25-4
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Understanding ACLs
Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet, because all Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. (The information in this example is that the packet is TCP and that the destination is 10.1.1.1.)

Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information.

Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and the resources of host 10.1.1.2 as it tries to reassemble the packet.

Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the third ACE (a deny). All other fragments also match the third ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
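The three packet walk-throughs above follow one matching rule: the initial fragment carries the Layer 4 header and is checked against every field of an ACE, while later fragments carry only Layer 3, so an ACE with Layer 4 fields matches them on Layer 3 alone when it is a permit and does not match them at all when it is a deny. The following Python model is an added example, not code from the configuration guide. The ACL the guide refers to is not on this page, so the four-ACE list below is constructed to produce exactly the outcomes described for packets A, B and C (a permit for other TCP traffic to 10.1.1.2 is included so that packet B's later fragments are permitted, as the text says); the fragment counts are constructed too. Destination addresses are given as host or user-defined subnet prefixes, matching the Layer 3 classification fields described in the next section.

```python
"""Model of how a Cisco-style ACL classifies the fragments of one datagram.

Constructed example; it is not the Catalyst 2950 guide's own code or its
exact ACL. The matching rule is the one the guide's text describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    proto: str
    src: str
    dst: str
    initial: bool                      # True for the first fragment of the datagram
    sport: Optional[int] = None        # ports are present only on the initial fragment
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" ("ip" matches any IP protocol)
    dst: str                           # host or user-defined subnet; "0.0.0.0/0" means any
    dport: Optional[int] = None        # Layer 4 destination port; None = no Layer 4 check

    def l3_matches(self, frag: Fragment) -> bool:
        proto_ok = self.proto == "ip" or self.proto == frag.proto
        return proto_ok and ip_address(frag.dst) in ip_network(self.dst)

    def matches(self, frag: Fragment) -> bool:
        if not self.l3_matches(frag):
            return False
        if self.dport is None:         # Layer 3-only ACE: same answer for every fragment
            return True
        if frag.initial:               # Layer 4 header present: compare the port
            return frag.dport == self.dport
        # Non-initial fragment, no Layer 4 header: a permit ACE matches on
        # Layer 3 alone, a deny ACE does not match and evaluation moves on.
        return self.action == "permit"


def fragments(proto: str, src: str, sport: int, dst: str, dport: int, count: int) -> List[Fragment]:
    """Split one datagram into `count` fragments; only the first carries the ports."""
    first = Fragment(proto, src, dst, True, sport, dport)
    rest = [Fragment(proto, src, dst, False) for _ in range(count - 1)]
    return [first] + rest


def evaluate(acl: List[ACE], frag: Fragment) -> Tuple[Optional[int], str]:
    """Return (1-based number, action) of the first ACE that matches, or
    (None, "deny") for the implicit deny at the end of every ACL."""
    for number, ace in enumerate(acl, start=1):
        if ace.matches(frag):
            return number, ace.action
    return None, "deny"


def trace(acl: List[ACE], frags: List[Fragment]) -> List[Tuple[Optional[int], str]]:
    return [evaluate(acl, f) for f in frags]


def leaked_fragments(acl: List[ACE], frags: List[Fragment]) -> int:
    """Fragments still forwarded after the initial fragment was denied: they cost
    link bandwidth and reassembly resources at the receiving host."""
    results = trace(acl, frags)
    if results[0][1] != "deny":
        return 0
    return sum(1 for _, action in results[1:] if action == "permit")


# Constructed ACL, chosen to reproduce the guide's walk-through for A, B and C.
ACL = [
    ACE("permit", "tcp", "10.1.1.1/32", 25),   # SMTP to 10.1.1.1
    ACE("deny",   "tcp", "10.1.1.2/32", 23),   # Telnet to 10.1.1.2
    ACE("deny",   "tcp", "10.1.1.3/32"),       # any TCP to 10.1.1.3 (Layer 3 only)
    ACE("permit", "tcp", "10.1.1.2/32"),       # other TCP to 10.1.1.2
]

# Constructed datagrams, each split into three fragments.
PACKET_A = fragments("tcp", "10.2.2.2", 65000, "10.1.1.1", 25, 3)
PACKET_B = fragments("tcp", "10.2.2.2", 65001, "10.1.1.2", 23, 3)
PACKET_C = fragments("tcp", "10.2.2.2", 65001, "10.1.1.3", 21, 3)

if __name__ == "__main__":
    for name, pkt in (("A", PACKET_A), ("B", PACKET_B), ("C", PACKET_C)):
        print(name, trace(ACL, pkt), "leaked fragments:", leaked_fragments(ACL, pkt))
```

Running it shows packet A's fragments all hitting ACE 1, packet B's initial fragment hitting the deny in ACE 2 while its later fragments fall through to the permit in ACE 4, and every fragment of packet C hitting the Layer 3-only deny in ACE 3. The `leaked_fragments` count for packet B is the bandwidth and reassembly cost the text warns about; an ACE that denies on Layer 3 alone, as for packet C, has no such leak.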

Understanding Access Control Parameters

Before configuring ACLs on the switches, you must have a thorough understanding of the access control parameters (ACPs). ACPs are referred to as masks in the switch CLI commands, output, and CMS.

Each ACE has a mask and a rule. The classification field, or mask, is the field of interest on which you want to perform an action. The specific values associated with a given mask are called rules.

Packets can be classified on these Layer 2, Layer 3, and Layer 4 fields:

Layer 2 fields:
Source MAC address (Specify all 48 bits.)
Destination MAC address (Specify all 48 bits.)
Ether type (16-bit ethertype field)
You can use any combination or all of these fields simultaneously to define a flow.

Layer 3 fields:
IP source address (Specify all 32 IP source address bits to define the flow, or specify a user-defined subnet. There are no restrictions on the IP subnet to be specified.)
IP destination address (Specify all 32 IP destination address bits to define the flow, or specify a user-defined subnet. There are no restrictions on the IP subnet to be specified.)
You can use any combination or all of these fields simultaneously to define a flow.