34-6
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter34 Configuring Network Security with ACLs
Understanding ACLs
Some ACEs do not check Layer 4 information and therefore can be applied to all pa cket fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.2
Switch(config)# access-list 102 deny tcp any any
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SM TP) and
Telnet, respectively.
Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a
complete packet because all Layer 4 information is present. T he remaining fragments also match the
first ACE, even though they do not contain the SMTP port information, because the first ACE only
checks Layer 3 information when applied to fragments. The information in this example is tha t the
packet is TCP and that the destination is 10.1.1.1.
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on th e Telnet port. If t his pa c ket
is fragmented, the first fragment matches the second ACE (a deny) because a ll Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second A CE beca use
they are missing Layer 4 information. Instead, they match the thir d ACE (a pe rm it).
Because the first fragment was denied, host 10.1.1 .2 cannot r eassemble a complete pa cket, so packe t
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this pa cket
is fragmented, the first fragment matches the fourth ACE (a deny). Al l othe r fr agme nts a lso ma tch
the fourth ACE because that ACE does not check any Layer 4 information an d b eca use Lay er 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
ACLs and Switch Stacks
ACL support is the same for a switch stack as for a standalone switch. ACL configurati on i nfo rmat ion
is propagated to all switches in the stack. All switches in the stack, including the stack master, process
the information and program their hardware. (For more information about switch stacks, see Chapter 5,
“Configuring the Switch Stack.”)
The stack master performs these ACL functions:
It processes the ACL configuration and propagates the information to all stack members.
It distributes the ACL information to any switch that joins the stack.