Configuring Access Control Lists

Access Control Lists (ACLs) are supported on Catalyst 3550 switches and on Catalyst 2950 switches that run the enhanced software image.

An ACL consists of Access List Elements (ACEs), which collectively define how packets are filtered; that is, which are forwarded and which are dropped. Each ACE contains:

The ACEs in an ACL are matched against a packet in sequence until a matching ACE is found. If no match is found, the packet is denied by default.

To perform any task with ACLs, choose Device > ACL to open the ACL window. In this window you can:

Layer 2 Filtering

An ACE that does Layer 2 filtering is of the MAC extended type. Its mask can identify these packet fields:

Layer 3 Filtering

An ACE that does Layer 3 filtering is of the IP standard or IP extended type. Its mask can identify these packet fields:

Layer 4 Filtering

IP extended ACEs can also do filtering based on TCP, UDP, ICMP, and IGMP. For TCP and UDP filtering, the mask can contain:

Restriction: For Catalyst 2950 switches, only TCP and UDP are supported.
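The in-order, first-match evaluation with implicit deny described above, applied to IP extended ACEs that match source, destination, protocol, and port, as an added Python model (not CMS or switch code). The ACE and Packet classes, the sample ACL, and the shadowed() check for unreachable ACEs are constructed for this example; it takes CIDR prefixes where a switch would take a wildcard mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an IP extended ACE: a field left as None means "match any".
@dataclass(frozen=True)
class ACE:
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # source network, CIDR form (stands in for a wildcard mask)
    dst: Optional[str] = None     # destination network, CIDR form
    proto: Optional[str] = None   # "tcp", "udp", "icmp" or "igmp"
    dport: Optional[int] = None   # TCP/UDP destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(ace: ACE, pkt: Packet) -> bool:
    """True when every field the ACE specifies agrees with the packet."""
    return (_in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)
            and (ace.proto is None or ace.proto == pkt.proto)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in order; the first match decides. No match at all: implicit deny."""
    for index, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, index
    return "deny", None

def _covers(wide: Optional[str], narrow: Optional[str]) -> bool:
    if wide is None:
        return True
    return narrow is not None and ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(wide, strict=False))

def shadowed(acl: List[ACE]) -> List[int]:
    """Indexes of ACEs that can never fire because an earlier ACE matches a superset."""
    out = []
    for j, later in enumerate(acl):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst)
               and e.proto in (None, later.proto) and e.dport in (None, later.dport)
               for e in acl[:j]):
            out.append(j)
    return out

# Constructed sample ACL: the broad permit in position 0 shadows the narrower deny in position 1.
SAMPLE_ACL = [
    ACE("permit", src="10.0.0.0/8", proto="tcp", dport=443),
    ACE("deny", src="10.1.1.0/24", proto="tcp", dport=443),
    ACE("permit", src="10.1.1.0/24", dst="192.0.2.10/32", proto="udp", dport=53),
]
```

Because the deny in position 1 is shadowed, HTTPS from 10.1.1.0/24 is permitted by position 0, which is the ordering mistake the first-match rule makes easy; shadowed(SAMPLE_ACL) reports it.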

Catalyst 2950 Mask Limitations

These mask limitations apply to Catalyst 2950 switches:

If you have at least one Catalyst 2950 switch in the cluster, CMS provides a report that lets you keep track of masks, their uses, and the interfaces that they affect. The report is in the Resource Monitor window. To open the window, choose Reports > Resource Monitor.


Related Web Links

"Configuring Network Security with ACLs," Catalyst 2950 Desktop Switch Software Configuration Guide
"Configuring Network Security with ACLs," Catalyst 3550 Multilayer Switch Software Configuration Guide