25-5
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Understanding ACLs
Layer 4 fields:
TCP (You can specify a TCP source, destination port number, or both at the same time.)
UDP (You can specify a UDP source, destination port number, or both at the same time.)
Note A mask can be a combination of either multiple Layer 3 and Layer 4 fields or of multiple Layer 2 fields.
Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields.
There are two types of masks:
User-defined mask: masks that are defined by the user.
System-defined mask: these masks can be configured on any interface:
Switch (config-ext-nacl)# permit tcp any any
Switch (config-ext-nacl)# deny tcp any any
Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any
Note In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.
The switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are
significant restrictions for configuring ACLs on the switches.
Only four user-defined masks can be defined for the entire system. These can be used for either security
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system message guide for
this release.
Table 25-1 lists a summary of the ACL restrictions on the switches.
Table 25-1 Summary of ACL Restrictions
Restriction                                                                    Number Permitted
Number of user-defined masks allowed in an ACL                                 1
Number of ACLs allowed on an interface                                         1
Total number of user-defined masks for security and QoS allowed on a switch    4
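As an added example (not code from the Cisco guide), the following Python check applies the mask restrictions above to a list of extended ACL entries before they are committed to a Layer 2 interface: the ordering rule from the Note, the one-user-defined-mask-per-ACL limit, and the four-mask system-wide limit from Table 25-1. It assumes that a mask can be identified by which fields an entry examines; real hardware masks also depend on the wildcard bits, so treat it as a pre-commit sanity check rather than an emulation of the switch.

```python
SYSTEM_PROTOS = {"tcp", "udp", "ip", None}   # protocols of the eight system-defined masks
MAX_USER_MASKS_PER_ACL = 1                    # Table 25-1
MAX_USER_MASKS_PER_SWITCH = 4                 # Table 25-1, shared between security and QoS

def parse_ace(line):
    """Reduce 'permit|deny [tcp|udp|ip] SRC [eq N] DST [eq N]' to a mask key. Assumption:
    a mask is identified by which fields the entry examines, not by addresses or wildcard bits."""
    toks = line.split()
    toks.pop(0)                                        # permit / deny
    proto = toks.pop(0) if toks[0] in ("tcp", "udp", "ip") else None

    def addr():                                        # any | host A.B.C.D | A.B.C.D WILDCARD
        t = toks.pop(0)
        if t == "any":
            return "any"
        toks.pop(0)                                    # host address or wildcard bits
        return "host" if t == "host" else "net"

    def port():                                        # optional 'eq N' (None when absent)
        if toks and toks[0] == "eq":
            del toks[:2]
            return "eq"

    return (proto, addr(), port(), addr(), port())     # evaluated left to right

def is_system_mask(mask):
    """permit/deny {tcp|udp|ip|<none>} any any with no port qualifiers."""
    return mask[0] in SYSTEM_PROTOS and mask[1:] == ("any", None, "any", None)

def check_acl(aces):
    """Return the restriction violations found in one extended ACL ([] if clean)."""
    problems, user_masks, saw_l4_system = [], set(), False
    for ace in aces:
        m = parse_ace(ace)
        is_l4 = m[0] in ("tcp", "udp")                 # tcp/udp masks are Layer 4, ip is Layer 3
        if is_system_mask(m):
            saw_l4_system = saw_l4_system or is_l4
            continue
        if not is_l4 and saw_l4_system:                # the ordering rule from the Note above
            problems.append(f"L4 system-defined mask precedes L3 user-defined mask: {ace}")
        user_masks.add(m)
    if len(user_masks) > MAX_USER_MASKS_PER_ACL:
        problems.append(f"{len(user_masks)} user-defined masks in one ACL, max {MAX_USER_MASKS_PER_ACL}")
    return problems

def count_switch_masks(acls):
    """Distinct user-defined masks across all ACLs on the switch; more than 4 raises a system error."""
    return len({parse_ace(a) for acl in acls for a in acl if not is_system_mask(parse_ace(a))})
```

Run check_acl on each ACL and count_switch_masks on all ACLs applied to interfaces; a non-empty list or a count above MAX_USER_MASKS_PER_SWITCH means the switch will reject or error on the configuration.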