Cisco Systems 3560 Configuring IPv4 ACLs

33-6

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 33 Configuring Network Security with ACLs

Configuring IPv4 ACLs

• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as

TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4

information might have been.

• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains

Layer 4 information.

Consider access list 102, configured with these commands, applied to three fragmented packets:

Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp

Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet

Switch(config)# access-list 102 permit tcp any host 10.1.1.2

Switch(config)# access-list 102 deny tcp any any

Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test

for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and

Telnet, respectively.

• Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.

If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a

complete packet because all Layer 4 information is present. The remaining fragments also match the

first ACE, even though they do not contain the SMTP port information, because the first ACE only

checks Layer 3 information when applied to fragments. The information in this example is that the

packet is TCP and that the destination is 10.1.1.1.

• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet

is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4

information is present. The remaining fragments in the packet do not match the second ACE because

they are missing Layer 4 information. Instead, they match the third ACE (a permit).

Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet

B is effectively denied. However, the later fragments that are permitted will consume bandwidth on

the network and resources of host 10.1.1.2 as it tries to reassemble the packet.

• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet

is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match

the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3

information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit

ACEs were checking different hosts.

Configuring IPv4 ACLs

Configuring IP v4ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches

and routers. The process is briefly described here. For more detailed information on configuring ACLs,

see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS

IP Configuration Guide, Release 12.2. For detailed information about the commands, see the Cisco IOS

IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS

documentation is available from the Cisco.com page under Documentation > Cisco IOS Software >

12.2 Mainline > Configuration Guides or Command References.

The switch does not support these Cisco IOS router ACL-related features:

• Non-IP protocol ACLs (see Table 33-1 on page 33-8) or bridge-group ACLs

• IP accounting