28-2
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 28 Configuring Network Security with ACLs
Understanding ACLs
Understanding ACLs
Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can
filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is
a sequential collection of permit and deny conditions that apply to packets. When a packet is received
on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the
packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
The switch tests the packet against the conditions in an access list one by one. The first match determines
whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the
first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the
packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the
packet.
You configure access lists on a Layer 2 switch to provide basic security for your network. If you do not
configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types
of traffic are forwarded or blocked at switch interfaces. For example, you can allow e-mail traffic to be
forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports these types of ACLs on physical interfaces in the inbound direction:
IP ACLs filter IP, TCP, and UDP traffic.
Ethernet or MAC ACLs filter Layer 2 traffic.
MAC extended access lists use source and destination MAC addresses and optional protocol type
information for matching operations.
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses and optional protocol type information
for matching operations.
The switch examines access lists associated with features configured on a given interface. As packets
enter the switch on an interface, ACLs associated with all inbound features configured on that interface
are examined.