25-7
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Configuring ACLs
Unsupported Features
The switch does not support these IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 25-2 on page 25-8)
• Bridge-group ACLs
• IP accounting
• ACL support on the outbound direction
• Inbound and outbound rate limiting (except with QoS ACLs)
• IP packets whose header-length (IHL) field is less than 5, that is, a header shorter than the 20-byte minimum
• Reflexive ACLs
• Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature)
• ICMP-based filtering
• Internet Group Management Protocol (IGMP)-based filtering
Creating Standard and Extended IP ACLs
This section describes how to create switch IP ACLs. The switch tests packets against the conditions in
an access list one by one. The first match determines whether the switch accepts or rejects the packet.
Because the switch stops testing conditions after the first match, the order of the conditions is critical:
a broad permit entered before a more specific deny makes that deny unreachable. If no conditions match,
the switch denies the packet; every access list ends with an implicit deny.
Follow these steps to use ACLs:
Step 1 Create an ACL by specifying an access list number or name and access conditions.
Step 2 Apply the ACL to interfaces or terminal lines.
The software supports these kinds of IP access lists:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional
protocol-type information for finer granularity of control.
Note MAC extended access lists use source and destination MAC addresses and optional protocol-type
information for matching operations. For more information, see the “Creating Named MAC Extended
ACLs” section on page 25-18.
The next sections describe access lists and the steps for using them.
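The following IOS CLI session is an added example and is not taken from the original guide. It carries out both steps above on one switch: a standard IP ACL that restricts which stations may open a session to the switch CLI, and an extended IP ACL that filters traffic entering a port, with the entries ordered so the specific deny is tested before the broad permit. The interface name, addresses, ACL numbers and the assumption that the running image supports applying IP ACLs to physical interfaces are all assumptions for illustration.

```cisco
! --- Step 1: create the ACLs -----------------------------------------
! Standard IP ACL (numbered 1-99): matches on source address only.
! Assumed management subnet 192.168.100.0/24; wildcard 0.0.0.255 = /24.
access-list 10 remark Stations allowed to reach the switch CLI
access-list 10 permit 192.168.100.0 0.0.0.255
! Anything not matched above falls through to the implicit "deny any".

! Extended IP ACL (numbered 100-199): source, destination and protocol.
! The switch stops at the first match, so the host-specific deny must
! come BEFORE the subnet-wide permit or it is never evaluated.
access-list 101 remark Keep one host off the file server, allow the rest of the subnet
access-list 101 deny   tcp host 10.1.1.25 host 10.1.2.10 eq 445
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! Everything else arriving on the port is dropped by the implicit deny.
! (Had the "permit ip 10.1.1.0 ..." line been entered first, packets from
!  10.1.1.25 would match it and the deny line would be shadowed.)

! --- Step 2: apply the ACLs ------------------------------------------
! To a physical port. The switch filters only in the inbound direction,
! so "out" is not accepted here (see Unsupported Features above).
interface FastEthernet0/1
 ip access-group 101 in

! To the terminal lines, using access-class rather than ip access-group.
line vty 0 15
 access-class 10 in

! --- Verify --------------------------------------------------------
! show access-lists          displays each list with entries in test order
! show ip access-lists 101   displays one list; per-entry match counts
!                            reveal an entry that is never hit (shadowed)
```

When checking an ACL after a change, read the entries top to bottom exactly as the switch does and look for any entry whose match count stays at zero while traffic it should catch is flowing; that is the usual sign that an earlier, broader entry is matching first.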