Users Guide
Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prex lists, and route-maps.
At their simplest, access control lists (ACLs), prex lists, and route-maps permit or deny trac based on MAC and/or IP addresses. This
chapter describes implementing IP ACLs, IP prex lists and route-maps. For MAC ACLS, refer to Layer 2.
An ACL is essentially a lter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol
[UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in
the rst lter, the second lter (if congured) is applied. When a packet matches a lter, the switch drops or forwards the packet based on
the lter’s specied action. If the packet does not match any of the lters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User
Congurable CAM Allocation and CAM Optimization. For complete CAM proling information, refer to Content Addressable Memory
(CAM).
You can congure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of
the parameters. Using this new capability, you can also congure VRF based ACLs on interfaces.
NOTE
: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
• VRF Instances
• Interfaces
In order to congure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command
for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following
new parameter that enables you to allocate a CAM region:
vrfv4acl.
The order of priority for conguring user-dened ACL CAM regions is as follows:
• V4 ACL CAM
• VRF V4 ACL CAM
• L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
• Port/VLAN based PERMIT/DENY Rules
• Port/VLAN based IMPLICIT DENY Rules
• VRF based PERMIT/DENY Rules
• VRF based IMPLICIT DENY Rules
NOTE
: In order for the VRF ACLs to take eect, ACLs congured in the Layer 3 CAM region must have an implicit-permit
option.
You can use the ip access-group command to congure VRF-aware ACLs on interfaces. Using the ip access-group command, in
addition to a range of VLANs, you can also specify a range of VRFs as input for conguring ACLs on interfaces. The VRF range is from 1 to
63. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate
CAM region.
NOTE
: You can congure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.
7
Access Control Lists (ACLs) 99