Cisco Systems 2960 Port ACLs

28-2

Catalyst 2960 Switch SoftwareConfiguration Guide

78-16881-01

Chapter28 Configuring Network Security with ACLs

Understanding ACLs

You configure access lists on a switch to provide basic security for your network. If you do not configure

ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use

ACLs to control which hosts can access different parts of a network or to deci de which types of traffic

are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet

traffic.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny

and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny

depends on the context in which the ACL is used.

The switch supports IP ACLs and Ethernet (MAC) ACLs:

•IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group

Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

•Ethernet ACLs filter non-IP traffic.

This switch also supports quality of service (QoS) classification ACLs. For more information, see the

“Classification Based on QoS ACLs” section on page 29-7.

These sections contain this conceptual information:

•Port ACLs, page 28-2

•Handling Fragmented and Unfragmented Traffic, page 28-3

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on

physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the

inbound direction. These access lists are supported:

•Standard IP access lists using source addresses

•Extended IP access lists using source and destination addre sses and optional protocol type

information

•MAC extended access lists using source and destination MAC addresses and optional protocol type

information

The switch examines ACLs associated with all inbound features co nfigured on a given interface and

permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way,

ACLs control access to a network or to part of a network. Figure 28-1 is an example of using port ACLs

to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer

2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing

the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.