
LAN edge switch security functions: Switch ACLs; filtering port traffic

LAN edge switch security functions enable network administrators to use switch access control lists (ACLs) to filter incoming and outgoing traffic, as well as port-level traffic filtering and VLAN management for a more in-depth approach to LAN security.

Organizations large and small spend a lot of money buying intelligent edge switches that can do a lot more than provide base connectivity, but then they use these switches for little more than the basics. Among the functions often overlooked are LAN edge switch security features, including port-level security and switch-level access control lists (ACLs).

LAN edge switch ACLs can be an important part of defense in depth. Just like ACLs on routers and firewalls, switch-level ACLs can filter traffic, permitting or denying access through the port. But pushing that function to the edge spreads the work out, potentially decreasing the number of rules required in other locations and the amount of traffic processed there, thus improving performance. Also, LAN edge switch ACLs can do something ACLs elsewhere can't: help protect edge devices from one another.


How LAN edge switch ACLs work

ACLs work in a straightforward way: Each entry identifies an action, the kind of traffic that action applies to (the object of the action), and the sources and destinations involved.

  • Action: Options are usually limited to forwarding packets ("permit"), or blocking them from passing ("deny").
  • Object: If a switch has ACLs, it usually has at least three possibilities: all IP traffic, all TCP traffic, and all UDP traffic. Many switches offer per-port filtering for TCP and UDP as well, so that you can, for example, permit SSL traffic but block NFS.
  • Source and destination: These can always be specified with IP addresses, or ranges of IP addresses (as with an address base and mask). You may also be able to use MAC addresses and the EtherType data.

Note the melding of information from layers 2 (MAC address), 3 (IP address) and 4 (TCP/UDP ports) in ACLs. This ability to pay attention to and act on multiple layers of traffic is part of what makes intelligent switches intelligent.


ACLs are processed sequentially: Traffic is compared to each rule in turn, from top to bottom, until it hits a rule that applies to it, and then that action is taken. So, for example, to make ports on a switch useful only as thin clients running against a Citrix XenApp/XenDesktop farm, one might apply an ACL similar to this (assuming the data center net is on, mask

  • Permit TCP any port 1494
  • Permit TCP any port 2598
  • Permit TCP any port 1494
  • Permit TCP any port 2598
  • Deny any any

Ports 1494 and 2598 are the primary ports used by ICA, Citrix's thin client protocol. Traffic bound to the data center from any IP node attached to the switch, or from the data center to any node attached to the switch, and traveling across the specified TCP ports will be permitted to pass through the switch to the edge ports or to the uplink port.

Intelligent edge switch security features: Supporting VLANs; port management

ACLs are not the only intelligent edge switch security feature. Any smart switch supports VLANs. Where ACLs are great for managing access to specific addresses or applications, VLANs are a more robust way of handling groupings of ports and controlling traffic among these groups. Also, many other security settings are available (varying by vendor and line) to perform such functions as controlling broadcast storms and limiting the MAC addresses a port will talk to.

Suppose, for example, that in your offices there is no business reason for PCs (or Macs) to talk directly to one another because, for instance, services are all provided out of the data center. To help prevent rapid spread of viruses from machine to machine, you might configure the edge switches to prevent ports from talking to one another. There are several ways to do so:

  • You can manage it with ACLs:
    • Permit IP Any
    • Permit IP Any
    • Deny IP Any
    • Deny IP Any
    • Permit IP Any any
  • You can manage it with VLANs by putting every port on a unique VLAN and not propagating VLANs off the switch.
  • You can also manage it with other settings, such as making all the edge ports on a Cisco switch "protected" or using the "port-isolation" function on HP ProCurve switches.
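The two policies above (the thin-client-only ACL for the Citrix farm, and the ACL that stops edge ports talking to one another) both depend on the sequential, first-match processing described earlier. The following Python model, written for this article rather than taken from it or from any switch vendor, evaluates packets against an ordered rule list with the implicit deny at the end and flags rules that an earlier rule shadows. The data-center network, the edge network, and the sample packets are constructed placeholders, since the article elides the real addresses and masks; the farm-to-client rules match on the source port, which is how a stateless switch ACL sees server replies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder networks: the article elides the real data-center
# address and mask and never names the edge network.
DC_NET = ipaddress.ip_network("10.10.0.0/24")
EDGE_NET = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.proto in ("ip", pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and rule.sport in (None, pkt.sport)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential first match: the first rule that covers the packet decides.
    Returns (action, rule index); a packet no rule covers hits the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches every packet that rule b would match."""
    return (
        a.proto in ("ip", b.proto)
        and b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and a.sport in (None, b.sport)
        and a.dport in (None, b.dport)
    )


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# Thin-client-only ports: ICA (1494, 2598) to and from the farm, nothing else.
THIN_CLIENT_ACL = [
    Rule("permit", "tcp", ANY, DC_NET, dport=1494),
    Rule("permit", "tcp", ANY, DC_NET, dport=2598),
    Rule("permit", "tcp", DC_NET, ANY, sport=1494),  # farm replies: source port
    Rule("permit", "tcp", DC_NET, ANY, sport=2598),
    Rule("deny", "ip", ANY, ANY),
]

# Peer isolation: edge ports may reach the data center but not each other.
PEER_ISOLATION_ACL = [
    Rule("permit", "ip", EDGE_NET, DC_NET),
    Rule("permit", "ip", DC_NET, EDGE_NET),
    Rule("deny", "ip", EDGE_NET, ANY),
    Rule("deny", "ip", ANY, EDGE_NET),
    Rule("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("tcp", "192.0.2.10", "10.10.0.5", sport=50000, dport=1494),
        Packet("tcp", "192.0.2.10", "10.10.0.5", sport=50000, dport=445),
        Packet("tcp", "192.0.2.10", "192.0.2.11", sport=50001, dport=445),
    ]
    for pkt in samples:
        print(pkt, evaluate(THIN_CLIENT_ACL, pkt), evaluate(PEER_ISOLATION_ACL, pkt))
    # Putting the catch-all deny first shadows every other rule.
    print(shadowed([THIN_CLIENT_ACL[4]] + THIN_CLIENT_ACL[:4]))
```

Running `shadowed()` over a golden configuration before pushing it out is a cheap audit step: a rule list that evaluates correctly on one switch can silently lose entries when someone reorders it, and the shadowed indices show exactly which lines no longer do anything.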

Managing ACLs manually (like the rest of the security settings on your switches) is easy enough if you have only a few switches. The more you have, the more important it becomes to maintain a standard "golden" configuration and use automated configuration tools to maintain and audit configuration.

About the author: John Burke is a principal research analyst with Nemertes Research, where he focuses on software-oriented architectures and management. As an analyst, John draws on his experiences as a practitioner and director of IT to better understand the needs of IT executives and the challenges facing vendors trying to sell to them. A frequent speaker, his career began at The Johns Hopkins University, where he supported the engineering faculty in its use of computers in research and teaching. He moved on to systems and network administration at The College of St. Catherine, in St. Paul, MN, and then to directing staff in voice, data, desktop and systems management at the University of St. Thomas, also in St. Paul.


This was last published in March 2010
