Community Member

Layer 2 devices and ACLs

I work as a network technician and used to have my CCNA (it expired in April); however, I recently came across something that was never brought up in any of my CCNA classes. I was always under the impression you could only configure ACLs on layer 3 devices (whether they were switches, routers, firewalls, etc.). However, I came across the fact that layer 2 devices can have ACLs configured on them.

My question is if you configure an ACL that specifies an IP address (or a range of IP addresses) how is the layer 2 device able to read the IP address of the packet? My understanding is they only read the MAC address and then send the packet on its way.

Thanks in advance!

Accepted Solution
Hall of Fame Super Blue

Re: Layer 2 devices and ACLs

Yes and no. If the switch was a pure cut-through switch then what you say is correct, i.e. once the destination MAC address has been read the frame is forwarded.

However, even modern cut-through switches will still read additional information from the frame (such as the IP header) if it is needed to make a forwarding decision. See this doc for more details -

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-465436.html

All current Cisco switches are store-and-forward, with the exception, I believe, of some of the Nexus switches, which use cut-through to decrease latency.

Jon

6 REPLIES
Hall of Fame Super Blue

Re: Layer 2 devices and ACLs

Eric

A layer 2 switch can still check the IP header of a packet, e.g. a 2960 switch is L2 only, i.e. it can't route packets between subnets, but this does not mean it cannot look into the IP header for QoS classification/ACL checks etc. -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swacl.html

Jon
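
To make the point in Jon's reply and in the accepted solution concrete, here is a small Python model of an inbound IP port ACL on an L2 port. It is an added illustration, not code from the thread or from Cisco: it parses the Ethernet header (skipping an 802.1Q tag if present), pulls the protocol and source/destination addresses out of the IPv4 header, and matches them against a list of IOS-style extended ACEs (only the permit/deny, ip/tcp/udp/icmp, any/host/wildcard subset is parsed). Each decision also reports how many bytes of the frame had to be read, which is the difference between a pure cut-through lookup (6 bytes, the destination MAC) and an IP ACL lookup (34 bytes untagged, 38 bytes tagged). The MAC addresses, IP addresses and ACL contents are all constructed sample data; how a given platform treats non-IP frames under an IP port ACL is platform-specific, and this model simply forwards them.

```python
"""Software model of an L2 port ACL (added example, not Cisco code).
Shows how far into a frame a switch must read before it can match an
IPv4 ACE. ACE syntax mimics IOS extended ACLs, subset only."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    text: str            # original ACE line, for reporting


def _take_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from toks."""
    if toks[0] == "any":
        return IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return IPv4Network(toks[1] + "/32"), toks[2:]
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
    return IPv4Network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_acl(lines):
    """Parse '<permit|deny> <proto> <src> <dst>' lines into Ace objects."""
    aces = []
    for line in lines:
        toks = line.split()
        action, proto = toks[0], toks[1]
        src, toks = _take_addr(toks[2:])
        dst, _ = _take_addr(toks)
        aces.append(Ace(action, proto, src, dst, line.strip()))
    return aces


@dataclass
class Decision:
    verdict: str         # "forward", "permit" or "deny"
    matched: str         # what decided it (ACE text, implicit deny, ...)
    bytes_examined: int  # how deep into the frame the switch had to read


def cut_through_decision(frame):
    """Pure cut-through: forward once the 6-byte destination MAC is in."""
    return Decision("forward", "dst mac " + frame[0:6].hex(":"), 6)


def port_acl_decision(frame, aces):
    """Inbound IP port ACL: must read through the IPv4 addresses."""
    offset = 12                                   # dst MAC + src MAC
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    if ethertype == ETHERTYPE_VLAN:               # skip the 4-byte 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype != ETHERTYPE_IPV4:
        # Not IP: nothing for an IP ACL to match. This model forwards such
        # frames; real platforms differ, so check the platform's config guide.
        return Decision("permit", "non-IP frame, not subject to IP ACL", offset)
    proto = frame[offset + 9]                      # IPv4 protocol field
    src = IPv4Address(frame[offset + 12:offset + 16])
    dst = IPv4Address(frame[offset + 16:offset + 20])
    examined = offset + 20                         # through the IPv4 dst address
    for ace in aces:                               # first match wins, as in IOS
        want = PROTO_NUMBERS[ace.proto]
        if (want is None or want == proto) and src in ace.src and dst in ace.dst:
            return Decision(ace.action, ace.text, examined)
    return Decision("deny", "implicit deny", examined)


def build_frame(src_ip, dst_ip, proto=6, vlan=None, payload=b"\x00" * 20):
    """Constructed test frame: Ethernet [+ 802.1Q] + IPv4 header + payload.
    MAC addresses are made-up sample values."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + payload


# Constructed sample port ACL (IOS-style; addresses are documentation ranges).
PORT_ACL = parse_acl([
    "deny   ip  host 10.1.1.5 any",
    "deny   udp any host 192.0.2.53",
    "permit ip  10.1.1.0 0.0.0.255 any",
])

if __name__ == "__main__":
    for f in (build_frame("10.1.1.5", "192.0.2.10"),
              build_frame("10.1.1.7", "192.0.2.53", proto=17, vlan=20),
              build_frame("10.1.1.7", "192.0.2.10", vlan=20),
              build_frame("10.2.0.1", "192.0.2.10")):
        print(cut_through_decision(f), port_acl_decision(f, PORT_ACL))
```

Running it shows that every frame is "forwardable" after 6 bytes under the cut-through rule, but the ACL verdict is only available after 34 bytes (38 with a VLAN tag), which is why a switch applying an IP port ACL has to buffer and parse past the Ethernet header even though it never routes the packet.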

Super Bronze

Re: Layer 2 devices and ACLs

Well, that's because what is an L2 device, or L3, or L4, tends to be blurred with modern equipment. Much modern equipment, for Enterprise or Smart L# devices, sometimes offers features not strictly at the device's OSI model level. In other words, a pure L2 device wouldn't understand anything beyond the L2 frame, but some devices do.

As another example, besides some L2 switches supporting L3 ACLs, Cisco L3 devices that support NBAR or FPM are working with more than pure L3 info.

Community Member

Re: Layer 2 devices and ACLs

Thanks for the prompt responses!

With that being said, I would assume that a switch doing cut-through switching would not be able to read an ACL configured to match an IP address? Is this correct?

Super Bronze

Re: Layer 2 devices and ACLs

An interesting question. Don't know the answer, although I believe most modern switches no longer do "cut-through". Maybe that's one reason why they don't (other reason: later hardware is fast enough that "cut-through" was no longer considered really necessary to reduce switch forwarding latency; recall[?] the new Nexus switches might provide "cut-through" to provide very little switching latency; if they do, wonder what their ACL support is).

Community Member

Re: Layer 2 devices and ACLs

Thanks again for the quick responses!

That white paper was a tremendous help and answered my questions on the subject. Thanks again!
