CHAPTER
28-1
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
28
Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 2960 switch by using access
control lists (ACLs), which in commands and tables are also referred to as access lists.
Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, see the “Configuring IP Servi ces” section in the “IP Addressing and Service s”
chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
This chapter consists of these sections:
Understanding ACLs, page 28-1
Configuring IPv4 ACLs, page 28-4
Creating Named MAC Extended ACLs, page 28-20
Displaying IPv4 ACL Configuration, page 28-22

Understanding ACLs

Packet filtering can help limit network traffic and restrict network use by certain users or devices. A CLs
filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces. An
ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is
received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria sp ecified in the access
lists. One by one, it tests packets against the conditions in an access list. The first match decides whether
the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order
of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no
restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use
ACLs on all packets it forwards.