General steps for planning and configuring ACLs

Procedure
  1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.

    | Traffic source | ACL application |
    |---|---|
    | IPv4 or IPv6 traffic from a specific, authenticated client | RADIUS-assigned ACL for inbound IP traffic from an authenticated client on a port [1] |
    | IPv4 traffic entering the switch on a specific port | static port ACL (static-port assigned) for any inbound IPv4 traffic on a port from any source |
    | switched or routed IPv4 traffic entering the switch on a specific VLAN | VACL (VLAN ACL) |
    | routed IPv4 traffic entering or leaving the switch on a specific VLAN | RACL (routed ACL) |

    [1] For more on this option, see RADIUS services supported on switches, and see also the documentation for your RADIUS server.

  2. Identify the traffic types to filter. (IPv4 only, unless the ACL is a RADIUS-assigned ACL, which supports IPv4 and IPv6 filtering.)
    1. The SA and the DA of traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.
    2. Traffic of a specific IPv4 protocol type (0-255)
    3. Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed
    4. All UDP traffic or UDP traffic for a specific UDP port
    5. All ICMP traffic or ICMP traffic of a specific type and code
    6. All IGMP traffic or IGMP traffic of a specific type
    7. Any of the above with specific precedence and ToS settings

  3. Design the ACLs for the control points (interfaces) selected. When using explicit "deny" ACEs, optionally use the VACL logging feature for notification that the switch is denying unwanted packets.
  4. Configure the ACLs on the selected switches.
  5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or RACL) appropriate for each assignment.
  6. If using an RACL, ensure that IPv4 routing is enabled on the switch.
  7. Test for desired results.

For more details on ACL planning considerations, see Configuring named, standard ACLs.
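The steps above carried out on the switch CLI, as an added example that is not part of this guide. The ACL name, VLAN and port numbers, addresses and the `switch(config)#` prompt are assumed values; the ACL is shown assigned at all three IPv4 application points so they can be compared, whereas a real deployment assigns it at the one control point chosen in step 1.

```text
; Steps 1-3: filter unwanted IPv4 traffic inbound, close to its source (all values assumed).
; Users on VLAN 20 (10.20.10.0/24) may reach the management host 10.30.0.5 by SSH but not
; Telnet; denied Telnet attempts are logged; echo requests to the server subnet are dropped.
switch(config)# ip access-list extended "Block-Telnet"
switch(config-ext-nacl)# 10 deny tcp 10.20.10.0/24 host 10.30.0.5 eq 23 log
switch(config-ext-nacl)# 20 permit tcp 10.20.10.0/24 host 10.30.0.5 eq 22
switch(config-ext-nacl)# 30 deny icmp 10.20.10.0/24 10.30.0.0/24 8 0
switch(config-ext-nacl)# 40 permit ip any any
switch(config-ext-nacl)# exit

; Step 5: assign the ACL with the application type appropriate to the control point.
switch(config)# vlan 20 ip access-group "Block-Telnet" in
; RACL: routed IPv4 traffic entering the switch on VLAN 20
switch(config)# vlan 20 ip access-group "Block-Telnet" vlan-in
; VACL: switched or routed IPv4 traffic entering the switch on VLAN 20
switch(config)# interface 5 ip access-group "Block-Telnet" in
; static port ACL: any inbound IPv4 traffic on port 5, from any source

; Step 6: an RACL only takes effect when IPv4 routing is enabled.
switch(config)# ip routing

; Source routing can be used to bypass ACLs, so disable it (see the caution in this guide).
switch(config)# no ip source-route

; Step 7: verify the ACEs, the assignments and the running-config before testing traffic.
switch(config)# show access-list "Block-Telnet"
switch(config)# show access-list vlan 20
switch(config)# show access-list ports 5
switch(config)# show running-config
```

The `log` keyword on ACE 10 produces a notification each time the switch denies a matching packet, which is the logging option step 3 refers to; the remaining ACEs are matched in sequence, so the final `permit ip any any` must stay last.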

CAUTION: Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. If source routing is disabled in the running-config file, the show running command includes no ip source-route in the running-config file listing.

NOTE:

To activate a RACL to screen inbound IPv4 traffic for routing between subnets, assign the RACL to the statically configured VLAN on which the traffic enters the switch. Also, ensure that IPv4 routing is enabled. Similarly, to activate a RACL to screen routed, outbound IPv4 traffic, assign the RACL to the statically configured VLAN on which the traffic exits from the switch. A RACL configured to screen inbound IPv4 traffic with a destination address on the switch itself does not require routing to be enabled. (ACLs do not screen outbound IPv4 traffic generated by the switch itself.)