Chapter 34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

Creating Standard and Extended IPv4 ACLs

This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.

The software supports these types of ACLs or access lists for IPv4:

Standard IP access lists use source addresses for matching operations.

Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.

These sections describe access lists and how to create them:

Access List Numbers, page 34-8

ACL Logging, page 34-9

Creating a Numbered Standard ACL, page 34-10

Creating a Numbered Extended ACL, page 34-11

Resequencing ACEs in an ACL, page 34-15

Creating Named Standard and Extended ACLs, page 34-15

Using Time Ranges with ACLs, page 34-17

Including Comments in ACLs, page 34-19

Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 34-1 lists each access-list number range, the corresponding access-list type, and whether that type is supported on the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.

Table 34-1    Access List Numbers

Access List Number    Type                                        Supported
1–99                  IP standard access list                     Yes
100–199               IP extended access list                     Yes
200–299               Protocol type-code access list              No
300–399               DECnet access list                          No
400–499               XNS standard access list                    No
500–599               XNS extended access list                    No
600–699               AppleTalk access list                       No
700–799               48-bit MAC address access list              No
800–899               IPX standard access list                    No
900–999               IPX extended access list                    No
1000–1099             IPX SAP access list                         No
1100–1199             Extended 48-bit MAC address access list     No
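The two rules this section states, that the first matching ACE decides and that a packet matching nothing is denied, are easy to get wrong when an ACL is edited in place, because a broad permit placed above a narrow deny silently makes the deny unreachable. The following Python is an added example, not code from the configuration guide or from Cisco: it parses numbered `access-list` lines in the standard and extended forms described above, decides the list type from the number ranges in Table 34-1, applies first-match with the implicit deny, and adds a `shadowed` check (an assumption of this example, not an IOS feature) that reports ACEs an earlier ACE already covers. It assumes numbered lists only, the `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` address forms, an optional `eq PORT` on the destination only, and a constructed sample configuration.

```python
"""Added example (not the guide's code): first-match evaluation of IOS-style numbered IPv4 ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

STANDARD_RANGES = ((1, 99), (1300, 1999))     # Table 34-1: IP standard, plus the expanded range
EXTENDED_RANGES = ((100, 199), (2000, 2699))  # Table 34-1: IP extended, plus the expanded range


def acl_type(number: int) -> str:
    """Return "standard" or "extended" for an IPv4 list number; other ranges are rejected."""
    for kind, ranges in (("standard", STANDARD_RANGES), ("extended", EXTENDED_RANGES)):
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    raise ValueError(f"access-list {number}: not an IPv4 standard or extended range")


@dataclass(frozen=True)
class AddrMatch:
    """Address plus IOS wildcard mask: a 1 bit in the wildcard is "don't care" (inverse of a netmask)."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)

    def covers(self, other: "AddrMatch") -> bool:
        # True if every address `other` can match is also matched by self.
        care = ~self.wildcard & 0xFFFFFFFF
        return (other.wildcard & care) == 0 and (self.addr & care) == (other.addr & care)


ANY = AddrMatch(0, 0xFFFFFFFF)


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # always "ip" for a standard ACE
    src: AddrMatch
    dst: AddrMatch               # always ANY for a standard ACE
    dport: Optional[int] = None  # destination "eq <port>", if present


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse `any` | `host A.B.C.D` | `A.B.C.D WILDCARD` at tok[i]; return (match, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return AddrMatch(int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_acl(config: str, number: int) -> List[ACE]:
    """Collect the ACEs of one numbered list in configuration order (the order is the policy)."""
    kind = acl_type(number)
    aces: List[ACE] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        if kind == "standard":               # access-list N permit|deny SRC
            aces.append(ACE(tok[2], "ip", _parse_addr(tok, 3)[0], ANY))
            continue
        src, i = _parse_addr(tok, 4)         # access-list N permit|deny PROTO SRC DST [eq PORT]
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(ACE(tok[2], tok[3], src, dst, dport))
    return aces


def evaluate(aces: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins: (action, index of the matching ACE); no match is the implicit deny ("deny", None)."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", pkt.proto) or (ace.dport is not None and ace.dport != pkt.dport):
            continue
        if ace.src.matches(pkt.src) and ace.dst.matches(pkt.dst):
            return ace.action, idx
    return "deny", None


def shadowed(aces: List[ACE]) -> List[int]:
    """Indexes of ACEs that can never be hit because an earlier ACE matches every packet they would."""
    def covers(a: ACE, b: ACE) -> bool:
        return (a.proto in ("ip", b.proto) and (a.dport is None or a.dport == b.dport)
                and a.src.covers(b.src) and a.dst.covers(b.dst))
    return [j for j in range(len(aces)) if any(covers(aces[i], aces[j]) for i in range(j))]


# Constructed sample configuration, not from the guide. Both lists carry an ordering mistake: the
# deny of 192.168.10.77 and the deny of 10.1.1.50 (for TCP/443) sit behind broader permits.
SAMPLE_CONFIG = """
access-list 10 remark management stations only
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny host 192.168.10.77
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.9.9.10 eq 443
access-list 101 deny ip host 10.1.1.50 any
access-list 101 permit icmp any any
"""
```

Run `evaluate(parse_acl(SAMPLE_CONFIG, 10), Packet("192.168.10.77", "10.0.0.1"))` and the result is `("permit", 0)`: the deny in the second ACE is never consulted, which `shadowed` reports as index 1. In list 101, traffic from 10.1.1.50 to 10.9.9.10 on TCP/443 is permitted by the first ACE while the same host's SSH attempt falls through to the deny, and UDP from the subnet matches nothing and is dropped by the implicit deny. Wildcard masks are matched bitwise, so non-contiguous masks such as 0.0.255.0 behave as IOS treats them.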

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
34-8
OL-9775-02