
IBM 12.1(22)EA6 User Manual



22-5

Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide

24R9746

Chapter 22 Configuring Network Security with ACLs

Understanding ACLs

Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any

Note

In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.

The switch ACL configuration is consistent with other Cisco Catalyst switches and Cisco Systems
Intelligent Gigabit Ethernet Switch Modules. However, there are significant restrictions for configuring
ACLs on the switches.

Only four user-defined masks can be defined for the entire system. These can be used for either security
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system message guide for
this release.

Table 22-1 lists a summary of the ACL restrictions on the switches.

Guidelines for Applying ACLs to Physical Interfaces

When applying ACLs to physical interfaces, follow these configuration guidelines:

Only one ACL can be attached to an interface, and that ACL is subject to this limit: a Gigabit
Ethernet port supports up to 100 ACEs in the single ACL applied to it.

For more information, see the ip access-group interface command in the command reference for
this release.

All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules
that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks. For more information on system-defined masks, see
the “Understanding Access Control Parameters” section on page 22-4.

This example shows the same mask in an ACL:

Switch (config)# ip access-list extended acl2
Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23

Table 22-1    Summary of ACL Restrictions

Restriction                                                                    Number
Number of user-defined masks allowed in an ACL                                 1
Number of ACLs allowed on an interface                                         1
Total number of user-defined masks for security and QoS allowed on a switch    4
Number of rules allowed per mask                                               16
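The restrictions above (the ordering rule in the Note, the one-user-defined-mask-per-ACL rule in the interface guidelines, the 100-ACE port limit, and the switch-wide limits in Table 22-1) are easy to violate when an ACL is assembled from many sources, and the switch only tells you after the ip access-group command fails. The following Python linter is an added example, not code from this configuration guide or from Cisco or IBM software; it applies those restrictions to ACE lines before they are pasted into the switch. It assumes the mask and rule definitions from the “Understanding Access Control Parameters” section, which this page only references: a mask is the set of fields an ACE inspects and a rule is the values, so two ACEs share a mask when they inspect the same fields with the same wildcards even if addresses or ports differ. It also assumes that host X and X 0.0.0.0 are the same wildcard, that a bare address with no wildcard (as in permit ip 10.1.1.1 any) is host shorthand, that a “proto any any” entry with no port match is system-defined, and that the 16-rules-per-mask limit is counted across all ACLs applied to interfaces. The sample ACLs are constructed; acl2 reuses the page's same-mask example.

```python
"""Lint extended ACLs against the mask restrictions in this chapter (added example, not Cisco/IBM code).
Mask/rule definitions are assumed from page 22-4; see the comments marked "assumption"."""
from collections import Counter
from dataclasses import dataclass

MAX_USER_MASKS_PER_ACL, MAX_USER_MASKS_PER_SWITCH = 1, 4   # Table 22-1
MAX_RULES_PER_MASK, MAX_ACES_PER_ACL = 16, 100             # Table 22-1; Gigabit Ethernet port limit
L4_PROTOCOLS = {"tcp", "udp"}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # port operator -> operand count

@dataclass(frozen=True)
class Ace:
    proto: str
    src_wild: str        # "any" or a dotted wildcard ("0.0.0.0" for a host)
    dst_wild: str
    src_port: bool
    dst_port: bool
    text: str

    @property
    def mask(self):      # fields of interest only; address and port values are excluded (assumption)
        return (self.proto, self.src_wild, self.dst_wild, self.src_port, self.dst_port)

    @property
    def system_defined(self):   # "<proto> any any" with no port match (assumption)
        return self.src_wild == self.dst_wild == "any" and not (self.src_port or self.dst_port)

    @property
    def layer4(self):
        return self.proto in L4_PROTOCOLS or self.src_port or self.dst_port

def _is_ip(tok):
    return tok.count(".") == 3 and all(p.isdigit() for p in tok.split("."))

def _addr(tokens, i):
    """Consume one address spec; return (wildcard, index after it)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "0.0.0.0", i + 2              # "host X" treated as "X 0.0.0.0" (assumption)
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return tokens[i + 1], i + 2          # explicit "A.B.C.D wildcard"
    return "0.0.0.0", i + 1                  # bare address: host shorthand (assumption)

def _port(tokens, i):
    # Skip an optional port operator and its operands; return (present, next index).
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return True, i + 1 + PORT_OPS[tokens[i]]
    return False, i

def parse_ace(line):
    tokens = line.split()
    # "deny any any" from the system-defined list has no protocol keyword; treat it as ip
    proto, i = ("ip", 1) if tokens[1] in ("any", "host") or _is_ip(tokens[1]) else (tokens[1], 2)
    src, i = _addr(tokens, i)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return Ace(proto, src, dst, sport, dport, line)

def lint_acl(name, lines):
    """Per-ACL checks: ACE count, a single user-defined mask, and the ordering rule from the Note."""
    aces = [parse_ace(l) for l in lines]
    problems = []
    if len(aces) > MAX_ACES_PER_ACL:
        problems.append(f"{name}: {len(aces)} ACEs, limit is {MAX_ACES_PER_ACL} per ACL per port")
    user_masks = {a.mask for a in aces if not a.system_defined}
    if len(user_masks) > MAX_USER_MASKS_PER_ACL:
        problems.append(f"{name}: {len(user_masks)} user-defined masks, limit is {MAX_USER_MASKS_PER_ACL} per ACL")
    seen_l4_system = False
    for a in aces:
        if a.system_defined and a.layer4:
            seen_l4_system = True
        elif seen_l4_system and not a.system_defined and not a.layer4:
            problems.append(f"{name}: Layer 3 user-defined '{a.text}' follows a Layer 4 system-defined mask; ACL cannot be applied to a Layer 2 interface")
            break
    return problems

def lint_switch(applied):
    """Switch-wide checks over every ACL applied to an interface: {acl name: [ACE lines]}."""
    problems, rules_per_mask = [], Counter()
    for name, lines in applied.items():
        problems += lint_acl(name, lines)
        rules_per_mask.update(a.mask for a in map(parse_ace, lines) if not a.system_defined)
    if len(rules_per_mask) > MAX_USER_MASKS_PER_SWITCH:
        problems.append(f"switch: {len(rules_per_mask)} user-defined masks applied, limit is {MAX_USER_MASKS_PER_SWITCH} for the entire switch")
    problems += [f"switch: mask {m} has {n} rules, limit is {MAX_RULES_PER_MASK}"   # counted across ACLs (assumption)
                 for m, n in rules_per_mask.items() if n > MAX_RULES_PER_MASK]
    return problems

# Constructed samples: acl2 is the page's same-mask example plus a system-defined deny;
# acl_bad places a Layer 4 system-defined mask before a Layer 3 user-defined one.
ACL2 = ["permit tcp 10.1.1.1 0.0.0.0 any eq 80", "permit tcp 20.1.1.1 0.0.0.0 any eq 23", "deny ip any any"]
ACL_BAD = ["permit tcp any any", "permit ip 10.1.1.1 any"]

if __name__ == "__main__":
    for p in lint_switch({"acl2": ACL2, "acl_bad": ACL_BAD}):
        print(p)
```

Run stand-alone it reports only the ordering violation in acl_bad; reversing those two ACEs clears it, which is the practical fix the Note implies. Because the mask excludes address and port values, adding more host entries to acl2 never creates a second user-defined mask, while introducing a different wildcard or protocol does.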