Table of Contents
Advertisement
Configuring IP ACLs
•
ACLs and Switch Stacks
ACL support is the same for a switch stack as for a standalone switch. ACL configuration information
is propagated to all switches in the stack. All switches in the stack, including the stack master, process
the information and program their hardware. (For more information about switch stacks, see
"Managing Switch
The stack master performs these ACL functions:
•
•
•
•
Stack members perform these ACL functions:
•
•
When a stack master fails and a new stack master is elected, the newly elected master reparses the backed
up running configuration. (See
part of the running configuration is also reparsed during this step. The new stack master distributes the
ACL information to all switches in the stack.
Configuring IP ACLs
Configuring IP ACLs on the switch is the same as configuring IP ACLs on other Cisco switches and
routers. The process is briefly described here. For more detailed information on configuring ACLs, refer
to the "Configuring IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS
IP Configuration Guide, Release 12.2. For detailed information about the commands, refer to these
documents:
•
•
•
The switch does not support these Cisco IOS router ACL-related features:
•
•
Catalyst 3750 Switch Software Configuration Guide
31-6
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet
is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match
the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
Stacks.")
It processes the ACL configuration and propagates the information to all stack members.
It distributes the ACL information to any switch that joins the stack.
If packets must be forwarded by software for any reason (for example, not enough hardware
resources), the master switch forwards the packets only after applying ACLs on the packets.
It programs its hardware with the ACL information it processes.
They receive the ACL information from the master switch and program their hardware.
They act as standby switches, ready to take over the role of the stack master if the existing master
were to fail and they were to be elected as the new stack master.
Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2
Non-IP protocol ACLs (see
IP accounting
Chapter 5, "Managing Switch
Table 31-1 on page
31-8) or bridge-group ACLs
Chapter 31
Configuring Network Security with ACLs
Stacks.") The ACL configuration that is
Chapter 5,
78-16180-02
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
