Layer 2 devices and ACLs

Answered Question

I work as a network technician and used to have my CCNA (it expired in April); however, I recently came across something that was never brought up in any of my CCNA classes. I was always under the impression you could only configure ACLs on layer 3 devices (whether they were switches, routers, firewalls, etc.). However, I came across the fact that layer 2 devices can have ACLs configured on them.


My question is if you configure an ACL that specifies an IP address (or a range of IP addresses) how is the layer 2 device able to read the IP address of the packet? My understanding is they only read the MAC address and then send the packet on its way.


Thanks in advance!

Joseph W. Doherty Thu, 10/22/2009 - 06:26

Well, that's because what's an L2 device, or L3, or L4, tends to be blurred with modern equipment. Much modern equipment, for Enterprise or Smart L# devices, sometimes offers features not strictly at the device's OSI model level. In other words, a pure L2 device wouldn't understand anything beyond the L2 frame, but some devices do.


As another example, besides some L2 switches supporting L3 ACLs, Cisco L3 devices that support NBAR or FPM are working with more than pure L3 info.

Joseph W. Doherty Fri, 10/23/2009 - 10:37

An interesting question. Don't know the answer, although I believe most modern switches no longer do "cut-through". Maybe that's one reason why they don't (other reason, later hardware is fast enough that "cut-through" was no longer considered really necessary to reduce switch forwarding latency - recall[?] the new Nexus switches might provide "cut-through" to provide very little switching latency; if they do, wonder what their ACL support is).

Correct Answer
Jon Marshall Fri, 10/23/2009 - 10:42

Yes and no. If the switch was a pure cut-through switch then what you say is correct, i.e. once the destination mac-address has been read the frame is forwarded.


However, even with modern cut-through switches they will still read additional information from the frame (such as the IP header) if it is needed to make a forwarding decision. See this doc for more details -


http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-465436.html


All current Cisco switches are store and forward, with the exception I believe of some of the Nexus switches which use cut-through to decrease latency.


Jon
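To make Jon's point concrete: once a store-and-forward switch has buffered the whole frame, the IPv4 header sits at a fixed offset (14 bytes) behind the Ethernet header, so the switch can read source and destination IP addresses before it forwards the frame, and a standard ACL with Cisco-style wildcard masks can be evaluated against them. The code below is an added example written for this thread, not code from Cisco or from any poster; the MAC and IP addresses, the sample frames and the ACL entries are all constructed, the IP header checksum is left at zero because the example parses headers rather than validating them, and the rule that non-IP frames (such as ARP) are not subject to an IP ACL and are simply forwarded is an assumption about how the ACL is modelled here.

```python
"""Constructed example: parsing past the Ethernet header and applying an IP ACL."""
import struct
import ipaddress

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPV4_MIN_HDR_LEN = 20


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4 payloads, the IP header too."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ethertype": ethertype,
    }
    if ethertype != ETHERTYPE_IPV4:
        return info                      # a pure-L2 view stops here
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_MIN_HDR_LEN]
    if len(ip_hdr) < IPV4_MIN_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    if ver_ihl >> 4 != 4:
        raise ValueError("EtherType says IPv4 but the version field does not")
    info.update(
        src_ip=str(ipaddress.IPv4Address(src)),
        dst_ip=str(ipaddress.IPv4Address(dst)),
        protocol=proto,
    )
    return info


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


# Constructed standard ACL, evaluated top-down; first match wins, implicit deny at
# the end.  Equivalent to:  access-list 10 permit 192.168.1.0 0.0.0.255
STANDARD_ACL_10 = [
    ("permit", "192.168.1.0", "0.0.0.255"),
]


def apply_standard_acl(frame: bytes, acl) -> str:
    """Return 'permit' or 'deny' for an IPv4 frame based on its source address.
    Assumption for this model: frames with no IP header are not filtered by an
    IP ACL and are forwarded ('permit')."""
    info = parse_frame(frame)
    if "src_ip" not in info:
        return "permit"
    for action, network, wildcard in acl:
        if wildcard_match(info["src_ip"], network, wildcard):
            return action
    return "deny"                        # implicit deny


def build_ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                     proto: int = 1, payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet II + IPv4 frame (header checksum left at 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + len(payload),
                     0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


# Constructed sample traffic (all addresses are made up for this example)
HOST_A = "00:11:22:33:44:55"
GATEWAY = "66:77:88:99:aa:bb"
FRAME_FROM_LAN = build_ipv4_frame(HOST_A, GATEWAY, "192.168.1.10", "198.51.100.7")
FRAME_FROM_OUTSIDE = build_ipv4_frame(HOST_A, GATEWAY, "10.0.0.5", "192.168.1.10")
# An ARP request carries no IP header: broadcast Ethernet header + 28-byte ARP body
ARP_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex(HOST_A.replace(":", ""))
             + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28)

if __name__ == "__main__":
    for name, frame in [("lan", FRAME_FROM_LAN), ("outside", FRAME_FROM_OUTSIDE),
                        ("arp", ARP_FRAME)]:
        parsed = parse_frame(frame)
        print(name, parsed["dst_mac"], parsed.get("src_ip", "(no IP header)"),
              apply_standard_acl(frame, STANDARD_ACL_10))
```

The `ethertype != ETHERTYPE_IPV4` early return is the "pure L2" behaviour the original question assumes; everything after it is what a store-and-forward switch with the full frame in its buffer is able to do.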
