Configuring IPv4 ACLs
Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.
IP Access List Entry Sequence Numbering
• This feature does not support dynamic, reflexive, or firewall access lists.
Related Topics
Applying an IPv4 ACL to an Interface, on page 167
IPv4 ACL Interface Considerations, on page 153
Creating Named MAC Extended ACLs, on page 168
Applying a MAC ACL to a Layer 2 Interface, on page 170
Information about Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs),
which in commands and tables are also referred to as access lists.
Cisco TrustSec and ACLs
Catalyst 3850 switches running the IP base or IP services feature set also support the Cisco TrustSec Security
Group Tag (SGT) Exchange Protocol (SXP). This feature supports security group access control lists (SGACLs),
which define ACL policies for a group of devices instead of for an IP address. The SXP control protocol allows
tagging packets with SGTs without a hardware upgrade, and runs between access layer devices at the Cisco
TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. Catalyst 3850 switches
operate as access layer switches in the Cisco TrustSec network.
The sections on SXP define the capabilities supported on the Catalyst 3850 switches.
ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet
is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
The switch tests the packet against the conditions in the access list one by one; the first match decides whether
the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of
conditions in the list is critical. If no condition matches, the switch rejects the packet (every ACL ends with
an implicit deny). If no restrictions apply, the switch forwards the packet; otherwise, the switch drops it. The
switch can use ACLs on all packets it forwards, including packets bridged within a VLAN.
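As an added illustration (not from the Cisco guide), the following Python model simulates the first-match, implicit-deny evaluation described above, with entries ordered by sequence number so a new entry can be placed before an existing one; the ACL entries, addresses and helper names are constructed for the example, and the shadow check flags entries that an earlier, broader entry prevents from ever matching.

```python
# Simplified model of IOS-style ACL first-match evaluation (added example, not Cisco code).
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    seq: int                     # sequence number; lower numbers are tested first
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and pkt.src in ace.src and pkt.dst in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """Test entries in sequence order; first match wins. No match means implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

def shadowed_entries(acl: list[Ace]) -> list[int]:
    """Sequence numbers of entries that can never match: an earlier entry covers everything they cover."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [later.seq for i, later in enumerate(ordered)
            if any((e.proto == "ip" or e.proto == later.proto)
                   and later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
                   and (e.dport is None or e.dport == later.dport)
                   for e in ordered[:i])]

# Constructed sample: a broad permit (seq 10) entered before a specific deny (seq 20).
ANY = IPv4Network("0.0.0.0/0")
DENY_TELNET = ("deny", "tcp", IPv4Network("10.1.5.0/24"), IPv4Network("192.0.2.10/32"), 23)
ACL_BAD = [Ace(10, "permit", "ip", IPv4Network("10.1.0.0/16"), ANY), Ace(20, *DENY_TELNET)]
# Fix: give the deny sequence number 5 so it is tested before 10, and drop the unreachable 20.
ACL_FIXED = [Ace(5, *DENY_TELNET), ACL_BAD[0]]

TELNET = Packet("tcp", IPv4Address("10.1.5.7"), IPv4Address("192.0.2.10"), 23)
WEB = Packet("tcp", IPv4Address("10.1.9.9"), IPv4Address("198.51.100.1"), 80)
OUTSIDE = Packet("udp", IPv4Address("172.16.0.1"), IPv4Address("198.51.100.1"), 53)
```

Running `evaluate(ACL_BAD, TELNET)` returns `("permit", 10)` because entry 20 is shadowed, while `evaluate(ACL_FIXED, TELNET)` returns `("deny", 5)` and `OUTSIDE` falls through to the implicit deny `("deny", None)`.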
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do
not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types of
OL-29048-01
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Information about Network Security with ACLs
141