Table of Contents
Advertisement
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series
Note
The Ethernet switch network module ACL configuration is consistent with Cisco Catalyst switches.
However, there are significant restrictions as well as differences for ACL configurations on the Ethernet
switch network module.
Guidelines for Configuring ACLs on the Ethernet Switch Network Module
These configuration guidelines apply to ACL filters:
•
•
•
Table 5
Table 5
Restriction
Number of user-defined masks allowed in an ACL 1
Number of ACLs allowed on an interface
Total number of user-defined masks for security
and QoS allowed on a switch
Quality of Service
Quality of service (QoS) can be implemented on your Ethernet switch network module. With this feature,
you can provide preferential treatment to certain types of traffic. Without QoS, the switch offers
best-effort service to each packet, regardless of the packet contents or size. It transmits the packets
without any assurance of reliability, delay bounds, or throughput.
In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such
as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All
other combinations of system-defined and user-defined masks are allowed in security ACLs.
Only one ACL can be attached to an interface. For more information, refer to the
interface command.
All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules
that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks. For more information on system-defined masks, see
the
"Understanding Access Control Parameters" section on page
The following example shows the same mask in an ACL:
Switch (config)#ip access-list extended acl2
Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
In this example, the first ACE permits all the TCP packets coming from the host 10.1.1.1 with a
destination TCP port number of 80. The second ACE permits all TCP packets coming from the host
20.1.1.1 with a destination TCP port number of 23. Both the ACEs use the same mask; therefore, a
Ethernet switch network module supports this ACL.
Only four user-defined masks can be defined for the entire system. These can be used for either
security or quality of service (QoS) but cannot be shared by QoS and security. You can configure as
many ACLs as you require. However, a system error message appears if ACLs with more than four
different masks are applied to interfaces.
lists a summary of the ACL restrictions on Ethernet switch network modules.
Summary of ACL Restrictions
28.
Number Permitted
1
4
Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ
Feature Overview
ip access-group
29
Hide quick links:
Advertisement
Chapters
Table of Contents
