IBM 12.1(22)EA6 사용자 설명서
22-5
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 22 Configuring Network Security with ACLs
Understanding ACLs
Switch (config-ext-nacl)# permit udp any any
Switch (config-ext-nacl)# deny udp any any
Switch (config-ext-nacl)# permit ip any any
Switch (config-ext-nacl)# deny ip any any
Switch (config-ext-nacl)# deny any any
Switch (config-ext-nacl)# permit any any
Note
In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as
permit ip 10.1.1.1 any. If you configure this combination, the ACL is not allowed on a Layer 2
interface. All other combinations of system-defined and user-defined masks are allowed in
security ACLs.
The switch ACL configuration is consistent with other Cisco Catalyst switches and Cisco Systems
Intelligent Gigabit Ethernet Switch Modules. However, there are significant restrictions for configuring
ACLs on the switches.
Intelligent Gigabit Ethernet Switch Modules. However, there are significant restrictions for configuring
ACLs on the switches.
Only four user-defined masks can be defined for the entire system. These can be used for either security
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system message guide for
this release.
or quality of service (QoS) but cannot be shared by QoS and security. You can configure as many ACLs
as you require. However, a system error message appears if ACLs with more than four different masks
are applied to interfaces. For more information about error messages, see the system message guide for
this release.
Guidelines for Applying ACLs to Physical Interfaces
When applying ACLs to physical interfaces, follow these configuration guidelines:
•
Only one ACL with this limitation can be attached to an interface: Gigabit Ethernet ports support up
to 100 ACEs per 1 ACL per port.
to 100 ACEs per 1 ACL per port.
For more information, see the ip access-group interface command in the command reference for
this release.
this release.
•
All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules
that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks. For more information on system-defined masks, see
the
that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks. For more information on system-defined masks, see
the
.
This example shows the same mask in an ACL:
Switch (config)# ip access-list extended acl2
Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
Table 22-1
Summary of ACL Restrictions
Restriction
Number
Number of user-defined masks allowed in an ACL
1
Number of ACLs allowed on an interface
1
Total number of user-defined masks for security and QoS allowed on a switch
4
Number of rules allowed per mask
16