This post was last edited by SOMING on 2011-12-1 11:04
sdwchow posted on 2011-12-1 10:28:
But I think a bridged VLAN is a Layer 2 MAC ACL.
MAC Address Filtering
I think the "bridged" the question refers to, taken in the context of the whole question, should mean a VLAN map.
Understanding ACLs

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a router and permit or deny packets from crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. It tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packets. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet.

Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer software image installed can accelerate packet routing between VLANs by using Layer 3 switching. The switch bridges the packet, the packet is then routed internally without going to an external router, and then the packet is bridged again to send it to its destination. During this process, the switch can access-control all packets it switches, including packets bridged within a VLAN.

You configure access lists on a router or switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both. However, on Layer 2 interfaces, you can only apply ACLs in the inbound direction.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used. The switch supports two types of ACLs:

• IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet or MAC ACLs filter non-IP traffic.

Supported ACLs

The switch supports three applications of ACLs to filter traffic:

• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces. All Catalyst 3550 switches can create router ACLs, but you must have the enhanced multilayer software image on your switch to apply an ACL to a Layer 3 interface and filter packets routed between VLANs.
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You do not need the enhanced image to apply an ACL to a Layer 2 interface. You can apply only one IP access list and one MAC access list to a Layer 2 interface.
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. You do not need the enhanced image to create or apply VLAN maps. VLAN maps are configured to provide access-control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses by using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.

You can use both router ACLs and VLAN maps on the same switch. However, you cannot use port ACLs on a switch that contains input router ACLs or VLAN maps.

• When a switch has a Layer 2 interface with an applied IP access list or MAC access list, you can create IP access lists and VLAN maps, but you cannot apply an IP access list to an input Layer 3 interface on that switch, and you cannot apply a VLAN map to any of the switch VLANs. An error message is generated if you attempt to do so. You can still apply an IP access list to an output Layer 3 interface on a switch with port ACLs.
• When a switch has an input Layer 3 ACL or a VLAN map applied to it, you cannot apply an IP access list or MAC access list to a Layer 2 interface on that switch. An error message is generated if you attempt to do so. You can apply a port ACL if the switch has an ACL applied to an output Layer 3 interface.
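As an added illustration (not part of the quoted Cisco documentation or the original post), this is what a VLAN map that filters bridged traffic inside a single VLAN looks like in IOS: an IP ACL handles IP traffic and a MAC ACL handles the non-IP traffic, and because a VLAN map drops anything that matches no entry, the map ends with an explicit forward clause. The names, VLAN number and addresses are constructed for the example.

```cisco
! Constructed example: IP ACL selecting the intra-VLAN Telnet traffic to block.
! Inside a VLAN map, "permit" means "this packet matches", the map entry's
! action decides drop or forward.
ip access-list extended INTRAVLAN-TELNET
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq telnet

! Constructed example: MAC ACL matching a non-IP EtherType (AppleTalk ARP),
! the "Ethernet ACE" path the text describes for unsupported protocols.
mac access-list extended NONIP-AARP
 permit any any aarp

! VLAN map entries are evaluated in sequence-number order; first match wins.
vlan access-map INTRAVLAN-MAP 10
 match ip address INTRAVLAN-TELNET
 action drop
vlan access-map INTRAVLAN-MAP 20
 match mac address NONIP-AARP
 action drop
! Entry with no match clause: everything not caught above is forwarded.
! Without it the implicit deny at the end of the map would drop all other
! traffic in the VLAN, including traffic that was never meant to be filtered.
vlan access-map INTRAVLAN-MAP 30
 action forward

! Apply the map; it now checks every packet (bridged or routed) entering VLAN 10.
vlan filter INTRAVLAN-MAP vlan-list 10
```

Note that once this map is applied, the switch will refuse to apply a port ACL on its Layer 2 interfaces, as the quoted restrictions above state.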