Configuring Access Control Lists

An Access Control List (ACL) consists of Access List Elements (ACEs), which collectively define how packets are filtered; that is, which are forwarded and which are dropped. Each ACE contains:

The ACEs in an ACL are matched against a packet in sequence until a matching ACE is found. If no match is found, the packet is denied by default.

To perform any task with ACLs, choose Device > ACL to open the ACL window. In this window you can:

Layer 2 Filtering

An ACE that does Layer 2 filtering is of the MAC extended type. Its mask can identify these packet fields:

Layer 3 Filtering

An ACE that does Layer 3 filtering is of the IP standard or IP extended type. Its mask can identify these packet fields:

Layer 4 Filtering

IP extended ACEs can also do filtering based on TCP, UDP, ICMP, and IGMP. For TCP and UDP filtering, the mask can contain:

Restriction: For Catalyst 2950 switches, only TCP and UDP are supported.
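The following is an added example, not code from CMS or from Cisco IOS, that models the matching rules described above: ACEs are walked in order, the first matching ACE decides, and a packet that matches nothing is denied. It covers the Layer 2, Layer 3 and Layer 4 match fields in one evaluator (MAC addresses, IP addresses, and protocol/port). CIDR prefixes stand in for IOS wildcard masks, a field left empty means "any", and every address, MAC and port in the sample ACL is constructed for illustration.

```python
"""Toy first-match ACL evaluator (added example, not CMS or IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str                    # "tcp", "udp", "icmp" or "igmp"
    src_port: Optional[int] = None   # only meaningful for tcp/udp
    dst_port: Optional[int] = None


@dataclass
class ACE:
    """One Access List Element. A field left as None is a wildcard ("any")."""
    action: str                      # "permit" or "deny"
    src_mac: Optional[str] = None    # Layer 2 (MAC extended) fields
    dst_mac: Optional[str] = None
    src_net: Optional[str] = None    # Layer 3 fields; CIDR stands in for a wildcard mask
    dst_net: Optional[str] = None
    protocol: Optional[str] = None   # Layer 4 fields (IP extended ACE)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields are ignored."""
        checks = [
            self.src_mac is None or pkt.src_mac.lower() == self.src_mac.lower(),
            self.dst_mac is None or pkt.dst_mac.lower() == self.dst_mac.lower(),
            self.src_net is None or ip_address(pkt.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(pkt.dst_ip) in ip_network(self.dst_net),
            self.protocol is None or pkt.protocol == self.protocol,
            self.src_port is None or pkt.src_port == self.src_port,
            self.dst_port is None or pkt.dst_port == self.dst_port,
        ]
        return all(checks)


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in sequence; the first match decides.

    Returns (action, index of the matching ACE). When nothing matches the
    packet is denied and the index is None: the implicit deny at the end.
    """
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# Constructed sample ACL (hypothetical addresses, not from any real network):
#   1. permit HTTPS from the 192.168.1.0/24 LAN to server 10.0.0.10
#   2. deny everything else destined for 10.0.0.0/8
#   3. permit ICMP anywhere
SAMPLE_ACL = [
    ACE("permit", src_net="192.168.1.0/24", dst_net="10.0.0.10/32",
        protocol="tcp", dst_port=443),
    ACE("deny", dst_net="10.0.0.0/8"),
    ACE("permit", protocol="icmp"),
]


if __name__ == "__main__":
    lan_mac, srv_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    samples = [
        ("HTTPS to server", Packet(lan_mac, srv_mac, "192.168.1.5", "10.0.0.10", "tcp", 40000, 443)),
        ("SSH to server",   Packet(lan_mac, srv_mac, "192.168.1.5", "10.0.0.10", "tcp", 40001, 22)),
        ("ping elsewhere",  Packet(lan_mac, srv_mac, "192.168.1.5", "172.16.0.1", "icmp")),
        ("DNS elsewhere",   Packet(lan_mac, srv_mac, "192.168.1.5", "172.16.0.1", "udp", 5000, 53)),
    ]
    for label, pkt in samples:
        print(f"{label:16} -> {evaluate(SAMPLE_ACL, pkt)}")
    # Order matters: swapping ACE 1 and ACE 2 makes the deny shadow the permit.
    swapped = [SAMPLE_ACL[1], SAMPLE_ACL[0], SAMPLE_ACL[2]]
    print("HTTPS, swapped  ->", evaluate(swapped, samples[0][1]))
```

The last two lines of the demonstration show the point that matters operationally: because matching stops at the first hit, a broad deny placed before a narrow permit silently shadows it, and the same ACEs in a different order produce a different decision for the same packet. The "DNS elsewhere" packet matches no ACE at all and is dropped by the implicit deny, which is why an ACL that is meant to allow some traffic always needs an explicit permit for it.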

Catalyst 2950 Mask Limitations

These mask limitations apply to Catalyst 2950 switches:

If you have at least one Catalyst 2950 switch in the cluster, CMS provides a report that lets you keep track of masks, their uses, and the interfaces that they affect. The report is in the Resource Monitor window. To open the window, choose Reports > Resource Monitor.


Related Web Links

"Configuring Network Security with ACLs," Catalyst 2950 Desktop Switch Software Configuration Guide
"Configuring Network Security with ACLs," Catalyst 3550 Multilayer Switch Software Configuration Guide