Access Control List Overview - Cisco Catalyst 6500 Series Configuration Manual

Controlling Network Access with
Access Control Lists
This chapter tells how to control network access through the Firewall Services Module (FWSM) using
access control lists (ACLs). You can also use ACLs for other purposes, for example, to identify addresses
for NAT, AAA, or OSPF route redistribution. This chapter describes how to create ACLs for these
purposes as well as for network access, but this chapter only describes how to apply the ACLs for
network access. Refer to the NAT, AAA, or IP chapters for information about applying ACLs for these
other purposes.
You use ACLs to control network access in both routed and transparent firewall modes. In transparent
Note
mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
This chapter contains the following sections:
•
•
•
•
•
•
•
•

Access Control List Overview

ACLs are made up of one or more Access Control Entries (ACEs). An ACE is a single entry in an ACL
that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or
network, and optionally the source and destination ports.
This section includes the following topics:
•
•
OL-6392-01
Access Control List Overview, page 10-1
Adding an Extended Access Control List, page 10-13
Adding an EtherType Access Control List, page 10-16
Adding a Standard Access Control List, page 10-17
Simplifying Access Control Lists with Object Grouping, page 10-18
Manually Committing Access Control Lists and Rules, page 10-24
Adding Remarks to Access Control Lists, page 10-25
Logging Extended Access Control List Activity, page 10-26
Access Control List Types and Uses, page 10-2
Access Control List Guidelines, page 10-6
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
C H A P T E R
10
10-1