Administrator Guide
Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), ingress IP and MAC ACLs, and egress IP and MAC ACLs are supported on the system.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This
chapter describes implementing IP ACLs, IP prefix lists, and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny).
ACLs are processed in sequence, so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied, and so on.
When a packet matches a filter, the switch drops or forwards the packet based on that filter's specified action; later filters are not examined. If the packet does not match
any of the filters in the ACL, the packet is dropped (implicit deny). Because the first match wins, a broad entry placed before a more specific one prevents the specific entry from ever matching.
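The sequential first-match evaluation and implicit deny described above, modelled in Python as an added example (this is not code from the guide or from the switch operating system). The rule fields, the class and function names, and the sample ACLs and packets are all the example's own constructions; the matcher also checks IP protocol and destination port, which goes beyond this paragraph into the criteria an extended ACL uses, and it includes a check for entries that an earlier, broader entry shadows so they can never match.

```python
"""Model of ACL evaluation: entries are tried in sequence-number order,
the first match decides the action, and a packet matching no entry is
dropped (implicit deny).  Example code, not the switch's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port for TCP/UDP, else None


@dataclass
class Rule:
    seq: int                      # sequence number; lower numbers are examined first
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any IP protocol (standard-ACL style)
    src: str = "0.0.0.0/0"        # source prefix; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"        # destination prefix; 0.0.0.0/0 means "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """True if this entry's criteria all apply to the packet."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self,
        i.e. self placed earlier in the list would shadow `other` completely."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        src_ok = ipaddress.ip_network(other.src, strict=False).subnet_of(
            ipaddress.ip_network(self.src, strict=False))
        dst_ok = ipaddress.ip_network(other.dst, strict=False).subnet_of(
            ipaddress.ip_network(self.dst, strict=False))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ("deny", None)
    when nothing matched, which is the implicit deny at the end of the ACL."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Sequence numbers of entries that can never match because a single
    earlier entry already covers everything they would match."""
    ordered = sorted(acl, key=lambda r: r.seq)
    return [rule.seq for i, rule in enumerate(ordered)
            if any(earlier.covers(rule) for earlier in ordered[:i])]


# Constructed sample: the intent is to block Telnet from one host while
# permitting all other traffic from 10.0.0.0/8.
MISORDERED_ACL = [
    Rule(seq=5, action="permit", proto="ip", src="10.0.0.0/8"),
    Rule(seq=10, action="deny", proto="tcp", src="10.0.0.5", dport=23),  # never reached
]
CORRECTED_ACL = [
    Rule(seq=5, action="deny", proto="tcp", src="10.0.0.5", dport=23),
    Rule(seq=10, action="permit", proto="ip", src="10.0.0.0/8"),
]
TELNET_FROM_HOST = Packet(proto="tcp", src="10.0.0.5", dst="192.0.2.10", dport=23)
DNS_FROM_OUTSIDE = Packet(proto="udp", src="198.51.100.7", dst="192.0.2.10", dport=53)

if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "telnet:", evaluate(acl, TELNET_FROM_HOST),
              "outside dns:", evaluate(acl, DNS_FROM_OUTSIDE),
              "shadowed:", shadowed_rules(acl))
```

Running the block shows the misordered list permitting the Telnet session at seq 5 (the deny at seq 10 is reported as shadowed), the corrected list denying it at seq 5, and the packet from outside 10.0.0.0/8 falling through to the implicit deny in both lists.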
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User
Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory
(CAM).
Topics:
• IP Access Control Lists (ACLs)
• ACL Optimization to Increase Number of Supported IPv4 ACLs
• IP Fragment Handling
• Configure a Standard IP ACL
• Configure an Extended IP ACL
• Congure Layer 2 and Layer 3 ACLs
• Using ACL VLAN Groups
• Applying an IP ACL
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Important Points to Remember
• Configuring a UDF ACL
• Hot-Lock Behavior
IP Access Control Lists (ACLs)
You can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP address only. An extended ACL filters traffic based on the following criteria:
• IP protocol number
• Source IP address