10-22-2009 05:53 AM - edited 03-06-2019 08:15 AM
I work as a network technician and used to have my CCNA (it expired in April); however, I recently came across something that was never brought up in any of my CCNA classes. I was always under the impression you could only configure ACLs on layer 3 devices (whether they were switches, routers, firewalls, etc.). However, I came across the fact that layer 2 devices can have ACLs configured on them.
My question is if you configure an ACL that specifies an IP address (or a range of IP addresses) how is the layer 2 device able to read the IP address of the packet? My understanding is they only read the MAC address and then send the packet on its way.
Thanks in advance!
10-22-2009 06:03 AM
Eric
A layer 2 switch can still check the IP header of a packet, e.g. a 2960 switch is L2 only, i.e. it can't route packets between subnets, but this does not mean it cannot look into the IP header for QoS classification/ACL checks etc.
Jon
10-22-2009 06:26 AM
Well, that's because what's an L2 device, or L3, or L4, tends to be blurred with modern equipment. Much modern equipment, for Enterprise or Smart L# devices, sometimes offers features not strictly at the device's OSI model level. In other words, a pure L2 device wouldn't understand anything beyond the L2 frame, but some devices do.
As another example, besides some L2 switches supporting L3 ACLs, Cisco L3 devices that support NBAR or FPM are working with more than pure L3 info.
10-23-2009 10:06 AM
Thanks for the prompt responses!
With that being said, I would assume that a switch doing cut-through switching would not be able to read an ACL configured to match an IP address? Is this correct?
10-23-2009 10:37 AM
An interesting question. Don't know the answer, although I believe most modern switches no longer do "cut-through". Maybe that's one reason why they don't (other reason: later hardware is fast enough that "cut-through" was no longer considered really necessary to reduce switch forwarding latency; recall[?] the new Nexus switches might provide "cut-through" to provide very little switching latency; if they do, wonder what their ACL support is).
10-23-2009 10:42 AM
Yes and no. If the switch was a pure cut-through switch then what you say is correct, i.e. once the destination MAC address has been read the frame is forwarded.
However, even modern cut-through switches will still read additional information from the frame (such as the IP header) if it is needed to make a forwarding decision. See this doc for more details -
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-465436.html
All current Cisco switches are store and forward, with the exception, I believe, of some of the Nexus switches which use cut-through to decrease latency.
Jon
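To make the point of the answers above concrete, here is an added Python example (not from the thread or from any Cisco software) that parses a constructed Ethernet frame, pulls the IPv4 source address out of the bytes that follow the 14-byte Ethernet header, and evaluates it against a Cisco-style standard ACL with wildcard masks and the implicit deny at the end. It also reports how many bytes of the frame had to be read before the ACL decision was possible (14 + IHL) versus the 6 bytes a pure cut-through switch needs for the destination MAC; that gap is exactly why a switch that applies IP ACLs must buffer through the IP header. The MAC addresses, IP addresses and ACL entries are constructed sample values; the assumption that non-IP frames pass through an IP ACL untouched is mine.

```python
import struct
import ipaddress

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
L2_DECISION_BYTES = 6     # a pure cut-through switch only needs the destination MAC


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6, payload=b""):
    """Build a constructed Ethernet II frame carrying a minimal IPv4 header (no options)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0x1234,               # identification (constructed value)
        0x4000,               # flags: DF set, fragment offset 0
        64,                   # TTL
        proto,                # protocol (6 = TCP)
        0,                    # header checksum left zero in this sample
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip + payload


def parse_frame(frame):
    """Return the L2 fields and, when the frame carries IPv4, the L3 fields too."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "src_ip": None, "dst_ip": None, "proto": None, "ip_acl_bytes": None,
    }
    if info["ethertype"] != ETHERTYPE_IPV4 or len(frame) < ETH_HDR_LEN + 20:
        return info  # not IPv4 (or too short to carry an IPv4 header): nothing at L3 to read
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if ihl < 20 or len(frame) < ETH_HDR_LEN + ihl:
        raise ValueError("bad or truncated IPv4 header")
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + ihl]
    info["proto"] = ip[9]
    info["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
    info["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    # Bytes the switch must have read before an IP ACL can be applied to this frame.
    info["ip_acl_bytes"] = ETH_HDR_LEN + ihl
    return info


def wildcard_match(addr, network, wildcard):
    """Cisco-style wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


# Constructed standard (source-address) ACL, in the order the entries would be typed:
#   access-list 10 deny   192.168.10.0 0.0.0.255
#   access-list 10 permit any
ACL_10 = [
    ("deny", "192.168.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def evaluate_acl(acl, frame):
    """First matching entry wins. Assumption: an IP ACL leaves non-IP frames untouched."""
    info = parse_frame(frame)
    if info["src_ip"] is None:
        return "not-ip"
    for action, network, wildcard in acl:
        if wildcard_match(info["src_ip"], network, wildcard):
            return action
    return "deny"   # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    blocked = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.10.5", "10.0.0.1")
    allowed = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.1.1.1", "10.0.0.1")
    for frame in (blocked, allowed):
        info = parse_frame(frame)
        print(f"{info['src_ip']:>14} -> {evaluate_acl(ACL_10, frame):6} "
              f"(needed {info['ip_acl_bytes']} bytes; L2 forwarding alone needs {L2_DECISION_BYTES})")
```

Running it shows the 192.168.10.0/24 source denied and the 10.1.1.1 source permitted, each after 34 bytes of the frame were read, which is the practical difference between a switch that forwards on the destination MAC alone and one that can also enforce an IP ACL.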
10-23-2009 11:37 AM
Thanks again for the quick responses!
That white paper was a tremendous help and answered my questions on the subject. Thanks again!