Configuring Access Control Lists
Access Control Lists (ACLs) are supported on Catalyst 3550 switches and on
Catalyst 2950 switches that run the enhanced software image.
An ACL consists of Access List Elements (ACEs), which collectively define
how packets are filtered; that is, which packets are forwarded and which are dropped.
Each ACE contains:
- A mask, which identifies the fields in a packet header that the ACE
is matched against. Depending on its mask, an ACE can do Layer
2, Layer 3, or Layer 4 filtering.
Note: The number of different masks that you can use is limited on
Catalyst 2950 switches. For more information, see Catalyst
2950 Mask Limitations.
- Rules, the values that the header fields selected by the mask are compared against.
- An action, permit or deny, that occurs when a match is found.
A permitted packet is forwarded; a denied packet is dropped.
The ACEs in an ACL are matched against a packet in sequence until a matching
ACE is found, and the action of that first match decides the packet. If no ACE
matches, the packet is denied by default. Because the first match wins, the order
of ACEs matters: an ACE that follows a broader ACE matching the same packets is never reached.
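The evaluation rules above (mask, rules, action, first match wins, implicit deny) can be modelled in a few lines. The following is an added example written for this page, not Cisco software; the ACL it builds and the packets it tests are constructed for illustration, and the wildcard masks follow the Cisco convention in which a 0 bit in the mask means "must match" and a 1 bit means "don't care":

```python
"""Model of how a switch evaluates an IP extended ACL against a packet.

Added example, not Cisco code. Wildcard masks use Cisco's inverted
convention: mask bit 0 = compare this address bit, mask bit 1 = ignore it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY = "255.255.255.255"   # wildcard that ignores every address bit ("any")
HOST = "0.0.0.0"          # wildcard that compares every address bit ("host x.x.x.x")

# A few well-known application names that may stand in for port numbers.
WELL_KNOWN_PORTS = {"www": 80, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    protocol: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP protocol
    src: str
    src_wild: str                   # wildcard mask for the source address
    dst: str
    dst_wild: str                   # wildcard mask for the destination address
    src_port: Optional[int] = None  # None = any source port
    dst_port: Optional[int] = None  # None = any destination port


def port(name_or_number) -> int:
    """Resolve an application name (as the GUI allows) to its port number."""
    if isinstance(name_or_number, int):
        return name_or_number
    return WELL_KNOWN_PORTS[name_or_number]


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard does not mark as don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """A packet matches an ACE only if every field in the ACE's mask agrees."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not addr_matches(pkt.src, ace.src, ace.src_wild):
        return False
    if not addr_matches(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE decides; a packet matching no ACE is denied."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample ACL: hosts in 10.1.1.0/24 may reach the server
# 192.168.10.5 on the web port, may not reach its telnet port, and may
# send any other IP traffic. Everything else falls through to the implicit deny.
WEB_ACL = [
    ACE("permit", "tcp", "10.1.1.0", "0.0.0.255", "192.168.10.5", HOST, dst_port=port("www")),
    ACE("deny",   "tcp", "10.1.1.0", "0.0.0.255", "192.168.10.5", HOST, dst_port=port("telnet")),
    ACE("permit", "ip",  "10.1.1.0", "0.0.0.255", "0.0.0.0", ANY),
]

# The same three ACEs with the broad "permit ip" placed first: the telnet
# deny is now shadowed and can never match.
SHADOWED_ACL = [WEB_ACL[2], WEB_ACL[0], WEB_ACL[1]]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.7", "192.168.10.5", 40000, 80),
                Packet("tcp", "10.1.1.7", "192.168.10.5", 40001, 23),
                Packet("tcp", "10.2.2.2", "192.168.10.5", 40002, 80)):
        print(pkt, "->", evaluate(WEB_ACL, pkt), "/ shadowed:", evaluate(SHADOWED_ACL, pkt))
```

The third packet in the sample comes from a subnet no ACE mentions, so it is dropped even though no ACE explicitly denies it; the SHADOWED_ACL ordering shows why an ACE placed after a broader match is dead.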
To perform any task with ACLs, choose Device > ACL to open the ACL
window. In this window you can:
- Create and delete ACLs
- View ACL details and edit them
- Put ACLs into use by attaching them to device interfaces or terminal lines
An ACE that does Layer 2 filtering is of the MAC extended type. Its
mask can identify these packet fields:
- Source MAC address of 48 bits.
- Destination MAC address of 48 bits.
- Ethertype. You can specify a well-known ethertype or any 16-bit value.
An ACE that does Layer 3 filtering is of the IP standard or IP extended
type. Its mask can identify these packet fields:
- IP source address. The mask can be matched against all 32 bits of the address,
or it can contain a wildcard that specifies which bits to match against.
- IP destination address. Here too the mask can be matched against
all or part of the address. (IP standard ACEs match on the source address only;
the destination address is available to IP extended ACEs.)
IP extended ACEs can also do filtering based on TCP, UDP, ICMP, and IGMP. For
TCP and UDP filtering, the mask can contain:
- A TCP source port number, destination port number, or both
- A UDP source port number, destination port number, or both
- Well-known application names in place of port numbers
Restriction: On Catalyst 2950 switches, Layer 4 filtering is supported for TCP and UDP only.
These mask limitations apply to Catalyst 2950 switches:
- All the ACEs in an ACL must use the same mask, although the rules within
each mask can differ.
Exception: An ACE whose mask matches any source address and any destination
address can be included in an ACL that has an ACE with a different mask.
- You can use no more than four different masks (besides the exception) across
all your ACLs.
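The three rules above are easy to violate once several ACLs exist, so a quick audit before attaching them is worthwhile. The following is an added example, not Cisco code and not the CMS Resource Monitor report; it models a mask in the page's sense, as the set of header fields an ACE matches on, treats an ACE that inspects neither a source nor a destination address as the "any source, any destination" exception, and checks a constructed set of ACLs against the same-mask-per-ACL rule and the four-mask limit:

```python
"""Audit of the Catalyst 2950 mask limitations.

Added example, not Cisco software. A mask is modelled as the frozenset of
header-field names an ACE matches on; an ACE that matches no address field
(any source, any destination) is the exception the limits do not count.
"""
from typing import Dict, FrozenSet, List

Mask = FrozenSet[str]

ADDRESS_FIELDS = {"src-ip", "dst-ip", "src-mac", "dst-mac"}
MASK_LIMIT = 4   # maximum number of different masks across all ACLs on a 2950


def is_any_any(mask: Mask) -> bool:
    """The exception: an ACE that matches any source and any destination address."""
    return not (mask & ADDRESS_FIELDS)


def counted_masks(aces: List[Mask]) -> set:
    """Distinct masks in an ACL, ignoring the any/any exception."""
    return {m for m in aces if not is_any_any(m)}


def audit_2950(acls: Dict[str, List[Mask]],
               attachments: Dict[str, List[str]],
               limit: int = MASK_LIMIT) -> List[str]:
    """Return one message per violated limitation; an empty list means compliant."""
    problems: List[str] = []

    # Rule 1: all ACEs in one ACL share a mask (any/any ACEs excepted).
    for name, aces in acls.items():
        masks = counted_masks(aces)
        if len(masks) > 1:
            problems.append(f"ACL {name}: uses {len(masks)} different masks; "
                            f"all ACEs in an ACL must share one mask")

    # Rule 2: no more than `limit` different masks across all ACLs.
    all_masks = set()
    for aces in acls.values():
        all_masks |= counted_masks(aces)
    if len(all_masks) > limit:
        problems.append(f"{len(all_masks)} different masks in use; the limit is {limit}")

    # Rule 3: only one ACL may be attached to an interface.
    for iface, attached in attachments.items():
        if len(attached) > 1:
            problems.append(f"{iface}: {len(attached)} ACLs attached; only one is allowed")

    return problems


def mask(*fields: str) -> Mask:
    return frozenset(fields)


# Constructed sample: five ACLs, one of which mixes masks, six masks in total.
SAMPLE_ACLS: Dict[str, List[Mask]] = {
    "web-in": [mask("src-ip", "dst-ip", "dst-port"),
               mask("src-ip", "dst-ip", "dst-port"),
               mask("protocol")],                      # permit ip any any: exception
    "mgmt":   [mask("src-ip"), mask("src-ip", "dst-ip")],   # two masks in one ACL
    "voice":  [mask("src-ip", "dst-ip", "src-port", "dst-port")],
    "l2":     [mask("src-mac", "dst-mac", "ethertype")],
    "guest":  [mask("dst-ip")],
}
SAMPLE_ATTACHMENTS = {"Fa0/1": ["web-in"], "Fa0/2": ["mgmt", "guest"]}

# A compliant set for comparison: two masks, one ACL per interface.
OK_ACLS = {"a": [mask("src-ip", "dst-ip", "dst-port"), mask("protocol")],
           "b": [mask("src-ip")]}
OK_ATTACHMENTS = {"Fa0/1": ["a"], "Fa0/2": ["b"]}

if __name__ == "__main__":
    for line in audit_2950(SAMPLE_ACLS, SAMPLE_ATTACHMENTS):
        print(line)
```

The sample trips all three rules: "mgmt" mixes two masks, six masks are in use against a limit of four, and Fa0/2 has two ACLs attached; the any/any ACE in "web-in" is correctly left out of both counts.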
- You can attach only one ACL to an interface.
If you have at least one Catalyst 2950 switch in the cluster, CMS provides
a report that lets you keep track of masks, their uses, and the interfaces that
they affect. The report is in the Resource Monitor window. To open the window,
choose Reports > Resource Monitor.
Related Web Links
"Configuring Network Security with ACLs," Catalyst 2950 Desktop Switch Software Configuration Guide
"Configuring Network Security with ACLs," Catalyst 3550 Multilayer Switch Software Configuration Guide