19-9
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed
to be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.102
permit any
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
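The reordering described above can change which ACE a packet hits first, so it is worth checking an ACL both as entered and as the switch installs it. The following simulator is an added example written for this page, not Cisco code: it parses standard ACEs (host, address plus wildcard, bare address with the default 0.0.0.0 mask, and any), applies first-match evaluation with the implicit deny, and emulates the 3550's host-entries-first reordering. The sample configuration lines are constructed for the demonstration.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def parse_ace(line):
    """Parse one 'access-list N {permit|deny} ...' line of a standard IP ACL.

    Returns (action, address, wildcard) with address and wildcard as 32-bit ints.
    Accepts 'host A', 'A WILDCARD', bare 'A' (wildcard defaults to 0.0.0.0) and 'any'.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest == ["any"]:
        return action, 0, MASK32          # every bit is "don't care"
    if rest[0] == "host":
        return action, int(IPv4Address(rest[1])), 0
    addr = int(IPv4Address(rest[0]))
    wild = int(IPv4Address(rest[1])) if len(rest) > 1 else 0  # omitted mask -> 0.0.0.0
    return action, addr, wild


def as_installed(aces):
    """Emulate the switch: host / 0.0.0.0-wildcard entries move above ranged entries."""
    exact = [a for a in aces if a[2] == 0]
    ranged = [a for a in aces if a[2] != 0]
    return exact + ranged


def evaluate(aces, src):
    """First-match evaluation; the implicit deny applies when no ACE matches."""
    s = int(IPv4Address(src))
    for action, addr, wild in aces:
        care = ~wild & MASK32              # bits that must match exactly
        if (s & care) == (addr & care):
            return action
    return "deny"


# Constructed sample: a network-wide permit entered before a host-specific deny.
CONFIG = [
    "access-list 2 permit 171.69.0.0 0.0.255.255",
    "access-list 2 deny host 171.69.198.102",
]

if __name__ == "__main__":
    entered = [parse_ace(l) for l in CONFIG]
    installed = as_installed(entered)
    for ip in ("171.69.198.102", "171.69.1.1", "10.0.0.1"):
        print(ip, "entered:", evaluate(entered, ip), "installed:", evaluate(installed, ip))
```

With the sample above, the host 171.69.198.102 is permitted by the list as typed but denied by the list the switch actually installs, which is why the show access-lists output, not the typing order, is what to review.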
The switch software can provide logging messages about packets permitted or denied by a standard IP
access list. That is, any packet that matches the ACL causes an informational logging message about the
packet to be sent to the console. The level of messages logged to the console is controlled by the logging
console commands controlling the syslog messages.
Note Because routing is done in hardware and logging is done in software, if a large number of packets
match a permit or deny ACE containing a log keyword, the software might not be able to match the
hardware processing rate, and not all packets will be logged.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are
collected over 5-minute intervals before they are displ ayed or logged. The logging message includes the
access list number, whether the packet was permitted or denied, the source IP address of the packet, and
the number of packets from that source permitted or denied in the prior 5-minute interval.
Note An output ACL cannot log multicast packets.
After creating an ACL, you must apply it to a line or interface, as described in the Applying the ACL
to an Interface or Terminal Line section on page 19-18.
Creating a Numbered Extended ACL
Although standard ACLs use only source addresses for matching, you can use extended ACL source and
destination addresses for matching operations and optional protocol type information for finer
granularity of control. Some protocols also have specific parameters and keywords that apply to that
protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold):
Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp),
Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control
Message Protocol (icmp), Internet Group Management Protocol (igmp), Interior Gateway Routing