Administrator Guide

640 Access Control Lists
ACL, enter a sequence number less than the following rule and greater than the preceding rule. Use the no [sequence-number] command in ACL Configuration mode to remove rules from an ACL.
Preventing False ACL Matches
Be sure to specify ACL access-list, permit, and deny rule criteria as fully as possible to avoid false matches. This is especially important in networks with protocols that have different frame or EtherType values. For example, layer-3 ACL rules that specify a TCP or UDP port value should also specify the TCP or UDP protocol. MAC ACL rules that specify an EtherType value for the frame should also specify a source or destination MAC address wherever possible. Likewise, MAC ACLs that specify a source MAC address should specify an EtherType to avoid interfering with control-plane traffic.
In general, any rule that specifies matching on an upper-layer protocol field should also include matching constraints on as many of the lower-layer fields as possible. For example, a rule to match packets directed to the well-known UDP port number 22 (SSH) should also include matching constraints on the IP protocol field (protocol=0x11 or UDP) and the source or destination IP address. Table 20-2 lists commonly used EtherType numbers:
Table 20-2. Common EtherType Numbers

EtherType   Protocol
0x0800      Internet Protocol version 4 (IPv4)
0x0806      Address Resolution Protocol (ARP)
0x0842      Wake-on-LAN packet
0x8035      Reverse Address Resolution Protocol (RARP)
0x8100      VLAN-tagged frame (IEEE 802.1Q)
0x86DD      Internet Protocol version 6 (IPv6)

NOTE: When configuring access lists, complete checks are made only when the access list is applied to an active interface. It is recommended that you configure and test an access list on an active (up) interface prior to deploying it on links in the production network. If an ACL is configured on an interface that is not up, error messages regarding ACL resource allocation may be logged when the interface is brought up.
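As an added illustration of the false-match guidance above (example code, not part of this guide), a small Python model of first-match ACL evaluation compares the same permit intent written only by destination port with the same rule after EtherType, IP protocol and destination host are pinned. The packet fields, host addresses and packet names are constructed for the example.

```python
# Added example (not from the guide): a toy first-match ACL evaluator showing how a
# rule that constrains only an upper-layer field (port 22) catches unintended traffic.
from dataclasses import dataclass
from typing import Optional

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD      # EtherTypes from Table 20-2
PROTO_TCP, PROTO_UDP = 0x06, 0x11        # IP protocol numbers (UDP = 0x11 as in the text)

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    ethertype: Optional[int] = None      # None = unconstrained (wildcard)
    ip_proto: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A constrained field must equal the packet's value; every wildcard
        # widens the match, which is where false matches come from.
        return all(getattr(self, f) is None or getattr(self, f) == pkt.get(f)
                   for f in ("ethertype", "ip_proto", "dst_ip", "dst_port"))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def false_matches(loose: Rule, strict: Rule, traffic: list) -> list:
    """Names of packets the loose rule catches but the fully specified one does not."""
    return [p["name"] for p in traffic if loose.matches(p) and not strict.matches(p)]

def pkt(name, ethertype, ip_proto, dst_ip, dst_port):
    """Constructed sample frame (hypothetical hosts and addresses)."""
    return dict(name=name, ethertype=ethertype, ip_proto=ip_proto,
                dst_ip=dst_ip, dst_port=dst_port)

TRAFFIC = [
    pkt("udp22-ipv4", ETH_IPV4, PROTO_UDP, "10.0.0.5", 22),        # the intended flow
    pkt("tcp22-ipv4", ETH_IPV4, PROTO_TCP, "10.0.0.5", 22),        # same port, wrong protocol
    pkt("udp22-ipv6", ETH_IPV6, PROTO_UDP, "2001:db8::5", 22),     # same port, wrong EtherType
    pkt("udp22-other-host", ETH_IPV4, PROTO_UDP, "10.0.0.9", 22),  # same port, wrong host
    pkt("udp53-ipv4", ETH_IPV4, PROTO_UDP, "10.0.0.5", 53),        # unrelated traffic
]

# The same intent written only by port, then with the lower layers pinned.
LOOSE = Rule("permit", dst_port=22)
STRICT = Rule("permit", ethertype=ETH_IPV4, ip_proto=PROTO_UDP,
              dst_ip="10.0.0.5", dst_port=22)
```

Running false_matches(LOOSE, STRICT, TRAFFIC) lists the TCP, IPv6 and other-host packets that the port-only rule admits; the fully specified rule permits only the intended UDP flow.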