Users Guide

682 Access Control Lists
ACL Configuration Details
How Are ACLs Configured?
To configure ACLs, follow these steps:

1. Create an IP or MAC ACL by specifying a name.
2. Add new rules to the ACL.
3. Configure the match criteria for the rules.
4. Apply the ACL to one or more interfaces.
Editing Access Lists
When editing access lists, entries are added in the order specified by the rule
sequence number. It is recommended that rule sequence number indices be
separated by a fixed offset (e.g., 10). The ACL sequence number can range
from 1 to 2147483647.
If no sequence number is specified, new entries are added to the end of the
list. There is an implicit deny all statement at the end of the last access-group
that is not shown and is not editable. To insert a rule in the middle of an
ACL, enter a sequence number less than the following rule and greater than
the preceding rule. Use the no [sequence-number] command in ACL
Configuration mode to remove rules from an ACL.
Preventing False ACL Matches
Be sure to specify ACL access-list, permit, and deny rule criteria as fully as
possible to avoid false matches. This is especially important in networks with
protocols that have different frame or EtherType values. For example, Layer-3
ACL rules that specify a TCP or UDP port value should also specify the TCP
or UDP protocol. MAC ACL rules that specify an EtherType value for the

NOTE: When configuring access lists, complete checks are made only when the
access list is applied to an active interface. It is recommended that you configure
and test an access list on an active (up) interface prior to deploying it on links in
the production network. If an ACL is configured on an interface that is not up,
error messages regarding ACL resource allocation may be logged when the
interface is brought up.
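As an added illustration (not from this guide or the switch firmware), the following Python model captures the editing semantics described under "Editing Access Lists" and the false-match case under "Preventing False ACL Matches": rules keyed by sequence number and evaluated first-match, the implicit deny-all at the end, removal by sequence number, and a Layer-3 rule that names a port without its protocol. The `Rule` fields (protocol and destination port only) and the packet tuple are simplifying assumptions of the model.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAX_SEQ = 2147483647  # sequence number range stated in the guide: 1..2147483647
SEQ_STEP = 10         # recommended fixed offset between sequence numbers


@dataclass(frozen=True)
class Rule:
    """Simplified L3 rule (assumption: only protocol and destination port)."""
    action: str                     # "permit" or "deny"
    protocol: Optional[str] = None  # "tcp", "udp" or None = any IP protocol
    dport: Optional[int] = None     # destination port, None = any

    def matches(self, proto: str, dport: int) -> bool:
        return (self.protocol is None or self.protocol == proto) and (
            self.dport is None or self.dport == dport)


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.rules: dict[int, Rule] = {}

    def add(self, rule: Rule, seq: Optional[int] = None) -> int:
        """No sequence number given: append at the end, SEQ_STEP past the last."""
        if seq is None:
            seq = max(self.rules, default=0) + SEQ_STEP
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence {seq} outside 1..{MAX_SEQ}")
        if seq in self.rules:
            raise ValueError(f"sequence {seq} already in use")
        self.rules[seq] = rule
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <sequence-number>' in ACL Configuration mode."""
        del self.rules[seq]

    def evaluate(self, proto: str, dport: int) -> tuple[str, Optional[int]]:
        """Lowest matching sequence wins; otherwise the hidden implicit deny."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(proto, dport):
                return self.rules[seq].action, seq
        return "deny", None  # implicit deny all: not shown, not editable


def false_match_demo() -> tuple[str, str]:
    """Port-only rule also permits UDP/80 (false match); tcp-qualified rule does not."""
    loose, strict = AccessList("loose"), AccessList("strict")
    loose.add(Rule("permit", None, 80))
    strict.add(Rule("permit", "tcp", 80))
    return loose.evaluate("udp", 80)[0], strict.evaluate("udp", 80)[0]
```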