Cisco Systems IE 2000 Switch User Manual


37-5
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 37 Configuring Network Security with ACLs
Information About Network Security with ACLs
Standard and Extended IPv4 ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One
by one, the switch tests packets against the conditions in an access list. The first match determines
whether the switch accepts or rejects the packet. Because the switch stops testing after the first match,
the order of the conditions is critical. If no conditions match, the switch denies the packet.
The software supports these types of ACLs or access lists for IPv4:
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses for matching operations and optional
protocol-type information for finer granularity of control.
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs
do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines (see the “Applying an
IPv4 ACL to a Terminal Line” section on page 37-17), to interfaces (see the “Applying an IPv4 ACL to
an Interface” section on page 37-17), or to VLANs (see the “Monitoring and Maintaining Network
Security with ACLs” section on page 37-19).
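The two behaviours described above (first match wins with an implicit deny at the end, and the switch's rewrite of standard ACLs that moves host entries to the top) are easy to get wrong when reading a configuration. The following Python model is an added example, not code from Cisco or from this guide: it parses a few constructed `access-list` lines in IOS syntax, evaluates a source address against the entries in the order they were entered, then applies the documented reordering and evaluates again. The parser, the `Ace` class and the sample ACL 10 are assumptions made for the example; the assumption that the switch evaluates the stored (rewritten) order is what the reorder function is meant to illustrate.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard IPv4 ACL (hypothetical model)."""
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad source address
    wildcard: str = "0.0.0.0"   # IOS 'don't care' mask: 1 bits are ignored

    def matches(self, addr: str) -> bool:
        """Compare only the bits where the wildcard mask is 0."""
        a = int(ipaddress.IPv4Address(addr))
        s = int(ipaddress.IPv4Address(self.source))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return ((a ^ s) & ~w) & 0xFFFFFFFF == 0

    @property
    def is_host(self) -> bool:
        """A wildcard of 0.0.0.0 is a host match (also written 'host A.B.C.D')."""
        return self.wildcard == "0.0.0.0"


def parse_standard_acl(config_text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny <host A | A W | A | any>' lines.

    Constructed parser for the example; it covers only the standard-ACL forms
    used below and is not the IOS command parser.
    """
    aces: List[Ace] = []
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        action, rest = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {raw!r}")
        if rest[0] == "any":
            aces.append(Ace(action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            aces.append(Ace(action, rest[1]))
        elif len(rest) == 2:
            aces.append(Ace(action, rest[0], rest[1]))
        else:
            aces.append(Ace(action, rest[0]))  # bare address means host match
    return aces


def evaluate(acl: List[Ace], addr: str) -> str:
    """Sequential test: the first matching ACE decides; no match means deny."""
    for ace in acl:
        if ace.matches(addr):
            return ace.action
    return "deny"  # implicit deny at the end of every ACL


def ios_standard_order(acl: List[Ace]) -> List[Ace]:
    """Reproduce the documented rewrite of standard ACLs.

    Entries with a 0.0.0.0 wildcard (host matches) are moved above entries
    with a non-zero wildcard; relative order inside each group is kept.
    """
    hosts = [a for a in acl if a.is_host]
    others = [a for a in acl if not a.is_host]
    return hosts + others


# Constructed sample configuration: a permit for the subnet is entered
# before a deny for one host inside it.
SAMPLE_ACL_10 = """\
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny host 10.1.1.5
access-list 10 permit any
"""


def decision_as_entered(addr: str) -> str:
    """Result if the entries were tested in the order typed."""
    return evaluate(parse_standard_acl(SAMPLE_ACL_10), addr)


def decision_as_stored(addr: str) -> str:
    """Result after the switch's rewrite moves the host entry to the top."""
    return evaluate(ios_standard_order(parse_standard_acl(SAMPLE_ACL_10)), addr)


if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.1.1.6", "192.0.2.1"):
        print(ip, "entered:", decision_as_entered(ip),
              "stored:", decision_as_stored(ip))
```

For 10.1.1.5 the entered order permits (the subnet entry matches first) while the stored order denies (the host entry has been moved above it), which is why the order shown by `show` commands, not the order you typed, is what to review when auditing a standard ACL; 192.0.2.1 matches nothing in the subnet-only variant and falls through to the implicit deny.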
Access List Numbers
The number you use to denote your ACL shows the type of access list that you are creating. Table 37-1
lists the access-list number and corresponding access list type and shows whether or not they are
supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199
and 1300 to 2699.
Table 37-1 Access List Numbers

Access List Number   Type                                        Supported
1–99                 IP standard access list                     Yes
100–199              IP extended access list                     Yes
200–299              Protocol type-code access list              No
300–399              DECnet access list                          No
400–499              XNS standard access list                    No
500–599              XNS extended access list                    No
600–699              AppleTalk access list                       No
700–799              48-bit MAC address access list              No
800–899              IPX standard access list                    No
900–999              IPX extended access list                    No
1000–1099            IPX SAP access list                         No
1100–1199            Extended 48-bit MAC address access list     No
1200–1299            IPX summary address access list             No
1300–1999            IP standard access list (expanded range)    Yes
2000–2699            IP extended access list (expanded range)    Yes