25-6
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Configuring ACLs

Guidelines for Applying ACLs to Physical Interfaces

When applying ACLs to physical interfaces, follow these configuration guidelines:
• Only one ACL can be attached to an interface. For more information, refer to the ip access-group
interface command in the command reference for this release.
• All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different
rules that use the same mask. On a given interface, only one type of user-defined mask is allowed,
but you can apply any number of system-defined masks. For more information on system-defined
masks, see the "Understanding Access Control Parameters" section on page 25-4.
This example shows the same mask in an ACL:
Switch(config)# ip access-list extended acl2
Switch(config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch(config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
In this example, the first ACE permits all the TCP packets coming from host 10.1.1.1 with a
destination TCP port number of 80. The second ACE permits all TCP packets coming from host
20.1.1.1 with a destination TCP port number of 23. Both ACEs use the same mask (a host source
address, any destination address, and a destination port match); therefore, the switch supports this ACL.
• When you apply an ACL to a physical interface, some keywords are not supported and certain mask
restrictions apply to the ACLs. See the "Creating a Numbered Standard ACL" section on page 25-9
and the "Creating a Numbered Extended ACL" section on page 25-10 for creating these ACLs.
Note You can also apply ACLs to a management interface without the above limitations. For information, refer
to the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide and
the Command Reference for IOS Release 12.1.
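The same-mask rule above is easy to violate when an ACL is built up over time, and the switch simply refuses the ACL when it is applied. The following is an added pre-check, not code from the guide or from Cisco: it parses extended ACEs in the syntax shown in the example and reports whether every ACE uses one mask. It assumes a simplified definition of the mask as the source wildcard, the destination wildcard and the Layer 4 port operators an ACE matches on; the "Understanding Access Control Parameters" section on page 25-4 is the authoritative definition, and the sample ACLs (SAME_MASK_ACL, MIXED_MASK_ACL) are constructed for the example.

```python
import ipaddress

# Constructed sample ACLs. SAME_MASK_ACL is the guide's own two-ACE example;
# MIXED_MASK_ACL replaces the second ACE with one whose source wildcard differs,
# which a Catalyst 2950 physical-interface ACL cannot carry alongside the first.
SAME_MASK_ACL = [
    "permit tcp 10.1.1.1 0.0.0.0 any eq 80",
    "permit tcp 20.1.1.1 0.0.0.0 any eq 23",
]
MIXED_MASK_ACL = [
    "permit tcp 10.1.1.1 0.0.0.0 any eq 80",
    "permit tcp 10.1.2.0 0.0.0.255 any eq 23",
]

# Port operators and how many operand tokens each consumes ("range 20 21" takes two).
_PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (wildcard mask, next index).
    'any' matches every address, 'host A' is A with wildcard 0.0.0.0, else 'A W'."""
    t = tokens[i]
    if t == "any":
        return "255.255.255.255", i + 1
    if t == "host":
        ipaddress.IPv4Address(tokens[i + 1])   # raises on a malformed address
        return "0.0.0.0", i + 2
    ipaddress.IPv4Address(t)
    ipaddress.IPv4Address(tokens[i + 1])       # wildcard must be a dotted quad too
    return tokens[i + 1], i + 2


def _take_port(tokens, i):
    """Consume an optional port operator (eq/neq/gt/lt/range) plus its operands."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        return tokens[i], i + 1 + _PORT_OPS[tokens[i]]
    return None, i


def parse_ace(line):
    """Parse one extended ACE line ('permit tcp 10.1.1.1 0.0.0.0 any eq 80') into fields."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: %r" % line)
    action, proto = tokens[0], tokens[1]
    src_wc, i = _take_addr(tokens, 2)
    src_op, i = _take_port(tokens, i)
    dst_wc, i = _take_addr(tokens, i)
    dst_op, i = _take_port(tokens, i)
    return {
        "action": action, "proto": proto,
        "src_wc": src_wc, "src_port_op": src_op,
        "dst_wc": dst_wc, "dst_port_op": dst_op,
        "trailing": tokens[i:],   # e.g. 'established' or 'log'; not part of the mask here
    }


def ace_mask(ace):
    """Simplified user-defined mask (an assumption of this example): the fields an
    ACE matches on, independent of the values it matches."""
    return (ace["src_wc"], ace["dst_wc"], ace["src_port_op"], ace["dst_port_op"])


def check_single_mask(acl_lines):
    """Return (ok, masks). ok is True when every ACE uses the same mask, which is the
    condition the guide states for an ACL applied to a physical interface."""
    masks = [ace_mask(parse_ace(line)) for line in acl_lines]
    return len(set(masks)) <= 1, masks


if __name__ == "__main__":
    for name, acl in (("same-mask", SAME_MASK_ACL), ("mixed-mask", MIXED_MASK_ACL)):
        ok, masks = check_single_mask(acl)
        print(name, "OK" if ok else "REJECT: more than one mask", masks)
```

Run it against the ACE lines you intend to paste into the switch; a False result means the ACL needs to be split into per-mask ACLs, or the differing ACE rewritten so that it matches on the same fields as the rest. The check is deliberately stricter than it needs to be (it treats eq and range as different masks), so a True result is the useful signal.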

Configuring ACLs

This section includes these topics:
• "Unsupported Features" section on page 25-7
• "Creating Standard and Extended IP ACLs" section on page 25-7
• "Creating Named MAC Extended ACLs" section on page 25-18
• "Creating MAC Access Groups" section on page 25-19
Configuring ACLs on a Layer 2 interface is the same as configuring ACLs on Cisco routers. The process
is briefly described here. For more detailed information about configuring router ACLs, refer to the
"Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide for IOS
Release 12.1. For detailed information about the commands, refer to the Cisco IOS IP and IP Routing
Command Reference for IOS Release 12.1. For a list of IOS features not supported on the switch, see the
"Unsupported Features" section on page 25-7.