Users Guide
NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an
implicit-permit option.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip
access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for
configuring ACLs on interfaces. The VRF range is from 1 to 63. These ACLs use the existing V4 ACL CAM
region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
NOTE: You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs
but not both.
Topics:
• IP Access Control Lists (ACLs)
• Important Points to Remember
• IP Fragment Handling
• Configure a Standard IP ACL
• Configure an Extended IP ACL
• Configure Layer 2 and Layer 3 ACLs
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Resequencing
• Route Maps
• Flow-Based Monitoring Support for ACLs
IP Access Control Lists (ACLs)
In Dell Networking switch/routers, you can create two types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the
following criteria:
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL TCP and UDP filters, you can match on a specific TCP or UDP port or on a range of ports. For
extended ACL TCP filters, you can also match on established TCP sessions.
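The following Python model is an added example, not code from the Dell guide or from Dell Networking OS; it shows how the extended ACL criteria listed above (protocol number, source and destination address, port ranges, and the established match) combine when a packet is evaluated. Assumptions: rules are checked in order with the first match winning, the implicit final action is deny unless overridden, and established matches TCP segments with the ACK or RST flag set, as on common router ACL implementations; the class names, addresses, and sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
TCP, UDP = 6, 17        # IP protocol numbers
ACK, RST = 0x10, 0x04   # TCP flag bits

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # IP protocol number; None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: tuple = (0, 65535)      # inclusive port range
    dport: tuple = (0, 65535)
    established: bool = False      # assumption: matches TCP with ACK or RST set

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0

def matches(r: Rule, p: Packet) -> bool:
    if r.proto is not None and r.proto != p.proto:
        return False
    if not (ip_address(p.src) in ip_network(r.src) and ip_address(p.dst) in ip_network(r.dst)):
        return False
    if p.proto in (TCP, UDP) and not (r.sport[0] <= p.sport <= r.sport[1]
                                      and r.dport[0] <= p.dport <= r.dport[1]):
        return False
    if r.established:  # a per-packet flag test, not session tracking
        return p.proto == TCP and bool(p.flags & (ACK | RST))
    return True

# First matching rule wins; 'default' models the implicit final action (assumed deny).
def evaluate(acl, p: Packet, default: str = "deny") -> str:
    for r in acl:
        if matches(r, p):
            return r.action
    return default

# Constructed sample ACL, applied inbound toward 10.1.1.0/24
ACL = [
    Rule("permit", TCP, dst="10.1.1.0/24", established=True),
    Rule("permit", TCP, dst="10.1.1.10/32", dport=(8000, 8080)),
    Rule("permit", UDP, dst="10.1.1.53/32", dport=(53, 53)),
]
```

Under these assumptions the established rule is decided from the flags of each packet alone, so it does not replace stateful inspection where session tracking is required.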