Users Guide
Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on the system.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP
addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
An ACL is essentially a filter containing some criteria to one of following:
• match (examine IP, transmission control protocol [TCP]
• user datagram protocol [UDP] packets) and an action to take (permit or deny)
ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured)
is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter’s specified action. If the
packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information,
refer to User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content
Addressable Memory (CAM).
Topics:
• IP Access Control Lists (ACLs)
• IP Fragment Handling
• Configure a Standard IP ACL
• Configure an Extended IP ACL
• Configure Layer 2 and Layer 3 ACLs
• Using ACL VLAN Groups
• Applying an IP ACL to an Interface
• IP Prefix Lists
• ACL Resequencing
• Route Maps
• Important Points to Remember
• Configuring a UDF ACL
• Hot-Lock Behavior
IP Access Control Lists (ACLs)
You can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the following criteria:
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
6
Access Control Lists (ACLs) 107