Sunday, April 13, 2008

ACLs

You can apply ACLs to management VLANs and to physical Layer 2 interfaces. ACLs
are applied to interfaces in the inbound direction.
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional
protocol type information for matching operations.
• MAC extended access lists use source and destination MAC addresses and optional
protocol type information for matching operations.
The switch examines the access lists associated with the features configured on a given
interface and direction. As packets enter the switch on an interface, the ACLs associated
with all inbound features configured on that interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in
the ACL. For example, you can use ACLs to allow one host to access a part of a network,
but to prevent another host from accessing the same part. In Figure 12-1, ACLs applied at
the switch input allow Host A to access the Human Resources network, but prevent Host
B from accessing the same network.
Figure 12-1 Using ACLs to Control Traffic to a Network
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the
fragment containing the beginning of the packet contains the Layer 4 information, such as
TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are
missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet
fragments. ACEs that do test Layer 4 information cannot be applied in the standard
manner to most of the fragments in a fragmented IP packet. When the fragment contains
no Layer 4 information and the ACE tests some Layer 4 information, the matching rules
are modified:
• Permit ACEs that check the Layer 3 information in the fragment (including
protocol type, such as TCP, UDP, and so on) are considered to match the
fragment regardless of what the missing Layer 4 information might have been.
• Deny ACEs that check Layer 4 information never match a fragment unless the
fragment contains Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented
packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 deny tcp any any
Note: In the first and second ACEs in the example, the eq keyword after the
destination address means to test for the TCP destination port equaling the well-known
port numbers of Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1
on the SMTP port. If this packet is fragmented, the first fragment matches the first
ACE (a permit), as if it were a complete packet, because all Layer 4 information is
present. The remaining fragments also match the first ACE, even though they do
not contain the SMTP port information, because the first ACE only checks Layer 3
information when applied to fragments. (The Layer 3 information in this example is
that the packet is TCP and that the destination is 10.1.1.1.)
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet
port. If this packet is fragmented, the first fragment matches the second ACE (a
deny) because all Layer 3 and Layer 4 information is present. The remaining
fragments in the packet do not match the second ACE because they are missing
Layer 4 information.
• Because the first fragment was denied, host 10.1.1.2 cannot reassemble a
complete packet, so packet B is effectively denied. However, the later fragments
that are permitted will consume bandwidth on the network and resources of host
10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3 on
the FTP port. If this packet is fragmented, the first fragment matches the third ACE (a
deny). All other fragments also match the third ACE because that ACE does not
check any Layer 4 information and because the Layer 3 information in all fragments
shows that they are being sent to host 10.1.1.3, while the earlier ACEs were
checking different hosts.
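As an added example (not part of the original post, and not Cisco code), the following Python model applies the two fragment rules above to access list 102 exactly as written on this page. It parses the three access-list lines, evaluates packets A, B and C as an initial fragment (Layer 4 header present) and as a non-initial fragment (Layer 4 header absent), and also runs a constructed variant whose third ACE is permit tcp any any, because the fate of packet B's non-initial fragments depends entirely on that last ACE: a deny with no Layer 4 test catches them, while a permit lets them through to the reassembling host. All names (ACE, Fragment, evaluate, WELL_KNOWN, run_page_example) and the limited address forms the parser accepts are this example's own assumptions; the implicit deny at the end of every list is modelled too.

```python
"""Model of Catalyst-style ACL matching for fragmented IP packets (added example).

Rules implemented in ace_matches():
  * a permit ACE that tests Layer 4 information matches a non-initial
    fragment on its Layer 3 fields alone;
  * a deny ACE that tests Layer 4 information never matches a fragment
    that carries no Layer 4 information;
  * ACEs with no Layer 4 test apply to every fragment as usual;
  * an implicit deny ends every list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known TCP port names accepted after "eq" (subset chosen for this example).
WELL_KNOWN = {"smtp": 25, "telnet": 23, "ftp": 21}


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp" or "ip"
    src: str                        # "any" or a host address
    dst: str                        # "any" or a host address
    dst_port: Optional[int] = None  # set when the ACE ends in "eq <port>"

    @property
    def tests_l4(self) -> bool:
        return self.dst_port is not None


@dataclass(frozen=True)
class Fragment:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int]  # None on non-initial fragments: no Layer 4 header present


def parse_ace(line: str) -> ACE:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]'.
    Addresses are limited to 'any' and 'host A.B.C.D' in this example."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, pos = tok[2], tok[3], 4

    def addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form at {tok[pos]!r}")

    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        port = int(name) if name.isdigit() else WELL_KNOWN[name]
    return ACE(action, proto, src, dst, port)


def ace_matches(ace: ACE, frag: Fragment) -> bool:
    l3_ok = (ace.protocol in ("ip", frag.protocol)
             and ace.src in ("any", frag.src)
             and ace.dst in ("any", frag.dst))
    if not l3_ok:
        return False
    if not ace.tests_l4:
        return True                           # Layer 3-only ACE: applies to all fragments
    if frag.dst_port is not None:
        return frag.dst_port == ace.dst_port  # Layer 4 present: ordinary port test
    # Non-initial fragment, Layer 4 missing, ACE tests Layer 4: modified matching rules.
    return ace.action == "permit"


def evaluate(acl: List[ACE], frag: Fragment) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE); (deny, None) is the implicit deny."""
    for idx, ace in enumerate(acl, start=1):
        if ace_matches(ace, frag):
            return ace.action, idx
    return "deny", None


# Access list 102 as printed on the page, prompts removed.
ACL_102_PAGE = [parse_ace(l) for l in (
    "access-list 102 permit tcp any host 10.1.1.1 eq smtp",
    "access-list 102 deny tcp any host 10.1.1.2 eq telnet",
    "access-list 102 deny tcp any any",
)]
# Constructed variant (not on the page): same list with a permissive final ACE.
ACL_102_PERMIT_TAIL = ACL_102_PAGE[:2] + [parse_ace("access-list 102 permit tcp any any")]


def run_page_example(acl: List[ACE]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate packets A, B and C from the text as first and non-initial fragments."""
    packets = {"A": ("10.1.1.1", 25), "B": ("10.1.1.2", 23), "C": ("10.1.1.3", 21)}
    results = {}
    for name, (dst, port) in packets.items():
        results[f"{name}/first"] = evaluate(acl, Fragment("tcp", "10.2.2.2", dst, port))
        results[f"{name}/rest"] = evaluate(acl, Fragment("tcp", "10.2.2.2", dst, None))
    return results


if __name__ == "__main__":
    for label, acl in (("as on the page", ACL_102_PAGE), ("permit-tail variant", ACL_102_PERMIT_TAIL)):
        print(f"--- ACL 102, {label} ---")
        for key, (action, idx) in run_page_example(acl).items():
            print(f"{key:8} -> {action:6} (ACE {idx if idx else 'implicit'})")
```

Running it shows packet B's first fragment denied by the second ACE under both lists, while its remaining fragments fall past that ACE (a deny testing Layer 4 cannot match them) and are decided by the third ACE alone: denied with the list as printed, permitted with the variant. That is the behaviour a defender should check for on a real list, since a permissive tail ACE is what lets fragments reach the reassembling host.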
