30-5
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 30 Configuring Network Security with ACLs
Configuring IPv4 ACLs
These sections contain this configuration information:
•
Creating Standard and Extended IPv4 ACLs, page 30-5
•
Applying an IPv4 ACL to a Terminal Line, page 30-16
•
Applying an IPv4 ACL to a VLAN Interface, page 30-16
•
Hardware and Software Treatment of IP ACLs, page 30-17
•
Troubleshooting ACLs, page 30-18
•
IPv4 ACL Configuration Examples, page 30-18
Creating Standard and Extended IPv4 ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One
by one, the switch tests packets against the conditions in an access list. The first match determines
whether the switch accepts or rejects the packet. Because the switch stops testing after the first match,
the order of the conditions is critical. If no conditions match, the switch denies the packet.
The software supports these types of ACLs or access lists for IPv4:
•
Standard IP access lists use source addresses for matching operations.
•
Extended IP access lists use source and destination addresses for matching operations and optional
protocol-type information for finer granularity of control.
These sections describe access lists and how to create them:
•
Access List Numbers, page 30-5
•
Creating a Numbered Standard ACL, page 30-6
•
Creating a Numbered Extended ACL, page 30-7
•
Resequencing ACEs in an ACL, page 30-12
•
Creating Named Standard and Extended ACLs, page 30-12
•
Using Time Ranges with ACLs, page 30-14
•
Including Comments in ACLs, page 30-15
Access List Numbers
The number you use to denote your ACL shows the type of access list that you are creating.
lists the access-list number and corresponding access list type and shows whether or not they are
supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199
and 1300 to 2699.
Table 30-1
Access List Numbers
Access List Number
Type
Supported
1–99
IP standard access list
Yes
100–199
IP extended access list
Yes
200–299
Protocol type-code access list
No
300–399
DECnet access list
No
400–499
XNS standard access list
No