31-4
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Understanding ACLs
Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.

Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs.
You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one
router ACL in each direction on an interface.
An ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs.
When a single router ACL is used by multiple features, it is examined multiple times.
Supported access lists for IPv4 traffic:
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses and optional protocol information for
matching operations.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface.
However, you can apply only inbound port ACLs, while router ACLs are supported in both directions.
As packets enter the switch on an interface, ACLs associated with all inbound features configured on
that interface are examined. After packets are routed and before they are forwarded to the next hop, all
ACLs associated with outbound features configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL and can
be used to control access to a network or to part of a network. In Figure 31-1, ACLs applied at the router
input allow Host A to access the Human Resources network but prevent Host B from accessing the same
network.
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.2
Switch(config)# access-list 102 deny tcp any any
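To make the modified matching rules concrete, the following is an added Python simulator of access list 102 as configured above; it is not Cisco code and not part of the guide. The ACEs mirror the four commands, while the packets it evaluates are constructed for illustration (source 10.2.2.2 is assumed).

```python
# Added example: simulate how an IOS access list evaluates initial and
# non-initial fragments. Constructed for illustration; not Cisco code.
from dataclasses import dataclass
from typing import List, Optional

SMTP, TELNET = 25, 23

@dataclass(frozen=True)
class Packet:
    proto: str              # Layer 3 protocol field: "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int]    # None = non-initial fragment, no Layer 4 header present

@dataclass(frozen=True)
class ACE:
    action: str             # "permit" or "deny"
    proto: str
    dst: Optional[str]      # None means "any"
    dport: Optional[int]    # None means the ACE tests no Layer 4 information

def l3_matches(ace: ACE, pkt: Packet) -> bool:
    return ace.proto == pkt.proto and (ace.dst is None or ace.dst == pkt.dst)

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if not l3_matches(ace, pkt):
        return False
    if ace.dport is None:          # Layer 3 only: applies to every fragment
        return True
    if pkt.dport is not None:      # Layer 4 information present: match normally
        return ace.dport == pkt.dport
    # Non-initial fragment and the ACE tests Layer 4 information:
    # a permit ACE matches on Layer 3 alone, a deny ACE never matches.
    return ace.action == "permit"

def evaluate(acl: List[ACE], pkt: Packet) -> str:
    for ace in acl:                # first matching ACE wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                  # implicit deny at the end of the list

ACL_102 = [                        # access-list 102, as configured above
    ACE("permit", "tcp", "10.1.1.1", SMTP),
    ACE("deny",   "tcp", "10.1.1.2", TELNET),
    ACE("permit", "tcp", "10.1.1.2", None),
    ACE("deny",   "tcp", None,       None),
]

# Constructed packets: a Telnet flow to 10.1.1.2, first fragment vs. later fragment.
TELNET_FIRST_FRAG = Packet("tcp", "10.2.2.2", "10.1.1.2", TELNET)
TELNET_LATER_FRAG = Packet("tcp", "10.2.2.2", "10.1.1.2", None)
```

Running evaluate on the two constructed packets shows the effect the text describes: the first fragment is denied by the second ACE, but the later fragments skip that deny ACE and are permitted by the third.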