Cisco Systems 2950 Understanding Access Control Parameters

24-4

Catalyst2950 Desktop Switch Software Configuration Guide

78-11380-05

Chapter24 Configuring Network Security with ACLs

Understanding ACLs

•Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP por t.

If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a

complete packet because all Layer 4 information is present. T he remaining fragments also match the

first ACE, even though they do not contain the SMTP port information because the first ACE only

checks Layer 3 information when applied to fragments. (The information in this example is that t he

packet is TCP and that the destination is 10.1.1.1.)

•Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on th e Telnet port. If t his pa c ket

is fragmented, the first fragment matches the second ACE (a deny) because a ll Layer 3 and Layer 4

information is present. The remaining fragments in the packet do not match the second A CE beca use

they are missing Layer 4 information.

•Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so

packetB is effectively denied. However, the later fragments that are permitted will consume

bandwidth on the network and the resources of host 10.1.1.2 as it tries to reassemble the packet.

•Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this pa cket

is fragmented, the first fragment matches the third ACE (a deny). All o ther fragments also match t he

third ACE because that ACE does not check any Layer 4 information and bec au se L ayer 3

information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit

ACEs were checking different hosts.

Understanding Access Control Parameters

Before configuring ACLs on the switches, yo u must ha ve a thorough underst anding of the access c ontrol

parameters (ACPs). ACPs are referred to as masks in the switch CLI commands, output, and CMS.

Each ACE has a mask and a rule. The Classification Field or mask is the field of interest on which you

want to perform an action. The specific values associated with a given mask are called rules.

Packets can be classified on these Layer 2, Layer 3, and Layer 4 fields:

•Layer 2 fields:

–

Source MAC address (Specify all 48 bits.)

–

Destination MAC address (Specify all 48 bits.)

–

Ethertype (16-bit ethertype field)

You can use any combination or all of these fields simultaneously to define a flow.

•Layer 3 fields:

–

IP source address (Specify all 32 IP source address bits to define t he f low, or specify an use r-

defined subnet. There are no restrictions on the IP subnet to be specified.)

–

IP destination address (Specify all 32 IP destination address bit s to d efine the f l ow, or specify

an user-defined subnet. There are no restrictions on the IP subnet to be specified.)

You can use any combination or all of these fields simultaneously to define a flow.