Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-12, page 28-6
Chapter 28 Configuring Network Security with ACLs
Configuring ACLs

Guidelines for Applying ACLs to Physical Interfaces

When applying ACLs to physical interfaces, follow these configuration guidelines:

• Only one ACL with these limitations can be attached to an interface:
  – Gigabit Ethernet ports support up to 100 ACEs per 1 ACL per port.
  – Fast Ethernet ports support up to 75 ACEs per 1 ACL across a range of 8 Fast Ethernet ports. This means that ports 1 to 8 support a combined total of 75 ACEs, ports 9 to 16 support a combined total of 75 ACEs, and so on. If you exceed the limit of ACEs over the range of ports, the switch will return an Error:Out of Rule Resources message.
  For more information, see the ip access-group interface command in the command reference for this release.

• All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you can apply any number of system-defined masks. For more information on system-defined masks, see the "Understanding Access Control Parameters" section on page 28-4.

  This example shows the same mask in an ACL:

    Switch (config)# ip access-list extended acl2
    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23

  In this example, the first ACE permits all the TCP packets coming from host 10.1.1.1 with a destination TCP port number of 80. The second ACE permits all TCP packets coming from host 20.1.1.1 with a destination TCP port number of 23. Both ACEs use the same mask; therefore, the switch supports this ACL.

• When you apply an ACL to a physical interface, some keywords are not supported and certain mask restrictions apply to the ACLs. See the "Unsupported Features" section on page 28-7 and the "Creating Standard and Extended IP ACLs" section on page 28-7 for creating these ACLs.

Note: You can also apply ACLs to a management interface without the above limitations. For information, see the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1.

Configuring ACLs

This section includes these topics:

• "Creating a Numbered Standard ACL" section on page 28-8
• "Creating a Numbered Extended ACL" section on page 28-10
• "Creating Named MAC Extended ACLs" section on page 28-17
• "Creating MAC Access Groups" section on page 28-18

Configuring ACLs on a Layer 2 interface is the same as configuring ACLs on Cisco routers. The process is briefly described here. For more detailed information about configuring router ACLs, see the "Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide, Cisco IOS
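The ACE-count limits and the same-mask rule in the guidelines above are easy to break silently when ACLs are generated or copied between ports, so checking a planned configuration against them before pushing it avoids the Error:Out of Rule Resources rejection. The checker below is an added example, not part of the Cisco guide; it models an ACE's user-defined mask as the tuple of fields the entry matches on (protocol, source wildcard, destination wildcard, presence of an L4 port), which is an assumption, and conservatively charges every binding against its 8-port Fast Ethernet block. The interface names, the "mixed" and "big" ACLs and the bindings are constructed sample data; acl2 is the guide's own example.

```python
import re
from collections import defaultdict

GIG_LIMIT = 100  # ACEs per ACL per Gigabit Ethernet port (figure from the guide)
FE_LIMIT = 75    # ACEs shared by each block of 8 Fast Ethernet ports (from the guide)

def _addr(tokens, i):
    """Consume one IOS address spec; return (wildcard, index of next token)."""
    if tokens[i] == "any":
        return "255.255.255.255", i + 1
    if tokens[i] == "host":
        return "0.0.0.0", i + 2
    return tokens[i + 1], i + 2  # "<address> <wildcard>" form
def ace_mask(line):
    """Mask of an extended ACE, modelled (assumption) as (proto, src wc, dst wc, has L4 port)."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    return (t[1], src, dst, i < len(t) and t[i] == "eq")
def check_single_mask(aces):
    """True if every ACE in the ACL uses the same user-defined mask."""
    return len({ace_mask(a) for a in aces}) == 1
def check_port_budget(bindings, acls):
    """Return limit violations for bindings {interface: acl name}. Every binding is
    counted (conservative assumption): an ACL on two ports of one block is charged twice."""
    fe_groups, problems = defaultdict(int), []
    for intf, acl in bindings.items():
        n = len(acls[acl])
        kind, port = re.match(r"(FastEthernet|GigabitEthernet)0/(\d+)$", intf).groups()
        if kind == "GigabitEthernet":
            if n > GIG_LIMIT:
                problems.append(f"{intf}: {n} ACEs > {GIG_LIMIT}")
        else:
            fe_groups[(int(port) - 1) // 8] += n  # ports 1-8 -> block 0, 9-16 -> block 1, ...
    for g, total in sorted(fe_groups.items()):
        if total > FE_LIMIT:
            problems.append(f"FastEthernet0/{g*8+1}-{g*8+8}: {total} ACEs > {FE_LIMIT}")
    return problems

# Constructed sample data: acl2 is the guide's own example, the rest is made up.
ACLS = {"acl2": ["permit tcp 10.1.1.1 0.0.0.0 any eq 80",
                 "permit tcp 20.1.1.1 0.0.0.0 any eq 23"],
        "mixed": ["permit tcp host 10.1.1.1 any eq 80",
                  "permit ip 10.1.0.0 0.0.255.255 any"],
        "big": [f"permit tcp 10.2.{i}.0 0.0.0.255 any eq 443" for i in range(40)]}
BINDINGS = {"FastEthernet0/1": "big", "FastEthernet0/2": "big",
            "FastEthernet0/9": "acl2", "GigabitEthernet0/1": "acl2"}
```

With the sample data, check_single_mask flags "mixed" and check_port_budget reports that ports 1 to 8 carry 80 ACEs, 5 over the block limit.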