Layer 2 devices and ACLs

ejrein

I work as a network technician and used to have my CCNA (it expired in April); however, I recently came across something that was never brought up in any of my CCNA classes. I was always under the impression you could only configure ACLs on layer 3 devices (whether they were switches, routers, firewalls, etc.). However, I came across the fact that layer 2 devices can have ACLs configured on them.

My question is if you configure an ACL that specifies an IP address (or a range of IP addresses) how is the layer 2 device able to read the IP address of the packet? My understanding is they only read the MAC address and then send the packet on its way.

Thanks in advance!


Jon Marshall

Eric

A layer 2 switch can still check the IP header of a packet, e.g. a 2960 switch is L2 only, i.e. it can't route packets between subnets, but this does not mean it cannot look into the IP header for QoS classification/ACL checks etc. -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swacl.html

Jon

Joseph W. Doherty

Well, that's because what's an L2 device, or L3, or L4, tends to be blurred with modern equipment. Much modern equipment, for Enterprise or Smart L# devices, sometimes offers features not strictly at the device's OSI model level. In other words, a pure L2 device wouldn't understand anything beyond the L2 frame, but some devices do.

As another example, besides some L2 switches supporting L3 ACLs, Cisco L3 devices that support NBAR or FPM are working with more than pure L3 info.

Thanks for the prompt responses!

With that being said, I would assume that a switch doing cut-through switching would not be able to read an ACL configured to match an IP address? Is this correct?

An interesting question. Don't know the answer, although I believe most modern switches no longer do "cut-through". Maybe that's one reason why they don't (other reason, later hardware is fast enough that "cut-through" was no longer considered really necessary to reduce switch forwarding latency - recall[?] the new Nexus switches might provide "cut-through" to provide very little switching latency; if they do, wonder what's their ACL support).

Yes and no. If the switch was a pure cut-through switch then what you say is correct, i.e. once the destination MAC address has been read the frame is forwarded.

However, even with modern cut-through switches they will still read additional information from the frame (such as the IP header) if it is needed to make a forwarding decision. See this doc for more details -

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-465436.html

All current Cisco switches are store-and-forward, with the exception I believe of some of the Nexus switches which use cut-through to decrease latency.

Jon
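To make concrete both of Jon's points above (that an L2-only switch can still read the IPv4 header sitting right behind the 14-byte Ethernet header, and that a pure cut-through forwarder has only seen the destination MAC when it decides), here is an added Python illustration. It is not code from the thread or from Cisco; it builds a constructed Ethernet II frame, parses just far enough to pull the source/destination IP and protocol out of it, and evaluates a small Cisco-style ACL (wildcard masks, first match wins, implicit deny at the end). The frame builder, `Ace` class and function names are all assumptions for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                protocol: int, payload: bytes = b"") -> bytes:
    """Constructed test frame: 14-byte Ethernet II header + 20-byte IPv4 header.
    The IP checksum is left as 0; this is sample data, not a real capture."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def cut_through_lookup(frame_so_far: bytes) -> Optional[str]:
    """Pure cut-through: the forwarding decision is made once the first
    6 bytes (destination MAC) have arrived. The IP header (byte 14 onward)
    has not been received at that point, so nothing IP-based can be matched."""
    if len(frame_so_far) < 6:
        return None
    return frame_so_far[0:6].hex(":")


def parse_frame(frame: bytes) -> dict:
    """Store-and-forward view: the whole frame is buffered, so the switch can
    read past the Ethernet header into the IPv4 header when it needs to."""
    if len(frame) < 14:
        raise ValueError("Ethernet header not yet complete")
    info = {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "ipv4": None,
    }
    if info["ethertype"] == ETHERTYPE_IPV4 and len(frame) >= 34:
        info["ipv4"] = {
            "protocol": frame[23],                        # IP protocol number
            "src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
        }
    return info


@dataclass
class Ace:
    """One access-control entry, in the style of an extended IP ACL line."""
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches any IP protocol; otherwise "tcp"/"udp"/"icmp"
    src: str
    src_wildcard: str  # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_acl(acl: List[Ace], frame: bytes) -> str:
    """Return the action of the first matching ACE, or 'deny' (implicit deny).
    Non-IP frames (e.g. ARP) are not evaluated by an IP ACL and return 'bypass'."""
    ip = parse_frame(frame)["ipv4"]
    if ip is None:
        return "bypass"
    proto_name = PROTO_NAMES.get(ip["protocol"], str(ip["protocol"]))
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != proto_name:
            continue
        if not _wildcard_match(ip["src"], ace.src, ace.src_wildcard):
            continue
        if not _wildcard_match(ip["dst"], ace.dst, ace.dst_wildcard):
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample: block TCP from 10.1.1.0/24 to 192.168.2.0/24, permit the rest.
    acl = [Ace("deny", "tcp", "10.1.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
           Ace("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "10.1.1.5", "192.168.2.10", 6, bytes(20))
    print("cut-through sees only:", cut_through_lookup(frame[:6]))
    print("store-and-forward ACL verdict:", evaluate_acl(acl, frame))
```

The two functions side by side show why the thread's answer is "yes and no": `cut_through_lookup` has a forwarding key after six bytes but no IP information, while `evaluate_acl` only works because the full frame was buffered first.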

Thanks again for the quick responses!

That white paper was a tremendous help and answered my questions on the subject. Thanks again!
