Cisco NM-8B-U - HW ROUTERS L-M User Manual page 28

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Feature Overview
first ACE, even though they do not contain the SMTP port information because the first ACE only
checks Layer 3 information when applied to fragments. (The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.)
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information.
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port FTP. If this
packet is fragmented, the first fragment matches the third ACE (a deny). All other fragments also
match the third ACE because that ACE does not check any Layer 4 information and because Layer
3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
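The fragment-handling rule described above, as an added example that is not from the manual: a small Python model of ACE evaluation in which a permit ACE that checks Layer 4 information matches non-initial fragments on Layer 3 alone, while a deny ACE that checks Layer 4 information is skipped for them, and an ACE with no Layer 4 check matches every fragment. The ACL itself is not on this page, so the four ACEs and packet A's source address below are assumptions chosen to be consistent with the text.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    dst: str                     # destination host, or "any"
    dport: Optional[int] = None  # Layer 4 destination port; None = no Layer 4 check

@dataclass
class Fragment:
    proto: str
    src: str
    dst: str
    dport: Optional[int]         # None for non-initial fragments (no Layer 4 header)

def l3_match(ace: Ace, frag: Fragment) -> bool:
    return ace.proto in ("ip", frag.proto) and ace.dst in ("any", frag.dst)

def ace_matches(ace: Ace, frag: Fragment) -> bool:
    if not l3_match(ace, frag):
        return False
    if ace.dport is None:        # Layer 3-only ACE: matches every fragment
        return True
    if frag.dport is None:       # non-initial fragment: no Layer 4 info to compare
        # permit ACEs match on Layer 3 alone; deny ACEs do not match and are skipped
        return ace.action == "permit"
    return ace.dport == frag.dport

def evaluate(acl: list, frag: Fragment) -> str:
    for ace in acl:
        if ace_matches(ace, frag):
            return ace.action
    return "deny"                # implicit deny at the end of every ACL

# Assumed ACL, constructed to be consistent with the worked example in the text
ACL = [
    Ace("permit", "tcp", "10.1.1.1", 25),  # first ACE: SMTP to 10.1.1.1
    Ace("deny",   "tcp", "10.1.1.2", 23),  # second ACE: Telnet to 10.1.1.2
    Ace("deny",   "tcp", "10.1.1.3"),      # third ACE: Layer 3 only
    Ace("permit", "tcp", "any"),           # lets the rest of packet B through
]

def trace(src: str, dst: str, dport: int) -> list:
    """Result for the initial fragment (carries the TCP header) and a non-initial one."""
    frags = [Fragment("tcp", src, dst, dport), Fragment("tcp", src, dst, None)]
    return [evaluate(ACL, f) for f in frags]

if __name__ == "__main__":
    for name, dst, port in (("A", "10.1.1.1", 25), ("B", "10.1.1.2", 23), ("C", "10.1.1.3", 21)):
        print(name, trace("10.2.2.2", dst, port))
```

Packet B shows the bandwidth concern the text raises: its first fragment is denied, but every later fragment is permitted and reaches 10.1.1.2 before reassembly fails.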
Understanding Access Control Parameters
Before configuring ACLs on the Ethernet switch network module, you must have a thorough
understanding of the Access Control Parameters (ACPs). ACPs are referred to as masks in the switch
CLI commands and output.
Each ACE has a mask and a rule. The Classification Field or mask is the field of interest on which you
want to perform an action. The specific values associated with a given mask are called rules.
Packets can be classified on these Layer 3 and Layer 4 fields.
Layer 3 fields:
IP source address (Specify all 32 IP source address bits to define the flow, or specify a
user-defined subnet. There are no restrictions on the IP subnet to be specified.)
IP destination address (Specify all 32 IP destination address bits to define the flow, or specify
a user-defined subnet. There are no restrictions on the IP subnet to be specified.)
You can use any combination or all of these fields simultaneously to define a flow.
Layer 4 fields:
TCP (You can specify a TCP source, destination port number, or both at the same time.)
UDP (You can specify a UDP source, destination port number, or both at the same time.)
Note: A mask can be a combination of multiple Layer 3 and Layer 4 fields.
There are two types of masks:
User-defined mask—masks that are defined by the user.
System-defined mask—these masks can be configured on any interface:
Switch (config-ext-nacl)# permit tcp any any
Switch (config-ext-nacl)# deny tcp any any
Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any
Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ