25-2
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs

Understanding ACLs

Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.

The switch tests the packet against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet.
You configure access lists on a Layer 2 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at switch interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.
The switch supports these types of ACLs on physical interfaces in the inbound direction:
• IP ACLs filter IP, TCP, and UDP traffic.
  – Standard IP access lists use source addresses for matching operations.
  – Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
• Ethernet or MAC ACLs filter Layer 2 traffic.
  – MAC extended access lists use source and destination MAC addresses and optional protocol type information for matching operations.
The switch examines access lists associated with features configured on a given interface. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For example, you can use ACLs to allow one host to access a part of a network, but to prevent another host from accessing the same part. In Figure 25-1, ACLs applied at the switch input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.
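The first-match rule, the implicit deny when no entry matches, and the Host A/Host B case of Figure 25-1 can be modeled in a short evaluator. This is an added Python example, not code from this guide or from Cisco IOS; the host addresses, the Human Resources prefix and the SMTP/Telnet entries are constructed values chosen for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

ANY = "0.0.0.0/0"

class ACE(NamedTuple):
    action: str                  # "permit" or "deny"
    src: str                     # source prefix; a standard IP ACL only looks at this
    dst: str = ANY               # destination prefix (extended IP ACLs)
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any IP protocol
    dport: Optional[int] = None  # destination port; None matches any

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def matches(ace: ACE, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst)
            and (ace.proto is None or ace.proto == pkt.proto)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: list[ACE], pkt: Packet) -> str:
    """Test the ACEs one by one; the first match decides. No match is an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"
# Constructed addresses standing in for Figure 25-1 (hypothetical values).
HOST_A, HOST_B, HR_HOST, HR_NET = "10.1.1.10", "10.1.1.20", "172.16.20.5", "172.16.20.0/24"
# Host A may reach HR, Host B may not, all other traffic is allowed.
ACL_HR = [ACE("deny", HOST_B + "/32", HR_NET),
          ACE("permit", HOST_A + "/32", HR_NET),
          ACE("permit", ANY, ANY)]
# Same three entries with the broad permit moved first: it now shadows the deny.
ACL_SHADOWED = [ACL_HR[2], ACL_HR[0], ACL_HR[1]]
# Extended ACL that forwards e-mail (SMTP) but blocks Telnet; with no final
# permit, every other packet falls off the end and is implicitly denied.
ACL_MAIL_NOT_TELNET = [ACE("permit", ANY, ANY, "tcp", 25),
                       ACE("deny", ANY, ANY, "tcp", 23)]

def first_match_demo() -> dict:
    b_to_hr = Packet(HOST_B, HR_HOST)
    return {"host_a_to_hr": evaluate(ACL_HR, Packet(HOST_A, HR_HOST)),
            "host_b_to_hr": evaluate(ACL_HR, b_to_hr),
            "host_b_shadowed": evaluate(ACL_SHADOWED, b_to_hr),
            "smtp": evaluate(ACL_MAIL_NOT_TELNET, Packet(HOST_B, HR_HOST, "tcp", 25)),
            "telnet": evaluate(ACL_MAIL_NOT_TELNET, Packet(HOST_B, HR_HOST, "tcp", 23)),
            "https": evaluate(ACL_MAIL_NOT_TELNET, Packet(HOST_B, HR_HOST, "tcp", 443))}
```

The `host_b_shadowed` result shows why entry order matters: the same three entries permit Host B once the catch-all permit precedes the deny.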