Owner's Manual
Chapter 13. ACLs | 299
13. ACLs
This chapter includes the following sections:
• Overview on page 299
• ACL Rule Syntax on page 300
• Layer-2 Protocol Tunneling ACLs on page 312
• Dynamic ACLs on page 313
• ACL Evaluation Precedence on page 319
• Applying ACL Policy Files on page 321
• ACL Mechanisms on page 325
• Policy-Based Routing on page 337
• ACL Troubleshooting on page 344
Overview
Access Control Lists (ACLs) are used to perform packet filtering and forwarding decisions on
traffic traversing the switch. Each packet arriving on an ingress port and/or VLAN is compared to
the access list applied to that interface and is either permitted or denied. On NETGEAR 8800
series switches, packets egressing an interface can also be filtered. However, only a subset of
the filtering conditions available for ingress filtering are available for egress filtering.
In addition to forwarding or dropping packets that match an ACL, the switch can also perform
additional operations such as incrementing counters, logging packet headers, mirroring traffic to
a monitor port, sending the packet to a QoS profile, and metering the packets matching the ACL
to control bandwidth. Using ACLs has no impact on switch performance (with the minor
exception of the mirror-cpu action modifier).
ACLs are typically applied to traffic that crosses Layer 3 router boundaries, but it is possible to
use access lists within a Layer 2 virtual LAN (VLAN).
ACLs on the XCM8800 apply to all traffic. This is somewhat different from the behavior in NETGEAR.
For example, if you deny all traffic to a port, no traffic reaches the switch, including control
packets such as OSPF or RIP, and the routing adjacency will be dropped. You must explicitly permit
those packet types if they are desired. In NETGEAR, an ACL that denied “all” traffic would still
allow control packets (those bound for the CPU) to reach the switch.
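The consequence of the "all traffic" behavior is that any catch-all deny rule must be preceded by explicit permits for the control-plane protocols the switch relies on. The policy file below is an added example, not taken from this manual; it assumes the entry/if/then policy syntax and the protocol, destination-port, permit, deny and count keywords described in the ACL Rule Syntax section, and it uses IP protocol number 89 (OSPF) and UDP port 520 (RIP). Entry names and counter names are the author's own choices.

```text
entry allow_ospf {
    if {
        protocol 89;
    } then {
        permit;
        count ospf_in;
    }
}

entry allow_rip {
    if {
        protocol udp;
        destination-port 520;
    } then {
        permit;
        count rip_in;
    }
}

entry deny_rest {
    if {
    } then {
        deny;
        count dropped;
    }
}
```

The two permit entries are listed first so that they are evaluated before the catch-all deny; if deny_rest were the only entry, OSPF and RIP adjacencies on that port would be lost, and the dropped counter would be the only evidence of why.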