Specifications
CHAPTER
26-1
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
26
Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 2970 switch by using access
control lists (ACLs), which are also referred to in commands and tables as access lists.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command
reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing
Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
This chapter consists of these sections:
• Understanding ACLs, page 26-1
• Configuring IP ACLs, page 26-5
• Creating Named MAC Extended ACLs, page 26-20
• Configuring VLAN Maps, page 26-22
• Displaying ACL Configuration, page 26-29
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs
can filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a
packet is received on an interface, the switch compares the fields in the packet against any applied ACLs
to verify that the packet has the required permissions to be forwarded, based on the criteria specified in
the access lists. It tests packets against the conditions in an access list one by one. The first match
determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions
after the first match, the order of conditions in the list is critical. If no conditions match, the switch
rejects the packets. If there are no restrictions, the switch forwards the packet; otherwise, the switch
drops the packet. The switch can access-control all packets it switches, including packets bridged within
a VLAN.