31-2
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Understanding ACLs
of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no
restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use
ACLs on all packets it forwards.
You configure access lists on a switch to provide basic security for your network. If you do not configure
ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use
ACLs to control which hosts can access different parts of a network or to decide which types of traffic
are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet
traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.
Note MAC ACLs are supported only when the switch is running the LAN base image.
This switch also supports quality of service (QoS) classification ACLs. For more information, see the
“Classification Based on QoS ACLs” section on page 33-8.
These sections contain this conceptual information:
• Supported ACLs, page 31-2
• Handling Fragmented and Unfragmented Traffic, page 31-4
• ACLs and Switch Stacks, page 31-5
Supported ACLs
• Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs
in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2
interface. For more information, see the “Port ACLs” section on page 31-3.
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in
a specific direction (inbound or outbound). For more information, see the “Router ACLs” section on
page 31-4.
Note Router ACLs are supported only on SVIs.
You can use input port ACLs and router ACLs on the same switch. However, a port ACL takes
precedence over a router ACL.
• When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming
packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming
routed IP packets received on other ports are filtered by the router ACL. Other packets are not
filtered.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the
ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are
filtered by the router ACL. Other packets are not filtered.