On (2009-02-27 07:15 -0500), Deric Kwok wrote:
> Could you explain to me what is function of access-list in switch?
>
> It looks like to do prevent access to switch only?
>
> Am I right?
No. You can in many CSCO switches use L3 access-lists in L2, although typically only in the inbound direction. Some usage cases:

a) rudimentary anti-spoofing

b) stopping an infected machine from spreading the infection, while allowing machine administration to reach it and fix it

c) for server aggregation style, on the uplink you could protect the servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET, providing wire-rate protection against DoS.

As not just IP match is allowed, but also MAC and ethertype, you could allow only IPv4, IPv6 and ARP frames, to avoid unwanted traffic entering.

--
  ++ytti
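Cases a) and c) and the ethertype whitelist from the reply above, written out as Catalyst IOS port ACLs; this is an added example, not configuration from the post or its author. The server subnet 192.0.2.0/24, the management network 10.10.0.0/24 and the uplink port are constructed, and whether IPv4/IPv6 frames are matched by the MAC ACL or only by an IP/IPv6 ACL depends on the platform and image, so check the ACL documentation for the switch in question.

```cisco
! Added example, not from the original post. Constructed addresses:
! servers 192.0.2.0/24, management network 10.10.0.0/24.
! Applied inbound on the uplink, i.e. to traffic heading toward the servers.
ip access-list extended SERVERS-IN
 remark case a) anti-spoofing: the server subnet never arrives from the uplink
 deny   ip 192.0.2.0 0.0.0.255 any
 remark case c) anyone may reach the web service
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 remark case c) only the management network may reach ssh
 permit tcp 10.10.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 remark the ACL is stateless: replies to flows the servers open themselves
 remark (DNS, NTP, package updates) also enter via the uplink and need entries
 permit udp any eq 53 192.0.2.0 0.0.0.255
 permit udp any eq 123 192.0.2.0 0.0.0.255
 remark keep path-MTU discovery working
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark explicit version of the implicit deny
 deny   ip any any
!
! Ethertype whitelist: the IP ACL above covers IPv4 frames, so the MAC ACL
! only has to admit ARP (0x806) and IPv6 (0x86DD); every other ethertype
! (assumption: on this platform non-IP frames are filtered by the MAC ACL)
! hits the MAC ACL's implicit deny and never enters the switch.
mac access-list extended NONIP-IN
 permit any any 0x806 0x0
 permit any any 0x86DD 0x0
!
interface GigabitEthernet1/0/1
 description uplink, inbound traffic is destined for the servers
 ip access-group SERVERS-IN in
 mac access-group NONIP-IN in
```

Because port ACLs are inbound only, the uplink ACL says nothing about traffic the servers send out; anti-spoofing in that direction needs a matching inbound ACL on the server-facing ports.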
