29-4
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-10
Chapter 29 Configuring Network Security with ACLs
Understanding ACLs
Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a
complete packet, because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information, because the first ACE checks
only Layer 3 information when applied to fragments. (The Layer 3 information in this example is that
the packet is TCP and that the destination is 10.1.1.1.)
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing the Layer 4 information that the deny depends on.
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so
packet B is effectively denied. However, the later fragments that are permitted still consume
bandwidth on the network and the resources of host 10.1.1.2 as it tries to reassemble the packet.
Packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3 on the FTP port. If this packet
is fragmented, the first fragment matches the third ACE (a deny). All other fragments also match the
third ACE, because that ACE does not check any Layer 4 information, the Layer 3 information in
every fragment shows that it is being sent to host 10.1.1.3, and the earlier permit ACEs were
checking different hosts.
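The following is an added example for this page, not Catalyst 2950/2955 software: a small simulator of the fragment rule described for packets A, B and C. The ACL that the text matches against appears on the previous page of the guide, not here, so the four ACEs in ACL_102 are an assumed reconstruction consistent with the text (permit SMTP to 10.1.1.1, deny Telnet to 10.1.1.2, deny everything to 10.1.1.3); the final "permit tcp any any" is assumed because the text says the later fragments of packet B are permitted, which requires a permit ACE after the deny.

```python
# Added example: simulator for the ACL fragment rule described in the text.
# Illustrative code only, not Catalyst software. ACL_102 below is an assumed
# reconstruction of the ACL on the previous page of the guide.
from dataclasses import dataclass
from typing import List, Optional

SMTP, TELNET, FTP = 25, 23, 21


@dataclass(frozen=True)
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    dst: str               # destination host address, or "any"
    dport: Optional[int]   # destination port; None means no Layer 4 check


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # only the first fragment carries the Layer 4 header
    first: bool


def build_fragments(src: str, dst: str, proto: str, dport: int, count: int) -> List[Fragment]:
    """Split one packet into `count` fragments; only the first keeps the port."""
    return [Fragment(src, dst, proto, dport if i == 0 else None, i == 0)
            for i in range(count)]


def ace_result(ace: ACE, frag: Fragment) -> Optional[str]:
    """Apply one ACE to one fragment.

    Returns "permit" or "deny" when the ACE matches, or None when the fragment
    falls through to the next ACE. Rule from the text: an ACE that checks Layer 4
    information is applied to a non-initial fragment on its Layer 3 information
    only. If that matches, a permit ACE permits the fragment, but a deny ACE does
    not match it, because the Layer 4 information the deny depends on is absent.
    An ACE with no Layer 4 information treats every fragment like a whole packet.
    """
    l3_match = ace.dst in ("any", frag.dst) and ace.proto in ("ip", frag.proto)
    if not l3_match:
        return None
    if ace.dport is None:                       # pure Layer 3 ACE
        return ace.action
    if frag.first:                              # Layer 4 header present: full check
        return ace.action if frag.dport == ace.dport else None
    return "permit" if ace.action == "permit" else None   # non-initial fragment


def evaluate(acl: List[ACE], frag: Fragment) -> str:
    for ace in acl:
        result = ace_result(ace, frag)
        if result is not None:
            return result
    return "deny"   # implicit deny at the end of every ACL


def fragment_results(acl: List[ACE], frags: List[Fragment]) -> List[str]:
    """Per-fragment verdicts, first fragment first."""
    return [evaluate(acl, f) for f in frags]


# Assumed reconstruction of the ACL from the previous page (see header comment).
ACL_102 = [
    ACE("permit", "tcp", "10.1.1.1", SMTP),
    ACE("deny", "tcp", "10.1.1.2", TELNET),
    ACE("deny", "tcp", "10.1.1.3", None),
    ACE("permit", "tcp", "any", None),   # assumed: the text says B's later fragments are permitted
]

# Constructed packets A, B and C from the text, each split into three fragments.
PACKET_A = build_fragments("10.2.2.2", "10.1.1.1", "tcp", SMTP, 3)
PACKET_B = build_fragments("10.2.2.2", "10.1.1.2", "tcp", TELNET, 3)
PACKET_C = build_fragments("10.2.2.2", "10.1.1.3", "tcp", FTP, 3)

if __name__ == "__main__":
    for name, frags in (("A", PACKET_A), ("B", PACKET_B), ("C", PACKET_C)):
        print(name, fragment_results(ACL_102, frags))
```

Running it shows the point the text makes about packet B: the first fragment is denied, but the two non-initial fragments fall past the Layer 4 deny and are permitted by the later ACE, so they still reach host 10.1.1.2 and occupy its reassembly buffers. Packet C is denied in full because the matching ACE carries no Layer 4 information.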
Understanding Access Control Parameters
Before configuring ACLs on the switches, you must have a thorough understanding of the access control
parameters (ACPs). ACPs are referred to as masks in the switch CLI commands, output, and CMS.
Each ACE has a mask and a rule. The Classification Field or mask is the field of interest on which you
want to perform an action. The specific values associated with a given mask are called rules.
Packets can be classified on these Layer 2, Layer 3, and Layer 4 fields:
Layer 2 fields:
Source MAC address (Specify all 48 bits.)
Destination MAC address (Specify all 48 bits.)
Ethertype (16-bit ethertype field)
You can use any combination or all of these fields simultaneously to define a flow.
Layer 3 fields:
IP source address (Specify all 32 IP source address bits to define the flow, or specify a
user-defined subnet. There are no restrictions on the IP subnet to be specified.)
IP destination address (Specify all 32 IP destination address bits to define the flow, or specify
a user-defined subnet. There are no restrictions on the IP subnet to be specified.)
You can use any combination or all of these fields simultaneously to define a flow.
Layer 4 fields:
TCP (You can specify a TCP source, destination port number, or both at the same time.)
UDP (You can specify a UDP source, destination port number, or both at the same time.)
Note: A mask can be a combination of either multiple Layer 3 and Layer 4 fields or of multiple Layer 2 fields.
Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields.
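The following is an added example for this page, not Catalyst 2950/2955 software, modelling the mask/rule split described above. The field names (src_mac, dst_ip, tcp_dport and so on) are this example's own; the switch CLI names them differently. A mask names the fields of interest, a rule supplies their values, and the checks enforce the constraints the text lists: Layer 2 fields are never mixed with Layer 3 or Layer 4 fields, MAC addresses are compared on all 48 bits, the ethertype is a 16-bit value, and an IP field accepts a host address or a user-defined subnet of any length.

```python
# Added example: a model of access control parameters (masks) and rules as
# described in the text. Illustrative code only; field names are assumed.
import ipaddress
from typing import Any, Dict, Iterable, Set

L2_FIELDS = {"src_mac", "dst_mac", "ethertype"}
L3_FIELDS = {"src_ip", "dst_ip"}
TCP_FIELDS = {"tcp_sport", "tcp_dport"}
UDP_FIELDS = {"udp_sport", "udp_dport"}
L4_FIELDS = TCP_FIELDS | UDP_FIELDS


def normalize_mac(mac: str) -> int:
    """Accept 00:01:02:03:04:05, 00-01-02-03-04-05 or 0001.0203.0405; require all 48 bits."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"MAC must specify all 48 bits: {mac!r}")
    return int(digits, 16)


def validate_mask(mask: Iterable[str]) -> Set[str]:
    """Return the mask as a set, or raise ValueError if it breaks the layer rules."""
    fields = set(mask)
    unknown = fields - (L2_FIELDS | L3_FIELDS | L4_FIELDS)
    if unknown:
        raise ValueError(f"unknown classification fields: {sorted(unknown)}")
    if not fields:
        raise ValueError("mask must name at least one field")
    if fields & L2_FIELDS and fields & (L3_FIELDS | L4_FIELDS):
        raise ValueError("Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields")
    if fields & TCP_FIELDS and fields & UDP_FIELDS:
        raise ValueError("a mask checks TCP ports or UDP ports, not both")
    return fields


def mask_is_valid(mask: Iterable[str]) -> bool:
    try:
        validate_mask(mask)
        return True
    except ValueError:
        return False


def matches(mask: Iterable[str], rule: Dict[str, Any], packet: Dict[str, Any]) -> bool:
    """True when every field named in the mask carries the rule's value in the packet."""
    for field in validate_mask(mask):
        want, have = rule[field], packet.get(field)
        if have is None:                 # e.g. a non-IP frame checked for an IP field
            return False
        if field in L3_FIELDS:
            # the rule is a host address (treated as /32) or a user-defined subnet
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif field in ("src_mac", "dst_mac"):
            if normalize_mac(have) != normalize_mac(want):
                return False
        elif field == "ethertype":
            if not 0 <= int(want) <= 0xFFFF:
                raise ValueError("ethertype is a 16-bit field")
            if int(have) != int(want):
                return False
        elif have != want:               # TCP or UDP port numbers
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: an SMTP packet to the 10.1.1.0/24 subnet and an IPv4 frame.
    smtp_mask, smtp_rule = {"dst_ip", "tcp_dport"}, {"dst_ip": "10.1.1.0/24", "tcp_dport": 25}
    print(matches(smtp_mask, smtp_rule, {"src_ip": "10.2.2.2", "dst_ip": "10.1.1.1", "tcp_dport": 25}))
    l2_mask, l2_rule = {"dst_mac", "ethertype"}, {"dst_mac": "0001.0203.0405", "ethertype": 0x0800}
    print(matches(l2_mask, l2_rule, {"dst_mac": "00:01:02:03:04:05", "ethertype": 0x0800}))
    print(mask_is_valid({"src_mac", "dst_ip"}))   # mixing layers is rejected
```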