CHAPTER 30
Configuring Network Security with ACLs
Catalyst 2928 Switch Software Configuration Guide, OL-23389-01, page 30-1
This chapter describes how to configure network security on the Catalyst 2928 switch by using access
control lists (ACLs), also referred to as access lists.
In this chapter, references to IP ACLs are specific to IP Version 4 (IPv4) ACLs.
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release, the “Configuring IP Services” section in the “IP Addressing and Services”
chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS documentation is
available from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >
Configuration Guides or Command References.
This chapter consists of these sections:
• Understanding ACLs, page 30-1
• Configuring IPv4 ACLs, page 30-4
• Displaying IPv4 ACL Configuration, page 30-21
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
filter traffic as it passes through a switch and permit or deny packets crossing specified VLANs. An ACL
is a sequential collection of permit and deny conditions that apply to packets. When a packet is received
on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the
packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
One by one, it tests packets against the conditions in an access list. The first match decides whether the
switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of
conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no
restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use
ACLs on all packets it forwards.
On the Catalyst 2928 switch, you attach ACLs to VLAN interfaces to filter traffic to and from the CPU.
You configure access lists to provide basic security for your network. If you do not configure ACLs, all
packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to
control which hosts can access different parts of a network or to decide which types of traffic are
forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.
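The first-match rule, the implicit deny at the end of every list, and the e-mail-but-not-Telnet policy above can be seen in a small evaluator. This is an added illustration written for this chapter, not switch code or Cisco's own implementation; the ACE fields, addresses and packets are constructed for the example, and "ip" stands for the any-protocol keyword.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "ip"
    dport: int = 0

@dataclass(frozen=True)
class ACE:
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str        # CIDR prefix; "0.0.0.0/0" plays the role of 'any'
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl: list, pkt: Packet) -> tuple:
    """First matching ACE decides; if none matches, the implicit deny drops the packet."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None

# Constructed policy: forward e-mail (SMTP, TCP/25) to the mail server, block Telnet (TCP/23).
MAIL_NOT_TELNET = [
    ACE("permit", "tcp", "10.1.1.0/24", "192.0.2.25/32", 25),
    ACE("deny", "tcp", "10.1.1.0/24", "0.0.0.0/0", 23),
    ACE("permit", "ip", "10.1.1.0/24", "0.0.0.0/0"),
]

# Same three entries with the broad permit first: the Telnet deny is never reached.
MISORDERED = [MAIL_NOT_TELNET[2], MAIL_NOT_TELNET[0], MAIL_NOT_TELNET[1]]

SMTP = Packet("10.1.1.7", "192.0.2.25", "tcp", 25)
TELNET = Packet("10.1.1.7", "192.0.2.40", "tcp", 23)
OUTSIDE = Packet("172.16.5.5", "192.0.2.25", "tcp", 25)  # matched by no ACE at all
```

Running `evaluate` over the three packets with each list shows Telnet denied by entry 1 in the correct order but permitted by entry 0 in the misordered list, while the outside host is dropped by the implicit deny in both.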
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or
deny depends on the context in which the ACL is used.