Cisco NME-16ES-1G User Guide - Page 78


16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series
Configuration Tasks

Configuring Network Security with ACLs

Configuring ACLs on Layer 2 interfaces is the same as configuring ACLs on Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the "Configuring IP Services" chapter in the Cisco IP Configuration Guide for Cisco IOS Release 12.2. For detailed information about the commands, refer to the Cisco IOS IP Command Reference for Cisco IOS Release 12.2. For a list of Cisco IOS features not supported on the Ethernet switch network module, see the following section.

Unsupported Features

The Ethernet switch network module does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 11 on page 79).
• Bridge-group ACLs.
• IP accounting.
• ACL support on the outbound direction.
• Inbound and outbound rate limiting (except with QoS ACLs).
• IP packets with a header length of less than five are not access-controlled.
• Reflexive ACLs.
• Dynamic ACLs.
• ICMP-based filtering.
• IGMP-based filtering.

Creating Standard and Extended IP ACLs

This section describes how to create switch IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.

An ACL must first be created by specifying an access list number or name and access conditions. The ACL can then be applied to interfaces or terminal lines.

The software supports these styles of ACLs or IP access lists:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.

The next sections describe access lists and the steps for using them.

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 78
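The following Python model is an added example, not code from the Cisco guide. It reproduces the evaluation rule the section describes (entries tested in order, first match decides, implicit deny when nothing matches) for both standard and extended entries, and shows with a constructed two-entry list why swapping the order of a host deny and a subnet permit silently shadows the deny.

```python
"""First-match ACL evaluation model (added example, not Cisco code).
Addresses use Cisco-style wildcard masks: a 1 bit means "don't care".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str                          # standard ACLs match on source only
    src_wc: str
    dst: Optional[str] = None         # extended ACLs also match destination
    dst_wc: str = "0.0.0.0"           # host match unless a wildcard is given
    proto: Optional[str] = None       # optional protocol ("ip" = any)

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.dst and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.proto in (None, "ip") or pkt["proto"] == self.proto


def evaluate(acl: List[Entry], pkt: dict) -> str:
    """Return 'permit' or 'deny': first matching entry wins, else implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed sample: block one host in the subnet, permit the rest of it.
HOST = {"src": "10.1.1.7", "dst": "192.0.2.10", "proto": "tcp"}
CORRECT = [Entry("deny", "10.1.1.7", "0.0.0.0"),
           Entry("permit", "10.1.1.0", "0.0.0.255")]
WRONG_ORDER = CORRECT[::-1]    # subnet permit first: the host deny is never reached
```

Running evaluate(CORRECT, HOST) yields "deny" while evaluate(WRONG_ORDER, HOST) yields "permit"; a packet from outside 10.1.1.0/24 is denied by either list because no entry matches.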
