Reference Guide | Access Control Lists (ACLs) | 87

Chapter 6: Access Control Lists (ACLs)
The Access Control Lists (ACLs) chapter also includes prefix lists and route maps.
ACLs are supported on platforms: e c s z
Ingress IP and MAC ACLs are supported on platforms: e c s z
Egress IP and MAC ACLs are supported on platforms: e z
Overview
At their simplest, Access Control Lists (ACLs), prefix lists, and route-maps permit or deny traffic based
on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP prefix lists, and
route-maps. For MAC ACLs, refer to Chapter 10, Layer 2.
An ACL is essentially a filter containing some criteria to match (examining IP, TCP, or UDP packets) and an
action to take (permit or deny). ACLs are processed in sequence: if a packet does not match the
criteria in the first filter, the second filter (if configured) is applied, and so on. When a packet matches a filter, the
switch drops or forwards the packet based on that filter's specified action. If the packet does not match any
of the filters in the ACL, the packet is dropped (implicit deny).
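The first-match evaluation order and the implicit deny described above are the two properties that most often surprise ACL authors, so here is a small simulator that reproduces them. This is an added example, not FTOS code or output; the rule syntax (sequence number, action, protocol, source, destination, optional destination port) is a simplified model of an extended IP ACL, and the sample ACL and packets are constructed for illustration.

```python
"""Simulate sequential ACL evaluation with first-match semantics and implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ACL filter, ordered by its sequence number (assumed simplified syntax)."""
    seq: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol; "tcp"/"udp" match only that one
    src: str               # CIDR prefix or "any"
    dst: str               # CIDR prefix or "any"
    dst_port: Optional[int] = None   # None means "any port" (like omitting "eq")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def _in_prefix(addr: str, prefix: str) -> bool:
    """Treat the keyword 'any' as the 0.0.0.0/0 prefix."""
    if prefix == "any":
        return True
    return ip_address(addr) in ip_network(prefix, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A filter matches only when every criterion it specifies matches the packet."""
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not _in_prefix(pkt.src, rule.src) or not _in_prefix(pkt.dst, rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Walk the filters in sequence-number order; return (action, seq) of the
    first match, or ("deny", None) when no filter matches (implicit deny)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed sample ACL: block telnet into a management subnet, allow SSH to it
# from the internal network, and otherwise permit internal sources anywhere.
SAMPLE_ACL = [
    Rule(10, "deny",   "tcp", "any",        "10.1.1.0/24", 23),
    Rule(20, "permit", "tcp", "10.0.0.0/8", "10.1.1.0/24", 22),
    Rule(30, "permit", "ip",  "10.0.0.0/8", "any"),
]

# Constructed sample packets.
TELNET_TO_MGMT = Packet("10.2.3.4", "10.1.1.5", "tcp", 23)      # hits seq 10 -> deny
SSH_TO_MGMT = Packet("10.2.3.4", "10.1.1.5", "tcp", 22)         # hits seq 20 -> permit
EXTERNAL_PING = Packet("192.168.1.1", "10.1.1.5", "icmp")       # no match -> implicit deny
INTERNAL_DNS = Packet("10.2.3.4", "8.8.8.8", "udp", 53)         # skips tcp rules, hits seq 30


if __name__ == "__main__":
    for name, pkt in [("telnet to mgmt", TELNET_TO_MGMT), ("ssh to mgmt", SSH_TO_MGMT),
                      ("external ping", EXTERNAL_PING), ("internal dns", INTERNAL_DNS)]:
        action, seq = evaluate(SAMPLE_ACL, pkt)
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{name:15s} -> {action:6s} ({where})")
```

Because evaluation stops at the first match, moving the broad `permit ip` filter ahead of the `deny tcp ... eq 23` filter would silently shadow the deny; reviewing sequence order is as important as reviewing the individual filters.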
The number of ACLs supported on a system depends on your CAM size. See CAM Profiling, CAM
Allocation, and CAM Optimization in this chapter for more information. Refer to Chapter 10, Content
Addressable Memory (CAM) for complete CAM profiling information.
This chapter covers the following topics:
IP Access Control Lists (ACLs)
CAM Profiling, CAM Allocation, and CAM Optimization on page 88
Implementing ACLs on FTOS
IP Fragment Handling on page 92
Configure a standard IP ACL
Configure an extended IP ACL on page 97
Configuring Layer 2 and Layer 3 ACLs on an Interface
Assign an IP ACL to an Interface