29-5
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter29 Configuring Network Securi ty with ACLs Understanding ACLs
There are two types of masks:
User-defined maskmasks that are defined by the user.
System-defined maskthese masks can be configured on any interface:
Switch (config-ext-nacl)# permit tcp any any
Switch (config-ext-nacl)# deny tcp any any
Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any
Note In an IP extended ACL (both named and numbered), a Layer 4 system-defined m ask c a nnot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.
The switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are
significant restrictions for configuring ACLs on the switches.
Only four user-defined masks can be defined for the ent ire system. These can be used for either security
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system me ssage guide for
this release.
Table29-1 lists a summary of the ACL restrictions on the switches.
Guidelines for Applying ACLs to Physical Interfaces
When applying ACLs to physical interfaces, follow these configuration guidelines:
Only one ACL with these limitations can be attached to an interface:
Gigabit Ethernet ports support up to 100 ACEs per 1 ACL per port.
Fast Ethernet ports support up to 75 ACEs per 1 ACL across a range of 8 Fast Ethernet ports.
This means that ports 1 to 8 support a combined total of 75 ACEs, ports 9 to 16 support a
combined total of 75 ACEs, and so on.
For more information, refer to the ip access-group interface command in the command reference
for this release.
Table29-1 Summary of ACL Restrictions
Restriction Number
Number of user-defined masks allowed in an ACL 1
Number of ACLs allowed on an interface 1
Total number of user-defined masks for security and QoS allowed on a switch 4