Product guide

Access Control Lists (ACLs)
Terminology
Access Control Entry (ACE): A policy consisting of criteria and an action
(permit or deny) to execute on a packet if it meets the criteria. The
elements composing the criteria include:
  - source IP address and mask (standard and extended ACLs)
  - destination IP address and mask (extended ACLs only)
  - either of the following:
      - all IP traffic
      - IP traffic of a specific IP protocol (extended ACLs only)
        (In the cases of TCP, UDP, ICMP, and IGMP, the criteria can
        include either all IP traffic of the protocol type or only the IP
        traffic of a specific sub-type within the protocol.)
  - option to log packet matches with deny ACEs
  - optional use of IP precedence and ToS settings (extended ACLs only)

Access Control List (ACL): A list (or set) consisting of one or more
explicitly configured Access Control Entries (ACEs) and terminating with
an implicit “deny” ACE. ACLs can be used to filter IP traffic and to select
IP traffic to be monitored (mirrored). ACL types include “standard” and
“extended”. See “Standard ACL” and “Extended ACL”. For filtering IP
traffic, both can be applied in any of the following ways:
  - RACL: an ACL assigned to filter routed IP traffic entering or leaving
    the switch on a VLAN. (Separate assignments are required for
    inbound and outbound IP traffic.)
  - VACL: an ACL assigned to filter inbound IP traffic on a specific VLAN
    configured on the switch.
  - Static Port ACL: an ACL assigned to filter inbound IP traffic on a
    specific switch port.
  - Dynamic Port ACL: a dynamic ACL assigned to a port by a RADIUS
    server to filter inbound IP traffic from an authenticated client on that
    port.
An ACL can be configured on a VLAN as an RACL or VACL (or both), and
on a port (or static trunk) as a static port ACL. (Dynamic port ACLs are
configured on a RADIUS server.)
See also “ACL Mirroring”.

ACE: See “Access Control Entry”.
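The ACE and ACL definitions above, modelled as a small first-match evaluator with the implicit trailing deny and logging on deny ACEs. This is an added illustration, not the switch's own implementation; the ACE fields, the sample networks and the packet dictionaries are constructed for the example.

```python
# Added example: first-match evaluation of an ACL built from ACEs, with the
# implicit "deny" at the end and the log option on deny ACEs. Constructed
# for illustration; not the switch firmware's implementation.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source address/mask (standard and extended)
    dst: Optional[str] = None      # destination address/mask (extended only)
    proto: Optional[str] = None    # "tcp", "udp", "icmp", ...; None = all IP
    dport: Optional[int] = None    # protocol sub-type, e.g. TCP/UDP dest port
    log: bool = False              # log packet matches (used with deny ACEs)

    def matches(self, pkt: dict) -> bool:
        """True if every configured criterion matches the packet."""
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    entries: List[ACE] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[str]]:
        """Return (action, log_message). The first matching ACE wins; the
        implicit deny that terminates every ACL is modelled explicitly."""
        for i, ace in enumerate(self.entries, start=1):
            if ace.matches(pkt):
                msg = None
                if ace.log and ace.action == "deny":
                    msg = f"{self.name} ACE {i} deny {pkt['src']} -> {pkt['dst']}"
                return ace.action, msg
        return "deny", None   # implicit deny: not configured, not logged


# Constructed samples: a standard ACL (source only) and an extended ACL that
# permits SSH from one subnet to a management host and logs other TCP attempts.
STD_ACL = ACL("std-in", [ACE("permit", src="10.1.0.0/24")])
MGMT_ACL = ACL("mgmt-in", [
    ACE("permit", src="10.1.0.0/24", dst="10.9.0.5/32", proto="tcp", dport=22),
    ACE("deny", src="0.0.0.0/0", dst="10.9.0.5/32", proto="tcp", log=True),
])
```

A packet that matches neither configured ACE falls through to the implicit deny, which produces no log entry; only an explicit deny ACE with the log option does.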