direction (to allow TCP/UDP to/from certain subnets, DHCP, etc.).
My question is, does it even make sense to apply an access list to an "access port"? My understanding is we'd only apply an access list to a layer 3 interface (whether SVI or a physical interface) to be effective. Isn't applying an ACL to an access port (layer 2 interface) only going to be troublesome, with no security advantage?
Cheers,
Ehsan
08-10-2015 10:24 AM
Ehsan
You can indeed use ACLs on L2 ports to filter incoming traffic, and these ACLs can filter on L3 IP addresses, ports, etc.
See this link for more details -
Whether or not there is an advantage depends on what you are trying to achieve.
If you only want to allow certain ports from clients to remote VLANs/IP subnets, then you may as well use an ACL on the L3 SVI; but if you want to stop clients sending traffic within the VLAN on certain ports, etc., then it may be a solution.
Jon
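To make the distinction in Jon's answer concrete, here is an added, constructed IOS example (not configuration from the original thread or from either poster). It assumes the access VLAN is 10 on 10.10.10.0/24, servers live in 10.20.0.0/16, and the client sits on GigabitEthernet1/0/5 of the 3850; all of those values are placeholders. The third line of the ACL denies client-to-client SMB inside VLAN 10, which is traffic that never reaches the SVI on the 6500 and so could not be filtered there, whereas the equivalent SVI ACL at the bottom only sees traffic leaving the VLAN.

```cisco
! --- Port ACL applied inbound on the L2 access port of the 3850 ---
ip access-list extended PACL-ACCESS-VLAN10
 remark Let DHCP clients reach the server (client sends from 0.0.0.0:68 to broadcast:67)
 permit udp any eq bootpc any eq bootps
 remark Block SMB between hosts in the same VLAN (only a port ACL can see this traffic)
 deny   tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 445
 remark Allow HTTPS and DNS from the client subnet to the server subnet
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 53
 remark Implicit deny follows; everything else from the port is dropped
!
interface GigabitEthernet1/0/5
 description Access port - client host (constructed example)
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-ACCESS-VLAN10 in
!
! --- Equivalent router ACL on the SVI at the core (6500) ---
! This only filters traffic that is routed out of VLAN 10; the intra-VLAN
! SMB deny above has no effect here because that traffic never hits Vlan10.
ip access-list extended RACL-VLAN10-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 53
!
interface Vlan10
 ip access-group RACL-VLAN10-IN in
!
! Verification: hit counters show which entries are matching
! show ip access-lists PACL-ACCESS-VLAN10
! show running-config interface GigabitEthernet1/0/5
```

Port ACLs on these platforms are applied in the inbound direction only, so the same list cannot be attached with `out` on the access port.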
08-10-2015 12:28 PM
Jon,
Appreciate the quick response! I now understand more about port ACLs :)
Ehsan