30-4
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 30 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Note
In the first and second ACEs in the examples, the
eq
keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and
Telnet, respectively.
•
Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a
complete packet because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information, because the first ACE only
checks Layer 3 information when applied to fragments. The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.
•
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
•
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet
is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match
the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
Configuring IPv4 ACLs
Configuring IP v4ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and
routers. The process is briefly described here. For more detailed information on configuring ACLs, see
the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the
Cisco IOS IP
Configuration Guide, Release 12.2.
For detailed information about the commands, see the
Cisco IOS IP
Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
The Cisco IOS
documentation is available from the Cisco.com page under
Documentation
>
Cisco IOS Software
>
12.2 Mainline
>
Configuration Guides
or
Command References
.
The switch does not support these Cisco IOS router ACL-related features:
•
Non-IP protocol ACLs (see
) or bridge-group ACLs
•
IP accounting
•
Inbound and outbound rate limiting (except with QoS ACLs)
•
Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch
clustering feature)
•
ACL logging
These are the steps to use IP ACLs on the switch:
Step 1
Create an ACL by specifying an access list number or name and the access conditions.
Step 2
Apply the ACL to VLAN interfaces or terminal lines.
Содержание Catalyst 2928
Страница 28: ...Contents xxviii Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...
Страница 32: ...xxx Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Preface ...
Страница 496: ...26 14 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 26 Configuring SPAN Displaying SPAN Status ...
Страница 534: ...29 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 29 Configuring SNMP Displaying SNMP Status ...
Страница 700: ...Index IN 36 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...