30-3
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 30 Configuring Network Security with ACLs
Understanding ACLs
Figure 30-1
Using ACLs to Control Traffic to a Network
Note
You cannot apply more than one IP access list to a VLAN interface. If an IP access list is already
configured on a VLAN and you apply a new IP access list to the VLAN, the new ACL replaces the
previously configured one.
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
•
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
•
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)#
access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)#
access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)#
access-list 102 permit tcp any host 10.1.1.2
Switch(config)#
access-list 102 deny tcp any any
Host A
Host B
101365
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Human
Resources
network