Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
26-5
380261-003
Chapter 26 Configuring Network Security with ACLs
Configuring IPv4 ACLs
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
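The fragment behaviour described above is easy to misjudge when reading an ACL, so the following added example (not a configuration or code from this guide) simulates it. The four-ACE list in ACL_TEXT is constructed here to reproduce the cases the text walks through (ACE 2 denies Telnet to 10.1.1.2, ACE 3 permits the rest of the traffic to that host, ACE 4 denies everything else); it is an assumption, not the guide's ACL. The matching rule for non-initial fragments is the one Cisco documents for IOS ACLs that do not use the fragments keyword: such a fragment carries no Layer 4 header, so a permit ACE with port conditions matches it on Layer 3 alone, while a deny ACE with port conditions is skipped and the next ACE is tried.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names accepted in the "eq" clause (a small subset, enough for this example).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25}

# Hypothetical ACL constructed for this example; not from the guide.
ACL_TEXT = """
access-list 102 permit tcp any host 10.1.1.1 eq smtp
access-list 102 deny tcp any host 10.1.1.2 eq telnet
access-list 102 permit tcp any host 10.1.1.2
access-list 102 deny tcp any any
"""

# Supports "any" and "host A.B.C.D" endpoints with an optional "eq <port>".
ACE_RE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)


@dataclass
class ACE:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Address]  # None means "any"
    sport: Optional[int]                  # None means no Layer 4 condition
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[int]

    @property
    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None


@dataclass
class Fragment:
    src: str
    dst: str
    proto: str
    sport: Optional[int]  # None on a non-initial fragment: no Layer 4 header
    dport: Optional[int]
    initial: bool         # True for an unfragmented packet or the first fragment


def _host(spec: str) -> Optional[ipaddress.IPv4Address]:
    return None if spec == "any" else ipaddress.IPv4Address(spec.split()[1])


def _port(spec: Optional[str]) -> Optional[int]:
    if spec is None:
        return None
    return PORT_NAMES[spec] if spec in PORT_NAMES else int(spec)


def parse_acl(text: str) -> List[ACE]:
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        aces.append(ACE(m["action"], m["proto"], _host(m["src"]), _port(m["sport"]),
                        _host(m["dst"]), _port(m["dport"])))
    return aces


def _l3_match(ace: ACE, frag: Fragment) -> bool:
    return (ace.proto == frag.proto
            and (ace.src is None or ace.src == ipaddress.IPv4Address(frag.src))
            and (ace.dst is None or ace.dst == ipaddress.IPv4Address(frag.dst)))


def _l4_match(ace: ACE, frag: Fragment) -> bool:
    return ((ace.sport is None or ace.sport == frag.sport)
            and (ace.dport is None or ace.dport == frag.dport))


def evaluate(acl: List[ACE], frag: Fragment) -> Tuple[str, int]:
    """Return (action, 1-based index of the matching ACE); index 0 is the implicit deny."""
    for i, ace in enumerate(acl, start=1):
        if not _l3_match(ace, frag):
            continue
        if frag.initial or not ace.has_l4:
            if _l4_match(ace, frag):
                return ace.action, i
            continue
        # Non-initial fragment against an ACE that has Layer 4 conditions: there
        # are no ports to check, so a permit ACE matches on Layer 3 and a deny
        # ACE is skipped in favour of the next ACE.
        if ace.action == "permit":
            return "permit", i
    return "deny", 0


def fragment_verdicts(acl: List[ACE], src: str, sport: int, dst: str, dport: int,
                      nfrags: int = 3) -> List[Tuple[str, int]]:
    """Verdict for the first fragment followed by the non-initial fragments."""
    first = Fragment(src, dst, "tcp", sport, dport, initial=True)
    rest = Fragment(src, dst, "tcp", None, None, initial=False)
    return [evaluate(acl, first)] + [evaluate(acl, rest)] * (nfrags - 1)


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Packet B: Telnet to 10.1.1.2. First fragment denied by ACE 2, the rest permitted by ACE 3.
    print("packet B:", fragment_verdicts(ACL, "10.2.2.2", 65001, "10.1.1.2", 23))
    # Packet C: FTP to 10.1.1.3. Every fragment denied by ACE 4, which has no Layer 4 condition.
    print("packet C:", fragment_verdicts(ACL, "10.2.2.2", 65001, "10.1.1.3", 21))
```

Running it reproduces the text: for packet B the verdicts are deny by ACE 2 for the first fragment and permit by ACE 3 for the others, which is exactly the case where the host cannot reassemble the packet but still spends bandwidth and reassembly buffers on the permitted fragments; for packet C every fragment is denied by ACE 4.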
Configuring IPv4 ACLs
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. For detailed information about the commands, see the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 26-1 on page 26-6) or bridge-group ACLs
• IP accounting
• Inbound and outbound rate limiting (except with QoS ACLs)
• Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
• ACL logging
These are the steps to use IP ACLs on the switch:
Step 1 Create an ACL by specifying an access list number or name and the access conditions.
Step 2 Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.
These sections contain this configuration information:
• Creating Standard and Extended IPv4 ACLs, page 26-6
• Applying an IPv4 ACL to a Terminal Line, page 26-16
• Applying an IPv4 ACL to an Interface, page 26-17
• Hardware and Software Treatment of IP ACLs, page 26-18
• IPv4 ACL Configuration Examples, page 26-18