Access Security Guide K/KA/KB.15.15

Figure 240 Displayed extended ACL configuration
ACL configuration factors
The sequence of entries in an ACL is significant
When the switch uses an ACL to determine whether to permit or deny a packet, it compares the
packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in
the list and proceeding sequentially until a match is found. When a match is found, the switch
applies the indicated action (permit or deny) to the packet. This is significant because, once a
match is found for a packet, subsequent ACEs in the same ACL will not be applied to that packet,
regardless of whether they match the packet.
For example, suppose that you have applied the ACL shown in Figure 241 to inbound IPv4 traffic on
VLAN 1 (the default VLAN):
Figure 241 A standard ACL that permits all IPv4 traffic not implicitly denied
Table 34 Effect of the above ACL on inbound IPv4 traffic in the assigned VLAN

Line #   Action
n/a      Shows type (extended) and ID (Sample-List-2).
10       A packet from SA 10.28.235.10 will be denied (dropped). This ACE filters out all packets
         received from 10.28.235.10. As a result, IPv4 traffic from that device will not be allowed
         and packets from that device will not be compared against any later entries in the list.
20       A packet from SA 10.28.245.89 will be denied (dropped). This ACE filters out all packets
         received from 10.28.245.89. As a result, IPv4 traffic from that device will not be allowed
         and packets from that device will not be compared against any later entries in the list.
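The first-match behaviour described above, as an added Python model that is not part of the guide: it walks the ACEs of Table 34 in sequence order, stops at the first match, falls through to the implicit deny, and flags ACEs that an earlier entry makes unreachable. The permit-any at line 30 is assumed from the Figure 241 caption; the misordered list is constructed here to show the shadowing check.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access control entry: sequence number, action and source match."""
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source address criterion (/32 = one host)

    def matches(self, src_ip: str) -> bool:
        return ipaddress.IPv4Address(src_ip) in self.src

# Constructed ACL mirroring Table 34: lines 10 and 20 deny the two hosts.
# The trailing permit-any at line 30 is an assumption taken from the
# Figure 241 caption ("permits all IPv4 traffic not implicitly denied").
SAMPLE_LIST_2 = [
    Ace(10, "deny", ipaddress.IPv4Network("10.28.235.10/32")),
    Ace(20, "deny", ipaddress.IPv4Network("10.28.245.89/32")),
    Ace(30, "permit", ipaddress.IPv4Network("0.0.0.0/0")),
]

# Constructed counter-example: same ACEs with permit-any moved to the front.
MISORDERED = [
    Ace(10, "permit", ipaddress.IPv4Network("0.0.0.0/0")),
    Ace(20, "deny", ipaddress.IPv4Network("10.28.235.10/32")),
    Ace(30, "deny", ipaddress.IPv4Network("10.28.245.89/32")),
]

def evaluate(acl: list[Ace], src_ip: str) -> tuple[str, Optional[int]]:
    """First-match evaluation: walk the ACEs in sequence order and stop at
    the first match; later ACEs are never consulted for that packet.
    No match at all falls through to the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(src_ip):
            return ace.action, ace.seq
    return "deny", None

def shadowed_aces(acl: list[Ace]) -> list[int]:
    """Ordering lint: ACEs whose source range is fully covered by a single
    earlier ACE can never be reached. (Coverage by a combination of
    several earlier ACEs is not detected by this simple check.)"""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [ace.seq for i, ace in enumerate(ordered)
            if any(ace.src.subnet_of(prev.src) for prev in ordered[:i])]

if __name__ == "__main__":
    for ip in ("10.28.235.10", "10.28.245.89", "10.28.1.1"):
        print(ip, evaluate(SAMPLE_LIST_2, ip))
    print("shadowed in MISORDERED:", shadowed_aces(MISORDERED))
```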
330 IPv4 Access Control Lists (ACLs)