22-5
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 22 Configuring Network Security with ACLs
Understanding ACLs
Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any
Note In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.
The switch ACL configuration is consistent with other Cisco Catalyst switches and Cisco Systems
Intelligent Gigabit Ethernet Switch Modules. However, there are significant restrictions for configuring
ACLs on the switches.
Only four user-defined masks can be defined for the entire system. These can be used for either security
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system message guide for
this release.
Table 22-1 lists a summary of the ACL restrictions on the switches.
Guidelines for Applying ACLs to Physical Interfaces
When applying ACLs to physical interfaces, follow these configuration guidelines:
Only one ACL can be attached to an interface, with this limitation: Gigabit Ethernet ports support up
to 100 ACEs per ACL per port.
For more information, see the ip access-group interface command in the command reference for
this release.
All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules
that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks. For more information on system-defined masks, see
the “Understanding Access Control Parameters” section on page 22-4.
This example shows the same mask in an ACL:
Switch (config)# ip access-list extended acl2
Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
Table 22-1 Summary of ACL Restrictions
Restriction                                                                   Number
Number of user-defined masks allowed in an ACL                                1
Number of ACLs allowed on an interface                                        1
Total number of user-defined masks for security and QoS allowed on a switch   4
Number of rules allowed per mask                                              16
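The mask rules in this section (all ACEs in an ACL share one user-defined mask, at most four user-defined masks per switch, and the Note's restriction that a Layer 4 system-defined mask may not precede a Layer 3 user-defined mask) can be checked before an ACL is applied. The checker below is an added example, not Cisco's code or a tool from this guide; it assumes a mask is the set of fields compared (protocol, source and destination wildcard bits, and whether a Layer 4 port is tested), independent of the address values, and it only understands the ip, tcp and udp ACE forms shown in this chapter.

```python
"""Checker for the ACL mask restrictions described in this chapter (added example)."""
SYSTEM_PROTOS = ("ip", "tcp", "udp")
ANY = "255.255.255.255"                 # wildcard implied by the keyword 'any'
MAX_USER_MASKS = 4                      # per switch, security and QoS combined

def _addr(tokens):
    """Consume one address spec (any | host A | A | A W); return (wildcard, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():      # explicit wildcard follows
        return tokens[1], tokens[2:]
    return "0.0.0.0", tokens[1:]                         # bare address = host

def ace_mask(ace):
    """Return (kind, layer, mask) for one ACE in IOS extended-ACL syntax."""
    t = ace.split()
    if t[1] not in SYSTEM_PROTOS + ("any", "host") and not t[1][0].isdigit():
        raise ValueError(f"unsupported protocol in {ace!r}; only ip/tcp/udp modelled")
    proto = t[1] if t[1] in SYSTEM_PROTOS else None      # 'permit any any' has none
    rest = t[2:] if proto else t[1:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    has_port = bool(rest)                                # e.g. a trailing 'eq 80'
    layer = 4 if proto in ("tcp", "udp") or has_port else 3
    kind = "system" if src == dst == ANY and not has_port else "user"
    return kind, layer, (proto, src, dst, has_port)

def check_acl(aces):
    """Per-ACL rules: one user-defined mask, and no L4 system mask before an L3 user mask."""
    problems, user_masks, l4_system_seen = [], set(), False
    for ace in aces:
        kind, layer, mask = ace_mask(ace)
        if kind == "system":
            l4_system_seen = l4_system_seen or layer == 4
            continue
        user_masks.add(mask)
        if layer == 3 and l4_system_seen:
            problems.append(f"Layer 4 system-defined mask precedes Layer 3 user-defined mask: {ace!r}")
    if len(user_masks) > 1:
        problems.append(f"{len(user_masks)} user-defined masks in one ACL; all ACEs must share one")
    return problems

def check_switch(acls):
    """Count distinct user-defined masks across all ACLs on the switch; True if over the limit."""
    masks = {ace_mask(a)[2] for aces in acls.values() for a in aces if ace_mask(a)[0] == "user"}
    return len(masks), len(masks) > MAX_USER_MASKS
```

The two ACEs of acl2 above produce one mask and no findings; the Note's permit tcp any any followed by permit ip 10.1.1.1 any is reported, while the reverse order is accepted.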