Reference Guide
Access Control Lists (ACL) | 217
Most ACL rules require one entry in the CAM. However, rules with TCP and UDP
port operators (
gt, lt, range) may require more than one entry. The range of ports is
configured in the CAM based on bit mask boundaries; the space required depends on
exactly what ports are included in the range.
For example, an ACL rule with TCP port range 4000 - 8000 will use 8 entries in the
CAM:
Rule# Data Mask From To #Covered
1 0000111110100000 1111111111100000 4000 4031 32
2 0000111111000000 1111111111000000 4032 4095 64
3 0001000000000000 1111100000000000 4096 6143 2048
4 0001100000000000 1111110000000000 6144 7167 1024
5 0001110000000000 1111111000000000 7168 7679 512
6 0001111000000000 1111111100000000 7680 7935 256
7 0001111100000000 1111111111000000 7936 7999 64
8 0001111101000000 1111111111111111 8000 8000 1
Total Ports: 4001
But an ACL rule with TCP port lt 1023 takes only one entry in the CAM:
Rule# Data Mask From To #Covered
1 0000000000000000 1111110000000000 0 1023 1024
Total Ports: 1024
Related
Commands
ip access-list extended
c e s
Name (or select) an extended IP access list (IP ACL) based on IP addresses or
protocols.
Syntax
ip access-list extended access-list-name
To delete an access list, use the
no ip access-list extended access-list-name command.
Parameters
Defaults
All access lists contain an implicit “deny any”; that is, if no match occurs, the packet
is dropped.
Command Modes
CONFIGURATION
deny Assign a deny filter for IP traffic.
deny tcp Assign a deny filter for TCP traffic.
access-list-name Enter a string up to 140 characters long as the access list name.