28-4
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 28 Configuring Network Security with ACLs
Understanding ACLs
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and
Telnet, respectively.
Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a
complete packet because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information because the first ACE only
checks Layer 3 information when applied to fragments. (The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.)
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information.
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so
packet B is effectively denied. However, the later fragments that are permitted will consume
bandwidth on the network and the resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet
is fragmented, the first fragment matches the third ACE (a deny). All other fragments also match the
third ACE because that ACE does not check any Layer 4 information and because Layer 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
Understanding Access Control Parameters
Before configuring ACLs on the switches, you must have a thorough understanding of the access control
parameters (ACPs). ACPs are referred to as masks in the switch CLI commands output.
Each ACE has a mask and a rule. The Classification Field or mask is the field of interest on which you
want to perform an action. The specific values associated with a given mask are called rules.
Packets can be classified on these Layer 2, Layer 3, and Layer 4 fields:
Layer 2 fields:
Source MAC address (Specify all 48 bits.)
Destination MAC address (Specify all 48 bits.)
Ethertype (16-bit ethertype field)
You can use any combination or all of these fields simultaneously to define a flow.
Layer 3 fields:
IP source address (Specify all 32 IP source address bits to define the flow, or specify an user-
defined subnet. There are no restrictions on the IP subnet to be specified.)
IP destination address (Specify all 32 IP destination address bits to define the flow, or specify
an user-defined subnet. There are no restrictions on the IP subnet to be specified.)
You can use any combination or all of these fields simultaneously to define a flow.
Layer 4 fields:
TCP (You can specify a TCP source, destination port number, or both at the same time.)